Introduction

As I skimmed through my inbox one morning, an email caught my eye – 115 BTC (roughly ten million dollars) had just been deposited into someone’s wallet, and I had “accidentally” received a confirmation email containing their customer ID and password.

Obviously fake… but I visited the site anyways out of curiosity, and I realized this wasn’t the usual low-effort crypto scam, as the sloppy email might suggest. Instead, I found a surprisingly polished “crypto bank” complete with login portal, legal pages and even customer support.

Follow me down the rabbit hole that uncovered more than one hundred scam domains belonging to the same unexpectedly sophisticated phishing campaign.

Coinbank.su

Heading over to the website mentioned in the email, I saw a landing page for a “crypto bank” based in the UK. As I said before, compared to the fairly low-effort email, the website was surprisingly well put together – at least in my opinion. All links on the site led somewhere, and they even went through the effort of writing out both a privacy policy and terms of service!

Using the customer ID and password from the email, I was able to sign in as “Mustafa”, and see the following message informing me that I was required to set a new password, as well as enable 2FA:

If I had to guess, I would say the scammers have victims set new passwords in the hope they pick a password that’s already been used elsewhere – like their email, for example, which the attackers already know of. This could explain why the address I received the phishing email from appears to belong to a Chilean library – they may have been one of the victims of this scam.

Once I set a new password, the site asked me for a phone number to receive a one-time password, either by call or SMS.

After entering a phone number, I received a call from a Canadian number (+1 647 257 0064) during which a robotic voice read out a 6-digit OTP, and allowed me to conclude the “2FA setup”.

In my opinion, the scammers are doing this to make the site appear more legitimate – after all, what fake bank requires 2FA? At the same time, however, I’d wager the scammers compile victims’ phone numbers into a list that can be sold or reused for targeted phishing SMSs later.

With the account “secured”, I was presented with a message informing me of an annual fee of 0.0005 BTC (about $46) to cover network expenses, and that “for my convenience” they would not charge it to my existing balance of 115 BTC.

An invoice was generated, with a two-day deadline, and a Bitcoin wallet address to send the money to. Based on the complete lack of activity, my guess is that wallets are automatically generated on a per-victim basis, to make it harder to track where the money goes.

Now, unfortunately I can’t get into specifics here, but as I performed my due diligence, deciding whether or not I can trust this bank enough to send $46 over, I stumbled upon an error-based SQL injection in the website. For such a modern bank, you would think they’d be better than this!

Old news

A bit of googling reveals that this is by no means a new scam. In fact, I was able to find a Reddit post from April 2021 about this, the only difference being the domain – bitmantic.com.

The top comment on that post claims the goal of the scam is to perform a SIM swap attack while you’re [busy] with the withdrawal function. That seemed interesting to me, because when I went through the scam I never saw any option to withdraw anything…

More googling resulted in more references to this scam:

  • August 2021 - A Reddit post about fortcoin.net.
  • September 2021 - A blog post by AhnLab about fortcoin.net.
  • December 2021 - A Reddit post about bitlux.net.
  • January 2022 - A post on StopScamFraud about coinlux.net.
  • January 2022 - A post on Scammer.info about bitlux.net.
  • May 2022 - A blog post by SANS’ ISC about orbitcoin.net.
  • September 2022 - A Reddit post about coinloaf.net.
  • April 2023 - A blog post by PCrisk about horizencoin.net.
  • November 2024 - A blog post by PCrisk about stackscoin.net.
  • January 2025 - A Reddit post about koinetics.com.

Eventually I realized certain victims are provided with the opportunity to legitimately withdraw small amounts (e.g. 0.00001) of Bitcoin, probably to appear even more trustworthy (why would a scam site actually send you BTC after all?).

Furthermore, some victims are given access to actually functioning “customer support” which the scammers, of course, run…

Diving even deeper, I was able to identify more than one hundred domains (full list in appendix) that were used for this exact scam at some point, thirty of which are currently live.

How can all these crypto banks be number one at the same time?

Interestingly, the thirty domains with clones of the site all resolve to Cloudflare IP addresses. This implies the scammers are trying to mask their real infrastructure, and perhaps even make use of Cloudflare’s WAF to block bots/crawlers.

I informed the abuse team at Cloudflare of all the relevant domains, and hopefully these will end up with an ugly warning like the one on invested.su, but domain names are cheap, and so realistically this will only temporarily inconvenience the scammers.

What about the other seventy domains though? At some point in time, they were all used for a clone of the site, but now many of them are for sale, including bitmantic.com – the oldest domain I could find that was used for this scam.

Other domains have been repurposed for different scam techniques, such as this amusing “Windows BSOD” that pdcoin.net redirects to. This suggests that the “crypto bank” is not the only phishing campaign these scammers are running.

Lessons learned

In the end, what stood out most to me wasn’t the polished UI or the functioning 2FA, but the sheer persistence of the operation. This exact scam has rotated through over a hundred domains over the last five years, been written about dozens of times, and yet still exists! One must assume people fall for this, as the scammers couldn’t possibly be bothered otherwise… It just goes to show that phishing doesn’t have to be complicated, just consistent.

Whether or not you should think of people who fall for this as victims is debatable, in my opinion. The whole premise of the scam, after all, is that the victim received an email that was meant to be sent to someone else, and saw the opportunity to steal hundreds of BTC from an unknown third party…

There’s a lesson about greed in here somewhere…

Appendix

List of domains
