Airline Brands Exploited as Launchpads for Phishing and Cryptocurrency Scams
Cybercriminals Leverage Airline Brands for Phishing and Cryptocurrency Scams
Cybercriminals are leveraging the trust associated with well-known airline brands to launch phishing and cryptocurrency scams. Between September and December 2025, researchers identified 1,799 suspicious domains linked to over 35 airline brands. The broader dataset reveals more than 11,600 malicious domains targeting the airline industry across multiple categories.
Phishing and Cryptocurrency Scams
Attackers are using high-volume keyword combinations, such as “flight,” “airline,” and “private jet,” to attract broad search traffic. Many domains combine multiple airline brand names under a single site to capture users searching for deals or booking information. These domains often mimic booking portals, check-in pages, and loyalty account logins to harvest credentials and payment information.
Brand Impersonation
Brand impersonation is a dominant theme, with attackers creating fake job portals and onboarding systems to solicit resumes, identity documents, and login credentials. Vendor impersonation is also on the rise, with attackers targeting airlines’ extensive vendor networks across cargo, catering, and airport operations.
Campaign Timing and Coordination
During service disruptions, malicious help center domains appear, referencing the affected airline and incident, and requesting booking references, payment details, and account credentials. Campaign timing suggests coordination with public incidents, allowing attackers to capitalize on the attention.
Cryptocurrency-Themed Scams
Airline branding has also entered cryptocurrency-themed scams, with fake airline coins and tokens suggesting a loyalty program expansion into digital assets. Domains referencing airlinecoin, airdrop, or branded tokens attempt to capture investments from users who believe a carrier launched a crypto initiative.
Travel Payments and Advance Fee Fraud
Another pattern involves travel payments using bitcoin or other digital currencies, with domains advertising alternative payment options for flights and packages. This infrastructure can support advance fee fraud, wallet connection theft, and business compromise activity linked to invoice manipulation.
Other Threats
Airline brand names are also being used in gambling and betting domains, promoting casino platforms and luring users into depositing funds or connecting crypto wallets. SEO manipulation drives traffic from users seeking travel deals or airline updates.
Defense and Logistics Targeting
Defense and logistics targeting is also a concern, with certain domains blurring lines between commercial aviation and defense terminology. Keywords referencing air force, airport transfers, cargo, couriers, and pets indicate interest in logistics and government-linked transport.
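The keyword themes described in the sections above lend themselves to a first-pass triage of newly observed domains. The script below is an added example, not BforeAI's method or anything from the original article; the brand names, official domains and sample list are constructed placeholders.

```python
import re

# Constructed placeholder brands and official domains (assumptions, not real carriers).
BRANDS = ["examplair", "skydemo", "northwing"]
OFFICIAL = {"examplair.example", "skydemo.example", "northwing.example"}

# Keyword themes drawn from the categories the article describes.
THEMES = {
    "booking": ["flight", "airline", "privatejet", "booking", "checkin"],
    "hiring": ["job", "onboarding"],
    "support": ["help", "support"],
    "crypto": ["coin", "airdrop", "token", "bitcoin", "wallet"],
    "gambling": ["casino", "betting"],
    "logistics": ["airforce", "cargo", "courier", "transfer", "pets"],
}

def normalize(domain):
    """Lowercase, drop the last label (TLD) and separators: 'private-jet' -> 'privatejet'."""
    labels = domain.lower().rstrip(".").split(".")
    name = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z0-9]", "", name)

def triage(domain):
    """Return a finding for a non-official domain that uses a watched brand, else None."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in OFFICIAL):
        return None  # the brand's own domain or one of its subdomains
    name = normalize(d)
    brands = [b for b in BRANDS if b in name]
    if not brands:
        return None  # generic keyword-only domains are out of scope for this watchlist
    themes = [t for t, kws in THEMES.items() if any(k in name for k in kws)]
    if len(brands) > 1:
        themes.append("multi-brand")  # several carriers combined in one name
    return {"domain": domain, "brands": brands, "themes": sorted(themes), "score": len(themes)}

def report(domains):
    """Findings ordered by number of matched themes, highest first."""
    hits = [f for f in map(triage, domains) if f]
    return sorted(hits, key=lambda f: -f["score"])

# Constructed sample of newly observed domains (reserved .example TLD).
SAMPLE = ["www.examplair.example", "examplair-skydemo-flight-deals.example",
          "skydemo-airdrop-token.example", "northwing-helpcenter.example",
          "cheap-flight-deals.example"]

if __name__ == "__main__":
    for f in report(SAMPLE):
        print(f["score"], f["domain"], f["brands"], f["themes"])
```

Substring matching over-matches, so the output is a review queue for an analyst rather than a blocklist.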
Combating Threats
To combat these threats, companies like BforeAI are using network metadata aggregated over time to identify malicious infrastructure before it becomes active. The system decodes patterns associated with criminal DevOps practices to classify future threat infrastructure.
According to Luigi Lenguito, CEO of BforeAI, the company maintains a false positive rate below 0.05 percent, backed by a contractual performance commitment.
Financial Impact
The financial impact of these scams varies by category, with crypto-themed fraud carrying a direct monetary objective and often generating immediate losses. Fake support portals that collect credentials can lead to long-term impersonation fraud and downstream account compromise. Hiring scams continue to expand and serve as entry points for social engineering campaigns aimed at infiltrating organizations.
Lenguito noted that campaign timing has accelerated, with threat actors launching supporting infrastructure within hours of a public incident. This pattern appears in prediction datasets that show waves of dormant domains prepared for later activation. Preemptive disruption and takedown activity now blocks tens of millions of potential victim interactions per day before active phishing content appears.
