The variety in the malware families delivered to victims may indicate that the campaign operators experiment with various strains to see what works best.

Another portion of these sites targets cryptocurrency wallets and seed phrases, a very profitable activity for threat actors.

For example, BleepingComputer found "ethersmine[.]com", which attempts to steal the visitor's Ethereum wallet seed phrase.



Other sites in the campaign target cryptocurrency holders and digital asset investors by impersonating popular crypto wallets, trading apps, and NFT sites.

Of course, the threat actors use multiple variants of each domain to cover as many mistypes as possible, so these domains are only a small sample of the entire network of domains used in the campaign.

Some browsers like Google Chrome and Microsoft Edge include typosquatting protection. However, in our tests, the browsers did not block any of the domains we tested.

The best way to protect yourself from typosquatting domains is to find the legitimate site by searching for the brand in a search engine.

However, you should avoid clicking on ads shown in search results, as there have been many cases where malicious ads are created to impersonate a real site.