Scammers target the claimants of the Celsius crypto lender

September 30, 2023

A new phishing operation is targeting the claimants in the Celsius crypto lender bankruptcy proceedings. The scammers impersonate the bankruptcy claims agent, Stretto, to steal cryptocurrency from unsuspecting victims.

The Celsius crypto lender filed for bankruptcy in July last year and froze withdrawals from user accounts, leaving countless customers with no access to their funds. These affected users have since filed claims against the company to recover a portion of their frozen assets.


The phishing scam exploits the claims process against the Celsius crypto lender.


A surge of phishing emails posing as communications from Stretto, the Claims Agent for the Celsius bankruptcy case, has emerged to target claimants. The deceptive emails offer creditors a seven-day window to claim their frozen assets. The messages display the sender name “Stretto Corporate Restructuring” and the From address no-reply@stretto.com, a legitimate-looking address on Stretto's real domain.

The emails link to a fake website at case-stretto[.]com, a look-alike domain that was registered only recently and is hosted in Seychelles. Note that the real Stretto domain is stretto.com; the phishing domain merely contains that name.

The phishing page instructs visitors to enter their email address to initiate a claim. On submission it triggers a WalletConnect prompt; if the victim approves the connection, the attackers gain access to information held in the connected cryptocurrency wallet, such as wallet addresses, balances and transaction history, and can request unauthorised transactions from it.

The most troubling part of this campaign is that the phishing emails pass Sender Policy Framework (SPF) checks, which receiving mail servers commonly use to verify that the server delivering a message is authorised to send for the sender's domain.

The phishing emails carry the return path ‘bounces+xxx-xx=xxx.com@em6462.stretto.com’, and em6462.stretto.com publishes an SPF record that lists the IP address 149.72.171.199 as an authorised sender, so mail from that address is treated as legitimate rather than spam.

That IP address belongs to the email marketing firm SendGrid. SPF only checks whether the connecting IP is authorised for the return-path domain; it cannot tell which SendGrid customer actually submitted the message. The attackers appear to be relaying their mail through SendGrid, so it arrives from the authorised address, passes SPF and reaches its targets.
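To make the two points above concrete, here is an added example (not code from the article, from Stretto or from SendGrid) of the checks a receiving gateway could run on such a message. It uses a constructed, offline stand-in for DNS that mirrors the article's facts (em6462.stretto.com authorises 149.72.171.199), a constructed sample of the phishing email, a minimal SPF evaluator covering only the ip4, include and all mechanisms, and a deliberately crude "last two labels" notion of organisational domain. It assumes the receiving mail server has already recorded the connecting IP. The result shows an SPF pass and aligned sender domains, and still flags the message because its link points at case-stretto.com rather than stretto.com.

```python
"""Why an SPF 'pass' proves little when the sender uses a shared mail provider.

Added example, not the article's or any vendor's code.  DNS data and the
sample message below are constructed; the SPF evaluator is a teaching subset.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (no network access).  The first
# entry mirrors the article: the em6462.stretto.com subdomain authorises the
# SendGrid address 149.72.171.199.  example.org is an assumed extra entry that
# includes it, to show how 'include' inherits the same shared-provider exposure.
FAKE_DNS_TXT = {
    "em6462.stretto.com": "v=spf1 ip4:149.72.171.199 -all",
    "example.org": "v=spf1 include:em6462.stretto.com ~all",
}

# Constructed phishing sample shaped like the one the article describes.
SAMPLE_EMAIL = """\
Return-Path: <bounces+xxx-xx=xxx.com@em6462.stretto.com>
From: Stretto Corporate Restructuring <no-reply@stretto.com>
To: claimant@example.net
Subject: Celsius claim: action required within 7 days
Content-Type: text/plain

Submit your claim at https://case-stretto.com/claim before the deadline.
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, _depth=0):
    """Evaluate a tiny SPF subset (ip4, include, all) for the envelope-sender
    domain.  Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1") or _depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # A /32 matches exactly the authorised address, whoever sent via it.
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            if spf_check(term[8:], ip, _depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
    return "neutral"


def domain_of(address):
    """Domain part of an e-mail address header value, lower-cased ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def registrable_domain(host):
    """Crude organisational domain: the last two labels.  Adequate for the
    .com hosts here; a real implementation would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def analyse(raw_message, connecting_ip):
    """Run the gateway checks: SPF on the Return-Path domain, relaxed
    alignment between Return-Path and From, and link domains versus From."""
    msg = message_from_string(raw_message)
    rp_domain = domain_of(msg.get("Return-Path", ""))
    from_domain = domain_of(msg.get("From", ""))
    link_hosts = sorted(set(URL_RE.findall(msg.get_payload())))
    suspicious = [h for h in link_hosts
                  if registrable_domain(h) != registrable_domain(from_domain)]
    return {
        "spf": spf_check(rp_domain, connecting_ip),
        "return_path_domain": rp_domain,
        "from_domain": from_domain,
        "aligned": registrable_domain(rp_domain) == registrable_domain(from_domain),
        "suspicious_links": suspicious,
    }


if __name__ == "__main__":
    import json
    # The connecting IP would come from the receiving MTA's Received header.
    print(json.dumps(analyse(SAMPLE_EMAIL, "149.72.171.199"), indent=2))
```

The SPF result is "pass" and the From and Return-Path domains align, so neither check distinguishes this message from genuine Stretto mail sent through the same provider; only the link-domain comparison catches it. The lesson for claimants and defenders alike is to treat the destination of the link, not the authentication result, as the deciding signal.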

The campaign is also reaching people outside its intended audience: some recipients report receiving the emails despite never having held a Celsius account or filed a claim. This suggests the attackers are working from older contact lists, possibly taken from previously compromised crypto marketing accounts.

This latest phishing scam is a reminder that all Celsius claimants should be vigilant about the emails they receive, especially those that appear to come from the bankrupt lender or its claims agent. Claimants should treat unsolicited messages with caution, check that any link actually leads to the claims agent's real domain, and never connect a wallet in response to an email; doing otherwise hands attackers the means to steal valuable assets and data.
