A large number of phishing campaigns emerged in the aftermath of the Bybit heist, designed to siphon cryptocurrency from its customers, according to BforeAI.
The security vendor detected 596 suspicious domains originating from at least 13 different countries in the three weeks following news of the biggest crypto theft in history.
Dozens of these domains spoofed the cryptocurrency exchange itself, many using typosquatting techniques and including keywords such as “refund,” “wallet,” “information,” “check” and “recovery.”
“There were also instances of popular crypto keywords such as ‘metaconnect,’ ‘mining,’ and ‘airdrop,’ as well as the use of free hosting and subdomain registration services such as Netlify, Vercel, and Pages.dev,” BforeAI said.
“The use of free hosting services and dynamic subdomains is a widely used tactic in this dataset. Many phishing pages are hosted on platforms that provide fast, anonymous deployment without requiring domain purchases.”
Interestingly, the largest number of confirmed malicious domains was registered in the UK.
Read more on phishing: Phishing Campaigns Use SVB Collapse to Harvest Crypto
Bybit said at the time of the incident that no customers would be left out of pocket by the incident, but that didn’t stop the scammers from trying to create a sense of anxiety and urgency.
Many of the phishing websites were designed to resemble a recovery service for customers that may have lost funds in the heist, with some purporting to be a “Bybit Help Center.”
The end goal appears to have been to trick victims into entering their Bybit/crypto passwords.
A few weeks after the heist, phishing campaigns segued from “withdrawals, information and refunds” via lookalike Bybit sites, to offering “crypto and training guides” and exclusive rewards in order to lure would-be investors, the report claimed.
“Despite the shift to these crypto and training guides, the campaigns maintained a connection to the earlier withdrawal scams by including ‘how to withdraw from Bybit guides.’ This creates a flow of traffic between learning resources fakes and withdrawal phishing attempts,” BforeAI explained.
North Korean hackers were blamed for the attack on Bybit, which is thought to have cost the firm nearly $1.5bn in stolen crypto.
It helped Q1 2025 to an infamous record: hackers stole almost $1.7bn in the quarter, more than any other in history.