Bitcoin Core: A High-Value Target for Cybercriminals
Bitcoin Core, the reference implementation of the Bitcoin protocol, is one of the most trusted open-source projects in the cryptocurrency ecosystem. Its reputation, however, makes it a prime target for phishing campaigns and other cyberattacks designed to exploit unsuspecting users.
Earlier this year, PhishFort identified and neutralized a phishing campaign impersonating the release of Bitcoin Core version 30.0. The attackers used fraudulent domains and spam emails to lure users into downloading malicious software disguised as a legitimate update.
The Phishing Attack: How It Worked
Fake Bitcoin Core Domains
Attackers registered bitcoincore[.]extensionversion[.]org, designed to mimic the official Bitcoin Core site.
The fake site imitated branding, download options, and cryptographic hash links to appear credible.
Bitcoin Core scam
Phishing Email Campaign
To drive traffic, the threat actors launched an email campaign spoofing the Bitcoin Core Team. The messages, sent from bitcoincore@projectfoundation[.]blog, announced a new version of Bitcoin Core and urged recipients to “Download Extension Here.” The phishing emails were professionally formatted, highlighting features such as Taproot support and CoinJoin compatibility, in an attempt to build legitimacy and urgency.
Technical Infrastructure
Behind the scenes, DNS records revealed the phishing infrastructure was registered via Nicenic and hosted within Vercel Infrastructure, while the sender infrastructure relied on Hostinger’s outbound mail services.
PhishFort’s Pro Bono Response
As part of our commitment to protecting open-source communities and the broader crypto ecosystem, PhishFort acted pro bono to dismantle this phishing operation.
Our takedown team coordinated directly with domain registrars and hosting providers, gathering technical evidence to demonstrate abuse. Within hours, the malicious site was taken offline and email delivery infrastructure was disabled, preventing further spread of the campaign.
By intervening quickly, we helped safeguard Bitcoin users from downloading compromised software and ensured the fraudulent domains were neutralized before they could escalate.
Risks to Users
If successful, the campaign could have had devastating consequences for Bitcoin users:
Theft of funds: Malicious software disguised as Bitcoin Core could compromise private keys and drain wallets.
Loss of trust: Attacks on widely respected open-source projects can erode confidence in the broader ecosystem.
Supply chain risk: By targeting a key node implementation, attackers could disrupt participation in the Bitcoin network itself.
Given Bitcoin Core’s critical role, this type of impersonation poses not just a risk to individual users but also to the credibility of the Bitcoin ecosystem as a whole.
Protecting the Open-Source Ecosystem
This case highlights two critical truths:
Open-source decentralized projects are prime targets for impersonation — attackers know that grassroots communities often lack dedicated brand protection resources.
Rapid detection and takedown is essential — phishing domains can cause widespread harm in hours, not days.
At PhishFort , we believe in protecting not just commercial brands, but also the open-source foundations that underpin the internet and digital finance. That’s why we provide pro bono support to projects like Bitcoin Core when the community faces threats beyond their immediate capacity to handle.
How to Protect Yourself
Users are reminded to:
Always download Bitcoin Core only from the official website:https://bitcoincore.org
Verify PGP signatures and SHA256 hashes before installing software.
Treat unsolicited emails with links to downloads as suspicious, even if they appear to come from trusted projects.
Be aware that this campaign is not isolated — attackers are also targeting the broader Bitcoin ecosystem. Recent phishing activity has impersonated:
Bitcoin mining companies such as Riot, Compass Mining, and Bitmain
Bitcoin investment firms, including Fidelity, Bitwise, and Nakamoto
Bitcoin wallets like BitBox, Bitkey, and Sparrow Wallet
Bitcoin Implementation and infrastructure, like Bitcoinknots and Blockstream
If you interact with any of these services, always verify that you are on the official domain and never trust download or investment links received over email.
Final Thoughts
As part of our threat intelligence operations, PhishFort continues to monitor malicious file hashes associated with phishing kits and malware samples. This proactive tracking recently led us to identify activity connected to bitcoincoreapp[.]store & bitcoincore[.]versiondownload[.]org, fraudulent domains distributing malicious downloads under the guise of Bitcoin Core. Thanks to swift action, these sites have now been taken down.
In parallel, our systems continuously monitor newly registered domains that attempt to impersonate Bitcoin Core. Through this process, we uncovered bitcoincore[.]yachts, another deceptive site attempting to mislead users. This domain has also been successfully taken offline, further disrupting the phishing campaign’s infrastructure.
Phishing continues to evolve, and attackers are increasingly professional in their impersonation efforts. But as this case demonstrates, coordinated response and proactive takedowns can neutralize threats before they cause widespread harm.
PhishFort is proud to have supported the Bitcoin Core community in protecting its users and reaffirming the importance of trust in open-source ecosystems.
Take Action: Protect Your Brand from Phishing
Phishing attacks don’t just target open-source projects — they target every organization with digital assets worth protecting.
At PhishFort, we specialize in detecting, disrupting, and taking down phishing campaigns before they can harm your users or reputation.
Get in touch with our team today to learn how we can help secure your brand and protect your community.
