The collapse of Silicon Valley Bank (SVB), once the go-to financial institution for early-stage technology businesses and startups, is being exploited by cybercriminals. In this blog post, we discuss some of the tactics and techniques Netcraft has already detected criminals using to exploit SVB’s collapse – either directly or indirectly – as a lure.
As the flurry of COVID-themed attacks proved, cybercriminals waste no time in exploiting the attention such stories generate. Criminals often exploit current news stories or specific times of year (like tax reporting) to make their scams seem more relevant to victims. They’ll also use the fear of missing out, hoping to trick victims into responding quickly.
New SVB-themed websites abound – criminal and otherwise
Since news of SVB’s collapse was announced, Netcraft has detected and blocked several SVB-related attacks in our malicious site feeds:
svb-usdc[.]net and svb-usdc[.]com were both fraudulent sites, impersonating the legitimate SVB website and claiming to offer a “direct payout” of the USDC cryptocurrency. USDC is a stablecoin managed by a consortium including Circle and Coinbase which aims to track the US dollar and was itself impacted by SVB’s collapse. It lost its notional 1:1 peg against the dollar on the 11th March, dipping to 87¢, after it announced it had $3.3B tied up in SVB bank accounts. It has since recovered its peg and is operating normally.
svb.meta-shops[.]xyz is a fraudulent Web3 site which will drain a user’s wallet if they authorize the connection. It uses minimal SVB branding (the logo on the t-shirt), but nonetheless claims to be SVB (“after 40 years of banking”) and offers a “free Silicon Valley Bankers NFT for each NFT you hold” (NFT = non-fungible token). Based on our initial investigations, this site posts updates to Discord when a wallet is connected through WalletConnect and as its contents are transferred, and it has handling for various NFTs (including specific handling for CryptoPunks).
We’ve also detected a series of sites using opportunistic domain names such as wefundsvbclients[.]com and siliconvalleybankhelp[.]com. These sites do not impersonate SVB, but claim to be a company called ‘All Day Capital Partners’ (alldaycapitalpartners[.]com), offering to “assist all SVB customers”. This company has registered these domains recently, likely with the intention of capitalizing on SVB’s notoriety.
svbdao[.]xyz claims to be a Decentralised Autonomous Organization (a member-run organization controlled using a blockchain) set up “to invest in Silicon Valley Bank (SVB) as part of a syndicate to take it private.” As with many new cryptocurrency projects, it is sometimes difficult to distinguish between good intentions and scams. However, the latest update on its Twitter account states that members have voted to disband following the FDIC announcement that all funds will be made whole.
cash4svb[.]com offers to buy claims from companies affected by the SVB news and will “pay out 65%-85% of the claim value”. The page states it is not affiliated with Silicon Valley Bank and that they are “a private investment group based out of Stanford, California”. Following the FDIC announcement, they have posted an update on the page that they will be “reversing any purchases made and suspending offers going forward”.
bigpatriots[.]com does not impersonate SVB directly, but is taking advantage of the news to promote “Trump TRB Checks… …Former President Trump predicted Silicon Valley Bank, Now he is giving a chance to everyone to protect from the disaster which is coming very soon”. The ‘Trump TRB Checks’ are billed as pieces of memorabilia. This website makes specific claims that these checks carry a monetary value and can be deposited in any bank account. Like other cryptocurrency investment scams, the page makes use of the illusion of celebrity endorsement. In this case, it is a spoof video of Donald Trump endorsing these checks.
Suspicious social media sites
In terms of social media:
- twitter[.]com/svb_support, joined February 2023, claims to be “official support” for SVB bank.
- twitter[.]com/silliconvalleiy (note the spelling), joined May 2021, is an account with 272 followers clearly impersonating SVB, and claiming to give away cryptocurrency.
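The domain names and account handles above either embed an SVB term or misspell one, and a brand-monitoring triage script can separate the two cases. The following is an added example, not Netcraft's detection code: the watch terms, the edit threshold and the function names are assumptions, and the sample list uses indicators from this post plus one constructed benign entry.

```python
import re

# Watch terms are an assumption of this example, not Netcraft's list.
BRAND_TERMS = ("svb", "siliconvalleybank", "siliconvalley")
MAX_EDITS = 2      # typos tolerated when fuzzy matching
MIN_FUZZY_LEN = 8  # short terms such as "svb" are matched exactly only

def edit_distance(a, b):
    """Levenshtein distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def candidate_name(indicator):
    """Refang an indicator and keep the part the registrant chose: the account
    handle for host/path indicators, otherwise the labels left of the TLD
    (multi-part suffixes such as co.uk are not handled here)."""
    host, _, path = indicator.lower().replace("[.]", ".").partition("/")
    name = path if path else host.rpartition(".")[0]
    return re.sub(r"[^a-z0-9]", "", name)

def classify(indicator):
    """Return ("keyword" | "misspelling", term), or None when nothing matches."""
    name = candidate_name(indicator)
    for term in BRAND_TERMS:
        if term in name:
            return ("keyword", term)
    for term in (t for t in BRAND_TERMS if len(t) >= MIN_FUZZY_LEN):
        for size in range(len(term) - MAX_EDITS, len(term) + MAX_EDITS + 1):
            for start in range(max(1, len(name) - size + 1)):
                if edit_distance(name[start:start + size], term) <= MAX_EDITS:
                    return ("misspelling", term)
    return None

# Indicators as written in this post, plus one constructed benign entry.
SAMPLE = ["svb-usdc[.]net", "wefundsvbclients[.]com", "siliconvalleybankhelp[.]com",
          "twitter[.]com/silliconvalleiy", "bigpatriots[.]com", "example[.]org"]

if __name__ == "__main__":
    for item in SAMPLE:
        print(f"{item:32} {classify(item)}")
```

bigpatriots[.]com is not flagged because its lure is in the page content rather than the name, so name matching complements content inspection and does not replace it. A three-letter term such as svb will also match unrelated names, so hits are leads for analyst review, not verdicts.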
What can we expect to see next?
We are mainly seeing communications from various companies, reassuring their customers that they are not impacted by the SVB incident. However, we expect that cybercriminals, impersonating legitimate companies, will start to send phishing emails urging customers to “update their billing” details to avoid being impacted by the SVB event. The new account details given will (of course) belong to an account controlled by the cybercriminal.
How can Netcraft help?
Netcraft is the world leader in cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We analyze millions of suspected malicious sites each day, typically blocking an attack within minutes of discovery.
Netcraft provides cybercrime detection, disruption and takedown services to organizations worldwide including 12 of the top 50 global banks. We perform takedowns for around one third of the world’s phishing attacks and take down 90+ attack types at a rate of 1 attack every 15 seconds.
The Netcraft browser extension and mobile apps block fraudulent sites, such as those exploiting news of SVB’s demise. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activities.