Why Crypto chooses dope.security
Crypto companies don’t get “mainstream” threats.
You see the newest, most sophisticated campaigns early, often before tooling and threat feeds catch up, because the incentive is enormous and the targets are high value.
That’s the backdrop for a familiar crypto security moment: your detection team spots a brand-new campaign, and the first question isn’t “How do we investigate?” It’s: “How do we block the whole pattern right now without breaking the business?”
A large crypto firm (exchange/operator) ran into exactly that. They were targeted by a lookalike-domain campaign using rotating names like:
usa####webzoom.us
(where #### is a 2–4 digit number, and the pattern keeps changing)
Blocking one domain at a time would be whack-a-mole. Blocking *.us is obviously not an option. So they asked the practical question every crypto SOC eventually asks:
Can we block by pattern? Like regex?
The attack trick: “dotless lookalike” domains that fool humans (and static rules)
This campaign uses a simple but effective impersonation technique:
- Legitimate-looking format: usa123.webzoom.us (subdomain + dot + domain)
- Malicious lookalike: usa123webzoom.us (no dot — but it reads the same at a glance)
Why this works
- Humans skim. Your brain fills in the dot.
- Attackers rotate the digits endlessly.
- The domain looks “regional” and believable.
- It’s hard to cover with single-domain blocks.
For crypto orgs, these campaigns can be the first domino to credential capture, SSO/session theft, malware delivery, or redirect chains into something worse.
What the crypto firm needed: block the family of domains, not one IOC
Their team asked for regex-style blocking because they weren’t dealing with one bad domain. They were dealing with a repeatable pattern. That is where dope.security’s SWG becomes the lever: fast policy changes, broad coverage, and controls that can target a pattern safely and effectively.
Even without full regex, dope.security can solve this class of problem today using wildcard controls.
How dope.security solved it
dope.security shared a simple workaround that achieves the same practical outcome as a regex block for this use case.
Step 1: Block the pattern with a domain wildcard
Block: *webzoom.us
In dope.security, *webzoom.us blocks any hostname that ends in webzoom.us, whatever appears before it, including:
- usa123webzoom.us
- usa712webzoom.us
- other rotating variations
That means you stop the entire attacker naming scheme with one control without touching *.us. Note that the same wildcard also matches the dotted forms (usa123.webzoom.us) and the bare domain webzoom.us, which is why the allow step below is needed wherever those are legitimate.
Step 2: Allow only what you actually want to function
Depending on what “legitimate” looks like in your environment, you can:
- Allow a specific domain (exact allow), or
- Allow legitimate subdomains using subdomain wildcard allow:
Allow: *.webzoom.us
This allows domains like:
- usa123.webzoom.us
- usa712.webzoom.us
While still blocking:
- usa123webzoom.us (no dot)
This is the key distinction: you can allow true subdomains while blocking dotless lookalikes.
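The following Python is an added illustration, not dope.security’s code and not a description of its matching engine. It models the two wildcard forms used in Steps 1 and 2 as anchored regular expressions and evaluates them against a constructed list of hostnames, so you can check which lookalikes a given allow/block pair catches before you ship the policy. Allow-before-block precedence and the tighter `usa\d{2,4}webzoom\.us` regex the SOC might have asked for are assumptions.

```python
"""Model of wildcard allow/block evaluation for dotless lookalike domains.

Constructed example (not dope.security's engine). Semantics assumed here:
  '*webzoom.us'   matches any hostname ending in 'webzoom.us', dotted or not,
                  including the bare domain itself
  '*.webzoom.us'  matches only true subdomains (at least one label and a dot)
  'webzoom.us'    exact match
Allow rules are evaluated before block rules (assumption).
"""
import re
from typing import Iterable, List, Pattern, Tuple

# Tight regex for the specific rotating family seen in the campaign (assumed form).
FAMILY_REGEX: Pattern[str] = re.compile(r"\Ausa\d{2,4}webzoom\.us\Z", re.IGNORECASE)


def wildcard_to_regex(pattern: str) -> Pattern[str]:
    """Compile a leading-'*' domain wildcard into an anchored, case-insensitive regex."""
    if pattern.startswith("*."):
        # Subdomain wildcard: one or more DNS labels, each followed by a dot.
        body = r"(?:[a-z0-9-]+\.)+" + re.escape(pattern[2:])
    elif pattern.startswith("*"):
        # Bare wildcard: any prefix (possibly empty, possibly containing dots).
        body = r"[a-z0-9.-]*" + re.escape(pattern[1:])
    else:
        body = re.escape(pattern)
    # Anchor both ends so 'webzoom.us.evil.example' is not caught by '*webzoom.us'.
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


def decide(host: str, allow: Iterable[str], block: Iterable[str]) -> str:
    """Return 'allow', 'block' or 'no-match' for a hostname under the given rules."""
    host = host.rstrip(".").lower()  # normalise trailing dot and case
    if any(wildcard_to_regex(p).match(host) for p in allow):
        return "allow"
    if any(wildcard_to_regex(p).match(host) for p in block):
        return "block"
    return "no-match"


def matches_family(host: str) -> bool:
    """True if the hostname fits the narrow usa####webzoom.us pattern."""
    return FAMILY_REGEX.match(host.rstrip(".").lower()) is not None


def evaluate(hosts: Iterable[str], allow: Iterable[str], block: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Evaluate every host: (host, wildcard decision, matches tight family regex)."""
    allow, block = list(allow), list(block)
    return [(h, decide(h, allow, block), matches_family(h)) for h in hosts]


# Constructed hostnames: lookalikes, true subdomains, the apex, and an out-of-scope host.
SAMPLE_HOSTS = [
    "usa123webzoom.us",        # dotless lookalike, 3 digits
    "USA7121WEBZOOM.US",       # dotless lookalike, 4 digits, mixed case
    "eu99webzoom.us",          # rotated region prefix: wildcard catches it, tight regex does not
    "usa123.webzoom.us",       # true subdomain
    "login.usa123.webzoom.us", # deeper true subdomain
    "webzoom.us",              # apex domain: caught by '*webzoom.us' unless exactly allowed
    "webzoom.us.evil.example", # different registrable domain; anchored match must not fire
]

if __name__ == "__main__":
    for host, verdict, tight in evaluate(SAMPLE_HOSTS, ["*.webzoom.us"], ["*webzoom.us"]):
        print(f"{host:28} wildcard={verdict:9} tight_regex={tight}")
```

Two things the table makes visible that the prose does not: the bare wildcard also catches the apex domain, so add an exact allow for `webzoom.us` if users need it; and the wildcard is deliberately broader than a digit-anchored regex, so a rotated prefix such as `eu99` is still blocked at the cost of possibly catching an unrelated but legitimate name ending in `webzoom.us`.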
Why this is a crypto story
Crypto SOCs run into this kind of campaign constantly because the threat model is different: attackers rotate infrastructure aggressively, campaigns are targeted and “quiet”, the goal is access rather than noise, and the blast radius can be existential.
So the security requirement is also different. Detection needs a control surface that can move at the same speed as the adversary, and that’s exactly what wildcard pattern blocking enables.
Why Fly Direct matters: no layovers between detection and enforcement
In crypto, time-to-control matters.
If your SWG depends on routing traffic through a cloud point of presence, you can run into:
- coverage gaps (roaming users, split tunnels, unusual apps)
- long policy-polling windows before urgent rules take effect
- latency and user workarounds
dope.security’s Fly Direct SWG enforces on the endpoint, so:
- policy follows the user everywhere
- new blocks and guardrails take effect instantly
- there are no gaps between detection and enforcement
The takeaway
This crypto firm didn’t just ask for a feature. They described the reality of crypto security where attacks arrive early, infrastructure rotates fast, and blocking single domains is not enough.
dope.security solved the immediate request with wildcard pattern control, enforced instantly on the device thanks to the Fly Direct architecture:
- block the entire lookalike family (*webzoom.us)
- allow legitimate usage (*.webzoom.us or exact allow)
- enforce quickly and consistently with Fly Direct