Kaspersky said it has detected a wave of phishing attacks targeting former customers of the bankrupt crypto lending platform BlockFi, exploiting the ongoing distribution of customer assets to steal cryptocurrency.
The scams are linked to BlockFi’s bankruptcy process. BlockFi, once a major provider of high-yield interest accounts and crypto-backed loans, filed for bankruptcy in November 2022 and began disbursing repayments to affected clients in 2024 as part of its restructuring plan.
According to Kaspersky, attackers are sending fraudulent emails that closely mimic BlockFi’s official branding. The messages invite recipients to “claim the payment” they are “entitled to” following the bankruptcy. Users who click on the embedded links are redirected to phishing pages that prompt them to “connect their wallet.”
The attackers then instruct victims to import their existing cryptocurrency wallet by entering their secret recovery phrase. Providing this information gives the attackers direct access to the wallet, potentially allowing them to drain funds.
“Phishing attacks like this are widespread, capitalising on real-world events to build trust and urgency. Victims who fall for these scams risk exposing their crypto wallets to theft,” said Roman Dedenok, an anti-spam expert at Kaspersky. He added that users should verify communications through official channels and carefully check the sender’s email address for legitimacy.
Kaspersky said the phishing emails use convincing logos, color schemes and language, making them difficult to identify at first glance.
To reduce the risk of falling victim, the cybersecurity firm advised users not to click on links or respond to unsolicited emails, and to never share banking credentials, wallet seed phrases or private keys through email or online forms. It also recommended enabling two-factor authentication on financial accounts and using security software and password managers to protect sensitive information.