Users of a popular cryptocurrency exchange called Btc-e are reporting a significant spike in email phishing attempts, a potential harbinger of a fresh spam or malware campaign being launched in an attempt to defraud the bitcoin community.
The reports emerged this week (2 May) on the bitcoin sections of Reddit and Twitter, with many recipients posting images of the spam that appears to currently be in circulation.
The attacker is luring victims by asking them to "review attached Btc-e codes" and claiming they only have a matter of hours to redeem them.
The emails contain a password and a Microsoft Word document. Sender names vary, with some to date including Pierce Cynthia and Parsons Dillon.
One Reddit user wrote: "In the word document it claims to be an encrypted document (really just an image). To decrypt it you have to enter the code from the email. Once you do that it downloads a program that encrypts your whole computer."
Another claimed: "I got the same thing. Seems like btc-e.com has had a breach of their account details. [The attacker] had my email and username, passwords may have been taken too but likely hashed so it may be worth changing your password just to be on the safe side."
According to one Twitter user with the name "GasGeverij" – a self-described penetration tester – the slew of fraudulent emails may be part of a "well-organised spam campaign leveraging [the] new Office vulnerability bypassing Gmail and Yahoo filters".
This is in reference to recent reports from cybersecurity firms McAfee and FireEye, which discovered a bug in Word that hackers could exploit by using attached documents to spread malware and exploit kits. Before a patch was released it put "millions of users" at risk.
Btc-e was previously attacked back in 2014 with a breach that exposed over 560,000 accounts. The widespread incident compromised email domains, user IDs, bitcoin wallet balances and IP addresses, as first reported by the now-defunct breach notification website LeakedSource.
More recently, a vendor on the dark web was selling packages of hacked data from bitcoin websites and forums including Btc-e, BitCoinTalk, MtGox and Bitcoinsec. As reported at the time, the release allegedly contained emails, phone numbers, dates of birth, locations and passwords.
Some users who say they were never signed up to Btc-e were reportedly also hit with the emails, meaning it remains unclear what dataset has been compromised and exploited.
Although unverified at this time, it appears the new campaign is taking advantage of previously-leaked information. As such, it is highly advised that all Word users ensure all security updates are installed and Btc-e accounts are linked to passwords that are both strong and unique.
On 23 April, Btc-e updated its website with a post titled "How to protect your account from hacking" but did not mention any news of a fresh breach or cyberattack. It said cases of hacked accounts and the "use of viruses disguised as trade bots" were becoming more frequent.
At the time of publication, Twitter users continued to report receiving the spam.