Hui Jiang (Tsinghua University and Baidu Inc), Zhenrui Zhang (Baidu Inc), Xiang Li (Nankai University), Yan Li (Tsinghua University), Anpeng Zhou (Tsinghua University), Chenghui Wu (Baidu Inc), Man Hou (Zhongguancun Laboratory), Jia Zhang (Tsinghua University), Zongpeng Li (Tsinghua University)

Due to the substantial financial incentives involved, credential-theft-based cryptocurrency wallet phishing (CtPhish) scams have emerged as one of the most prevalent malicious activities in the cryptocurrency ecosystem. In these attacks, victims are lured into visiting CtPhish websites or applications and deceived into disclosing their credentials, allowing attackers to steal their cryptocurrency assets. Although several phishing detection approaches exist, they are either inapplicable to CtPhish or suffer from significant limitations.

To bridge this gap, we propose CtPhishCapture, a large-scale detection system targeting CtPhish websites and applications. CtPhishCapture visits suspicious websites, employs large language model (LLM)-based detection methods to identify CtPhish websites, and attempts to download and analyze potential CtPhish applications for further detection. Over a six-month deployment, CtPhishCapture identifies 5,138 CtPhish websites and 10,612 CtPhish applications. Notably, only 17% of the websites and 21% of the applications were previously reported by the community, indicating that CtPhishCapture newly discovers 83% of the websites and 79% of the applications, making it the largest known detection system for CtPhish to date.

Leveraging the collected dataset, we conduct a comprehensive end-to-end measurement and analysis of the CtPhish ecosystem. Our analysis examines how attackers attract victims to CtPhish websites and apps, how they gain users' trust, and ultimately how they exfiltrate victims' cryptocurrency assets. Additionally, we provide in-depth measurements of the associated websites and applications, including their characteristics, evasion techniques, and estimated financial losses. Finally, we deploy CtPhishCapture in collaboration with a leading search engine provider. By integrating CtPhishCapture’s detection results, the weekly user complaints about CtPhish are reduced by a factor of 5.8.

View More Papers

Constructive Noise Defeats Adversarial Noise: Adversarial Example Detection for...

Meng Shen (Beijing Institute of Technology), Jiangyuan Bi (Beijing Institute of Technology), Hao Yu (National University of Defense Technology), Zhenming Bai (Beijing Institute of Technology), Wei Wang (Xi'an Jiaotong University), Liehuang Zhu (Beijing Institute of Technology)

Read More

BPA-X: An Architecture-Agnostic Block-Based Points-to Analysis for Stripped Binaries

Bokai Zhang, Monika Santra, Syed Rafiul Hussain, Gang Tan (Pennsylvania State University)

Read More

Understanding the Stealthy BGP Hijacking Risk in the ROV...

Yihao Chen (DCST & BNRist & State Key Laboratory of Internet Architecture, Tsinghua University; Zhongguancun Laboratory), Qi Li (INSC & State Key Laboratory of Internet Architecture, Tsinghua University; Zhongguancun Laboratory), Ke Xu (DCST & State Key Laboratory of Internet Architecture, Tsinghua University; Zhongguancun Laboratory), Zhuotao Liu (INSC & State Key Laboratory of Internet Architecture, Tsinghua…

Read More