Senior Research Analyst
Courtney Falk is a senior research analyst for Optiv’s Global Threat Intelligence Center (gTIC). Courtney analyzes tools, standards and intrusion sets in order to improve state of the art threat intelligence and help Optiv clients stay ahead of potential attacks.
The Risk of Cryptocurrencies
Cryptocurrencies are a libertarian ideal: a monetary system outside the control of big government. The modern digital world provides the necessary components for a cryptocurrency to succeed. Computing power has advanced sufficiently to lower the processing burden of cryptography. Now systems are both powerful enough and affordable enough that there is a sufficiently large audience for a cryptocurrency system. But where cryptocurrencies solve some of the fundamental problems of centralized currencies, they also introduce some new problems while still falling victim to other, age-old problems.
Bitcoin is synonymous with cryptocurrency for a lot of people. It was an early cryptocurrency system, and the first to achieve a large scale of adoption. Since 2007 when Bitcoin appeared, the cryptocurrency space has increased exponentially. Special-purpose cryptocurrencies add new features. But Bitcoin includes two pieces of technology that are applicable to a wide variety of cryptocurrencies: block chain and proof-of-work functions.
Figure 1: Market capitalization for the largest cryptocurrencies as of November 15, 2017.
Block chain is what enables several cryptocurrencies to exist outside of centralized, third-party control. It is a distributed ledger that records all transactions of a currency with guarantees of cryptographic integrity. The block chain is append-only, which means that the records in the ledger cannot be altered once they’re written.
Once enough transactions are available, volunteers collect them and begin computing. These volunteers operate on a proof-of-work function that shows the transactions were validated. The transactions and the function’s output become a new block in the block chain. Volunteers are incentivized to perform the computations with rewards of the actual cryptocurrency itself.
Figure 2: A basic diagram on how currency flows through a cryptocurrency system.
There are additional pieces of technology required to make a cryptocurrency work as well: Protocols that specify how the network traffic functions, accounts for storing amounts of currency, and associated services for facilitating the use of a currency. All these components increase the attack surface for someone looking to exploit a cryptocurrency system.
Follow the Money
Cryptocurrency has become associated with deep web and dark net sites. When ransomware prompts a victim to pay, the amount demanded is sometimes given in Bitcoin. Cryptocurrencies are attractive to hackers because they appeal to the early adopters who work with technology, and they provide some amount of anonymity in their transactions. But traditional law enforcement is quickly learning how to exploit these tools as Ross Ulbricht of Silk Road notoriety would know.
Coin tumbling is digital money laundering. If a user is concerned about a particular coin being traced back to him/her then they can tumble it, sending it off to a service that randomly swaps around coins for a fee.
Tumbling, like cryptocurrency in general, is a service intended to improve the privacy and security of everyone. But law enforcement are looking at tumbling services for their role in concealing illicit profits.
Tumbling is popular enough that some cryptocurrency systems incorporate it directly while others look to improve anonymity for the end user first and foremost.
When a user converts real-world currency into cryptocurrency, or receives cryptocurrency as payment, they store those coins in special-purpose software called a “wallet.” The wallet is just one point at which an attacker can steal cryptocurrency belonging to someone else. If an attacker is able to access your wallet, just as if they were able to access your bank account, they would be able to transfer your coins to themselves.
Gaining access to wallets, like gaining access to bank accounts, requires a certain amount of social engineering. Cryptocurrency wallets, like traditional online backing applications, look to solutions like multi-factor authentication in order to better secure their user’s accounts. Even nation-state actors like Lazarus Group (North Korea) are getting in on the action, stealing Bitcoin out of victims’ wallets.
The Big Heist
To steal the most money at one time, a criminal must go to where the largest amounts of money are kept. For cryptocurrencies this means the coin exchanges. Exchanges are where one currency gets changed into another like dollars for Bitcoin, pounds for Monero, or Litecoin for Ether.
Mt. Gox is notorious for the size and scope of the cryptocurrency theft it suffered. Mt. Gox went bankrupt in 2014 when it found that hundreds of millions of dollars’ worth of Bitcoin went missing from the site. Subsequent investigations suggest that the theft started as far back as 2011. The situation remains mired in multiple legal proceedings.
The DAO was a distributed autonomous organization, a smart contract able to exist in the Ethereum infrastructure. DAO was an investment fund intended for venture capital funding. At time of inception, the DAO was worth $150 million. A successful hack was able to divert $50 million worth of the currency. In order to remediate the situation, the Ether cryptocurrency was forked much like how an open source software project might be forked. The result was a large drop in the value of Ether and two different cryptocurrency systems: Ethereum and Ethereum Classic.
Installing Coin Miners
Coin miners are the pieces of software that grind through the proof-of-work functions. When a miner finds a solution, the person running the miner is rewarded with a certain amount of the cryptocurrency in question. The product of coin mining serves as the basis for the cryptocurrency system.
Hackers are good about monetizing the computers they compromise. It is not a case of, “I don’t have anything worth stealing.” Some hackers are content to focus on stealing sensitive information like bank account credentials in order to gain direct access to money. But a computer with a network connection is benefit enough to a hacker. A networked machine is a viable component in a larger botnet and useful for sending spam emails or conducting DDoS attacks.
There are multiple ways for an attacker to get a coin miner onto a system. Kaspersky Lab has data showing millions of such infections in recent years with 2017 on track to top previous records.
But if a hacker installs a coin miner on a compromised computer then they can literally turn the victim’s electricity into money. This is just another way for an attacker to monetize a compromised system. There is a downside in terms of operations security because coin mining is computationally intensive and the slowdown of the infected system may alert system administrators to the anomaly.
At the time of writing there were already too many web sites compromised with cryptocurrency miners for it to be practical to list them all. But not all web sites hosting cryptocurrency miners are necessarily compromised. The intended use of software like Coinhive is for web site monetization. The Pirate Bay tried monetizing with Coinhive but neglected to tell its user base beforehand.
A few of the compromised sites:
- Ultimate Fighting Championship
- Cristiano Ronaldo’s personal site
Sites that tested cryptocurrency monetization:
- Pirate Bay
- Iridium (Chrome extension, YouTube interface)
Monero is an attractive cryptocurrency to criminals because it has a feature called “stealth addresses.” A stealth address insulates a Monero user’s wallet from being associated with a transaction. Instead, a random address is generated and the transaction is sent to that stealth address instead of to the Monero wallet directly. For a criminal, this is a useful way to prevent illegally mined coin from being traced back to yourself.
This post describes different kinds of attacks on different parts of the cryptocurrency. Each attack requires a different type of remediation. Some basic advice applies as well: keep your systems patched and up-to-date, and use a host-based anti-virus solution.
Any cryptocurrency wallet, software or hardware, should feature multi-factor authentication. Along with multi-factor authentication, user awareness is of tantamount importance. Unsolicited emails, texts, or voicemails that suggest an unplanned password reset are likely phishing attempts.
There are multiple remediation steps to help secure systems against coin miners. First, have anti-virus on all endpoint systems with up-to-date signatures. Second, block known domains associated with coin mining activity. Finally, if you find yourself running a coin miner in your web browser then you can easily stop it by browsing to a different web site or shutting down the web browser entirely.
Cryptocurrency is a double-edged sword like many other technical developments. It promises to expand the boundaries of discourse and finance around the globe. But it does so equally for all who participate, and this includes criminals. Cyber criminals are quick to adapt new tools and techniques that will help them earn the most money in the least risky way possible.