Anatomy of Cryptophishing – Hydro Project

Cross-posted to “” and “BecomeACyberSecurity.Expert”


Logo is stolen from the real Hydro Protocol folks.

I get some interesting emails, and in particular, some interesting phishing emails. Most of them are quite poor, and fairly easy to spot, and the people constructing them don’t go through a lot of effort.

I received one today that was much more interesting — the perpetrators have gone to some effort to make their scam work.

It consists of three parts: the email, the Medium article, and the “Hydro Wallet”. All are fairly convincing. The Hydro Wallet even has an interesting little twist which I’ll detail below.

The first piece is the email:


Page 1 of the email.

Note the “noreply@taxijetci” from address. I received another with the return of “noreply@soul-sister”.


Page 2 of the email.

One thing the phishers did well in this email is to use standard mail tracking software (Mandrill App) which is what you’d normally get in any marketing email, and so my mail programme (MailMate) did not set off any alarms. When links are suspicious and/or don’t go to where they purport to go, Mailmate will highlight the address in red at the bottom of the screen, indicating at the very minimum that the link is suspicious.

Once you click the link, it takes you to a Medium article on the supposed Hydro Protocol:


Page 1 of the “Hydro Protocol” Medium article. Note that it says “blog.hydroproject. co” at the top.

(Yes, I keep open a lot of tabs. This is even just one of five browsers, all of which are similar. I use Tab Suspender so they don’t take up RAM.)


Page 2 of the “Hydro Protocol” Medium article.


Page 3 of the “Hydro Protocol” Medium article.

Note the seeming legitimacy of everything so far. A marketing email like everyone gets dozens of times per days leads to an actual Medium article that in itself is not suspicious. It is ‘legitimately’ posted on Medium – and has 231 “claps” – and you’d have to be really sharp to look for the “project” part in the address bar. Clicking on any of the links except the first two in the numbered list takes you to the legitimate Hydro Protocol Medium site. Click those two links, however, and you’re brought to hydroproject .co.

I was still connected to Zscaler Internet Access when I went there the first time. Zscaler picked up on the security threat:


The TLS isn’t to be trusted.

Disabling Zscaler Internet Access (I wouldn’t have been able to access anything on the site otherwise) so I could probe further is where the fun begins. The site itself is fairly impressive – it uses a modern Web 2.0 feel, contains pictures of the real Hydro Protocol team, links to various things, and overall looks exactly like what you’d expect from a new crypto team creating a new project. (Side note: some existing real projects could learn a thing or two here about how to present a particular technology.) You can give the phishers your email address (I gave a particular one so I can track what spam comes from there in the future):


I used a unique email address (though not the one in the screenshot).

It’s worth noting it asks for an Ethereum address (ostensibly one with Ethereum in it) but you can put in any address. I used one I randomly found on Etherscan for the screenshot (which has no funds) and for the fake registration I used the Ethereum address of a popular exchange.

After you register, you don’t get any confirmation email or attempts to verify that the email is legitimate. That’s another indication the site is shady.

Once in, you’re greeted with a “setup” screen that has two parts:


This is all actually generally good advice.

Note the line: “If you send your private key to someone, they now have full control of your account.”


This is where the trap is set. It’s the list of instructions at this part of the setup that will get people in trouble.

Once you’re into the “Hydro Wallet” you’re presented with a fairly reasonable screen that shows transactions that you’ll recognise if you’d used your own address:


These are legitimate transactions for this address. (This is a contract address, which means they make no attempt to check the address type, but then they wouldn’t.) They’re pulling the information directly from something like Etherscan, so the transactions would be seen by the user and they would recognise them.

Clicking on the “Claim HYD Tokens” is the actual trap:


Note that they give you three handy ways to lose your money!

In the “Claim HYD Tokens” dropdown, you can provide the phishers with your Private Key, your Mnemonic Phrase, or your UTC / JSON file (the latter being more used by web wallets like “My Ether Wallet”). Note that you were forewarned during the ‘set up’ not to actually provide this information!


Choosing this if you want to lose your money with your Private Key.



Choose this if you want to type in your mnemonic phrase to lose your money.


You can also drag & drop to lose your money!

