
Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

Medium
Published: Tue Sep 30 2025 (09/30/2025, 18:11:35 UTC)
Source: AlienVault OTX General

Description

An analysis of robots.txt files revealed more than 60 cryptocurrency phishing pages impersonating the hardware wallet brands Trezor and Ledger. The operator listed the endpoints of phishing-reporting sites under Disallow in robots.txt, apparently hoping to keep those services away. Since robots.txt is an advisory crawl hint that only cooperating crawlers consult, and its rules apply only to paths on the serving host, the attempt had no effect beyond making the sites easier to cluster. Most sites were hosted on Cloudflare Pages, with a few on custom domains. The same unusual robots.txt pattern was also found in GitHub repositories containing crypto-themed spoof pages, and merge-conflict markers left in README files suggest the actor lacks web development experience. Similar spoofed pages were deployed on various free web hosting providers. The campaign shows the continued targeting of cryptocurrency users and that even poorly executed phishing can succeed.

AI-Powered Analysis

Last updated: 09/30/2025, 19:48:53 UTC

Technical Analysis

This campaign comprises more than 60 phishing sites impersonating the hardware wallet vendors Trezor and Ledger. The pages aim to get users to type in exactly the material a hardware wallet exists to keep off the computer: recovery seed phrases, PINs, or account credentials. A device's secure element is irrelevant once the owner has copied the seed into a web form, which is why these lures work against hardware-wallet users at all. Most pages were hosted on Cloudflare Pages, a static site hosting service; a few used custom domains.

The unusual feature of the campaign is its robots.txt. The operator listed the endpoints of phishing-reporting and scanning services under Disallow, apparently hoping to keep them away. That misreads the Robots Exclusion Protocol: robots.txt is an advisory crawl hint that only cooperating crawlers consult, a Disallow value is a path prefix on the host serving the file rather than a URL on someone else's, and abuse and security scanners generally do not honour it in any case. Worse for the actor, the odd file is a fingerprint: it is what allowed the sites to be clustered in the first place. The same pattern appears in GitHub repositories holding crypto-themed spoof pages, so the actor is probably reusing a template, and unresolved merge-conflict markers in README files suggest limited web development experience. Further copies were deployed on several free web hosting providers, which broadens reach and spreads takedown work across more providers.

The campaign illustrates the persistent targeting of cryptocurrency users, and of hardware-wallet owners in particular, whose holdings are attractive precisely because they are meant to be well protected. Poor operational security and technical errors do not make the lures harmless; a credible-looking seed-entry page can still succeed against an inexperienced or hurried user. The pulse is tagged with MITRE ATT&CK T1566 (Phishing) and T1204 (User Execution), among others. Note that the T1192 tag refers to Spearphishing Link, a retired technique now folded into T1566.002; it is not a credential-access technique, although credential and seed theft is the goal of the campaign.
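The following is an added example, not code from the Censys report or the OTX pulse. It shows the two halves of the robots.txt point above: a crawler that honours robots.txt still fetches every phishing page because a Disallow naming another host matches nothing, and the very presence of such lines is a hunting signature. The robots.txt content and all hostnames in it are constructed placeholders, not indicators from the report.

```python
"""Added example (not from the Censys report or the OTX pulse): why a
robots.txt cannot keep investigators out, and how an odd robots.txt turns
into a hunting signature.

The robots.txt below is constructed for illustration; every hostname in it
is a placeholder, not an indicator from the report.
"""
from urllib import robotparser
from urllib.parse import urlparse

# Constructed robots.txt modelled on the behaviour described in the report:
# the author lists third-party reporting and scanning endpoints under
# Disallow, as if that could keep those services away from the site.
SUSPICIOUS_ROBOTS_TXT = """\
User-agent: *
Disallow: https://phish-report.example/report
Disallow: https://scanner.example/submit
Disallow: /admin
"""

# An ordinary robots.txt for comparison: site-local path prefixes only.
BENIGN_ROBOTS_TXT = """\
User-agent: *
Disallow: /private
"""


def compliant_crawler_may_fetch(robots_txt, user_agent, url):
    """What a crawler that HONOURS robots.txt concludes for `url`.

    Anything that does not honour it (abuse scanners, an analyst with curl)
    simply fetches the page; robots.txt is advice, not access control.
    """
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


def foreign_disallow_hosts(robots_txt):
    """Hostnames named in Disallow lines that are absolute URLs.

    A Disallow value is matched as a path prefix on the host serving the
    file (RFC 9309), so an absolute URL to another host never matches any
    request.  Its presence is a pure fingerprint of the author, the kind of
    oddity a hunter can pivot on across a scan corpus.
    """
    hosts = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "disallow":
            continue
        parsed = urlparse(value.strip())
        if parsed.scheme and parsed.netloc:          # absolute URL, not a path
            hosts.append(parsed.netloc.lower())
    return hosts


def is_hunt_candidate(robots_txt):
    """True when the file names at least one foreign host under Disallow."""
    return bool(foreign_disallow_hosts(robots_txt))


if __name__ == "__main__":
    site = "https://wallet-spoof.example"            # placeholder host
    print(compliant_crawler_may_fetch(SUSPICIOUS_ROBOTS_TXT, "PhishReportBot", site + "/start"))
    print(compliant_crawler_may_fetch(SUSPICIOUS_ROBOTS_TXT, "*", site + "/admin/panel"))
    print(foreign_disallow_hosts(SUSPICIOUS_ROBOTS_TXT))
    print(is_hunt_candidate(BENIGN_ROBOTS_TXT))
```

Run over a corpus of fetched robots.txt bodies, `foreign_disallow_hosts` is the pivot: group sites by the set of foreign hosts they name and the clusters fall out, which is the same kind of signal the report's analysis started from.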

Potential Impact

For European organizations involved in cryptocurrency trading, investment, or custody, the campaign is a material risk: employees or customers who use Trezor or Ledger devices can be lured into surrendering a recovery seed, after which the attacker can drain the wallet from anywhere, with no way to reverse the transfer. Financial institutions, crypto exchanges, and fintech companies face reputational damage when their users fall victim, and security teams face a higher volume of phishing incidents to triage. Hosting on Cloudflare Pages and free hosting services means takedowns go through several providers, which can prolong exposure. Given cryptocurrency adoption in Europe, the campaign can cause financial losses for individuals and businesses, undermine trust in the hardware wallet brands, and draw regulatory scrutiny to crypto-related services. Because the campaign relies entirely on social engineering, well-secured organizations remain exposed if their users cannot recognize a seed-phrase phishing page.

Mitigation Recommendations

European organizations should run targeted awareness training on cryptocurrency and hardware-wallet phishing, with one rule at its centre: a recovery seed is entered only on the wallet device itself, never into a web page, desktop application, or support chat, and neither Trezor nor Ledger will ever ask for it. Security teams should monitor for domains and hostnames resembling the wallet brands, including *.pages.dev projects on Cloudflare Pages and sites on free hosting platforms, and report them to the hosting provider and registrar to speed takedown. Deploy email filtering and web gateway controls that block phishing URLs, including newly registered or otherwise suspicious domains. Users should verify URLs carefully and use the official wallet applications or browser extensions rather than web interfaces reached from search results or links. Multi-factor authentication (MFA) should be enforced on exchange and other cryptocurrency-related accounts; note that MFA protects logins, not a seed phrase handed over in a form, so it does not substitute for the rule above. Security researchers and incident response teams should share new phishing domains and tactics through trusted threat intelligence platforms to improve detection, and organizations should consider domain monitoring services to catch typosquatting and brand impersonation promptly.
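As an added example of the domain-monitoring check recommended above (not code from the report, the pulse, or either wallet vendor), the snippet below scores hostnames against the two brand names the way a monitoring job would over new registrations or certificate-transparency entries. The brand list, the edit-distance threshold and the digit-for-letter table are assumptions chosen for illustration; the only real indicator used is the page's own trozre.com, which plain edit distance misses but a rearranged-letters check catches.

```python
"""Added example (not from the report or the pulse): a lookalike-domain
check of the kind a domain-monitoring job runs over newly registered
domains or certificate-transparency log entries.  The brand list,
threshold and homoglyph table are assumptions chosen for illustration.
"""
BRANDS = ("trezor", "ledger")

# Common digit-for-letter swaps in typosquats (assumed table, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(hostname):
    """Label left of the TLD, e.g. 'trozre' for setup.trozre.com.

    Assumption: single-label public suffixes only; for .co.uk and similar
    use a public-suffix list instead.
    """
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Strip hyphens and undo digit-for-letter substitutions."""
    return label.replace("-", "").translate(HOMOGLYPHS)


def lookalike_reasons(hostname, brands=BRANDS):
    """Why `hostname` looks like an impersonation of one of `brands`.

    Returns an empty list for unrelated names and for a brand's own
    registrable label; a real monitor would also allowlist the brand's
    legitimate domains explicitly.
    """
    label = registrable_label(hostname)
    norm = normalize(label)
    reasons = []
    for brand in brands:
        if label == brand:
            continue
        if norm == brand:
            reasons.append(f"{brand}: hyphen or digit substitution")
        elif brand in norm:
            reasons.append(f"{brand}: brand name embedded")
        elif levenshtein(norm, brand) <= 2:
            reasons.append(f"{brand}: within 2 edits")
        elif sorted(norm) == sorted(brand):
            # Catches the report's own IOC, trozre.com: the letters of
            # 'trezor' rearranged, which is 3 edits away and so escapes
            # the distance check above.
            reasons.append(f"{brand}: same letters rearranged")
    return reasons


if __name__ == "__main__":
    # trozre.com is the page's IOC; the other hostnames are constructed.
    for host in ("setup.trozre.com", "1edger.com", "tr3zor-wallet.net",
                 "ledqer.io", "trezor.io", "example.com"):
        print(host, lookalike_reasons(host))
```

Each check is cheap enough to run on every new name in a feed; what matters is layering them, since a single metric (edit distance alone, keyword containment alone) lets real impersonations such as trozre.com through.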


Technical Details

Author
AlienVault
TLP
white
References
https://censys.com/blog/disallow-security-research-crypto-phishing-sites-failed-attempt-to-block-investigators
Adversary
null
Pulse Id
68dc1d57df2b39428324e2b6
Threat Score
null

Indicators of Compromise

Domain

Type     Value
domain   trozre.com
domain   setup.trozre.com

Threat ID: 68dc34118d3f665f21c9d943

Added to database: 9/30/2025, 7:48:33 PM

Last enriched: 9/30/2025, 7:48:53 PM

Last updated: 9/30/2025, 11:09:26 PM
