SBI Crypto Investment Campaign

Shreshta Threat Research has uncovered a SBI crypto investment campaign targeting cryptocurrency users across Japan, Vietnam, South Korea, China, Thailand, and the United Kingdom.

Executive Summary

SBI Investment Co., Ltd is the core company in the SBI Group’s Investment Business. It is one of the leading venture capital firm in Japan.

Initial domain level indicators suggest a broader operation, leveraging professionally crafted look alike websites impersonating SBI Investment Co., Ltd.

These scams impersonate well-known platforms, leverage scalable systems, and employ sophisticated tactics. As a result, victims suffer financial losses while the platforms themselves face reputational damage.

Signup to our newsletter to receive the latest cyber threats and research.

Key Findings

• Impersonation & Deception – The threat actors imitate trusted exchange platforms and use keywords in domain name that are similar to the targeted company to gain trust.(Figure 1.1)
• Credential & Identity Theft – Extract login credentials and PII such as username, email, passwords and ID front, ID back, ID handheld photos for loan assistance
• Client-Side Exploitation – Hijack wallet transactions in the browser
• Regional Targeting – The main focus of the threat actors is on East Asian countries and the United Kingdom

Figure 1.1 Phishing site impersonate SBI crypto exchange platform

Techniques Used

• The subdomains all share the same hostname (“h5”), and platform keywords such as sbikeno, sbiklo, sbi-hot-online, sbi-root-online sbi-smart-online. In this analysis we use the keywords related to the SBI crypto investment campaign (Figure 1.1, 1.2, 1.3 1.4, 1.5).

• Bare domain access returns “400 Bad Request ” (nginx) to enforce subdomain routing and also uses Fully Qualified Domain Name URL’s to route the traffic (Figure 1.6).

• Brand Impersonation
  
• Spoofed logos placed at the top-left of each homepage (see Figure 1.1, 1.2, 1.3 1.4, 1.5) for recognition and gaining user trust.
  
• Usage of other trusted and branded company logos to show them as partners in DeFi mining to gain users trust to invest in DeFi
  (Figure 1.7)

• Real-time ROI calculators to imitate real exchange platforms
  (Figure 1.8)

• Credential & PII Theft

• Fake login and PII harvest:

• Username, Email addresses & mobile numbers (Figure 1.9, 1.10 and 1.11)
  
• Account passwords
  
• ID document scans (front, back, and handheld ID) (Figure 1.12)

• Wallet Hijacking

• All portals load an externally hosted JavaScript (1.js) on hw[.]rangwodf[.]cc (Figure 1.13)

• On devices running Windows OS, it intercepts BTC/ETH/TRC20 wallet fields for deposit and withdrawal and silently replaces them with attacker-controlled addresses

Code snippet 1 illustrates the behavior on Windows systems, while Code snippet 2 demonstrates the behavior on non-Windows systems.

Windows Users – Code Snippet 1

Non-Windows Users – Code Snippet 2

Deceptive investment schemes

• Victims were shown banners and messages promoting a fake “USDT Smart Contract” investment with:
  • 3% fixed return in 30 days
  • Minimum investment of 10,000 USDT
  • Maximum cap of 5,000,000 USDT
• The investment was positioned as a time limited DeFi staking or mining opportunity.(Figure 1.14)

Figure 1.2 Phishing site-2 imitating crypto exchange platform

Figure 1.3 Phishing site-3 imitating crypto exchange platform

Figure 1.4 Phishing site-4 imitating crypto exchange platform

Figure 1.5 Phishing site-5 imitating crypto exchange platform

Figure 1.6 Access to the main domain returns a 400 Bad Request (nginx)

Figure 1.7 Usage of trusted and branded company logos to show them as partners in DeFi mining.

