Cybercriminals are exploiting the collapse of Silicon Valley Bank (SVB), once the go-to financial institution for early-stage technology companies and startups. In this blog post, we discuss some of the tactics and techniques that Netcraft has already detected being used by criminals to exploit the SVB crash, either directly or indirectly as a lure.
As the flurry of COVID-related attacks has shown, cybercriminals waste no time exploiting the attention such stories generate. Criminals often exploit current news or specific times of the year (such as tax returns) to make their scam seem more relevant to victims. They will also use the fear of missing out, hoping to trick victims into responding quickly.
New SVB-themed websites abound – criminal and otherwise
Since the news of the SVB collapse was announced, Netcraft has detected and blocked several SVB-related attacks on our malicious site sources:
svb-usdc[.]network and svb-usdc[.]com were scam sites, posing as the legitimate SVB website and claiming to offer “direct payment” of USDC cryptocurrency. USDC is a stablecoin run by a consortium including Circle and Coinbase that aims to track the US dollar and was affected by the SVB collapse. It lost its fictitious 1:1 peg against the dollar on March 11, falling to 87¢, after announcing that it had $3.3 billion tied up in SVB bank accounts. Since then it has recovered its parity and is operating normally.
svb.meta-shops[.]xyz is a fraudulent Web3 site that will empty a user’s wallet if they allow the connection. It uses minimal SVB branding (the logo on the jersey), but nonetheless claims to be SVB (“after 40 years of banking”) and offers a “Free Silicon Valley Bankers NFT for every NFT you own” (NFT = non-fungible token). Based on our initial investigations, this site posts updates to Discord as a wallet is connected via WalletConnect and its contents are transferred, and it has handling for various NFTs (including specific handling for CryptoPunks).
We have also detected a number of sites using opportunistic domain names such as wefundsvbclients[.]com and help from siliconvalleybank[.]com. These sites do not pose as SVB, but instead claim to be a company called ‘All Day Capital Partners’ (alldaycapitalpartners[.]com), offering to “help all SVB customers”. This company has recently registered these domains, probably with the intention of capitalizing on SVB’s notoriety.
svbdao[.]xyz claims to be a Decentralized Autonomous Organization (a member-run organization controlled via a blockchain) created “to invest in Silicon Valley Bank (SVB) as part of a syndicate to make it private.” As with many new cryptocurrency projects, it is sometimes difficult to distinguish between good intentions and scams. However, the latest update on its Twitter account indicates that the members voted to disband following the FDIC’s announcement that all funds will be recovered.
cash4svb[.]com offers to buy claims from companies affected by the SVB news and “will pay 65-85% of the value of the claim.” The page claims that it is not affiliated with Silicon Valley Bank and that they are “a private investment group based in Stanford, California.” Following the FDIC’s announcement, they posted an update on the page that they will “reverse any purchases made and discontinue any future offers.”
great patriots[.]com is not impersonating SVB directly, but is taking advantage of the news to promote “Trump TRB Checks… …Former President Trump predicted Silicon Valley Bank, now he is giving everyone a chance to protect themselves from the very looming disaster soon”. ‘Trump TRB Checks’ are billed as souvenirs. This website specifically states that these checks have a monetary value and can be deposited into any bank account. Like other cryptocurrency investment scams, the page makes use of the illusion of celebrity endorsement: in this case, a fake video of Donald Trump endorsing these checks.
Regarding social networks:
twitter[.]com/svb_support, which was created in February 2023, claims to be “official support” for SVB bank. twitter[.]com/silliconvalleiy (note the spelling), which joined in May 2021, is an account with 272 followers that is clearly posing as SVB and claiming to give away cryptocurrency.
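The domains and handles above reuse the brand either as the acronym, as the full name, or as a misspelling of it. The following is an added example, not Netcraft's tooling, of a brand-watch matcher that a defender could run over a feed of newly seen domains or profile URLs; the function names, the substring rule for "svb" and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re

ACRONYM = "svb"              # short brand token, matched as a substring
PHRASE = "siliconvalley"     # long brand string, matched exactly or fuzzily

def refang(indicator):
    """Undo '[.]' defanging and lower-case the indicator."""
    return indicator.replace("[.]", ".").strip().lower().rstrip("/")

def edit_distance(a, b):
    """Levenshtein distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_contains(text, phrase, max_dist=2):
    """True if some window of text is within max_dist edits of phrase."""
    for width in range(len(phrase) - max_dist, len(phrase) + max_dist + 1):
        for start in range(len(text) - width + 1):
            if edit_distance(text[start:start + width], phrase) <= max_dist:
                return True
    return False

def classify(indicator):
    """Return 'phrase', 'acronym', 'lookalike' or None for a domain or profile URL."""
    host, _, path = refang(indicator).partition("/")
    # Profile URL: inspect the handle. Domain: inspect every label except the TLD.
    name = path.rsplit("/", 1)[-1] if path else host.rsplit(".", 1)[0]
    squashed = re.sub(r"[^a-z0-9]", "", name)
    if PHRASE in squashed:
        return "phrase"
    if ACRONYM in squashed:
        return "acronym"
    if fuzzy_contains(squashed, PHRASE):
        return "lookalike"
    return None

# Indicators quoted in the post above, in their defanged form.
SAMPLES = ["svb-usdc[.]network", "wefundsvbclients[.]com", "svbdao[.]xyz",
           "cash4svb[.]com", "twitter[.]com/svb_support",
           "twitter[.]com/silliconvalleiy", "alldaycapitalpartners[.]com"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:32} {classify(s)}")
```

alldaycapitalpartners[.]com comes back as None: name matching only catches lures that put the brand in the hostname or handle, so sites that mention SVB only in page content still need content-based detection.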
What can we expect to see next?
We are mainly seeing communications from various companies, assuring their customers that they are not affected by the SVB incident. However, we expect that cybercriminals, posing as legitimate companies, will start sending out phishing emails urging customers to “update your billing information” to avoid being affected by the SVB event. The details of the new account will (of course) be controlled by the cybercriminal.
How can Netcraft help?
Netcraft is the world leader in cybercrime detection, disruption, and removal, and has been protecting businesses online since 1996. We scan millions of suspected malicious sites every day, typically blocking an attack within minutes of being launched.
Netcraft provides cybercrime detection, disruption, and suppression services to organizations around the world, including 12 of the top 50 global banks. We take down around a third of the world’s phishing attacks, and take down over 90 types of attacks at a rate of 1 attack every 15 seconds.
The Netcraft browser extension and mobile apps block fraudulent sites, such as those exploiting news about the disappearance of SVB. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activity.