Discovery of a massive whaling operation
In what cybersecurity experts are calling one of the most sophisticated crypto-targeted phishing campaigns of 2025, threat actors have been systematically impersonating The Big Whale, a prominent French cryptocurrency newsletter, to harvest credentials and sensitive information from high-net-worth crypto investors across Europe and North America.
The campaign, first detected in early June, has already compromised over 3,000 email accounts and potentially exposed millions of dollars in cryptocurrency assets. What makes this attack particularly dangerous is its advanced use of email header manipulation techniques that successfully bypass traditional security measures.
"This isn't your typical phishing attempt. The attackers demonstrate deep knowledge of email authentication protocols and have crafted their messages to pass SPF checks while exploiting DKIM vulnerabilities. It's a masterclass in social engineering combined with technical sophistication."
— Marcus Chen, Chief Security Officer at CryptoDefense Labs
Technical anatomy of the attack
Our investigation revealed a multi-layered approach that combines several attack vectors to maximize success rates. The phishing emails arrive with seemingly legitimate headers that can fool even experienced users.
Email header manipulation techniques observed:
- SPF "bypass" via lookalike domains: Attackers registered domains such as "thebig-whale.io" and "the-bigwhale.com" and published valid SPF records for them, so SPF passes for the attacker-controlled domain rather than for The Big Whale's own domain
- DKIM signature injection: Valid DKIM signatures from compromised mail servers, signed for the sending provider's domain rather than the newsletter's, to pass authentication
- DMARC policy exploitation: Targeting organizations whose DMARC policy is "p=none", which only reports failures and never quarantines or rejects
- Return-path manipulation: Using legitimate-looking return addresses to avoid suspicion
Attack infrastructure:
- Command & Control servers: Located in 7 different countries
- Phishing domains registered: Over 45 typosquatted variations
- Email templates identified: 12 unique variations in 4 languages
- Estimated victims: 3,000+ confirmed, potentially 10,000+ targeted
Deep dive: Email header forensics
Analysis of captured phishing emails reveals sophisticated header manipulation that would pass casual inspection. Here's a breakdown of the techniques employed:
1. SPF record manipulation
The attackers published SPF records for their own domains that pass validation, so the "pass" verdict only confirms that the message came from the infrastructure the attackers authorized:
Received-SPF: pass (google.com: domain of noreply@thebig-whale.io designates 185.156.177.234 as permitted sender)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply@thebig-whale.io designates 185.156.177.234 as permitted sender)
2. DKIM signature analysis
While the legitimate Big Whale uses specific DKIM selectors, the phishing emails carry compromised or fabricated signatures whose signing domain (d=) is the mail provider's, not the newsletter's, so the signature does not align with the From address:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailservice-provider.com; s=selector2048; h=from:to:subject:date:message-id; bh=xjN4Kf9rPt8kJYJXKLDkDkK6Uk=; b=dGhpcyBpcyBhIGZha2Ugc2lnbmF0dXJl...
3. X-Originating-IP exposure
Several phishing emails inadvertently exposed their true origins through X-Originating-IP headers, revealing connections to known cybercriminal infrastructure in Eastern Europe and Southeast Asia.
Impact on the crypto community
The Big Whale newsletter, known for its in-depth crypto market analysis and reaching over 100,000 subscribers, has become an attractive impersonation target for cybercriminals. The phishing campaign specifically targets:
- High-net-worth individuals: Crypto whales holding significant Bitcoin and Ethereum positions
- DeFi protocol users: Targeting wallet connections and seed phrase harvesting
- Institutional investors: Corporate email accounts with access to exchange APIs
- Newsletter subscribers: Exploiting trust in the Big Whale brand
Victims report receiving emails that perfectly mimic The Big Whale's design aesthetic, including their signature navy blue color scheme and minimalist French typography. The emails typically contain urgent calls-to-action related to "exclusive investment opportunities" or "security updates" for crypto portfolios.
Defending against advanced email spoofing
The sophistication of this campaign highlights critical weaknesses in how organizations implement email authentication protocols. Here are essential defense mechanisms:
For organizations:
- Implement strict DMARC policies: Move from "p=none" to "p=quarantine" or "p=reject"
- Regular SPF record audits: Ensure all legitimate sending sources are properly configured
- DKIM key rotation: Implement quarterly key rotation to minimize compromise impact
- Header analysis tools: Deploy automated tools to inspect email headers for anomalies
- User awareness training: Educate users on identifying sophisticated phishing attempts
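As an added defender-side example (not code from the article, The Big Whale, or any vendor named here), the following Python script performs the DMARC-style alignment check an automated header analysis tool would apply to the headers quoted in the forensics section, then tests the From domain for lookalike spelling of the brand domain. The legitimate domain thebigwhale.io is an assumption, and the sample message is constructed from the header fragments quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the newsletter's real sending domain is not given in the article.
LEGIT_DOMAIN = "thebigwhale.io"

# Constructed sample assembled from the header fragments quoted in the article.
SAMPLE = """From: The Big Whale <noreply@thebig-whale.io>
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply@thebig-whale.io designates 185.156.177.234 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailservice-provider.com; s=selector2048; h=from:to:subject:date:message-id; bh=xjN4Kf9rPt8kJYJXKLDkDkK6Uk=; b=dGhpcyBpcyBhIGZha2Ugc2lnbmF0dXJl
Subject: URGENT: Security Update Required for Your Crypto Portfolio

Click here now.
"""

def org_domain(domain):
    """Registrable domain approximated as the last two labels (relaxed alignment)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def normalized_label(domain):
    """Brand label with hyphens and digits removed: thebig-whale.io -> thebigwhale."""
    return re.sub(r"[-\d]", "", org_domain(domain).split(".")[0])

def is_lookalike(domain, legit=LEGIT_DOMAIN):
    """True when the domain is not the legitimate one but spells the same brand."""
    if org_domain(domain) == org_domain(legit):
        return False
    a, b = normalized_label(domain), normalized_label(legit)
    return a == b or b in a or a in b

def analyze(raw):
    """Report SPF/DKIM alignment with the From domain and a lookalike verdict."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"spf=pass[^;]*?domain of \S+@([\w.-]+)", msg.get("Authentication-Results", ""))
    spf_dom = m.group(1) if m else None
    m = re.search(r"\bd=([\w.-]+)", msg.get("DKIM-Signature", ""))
    dkim_dom = m.group(1) if m else None
    spf_aligned = bool(spf_dom) and org_domain(spf_dom) == org_domain(from_dom)
    dkim_aligned = bool(dkim_dom) and org_domain(dkim_dom) == org_domain(from_dom)
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # An attacker-owned domain with its own SPF record passes this check.
        "dmarc_style_pass": spf_aligned or dkim_aligned,
        "lookalike": is_lookalike(from_dom),
    }
```

The sample passes the alignment check because the attackers own thebig-whale.io and its SPF record; only the lookalike test flags it, which is why an authentication "pass" is not a verdict on its own.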
For individual users:
- Verify sender addresses carefully: Look for subtle typosquatting variations
- Check email headers: Use the "Show Original" feature to inspect authentication results, and confirm that the domains shown there are the sender's real domain, not a lookalike
- Never click urgent links: Legitimate services rarely require immediate action
- Use hardware wallets: Never enter seed phrases online
- Enable 2FA everywhere: Additional protection even if credentials are compromised
Indicators of compromise (IoCs)
Security teams should monitor for the following indicators associated with this campaign:
Malicious domains (partial list):
- thebig-whale[.]io
- the-bigwhale[.]com
- bigwhale-newsletter[.]eu
- thebigwhale-crypto[.]com
- newsletter-bigwhale[.]org
IP addresses associated with C2 infrastructure:
- 185.156.177[.]234 (Moldova)
- 45.142.212[.]100 (Netherlands)
- 193.42.33[.]210 (Russia)
- 103.75.119[.]157 (Singapore)
Email subject patterns:
- "🐋 Alerte Exclusive: Opportunité Bitcoin Limitée"
- "URGENT: Security Update Required for Your Crypto Portfolio"
- "The Big Whale Special Report: Act Now"
- "Exclusive Airdrop for Big Whale Subscribers"
Ongoing investigation and response
Law enforcement agencies across multiple jurisdictions are coordinating efforts to track down the perpetrators. The legitimate Big Whale newsletter has issued warnings to its subscriber base and is working with email security providers to implement additional authentication measures.
"We are appalled that criminals are exploiting our brand to target the crypto community. We're implementing BIMI (Brand Indicators for Message Identification) and working with major email providers to ensure our legitimate emails are clearly marked."
— Statement from The Big Whale editorial team
The investigation has revealed connections to previously identified cybercriminal groups specializing in cryptocurrency theft, with potential links to the Lazarus Group's recent activities in the crypto space. However, attribution remains challenging due to the use of compromised infrastructure and false flag operations.
Implications for email security in crypto
This campaign represents an evolution in crypto-targeted phishing, demonstrating that attackers are investing significant resources to bypass modern email security measures. The crypto industry faces unique challenges:
- High-value targets: Crypto holders represent lucrative targets for cybercriminals
- Irreversible transactions: Unlike traditional banking, crypto transactions cannot be reversed
- Pseudonymous nature: Difficulty in verifying legitimate communications
- Rapid ecosystem changes: New protocols and platforms create fresh attack surfaces
The industry must adopt a zero-trust approach to email communications, particularly for high-value transactions or sensitive operations. This includes implementing out-of-band verification for critical requests and educating users about the evolving threat landscape.