Figure 1.8 Real-time ROI calculators to imitate real exchange platforms

Figure 1.9 Fake login and PII harvest

Figure 1.10 Fake login and PII harvest

Figure 1.11 Fake login and PII harvest

Figure 1.12 ID document scans (front, back, and handheld ID)

Figure 1.13 Externally hosted JavaScript code

Figure 1.14 The investment positioned as a time-limited DeFi staking or mining opportunity.

Conclusion

• In the SBI crypto investment campaign, our threat research team has detected more than a dozen phishing websites which were deployed using consistent subdomain naming and domain structure.
• Direct access to the root domain triggered 400 Bad Request responses, indicating virtual host enforcement.
• Victims submitted:
  • Email and mobile number
  • Login password and transaction PIN
  • ID photos: front, back, and selfie with ID in hand
• The injected script located wallet fields (BTC, ETH, TRC20) and silently replaced them with attacker-controlled addresses.
• Fake investment terms were displayed through smart contract banners and on-boarding pages, designed to simulate legitimate staking portals.
• An identified Bitcoin (BTC) wallet address, bc1q7fjfm0zay537xwkyd5deeyqjrwmjfhz3mcq2hp, served as a collection point, receiving victim deposits and then transferring funds to other wallets or suspected
• Input Trace: This visualization (Figure 1.15) shows funds flowing into the wallet from diverse victim sources.

Figure 1.15 Input trace

• Output Trace: This visualization (Figure 1.16) shows funds flowing out of the wallet, detailing dispersal patterns.

Figure 1.16 Output Trace

Delivery & Infection Workflow

1. Victim clicks subdomain.domain.tld/# link
2. Site prompts for email → sends Gmail OTP
3. Victim submits credentials, ID photos, wallet address
4. 1.js executes before submission and swaps address (Windows OS only)
5. Funds arrive in attacker’s wallet, withdrawal UI is fake

Fraud Kill Chain Mapping

Stage	Description	Observed TTPs
Delivery	Victim lands on phishing page	subdomain.domain.tld/# URLs
Deception	Fake DeFi UI & referral scheme	“beez” theme, cloned logos
Interaction	Victim submits KYC & wallet data	Email/OTP + credentials + ID photos
Exploitation	Script hijacks deposit	1.js swaps address client-side
Monetization	Crypto redirected to attacker	BTC/TRC20/ETH wallets
Laundering	Off-ramp via mixers/exchanges	Not observed directly

Indicators of Compromise

h5[.]sbi-root-online[.]cc

h5[.]trc20ing[.]com

boczyht[.]com

batbid[.]net

sgxonline[.]vip

bithot[.]cc

h5[.]sbikeno[.]com

h5[.]sbi-smart-online[.]cc

h5[.]sbi-root-online[.]cc.

h5[.]sbi-hot-online[.]cc.

h5[.]sbi-smart-online[.]cc.

h5[.]sbikeno.com[.]

h5[.]sbikol.com[.]

h5[.]trc20ing.com[.]

Javascript hosted domain

hw[.]rangwodf[.]cc

Crypto Wallet Address

User agent windows

usdt-trc-TK3skn7HMmiUg8AKGN8AaV5ewLZ3UDYrWD

eth-0xf57c2E8Ec516a78a3872f1670f5E2E3F9136e80E

btc-bc1q7fjfm0zay537xwkyd5deeyqjrwmjfhz3mcq2hp

usdt-erc-0xf57c2E8Ec516a78a3872f1670f5E2E3F9136e80E

User agent linux

trc-TJ9T3aQMRb7ggxg5i2erpj2W1henkV9dsy

eth-0x79C9D40FF57BfaAbc17419a90F4491C55C9dCD46

erc-0x79C9D40FF57BfaAbc17419a90F4491C55C9dCD46

btc-1C3G2DtchhUwYsr74krQdM1mDPbq2BXkTC

DNS Threat Intelligence feeds

Stay ahead of evolving cyber threats – explore our DNS Threat Intelligence feeds today and protect your digital ecosystem with real-time domain abuse insights.

Further reading

Crypto & Investment scams exploiting the Tesla brand