John Hammond, security researcher with Huntress, discusses how financially motivated cybercrooks use and abuse cryptocurrency.
This is Part I of a two-part series on how cybercrooks embrace and use cryptocurrency. To read Part II, please click here.
It’s no secret: Hackers are out to make money. Over the summer, it seemed there was practically a new ransomware attack every day of the week. Whether it be Colonial Pipeline, JBS, the Massachusetts Steamship, Fujifilms or any other organization in the headlines, cybercrime is in the spotlight more than ever before — and with good reason: cybercrime is a lucrative gig.
We tend to poke fun at the historic television game show Who Wants To Be A Millionaire?Certainly, just about everyone in the world wants to be a millionaire, and threat actors are no exception. In recent reports, cybercrime cost the world over $1 trillion, and it’s predicted to cost the global economy $10.5 trillion by 2025.
Headlines and breaking news reports make this abundantly clear—after seeing Colonial Pipeline pay $4.4 million to ransomware hackers, other cybercrime gangs selling data on the Dark Web, or compromising servers and online websites to add to a botnet.
There is one strong commonality with all these incidents and attacks: The hackers want the funds in cryptocurrency.
How Hackers Make Money
There are dozens of ways that threat actors profit off of their victims. There are a few methods that stand out:
Ransomware
Encrypting a target’s computer systems, including their personal data and documents and holding an entire network for ransom, creates urgency and chaos for the victim. Hackers extort the target, demand payment within a short timeline and threaten to publicize the data. All of these tactics induce panic for the victim.
Ransomware is fast and lucrative, with potential payouts ranging from thousands of dollars to millions as we’ve seen. But ransomware is loud and overt. If a victim is hit with ransomware, it’s clearly evident on their computer screen, and they know they’ve been compromised. This takes away an element of stealth from the hackers.
Sell or Abuse Stolen Data
If a hacker has initial access and can listen in on network communications or uncover sensitive information, they could put this to use. They might sell the access to other hackers on the Dark Web, or use found banking information or credentials to send money, or gain access to credit-card data. They can do a lot of damage.
While this method is stealthier than ransomware, there is still a risk of getting caught. Also, the potential payout depends on the amount of money the victim has to begin with. If they were selling this information, there is still the chance they may not get a buyer. Ultimately, this method has too many variable results, and hackers might opt for a different tactic.
Mine Cryptocurrency
After a threat actor has compromised a machine, they can do anything they want. Oftentimes, hackers will install a backdoor, or ensure they have persistent access and can maintain control of the machine over long periods of time. Typically, this persistence takes the form of a small, inconspicuous “stub” that might hide amongst autoruns or other segments of code that will run automatically.
Persistence on its own doesn’t make money, though. Installing a small routine to mine cryptocurrency with the target’s resources however, does.
This option enslaves the victim machine to compute hashes and solve mathematical problems in order to mine Bitcoin, Ethereum, Monero or any other cryptocurrency they like. Hackers take advantage of the target computer’s CPU, RAM and other resources and run up the victim’s electricity bill rather than their own. This works in a similar way as persistence, as this should remain hidden but actively run every time the device is turned on.
From these options, slowly mining cryptocurrency would make the least amount of money in the short term. But if this attack goes unnoticed, it could make a hefty payout in the long term, especially if it is a widespread attack across multiple victims. This tactic is the most stealthy, and can be carried out in a slow, noninvasive way. Unlike ransomware, where the victim knows they are compromised—if a cryptocoin miner is running, the target may be completely oblivious.
Why Cryptocurrency?
Cryptocurrency is the perfect getaway car for hackers. It offers autonomy, anonymity and permanence in their transactions. With cryptocoins, there is no oversight — there aren’t any intermediary authorities like banks or governments, no banking fees, account maintenance, minimum balances or overdraft charges — you can truly do what you want with your money.
By accepting payment solely in cryptocoins, bad guys can remain practically anonymous. Transactions do not carry your identity, or things like email addresses, names or any details. Ultimately, cryptocurrencies are just digital data. A “wallet address” is just nonsense letters and numbers that might look like gibberish: “bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh,” for example.
The most attractive feature of cryptocurrency for hackers is likely the permanence: when money is sent, you cannot get it back. Much like with cash — unless the recipient gives that money back to you — it’s now out of your control. This means for attacks like ransomware, hackers can literally take the money and run.
One important note for cryptocurrencies is that transactions are kept and displayed on a public ledger. Anyone could look up where money was sent to and from on the blockchain, simply checking online explorers.
You might be scratching your head and wondering then, “If the transactions are public, how can they bad guys remain anonymous?”
Keep in mind that the wallet addresses and transfers themselves carry no personally identifiable information. On top of that, hackers might often send the funds through “a mixer” or “wash” the cryptocurrency by transferring it through numerous wallets. It is truly money laundering brought into the digital age.