I chose the passphrase method to investigate further. Obviously I wasn’t going to use a legitimate passphrase, but making up twelve random words wasn’t particularly taxing. (Whereas generating a private key or UTC/JSON file would have been more work. 😉 ) They of course have all the popular wallets so when they set it up on the backend, they know exactly which wallet to use to steal your crypto.

After coming up with twelve random words, I typed them in:


Note that you can optionally provide them your password as well!


They start enumerating all the possible addresses associated with that mnemonic – very quickly.

After that, they start scanning for balances – or – and I’d have to use a legitimate passphrase to determine this – they might be zeroing them out – it’s difficult to tell without using something that actually has money in it.


From the screenshot above where it says “Please wait” to this is actually REALLY quick – I had great difficulty getting the “Please Wait” and had to settle for a fullscreen screenshot.

Suffice it to say that if you get this far, your crypto is gone. You’ll not only lose all your Ethereum, you’ll lose every single ERC-20 token that you have as well.

What makes this particularly effective if you’re not paying attention are the following:

  1. The marketing email went to a legitimate email address. It’s one I’ve associated with crypto in the past. Thankfully, since I use a separate email address for literally everything (catchalls are great) I knew not to expect such an email from the organisation that purportedly sent me the email.
  2. The email itself seems like a legitimate email with proper tracking and redirection technology.
  3. It redirects to a seemingly legitimate Medium article first, copying a practise the actual organisation they’re spoofing uses.
  4. The links on that Medium article, when clicked, all lead to the actual project, with the exception of only two.
  5. The phishing site’s initial pages are virtually identical to the real thing, and they use a “.co” address exactly like the real thing – the only difference is “protocol” for the legitimate one and “project” for the phishing site.
  6. When you get into the “Web Wallet” (an experience that would be familiar to crypto noobs) they present you with transactions you would recognise as your own if you use your own address.
  7. The biggest factor is of course greed. There are quite legitimate forks of cryptocurrency technology, as well as legitimate airdrops. They position this as an airdrop (free tokens!) and then tell you in the email it only lasts three days. That preys directly on the fear of missing out – FOMO.

If I’ve time, I’m going to see what happens when you use an address that actually has money in it – how quick that money goes. Obviously I won’t use a lot, but I think it would be interesting to see what the actual process is from this point, and where the money ends up. I’ll also be hopefully working with some folks to try and get this shut down. It’s worth noting the actual Hydro team already knows about it and has a pinned tweet to the top of their Twitter indicating they are never forking anything and that people should be aware of phishing attempts.


The actual Hydro Protocol folks are aware and warning people.

As always, please take care on the internet. Crypto forks and airdrops are common, but one must be careful!

Working on a Second Edition!


I likely won’t change the cover.

Hi Everyone!

I’m currently working on a second edition of “Adventures in Cybersecurity”. I’m going to hopefully make it a little better, as while I think it’s good, I think it could be better, too. It’s been out for nine months already(!) and re-reading it since then has made me think that I could do a couple of things differently, and also add in a bit more in the way of stories relevant to the title.

If you’ve purchased the book, I’ll refund your money if you purchase the second edition. I’ve never been one for charging for different editions of a book – I view them like software in that regard. Unless the product is materially different from the original, then I think you should get upgrades for free. 🙂

On Becoming a CISSP


Picture from

(Note: I in no way received any compensation and no one has influenced me in creating this post. It is purely of my own desire and design.)

A CISSP is a Certified Information Systems Security Professional, and is essentially the “gold standard” of information security certifications, as well as one of the longest-standing.

I’ve been a CISSP since October of 2003. That’s almost thirteen years now.

Among hackers/computer security professionals, particularly ones who think they’re better than everyone else (and to be fair, some of them really are when it comes to computer security) the CISSP is seen as a “paper certification” that just about anyone can get. While it’s not impossible to get, I don’t think it’s nearly as easy to obtain as they might suggest, and to some extent I think that some people in those circles are covering up for the fact that they were too afraid to try to qualify. Regardless of the psychology of my peer group, I believe the certification has merit, which is both why I got it, and why I maintain it.

An illustration of that point is how employers treat it. It’s difficult to get a job in Information Security without some kind of certification, and the CISSP always works for that qualification. That’s not to say that you can’t get that same job without it; if you are a cyberninja and you can prove it, you can certainly pass on merit. However, you might have some difficulty making it past the HR screening software, which will likely have automatically eliminated your resume for not having included it in the first place.

