Since 2015, a bitcoin-stealing cybercrime gang has been launching phishing attacks exploiting Google's own advertising network to pilfer more than $50m worth of cryptocurrency.

Researchers from Talos – a division of Cisco – worked alongside the Ukraine Cyberpolice to track the group responsible for six months, they said in a blog post this week. The campaign, dubbed CoinHoarder, has been hijacking Google AdWords for years, they found.

AdWords lets marketers pay to display content on Google's popular online network. Advertisers bid on keywords that then appear as clickable results.

In this campaign, Ukraine-based phishers were "poisoning" the results by posing as cryptocurrency websites to the steal login details of users' wallets – used to store virtual money.

Often, Talos said, the top results for "blockchain" and "bitcoin wallet" led to the hackers' sites.

Illicit domains would have slightly different spellings to real crypto platforms. Instead of blockchain.info the hackers would use blockchalna[.]info. The websites, which had hundreds of thousands of visitors, were hosted on "bulletproof hosting providers based in Europe" including Ukraine.

"These attacks can be nearly impossible to spot with the human eye, especially when delivered on a mobile platform," a team of Talos experts said in the Wednesday (14 Feb) blog.

The experts said that attackers typically target victims in developing nations where, they noted, banking "can be more difficult" and English is not a first language. "While working with Ukraine law enforcement, we were able to identify the attackers' Bitcoin wallet addresses and thus, we could track their activity for the period of time between September and December 2017," Talos wrote.

"Based on our findings associated with this syndicate, we estimate the CoinHoarder group to have netted more than $50m over the past three years," it added.

Talos cryptocurrency results
Screenshot posted by Talos of the hijacked Google results Cisco Talos

Cryptocurrencies, primarily bitcoin, spiked in value during the last few months of 2017 and at one point a single coin was worth more than $19,000. As the mainstream adoption grew, the worth of the funds was also rising for the global cybercrime gangs involved in heists.

"What is clear from the CoinHoarder campaign is that cryptocurrency phishing via Google Adwords is a lucrative attack on users worldwide," Talos researchers noted.