Cisco, in conjunction with the Department of Cyber Police of the National Police of Ukraine, has uncovered a phishing scheme whose organizers managed to seize $50 million in cryptocurrency within the last three years.

The campaign was organized by the Ukrainian hacker group Coinhoarder. The cybercriminals focused on bitcoin holders who kept their assets on Blockchain.info, one of the most popular bitcoin wallets.

"The campaign was very simple, and after initial setup, the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims. This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals," the Talos report reads.

Malicious ads were targeted at keywords related to the crypto industry ("blockchain," "bitcoin wallet"), and contained links to phishing copies of Blockchain.info - "blokchien.info/wallet" and "block-clain.info."

After clicking these links, users were redirected to phishing copies of the real site Blockchain.info, which manages the Blockchain.info and Blockchain.com wallets.

At the same time, the wallet's real site ranked lower in the Google search results than the malicious ones.

Users fooled by the scammers entered private information that allowed the hackers to access their wallets and steal the bitcoins stored in them.
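A defender-side check for lookalike domains such as the two named above, as an added example that is not from the Talos report or this article: it flags any domain whose registered label sits within a small edit distance of "blockchain". The distance threshold, the allowlist and the simple two-label domain extraction are assumptions made for the example.

```python
from urllib.parse import urlsplit

LEGIT = {"blockchain.info", "blockchain.com"}  # real sites named in the article
BRAND = "blockchain"
MAX_DISTANCE = 3  # assumed threshold; tune against your own false-positive rate


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ab" typed as "ba".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def registered_domain(url_or_host: str) -> str:
    """Last two host labels; assumes a single-label TLD (no public suffix list)."""
    s = url_or_host.strip().lower()
    host = urlsplit(s if "//" in s else "//" + s).hostname or ""
    return ".".join(host.rstrip(".").split(".")[-2:])


def lookalike_score(url_or_host: str):
    """Distance to the brand label if the domain looks like a copy, else None."""
    domain = registered_domain(url_or_host)
    if not domain or domain in LEGIT:
        return None
    # Hyphens are a common way to split a brand name, so ignore them.
    label = domain.split(".")[0].replace("-", "")
    dist = osa_distance(label, BRAND)
    return dist if dist <= MAX_DISTANCE else None


if __name__ == "__main__":
    # First two entries are the phishing domains from the article; the rest are constructed.
    sample = ["blokchien.info/wallet", "block-clain.info",
              "https://www.blockchain.info/wallet", "example.org"]
    for entry in sample:
        score = lookalike_score(entry)
        print(f"{entry:40} {'SUSPECT d=' + str(score) if score is not None else 'ok'}")
```

A score of 0 means the brand label itself on a domain outside the allowlist, which is also worth reviewing.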

Cisco in cooperation with the Ukrainian cyber police has been studying this "large-scale phishing campaign" for six months. Researchers note that since then the method used by the Coinhoarder group has become widespread among scammers.

According to the facts revealed by Cisco, the Coinhoarder group has been active since at least 2015. During this time, the hackers stole about $50 million in cryptocurrency. Their haul in the period from September to December 2017 alone amounted to $10 million.