Anecdotally, my obtaining the CISSP made a very big difference in my career, as you’ve likely read in my book. (You have, haven’t you? 😉 ) Having already been doing security work at what was Corsis at the time (later I had fulfilled the work requirement of the CISSP (then three years and a college degree; now it’s four years and a college degree) so it made sense to me that I should try for it, since Information Security is what I wanted to be doing. I started researching, and found that it was indeed difficult, and that I needed to prepare.

As I outlined in the chapter “Data Center Nightmares” it was a bit arduous to get the certification, requiring quite a bit of study, and a class. The class cost $3500 (not including airfare, but including hotel & breakfast each day) and took place in Fort Lauderdale, Florida. I actually took out an education loan from Key Bank ($KEYW) for the $3500 at the time, given that it was a class and that I’d spent my other $3500 from the tax return previously on the Computer Forensics class that I took.

It was a good investment. The payoff when I switched to my job at Capital IQ was an immediate increase in salary by more than $30,000 per year. That’s an immediate 8.57x return on my money (to say nothing of the lifelong value of that increase & subsequent ones) and I paid off the education loan well before it was due, thereby also increasing my credit score.

So while some people may say that a CISSP is not worth it, I tend to think it is. It will get you past gatekeepers – automated or otherwise, and proves to employers that you have a broad understanding of Information Security. You will still have to prove yourself at any job, but less of it will be upfront while attempting to get it. It ensures to employers that you have a level of competency, and more importantly, since you have to take an oath to actually obtain the certification, that you are trustworthy. Yes, some 1337 h4ck3rs may have levels of skills that are higher than some people with the CISSP, but there are other factors to consider, and those other factors play an important role and make the CISSP the prominent security certification that it is today.

Print Version Published!

Hi Everyone,

The print version of “Adventures in Cybersecurity” is now available! It’s $9.99, which is the lowest Amazon will allow me to price it. I’ll have a few of them myself, and carry copies to sign if anyone is interested. (Also, the copies I’ll sign will be free, so there’s that.)

I also have an official Amazon Author page now:


Those of you connected to me on Linked In may recognise the profile. 😉

The print book is listed as being sold used and new for multiple sellers, but I’m not sure how that could be possible since no one’s bought any quite yet. Nonetheless, if you check out the page for the print version of the book, you can actually get it cheaper than for what it retails at new. Or like I said, you can get a free copy from me, even signed, if you’re ever in the same place (or nearby) that I am.

Forums Are Now Live!

The forums for the site are now live. You can click the “Forums” button at the top of the page to discuss the book, your own adventures in cybersecurity, or just adventures in IT. I’m looking forward to hearing more about the things others have experienced, and am happy to answer questions about the book as well!

Kindle Fire HD 7

Kindle Fire HD 7 Giveaway!

Kindle Fire HD 7

To celebrate the release of my first book on Amazon, I’m giving away a Kindle Fire HD 7! All you have to do to enter the drawing is show that you’ve purchased the book and left a review. The Kindle is a Fire HD 7 in white, with 8GB storage, Wifi, and with the special offers. It retails for $139 in the US.

The proof for entry can be a screenshot of the purchase and review on Amazon, or a forward of the receipt email with the review username to me. Forward all proof to:

I’ll be picking a winner at the end of August (the 31st to be precise) beginning of November (for any entries received prior to the 31st of October) and the winner will be notified by email in the first week of September November. The entry is open to customers in all countries, excepting those embargoed by the US.

If you have any questions, please feel free to reach out at the email above as well.

Good luck!

(Edits on 26 July extending the contest.)

Adventures in Cybersecurity is Published!


It’s official! I am a published author. Adventures in Cybersecurity has been published on Amazon. (Click the link to head to Amazon & get it!) I chose to use Kindle Direct Publishing (KDP) and to make the book available exclusively through Amazon.

The price is currently set at $3.99 (USD) which is what Amazon suggested, but if you have Kindle Unlimited you can read it for free.

I’m planning to give away a Kindle Fire HD 7 to one lucky purchaser of the book. Simply take a screenshot of your receipt or forward the email showing your purchase to tom@adventuresincybersecurity to be entered into the drawing! The winner will be chosen at the end of August, and notified by email.