Main Page > Blog >


AMLT Crypto Alert of the Week - Fake Sites

Nov 23, 2018

About Us

Recognized as a global leader in RegTech for blockchain, Coinfirm serves as a foundation for the safe adoption and use of blockchain. The Coinfirm AML/CTF Platform uses proprietary algorithms and big data analysis to provide structured, actionable data that solves compliance and transaction risk issues in blockchain and cryptocurrencies. The blockchain agnostic platform is currently used by anyone ranging from major financial institutions to exchanges. In addition, Coinfirm develops dedicated blockchain solutions such as the data provenance platform Trudatum that was recently integrated by the largest bank in CE.

Follow Us


Welcome to week 15 of the Crypto Alert of the Week series by AMLT, a series dedicated to documenting interesting or high profile frauds/hacks etc that recently happened and have been reported into the AMLT Network and show how the AMLT Network can help track and prevent it in the future.

Out of all the ways to risk having your crypto stolen, the one that is usually overlooked is using a fake site posing as your favourite crypto wallet/exchange. What’s even worse is that an attack of this kind isn’t that easy to detect.

The differences could be incredibly subtle. It mostly revolves around using similar using letters or adding one in the middle. What usually gives these sites away is using the unsafe HTTP protocol and having no SSL certificate. (as seen below, a site posing as idex instead having an L in the name, making it barely distinguishable).

But what if a person is sure that they have entered the right address and didn’t click on any phishing links? This is the problem many MyEtherWallet users faced when the site had its DNS servers hacked. MEW being an extremely popular online Ethereum wallet service is often a target of various attacks, although until this year, an attack this sophisticated hasn’t happened.

So how does it work?
A DNS server is the computer server that contains a database of IP addresses and their corresponding hostnames. Whenever you enter an address into a browser it has to resolve its actual IP address that is hidden under the website address. If an attacker is able to replace the site’s IP address with his own under the same name, the only way a victim is able to tell that the site is fake is to thoroughly check the SSL certificate, and truth be told, barely anyone does that. (as seen below, the fake site had an invalid certificate despite the url being right)

These counterfeit sites work pretty much the same as the ones they try to emulate. Once the fake site obtains somebody’s login information or - even worse - their wallet keys, it’s a matter of minutes before the victim loses everything they had with no real way of recovering the stolen funds.

These stories are a great reminder that while enjoying the benefits of cryptocurrencies, one must remain vigilant and adhere to the basic rule: Verify.

At Coinfirm we believe in setting the highest standards for the industry. If anyone notices such an attack, they can report the attacker through the AMLT panel or widget. The submitted data is then analysed and processed by our data science team for validation of submitted data. Once flagged entities using the Coinfirm AML Platform such as exchanges can see the source and potentially freeze the funds and prevent further risk spreading through the ecosystem. This helps the crypto economy become safer and more transparent while fighting malicious actors.

Below you can see the risk score in the Coinfirm AML Risk Report created for the MyEtherWallet hackers address.

If you're interested in partnering with Coinfirm or becoming an AMLT Network Member then contact us!

Thank you for your continued support and make sure to follow all of our latest updates on Twitter, Facebook, LinkedIn and Telegram Community.

The AMLT Team