Hui Jiang (Tsinghua University and Baidu Inc), Zhenrui Zhang (Baidu Inc), Xiang Li (Nankai University), Yan Li (Tsinghua University), Anpeng Zhou (Tsinghua University), Chenghui Wu (Baidu Inc), Man Hou (Zhongguancun Laboratory), Jia Zhang (Tsinghua University), Zongpeng Li (Tsinghua University)

Due to the substantial financial incentives involved, credential-theft-based cryptocurrency wallet phishing (CtPhish) scams have emerged as one of the most prevalent malicious activities in the cryptocurrency ecosystem. In these attacks, victims are lured into visiting CtPhish websites or applications and deceived into disclosing their credentials, allowing attackers to steal their cryptocurrency assets. Although several phishing detection approaches exist, they are either inapplicable to CtPhish or suffer from significant limitations.

To bridge this gap, we propose CtPhishCapture, a large-scale detection system targeting CtPhish websites and applications. CtPhishCapture visits suspicious websites, employs large language model (LLM)-based detection methods to identify CtPhish websites, and attempts to download and analyze potential CtPhish applications for further detection. Over a six-month deployment, CtPhishCapture identified 5,138 CtPhish websites and 10,612 CtPhish applications. Notably, only 17% of the websites and 21% of the applications had previously been reported by the community, meaning that CtPhishCapture newly discovered 83% of the websites and 79% of the applications, making it the largest known detection system for CtPhish to date.

Leveraging the collected dataset, we conduct a comprehensive end-to-end measurement and analysis of the CtPhish ecosystem. Our analysis examines how attackers attract victims to CtPhish websites and apps, how they gain users' trust, and ultimately how they exfiltrate victims' cryptocurrency assets. Additionally, we provide in-depth measurements of the associated websites and applications, including their characteristics, evasion techniques, and estimated financial losses. Finally, we deploy CtPhishCapture in collaboration with a leading search engine provider. By integrating CtPhishCapture’s detection results, the weekly user complaints about CtPhish are reduced by a factor of 5.8.