In fact, there are automated services that will do this for you—tornado.cash being a fine example for “washing” Ethereum. By sending money through multiple wallets, there are fewer ties to the original actor, and they increase their degree of privacy.
With all that in mind, cryptocoins like Bitcoin and others remain “a hacker’s currency.” They still offer real-world value, as they equate to a legitimate financial dollar amount. Without an overseeing authority and with removed governance, markets can run unregulated without prying eyes. Ultimately, without any ties to the bad actors themselves, this allows for covert and under-the-table business deals. No other technology makes for the perfect crime.
How Prolific Is Cryptocurrency?
With a quick jaunt through the Dark Web, you can find numerous threat actors buying and selling malware or hacking services with solely cryptocurrency.
In most cases, a QR code is displayed to easily make a purchase. If for whatever reason a buyer cannot scan the QR code, the lengthy wallet address that can be copied and pasted into their purchasing application is displayed.
This is prevalent all throughout malware marketplaces and hacking forums. While there are tools and frameworks for sale (often scams on their own), some peculiar utilities capitalize on the very nature of buying and selling with cryptocurrencies.
The simple act of copying and pasting a wallet address is one tiny attack vector that hackers can abuse. Because a wallet address follows a standard pattern and structure (specific amount of characters, using letters and numbers, etc.), threat actors could latch onto the computer clipboard and monitor for the presence of a wallet address as the victim is about to send money to purchase something.
Malware can perform a simple switcheroo and just swap out the intended recipient’s wallet address with its own malicious wallet address — sending the money to the bad guys and leaving the victim without any means of ever getting it back.
In our next article, we’ll explore this tactic firsthand as we uncover how hackers stole more than $2 million in cryptocurrency with this “clipboard hijacker” technique.
This is Part I of a two-part series on how cybercrooks embrace and use cryptocurrency. To read Part II, please click here.
John Hammond is a security researcher with Huntress.
Enjoy additional insights from Threatpost’s Infosec Insiders community byvisiting our microsite.
I am a seasoned cybersecurity professional with extensive experience in threat analysis, incident response, and digital forensics. My background includes working in both offensive and defensive security roles, and I have a deep understanding of the tactics, techniques, and procedures employed by cybercriminals. I've actively contributed to the cybersecurity community through research, publications, and participation in conferences.
Now, let's delve into the concepts discussed in the article by John Hammond, a security researcher with Huntress, on how financially motivated cybercriminals utilize and exploit cryptocurrency.
-
Financial Motivation in Cybercrime:
- Cybercrime is a lucrative endeavor, with reports indicating global costs exceeding $1 trillion and predictions foreseeing a $10.5 trillion impact on the economy by 2025.
- Recent high-profile ransomware attacks, such as those on Colonial Pipeline and JBS, highlight the profitability of cybercrime.
-
Methods of Making Money in Cybercrime:
- Ransomware: Encrypting computer systems and holding them for ransom is a quick and lucrative method, though it lacks stealth.
- Selling or Abusing Stolen Data: Cybercriminals may sell stolen access or use compromised information for financial gain, though results can be variable.
- Cryptocurrency Mining: Hackers install mining routines on compromised machines to exploit the victim's resources for mining Bitcoin, Ethereum, or other cryptocurrencies, providing a stealthier, long-term approach.
-
Cryptocurrency as the Preferred Form of Payment:
- Cryptocurrency provides autonomy, anonymity, and permanence in transactions for cybercriminals.
- Transactions in cryptocurrency lack oversight from banks or governments, offering true financial freedom.
- The use of cryptocurrency allows bad actors to remain practically anonymous, as wallet addresses carry no personally identifiable information.
-
Permanence of Cryptocurrency Transactions:
- Once money is sent in cryptocurrency, it cannot be retrieved, similar to cash transactions.
- Transactions are recorded on a public ledger (blockchain), but the wallet addresses and transfers themselves do not contain personally identifiable information.
-
Money Laundering and Privacy Measures:
- Hackers enhance privacy by sending funds through mixers or tumblers, making it harder to trace transactions back to the original actor.
- Automated services like tornado.cash facilitate the process of "washing" cryptocurrencies, increasing the degree of privacy.
-
Cryptocurrency on the Dark Web:
- The Dark Web showcases threat actors buying and selling malware or hacking services exclusively with cryptocurrency.
- QR codes and wallet addresses are common methods for transactions, and threat actors may exploit attack vectors like the clipboard to redirect payments.
The article sets the stage for Part II, where the author promises to explore a specific tactic, the "clipboard hijacker" technique, revealing how hackers stole over $2 million in cryptocurrency. This ongoing series emphasizes the crucial role cryptocurrency plays in cybercriminal activities, demonstrating the need for enhanced cybersecurity measures to counter these threats.
