SBI Crypto Investment Campaign

Shreshta Threat Research has uncovered an SBI crypto investment campaign targeting cryptocurrency users across Japan, Vietnam, South Korea, China, Thailand, and the United Kingdom.

Executive Summary

SBI Investment Co., Ltd is the core company in the SBI Group’s Investment Business. It is one of the leading venture capital firms in Japan.

Initial domain-level indicators suggest a broader operation that leverages professionally crafted look-alike websites impersonating SBI Investment Co., Ltd.

These scams impersonate well-known platforms, leverage scalable systems, and employ sophisticated tactics. As a result, victims suffer financial losses while the platforms themselves face reputational damage.

Key Findings

  • Impersonation & Deception – The threat actors imitate trusted exchange platforms and use keywords in their domain names that resemble the targeted company’s name to gain trust (Figure 1.1)
  • Credential & Identity Theft – Harvest login credentials and PII such as usernames, email addresses, passwords, and ID photos (front, back, and handheld) requested for loan assistance
  • Client-Side Exploitation – Hijack wallet transactions in the browser
  • Regional Targeting – The threat actors focus mainly on East Asian countries and the United Kingdom
Figure 1.1 Phishing site impersonating the SBI crypto exchange platform

Techniques Used

  • The subdomains all share the same hostname label (“h5”), combined with platform keywords such as sbikeno, sbiklo, sbi-hot-online, sbi-root-online and sbi-smart-online. In this analysis we use the keywords related to the SBI crypto investment campaign (Figures 1.1, 1.2, 1.3, 1.4 and 1.5).
  • Bare domain access returns “400 Bad Request” (nginx) to enforce subdomain routing; the sites also use Fully Qualified Domain Name URLs to route traffic (Figure 1.6).
  • Brand Impersonation
    • Spoofed logos placed at the top-left of each homepage (see Figures 1.1, 1.2, 1.3, 1.4 and 1.5) for recognition and to gain user trust.
    • Logos of other trusted, branded companies displayed as partners in DeFi mining, to persuade users to invest in DeFi (Figure 1.7).
    • Real-time ROI calculators that imitate real exchange platforms (Figure 1.8).
  • Credential & PII Theft
    • Fake login and PII harvest of:
      • Usernames, email addresses and mobile numbers (Figures 1.9, 1.10 and 1.11)
      • Account passwords
      • ID document scans (front, back, and handheld ID) (Figure 1.12)
  • Wallet Hijacking
    • All portals load an externally hosted JavaScript file (1.js) from hw[.]rangwodf[.]cc (Figure 1.13).
    • On devices running Windows, the script intercepts the BTC/ETH/TRC20 wallet fields for deposits and withdrawals and silently replaces them with attacker-controlled addresses.
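As an added hunting example (not the report’s own tooling), the following JavaScript scores DNS query names against the naming pattern described above: the fixed “h5” host label, the “sbi” brand keyword and the lure words listed. The sample log lines and the sbi-example name are constructed for the demo; only the pattern comes from this report.

```javascript
// Added example (not from the original report): flag DNS query names that match the
// campaign's naming pattern: a fixed "h5" host label in front of a registrable domain
// that uses the "sbi" brand keyword, optionally with one of the lure words listed in
// the report. The log lines below are constructed for this demo.
const LURE_WORDS = ["keno", "klo", "hot-online", "root-online", "smart-online"];

// Accept defanged input ("h5[.]sbikeno[.]com") and trailing dots ("h5.sbikeno.com.").
function normalizeName(name) {
  return name.toLowerCase().replace(/\[\.\]/g, ".").replace(/\.+$/, "");
}

// Naive split without a public-suffix list: the last label is treated as the TLD and the
// label before it as the registrable name, which is enough for the .cc/.com/.vip names here.
function scoreQueryName(rawName) {
  const labels = normalizeName(rawName).split(".");
  const qname = labels.join(".");
  const reasons = [];
  let score = 0;
  if (labels.length < 3) return { qname, score, reasons };
  const host = labels[0];
  const sld = labels[labels.length - 2];
  if (host === "h5") { score += 1; reasons.push("fixed h5 host label"); }
  if (sld.startsWith("sbi")) { score += 2; reasons.push("sbi brand keyword"); }
  if (LURE_WORDS.some((w) => sld.includes(w))) { score += 1; reasons.push("lure word in domain"); }
  return { qname, score, reasons };
}

// Constructed sample lines in "<timestamp> <client> <qname> <qtype>" form.
const SAMPLE_DNS_LOG = [
  "2025-06-01T10:00:01Z 10.0.0.12 h5.sbi-root-online.cc A",
  "2025-06-01T10:00:02Z 10.0.0.12 www.sbi-example.co.jp A",
  "2025-06-01T10:00:03Z 10.0.0.17 h5[.]sbikeno[.]com A",
  "2025-06-01T10:00:04Z 10.0.0.21 h5.example.org A",
  "2025-06-01T10:00:05Z 10.0.0.21 h5.sbi-smart-online.cc. A",
];

// Returns only the names at or above the threshold, with the reasons that fired.
function huntDnsLog(lines, threshold = 3) {
  return lines
    .map((line) => line.trim().split(/\s+/)[2])
    .filter(Boolean)
    .map(scoreQueryName)
    .filter((r) => r.score >= threshold);
}
```

With the default threshold a name needs the brand keyword plus at least one more signal, so a lone “h5” label on an unrelated domain is not flagged.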

Code snippet 1 illustrates the behavior on Windows systems, while Code snippet 2 demonstrates the behavior on non-Windows systems.

Windows Users – Code Snippet 1

JavaScript code snippet showing behavior on Windows OS

Non-Windows Users – Code Snippet 2

JavaScript code snippet showing behavior on non-Windows OS
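As an added defender-side example (not code from the report or from the phishing kit), this JavaScript shows how a legitimate wallet or exchange front end can detect the address-swap behaviour described above, whichever address the script substitutes: it records what the user typed into each wallet field and refuses the submit when the value leaving the page is a different, well-formed address on the same network. The form field names and the victim-side address (the BIP173 example address) are constructed; the replacement address is the BTC collection address named in this report.

```javascript
// Added example, not code from the report or the phishing kit: a defender-side integrity
// check for the swap technique described above. The constructed form field names and the
// victim-side address are demo values; the replacement address is the one in this report.
const ADDRESS_PATTERNS = {
  btc: /^(bc1[02-9ac-hj-np-z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$/,
  eth: /^0x[0-9a-fA-F]{40}$/,
  trc20: /^T[1-9A-HJ-NP-Za-km-z]{33}$/,
};

// Network an address belongs to, judged by format, or null if the value is not an address.
function classifyAddress(value) {
  for (const [network, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(String(value).trim())) return network;
  }
  return null;
}

// Pure comparison (runs outside a browser too): `typed` holds the last value the user entered
// per field (from input events); `submitted` holds the values about to leave the page.
function findSwappedFields(typed, submitted) {
  const findings = [];
  for (const [field, typedValue] of Object.entries(typed)) {
    const sent = submitted[field];
    if (sent === undefined || sent === typedValue) continue;
    const before = classifyAddress(typedValue);
    const after = classifyAddress(sent);
    // swapped: value changed and both old and new values are addresses on the same network
    findings.push({ field, before, after, swapped: before !== null && before === after });
  }
  return findings;
}

// Browser wiring: remember what the user typed and block the submit when a swap is detected.
function guardWalletForm(form) {
  const typed = {};
  form.addEventListener("input", (e) => { if (e.target.name) typed[e.target.name] = e.target.value; });
  form.addEventListener("submit", (e) => {
    const submitted = Object.fromEntries(new FormData(form).entries());
    if (findSwappedFields(typed, submitted).some((f) => f.swapped)) {
      e.preventDefault();
      console.warn("wallet address changed after user input; submission blocked");
    }
  }, true);
}

// Constructed demo: the victim typed the BIP173 example address; a script replaced it with
// the BTC collection address named in this report before submission.
function demo() {
  const typed = { withdraw_address: "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", amount: "0.5" };
  const submitted = { withdraw_address: "bc1q7fjfm0zay537xwkyd5deeyqjrwmjfhz3mcq2hp", amount: "0.5" };
  return findSwappedFields(typed, submitted);
}
```

The submit listener is registered in the capture phase so it sees the form values before page-level handlers run; the check is format-based only and does not validate checksums.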

Deceptive investment schemes

  • Victims were shown banners and messages promoting a fake “USDT Smart Contract” investment with:
    • 3% fixed return in 30 days
    • Minimum investment of 10,000 USDT
    • Maximum cap of 5,000,000 USDT
  • The investment was positioned as a time-limited DeFi staking or mining opportunity (Figure 1.14).
Figure 1.2 Phishing site 2 imitating a crypto exchange platform

Figure 1.3 Phishing site 3 imitating a crypto exchange platform

Figure 1.4 Phishing site 4 imitating a crypto exchange platform

Figure 1.5 Phishing site 5 imitating a crypto exchange platform

Figure 1.6 Direct access to the main domain returns a 400 Bad Request (nginx)

Figure 1.7 Trusted and branded company logos (Coinbase, MetaMask, etc.) shown as partners in DeFi mining

Figure 1.8 Real-time ROI calculators and graphs imitating real exchange platforms

Figure 1.9 Fake login page used for PII harvest

Figure 1.10 Fake login page used for PII harvest

Figure 1.11 Fake login page used for PII harvest

Figure 1.12 KYC page collecting ID document scans (front, back, and handheld ID)

Figure 1.13 Externally hosted JavaScript code loaded by the phishing site

Figure 1.14 The investment positioned as a time-limited DeFi staking or mining opportunity, with promised returns

Conclusion

  • In the SBI crypto investment campaign, our threat research team detected more than a dozen phishing websites that were deployed using consistent subdomain naming and domain structure.
  • Direct access to the root domain triggered 400 Bad Request responses, indicating virtual host enforcement.
  • Victims submitted:
    • Email and mobile number
    • Login password and transaction PIN
    • ID photos: front, back, and selfie with ID in hand
  • The injected script located wallet fields (BTC, ETH, TRC20) and silently replaced them with attacker-controlled addresses.
  • Fake investment terms were displayed through smart contract banners and on-boarding pages, designed to simulate legitimate staking portals.
  • An identified Bitcoin (BTC) wallet address, bc1q7fjfm0zay537xwkyd5deeyqjrwmjfhz3mcq2hp, served as a collection point, receiving victim deposits and then transferring funds to other wallets or suspected
  • Input Trace: This visualization (Figure 1.15) shows funds flowing into the wallet from diverse victim sources.
Figure 1.15 Input trace of the transactions on the blockchain

  • Output Trace: This visualization (Figure 1.16) shows funds flowing out of the wallet, detailing dispersal patterns.
Figure 1.16 Output trace of the transactions on the blockchain

Delivery & Infection Workflow

1. Victim clicks a subdomain.domain.tld/# link
2. Site prompts for an email address and sends a Gmail OTP
3. Victim submits credentials, ID photos and wallet address
4. 1.js executes before submission and swaps the address (Windows OS only)
5. Funds arrive in the attacker’s wallet; the withdrawal UI is fake

Fraud Kill Chain Mapping

Stage        | Description                        | Observed TTPs
Delivery     | Victim lands on phishing page      | subdomain.domain.tld/# URLs
Deception    | Fake DeFi UI & referral scheme     | “beez” theme, cloned logos
Interaction  | Victim submits KYC & wallet data   | Email/OTP + credentials + ID photos
Exploitation | Script hijacks deposit             | 1.js swaps address client-side
Monetization | Crypto redirected to attacker      | BTC/TRC20/ETH wallets
Laundering   | Off-ramp via mixers/exchanges      | Not observed directly

Indicators of Compromise

JavaScript hosting domain

hw[.]rangwodf[.]cc

Crypto Wallet Addresses

Windows user agent:

usdt-trc-TK3skn7HMmiUg8AKGN8AaV5ewLZ3UDYrWD

eth-0xf57c2E8Ec516a78a3872f1670f5E2E3F9136e80E

btc-bc1q7fjfm0zay537xwkyd5deeyqjrwmjfhz3mcq2hp

usdt-erc-0xf57c2E8Ec516a78a3872f1670f5E2E3F9136e80E

Linux user agent:

trc-TJ9T3aQMRb7ggxg5i2erpj2W1henkV9dsy

eth-0x79C9D40FF57BfaAbc17419a90F4491C55C9dCD46

erc-0x79C9D40FF57BfaAbc17419a90F4491C55C9dCD46

btc-1C3G2DtchhUwYsr74krQdM1mDPbq2BXkTC
