Protecting Your Crypto: How Quad9 Safeguards You from Crypto Exploits

To protect our users, Quad9 blocks DNS lookups of malicious host names from an up-to-the-minute list of threats. This blocking action protects your computer, mobile device, or IoT systems against a wide range of threats, such as malware, phishing, spyware, and botnets, and it can improve performance and privacy. In this blog post, we want to cover the crypto-related threats that we protect our users from.
On a daily basis, Quad9 leverages an extensive number of threat intelligence feeds to identify and block malicious domains associated with cryptocurrency scams, phishing sites designed to steal crypto credentials, and domains distributing crypto-mining malware or other crypto-related exploits. Quad9 currently integrates threat intelligence from over 25 diverse partners, including three specializing in crypto threats, with the remaining partners contributing broader cybersecurity insights that, while not exclusively focused on cryptocurrency, significantly enhance our overall defense against the various attack vectors also employed in the crypto landscape.
These attacks primarily aim to steal digital assets or illicitly exploit computing resources:
- Cryptocurrency scams often involve deceptive investment schemes promising unrealistic returns, fake giveaways, or “rug pulls” where developers abandon a project after raising funds, leaving investors with worthless tokens. These scams work by leveraging social engineering tactics, exploiting the hype around crypto, and pressuring users into making quick decisions, leading to significant financial losses as users transfer their funds to the scammers’ controlled wallets or platforms.
- Phishing sites designed to steal crypto credentials mimic legitimate cryptocurrency exchanges, wallet providers, or decentralised applications (dApps) with astonishing accuracy. They typically employ fake URLs, emails, or messages to trick users into entering their private keys, seed phrases, or login credentials, which the attackers then immediately capture to gain unauthorised access to the user’s actual crypto wallets and drain their funds.
- Domains distributing crypto-mining malware or other crypto-related exploits engage in “cryptojacking” or other forms of digital theft. Cryptojacking malware, once installed on a user’s device (often through malicious links, infected downloads, or compromised websites), silently harnesses the device’s processing power (CPU/GPU) to mine cryptocurrency for the attacker without the user’s consent.
In past months and years, we saw large volumes of queries to the domain attributed to ViperSoftX, a Remote Access Trojan (RAT). This malware can steal cryptocurrency wallet addresses and password information stored in browsers and password managers. It is often distributed through the download of cracked software from suspicious domains, torrent downloads, and key generators (keygens) from third-party sites. It remains one of the top threats that we observe at Quad9 and protect our users from. We also see that malicious mining is still popular among cybercriminals. Among the top domains blocked for Quad9 users in past years was a domain attributed to the XMRig malware.
On any given day, Quad9 is working to protect its users from the evolving landscape of cyber threats, including those targeting the cryptocurrency space. We observe millions of attempts to connect to malicious crypto-related domains, with more than 73M queries blocked to the top 10 most visited crypto-related domains alone.
These attacks are primarily attributed to categories such as Mainnet-related scams, designed to trick users into sending funds to fraudulent addresses on major blockchain networks; Cryptojacking, where unsuspecting users’ devices are commandeered to mine cryptocurrency without their consent; and, specifically, scams related to emerging ecosystems like Arbitrum and Sepolia, highlighting the attackers’ agility in targeting new opportunities within the crypto world. The ability of Quad9 to block these malicious DNS requests at the very first step of connection is critical, preventing users from ever reaching these dangerous sites and falling victim to financial loss or system compromise.
In the dynamic world of cryptocurrency, the work of services like Quad9 and our partners is more critical than ever. In just one day, Quad9 blocks tens of millions of query attempts to crypto-related malicious domains. This blocking at the DNS level means that long before a malicious site can load or a deceptive pop-up can appear, the threat has already been neutralised. Thanks to Quad9 and our threat intelligence partners, our users can engage with cryptocurrencies with greater peace of mind.
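How a client or log pipeline can tell a filtered lookup from a name that simply does not exist, as an added example that is not Quad9's code. It assumes a blocked name is answered with NXDOMAIN and an empty authority section, while a genuinely nonexistent name carries an SOA record there; the host names and response messages are constructed for the demo.

```python
import struct

RCODE_NXDOMAIN = 3

def encode_name(name):
    """Encode a host name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(name, rcode, answers=0, with_soa=False):
    """Build a constructed response message (sample data, not captured traffic)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, int(with_soa), 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    for _ in range(answers):
        # Pointer to the question name, TYPE=A, CLASS=IN, TTL=60, 4-byte address
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    if with_soa:
        # SOA owned by the root: root MNAME and RNAME, then five 32-bit counters
        rdata = b"\x00\x00" + struct.pack("!IIIII", 1, 3600, 600, 86400, 60)
        msg += b"\x00" + struct.pack("!HHIH", 6, 1, 60, len(rdata)) + rdata
    return msg

def classify(response):
    """Classify a DNS response from its 12-byte header alone.

    Assumption (labelled): NXDOMAIN with no authority records means the
    resolver filtered the name; NXDOMAIN with an SOA means it does not exist.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "blocked-by-filter" if nscount == 0 else "nonexistent"
    if rcode == 0:
        return "resolved" if ancount else "no-data"
    return "error-rcode-%d" % rcode

if __name__ == "__main__":
    print(classify(build_response("wallet-login.example", RCODE_NXDOMAIN)))
    print(classify(build_response("no-such-host.example", RCODE_NXDOMAIN, with_soa=True)))
    print(classify(build_response("www.example", 0, answers=1)))
```

Counting the "blocked-by-filter" results per client in resolver logs shows which devices keep requesting filtered names and may need investigation.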
About Quad9
Quad9 is a nonprofit foundation based in Switzerland that provides free cybersecurity services to the emerging world via secure and private DNS lookup. Quad9 operates more than 240 locations across more than 115 nations, blocking hundreds of millions of malware, phishing, and spyware events daily for an estimated 100+ million end users. Quad9 reduces harm in vulnerable regions, increases privacy globally against criminal or institutionalized interception of Internet data, and improves performance in under-served areas. For more information, please visit https://www.quad9.net/.