Which is the easiest crime to implement, with the largest potential return, and with virtually no chance of being caught?
I remember hearing that, in the UK, for the first time in a single year, there were no actual physical bank robberies. Why? Because there are often much better pickings for criminals if they can hack their way into a bank. As we move into a crypto world, the opportunities for cyber criminals will increase by the day.
While cryptocurrencies are safe in themselves, the major problem seems to be with the places which hold the wallets. In 2014, for example, Mt. Gox - a Japanese cryptocurrency exchange - filed for bankruptcy after a hacker drained the exchange of hundreds of thousands of bitcoins.
So which is the "crime" that is the easiest to implement (just running a script), most likely to gain you the most in return (a gain of tens of millions), and has virtually no chance of getting caught (where money transfers are almost impossible to trace to their origin)? Crypto wallet and/or ICO (Initial Coin Offering) hacking!
It must be remembered that in cryptocurrencies you do not have any physical or electronic tokens. All you have is a wallet with a public and a private key. If someone obtains your private key, they can sign a transaction to move money from your account to theirs. I've included a short introduction at the end of this article if you are interested in the operation of cryptocurrencies.
Youbit
This week Youbit, which is based in South Korea, became the latest cryptocurrency exchange to be hacked, losing 17% of its holdings. This was its second hack, and it has now filed for bankruptcy. In April it lost 4,000 bitcoins ($73m). Another South Korean exchange - Bithumb - was also recently hacked. It is thought that users of Youbit will be able to claim up to 75% of their wallet values.
Earlier in the year, Bithumb, one of the largest Bitcoin/Ethereum cryptocurrency exchanges in the world, was hacked with a loss of more than $1 million. At the time, Bithumb was the 4th largest Bitcoin exchange in the world and the 1st for Ethereum. It was trading around 20% of the global bitcoin business, and 10% of the conversion into Won (South Korea's currency):
It is thought that the hack happened in July 2017, and involved a breach of around 31,800 user accounts (around 3% of Bithumb's user account base), with billions of Won taken. In one example over 10 million Won worth of bitcoins were taken (approx. $86,000).
There are also reports of over 1.2 billion Won being stolen, and it is thought that an employee's home computer was hacked, resulting in a breach of many user accounts. A report from the company identifies the use of "disposable passwords" as the root cause.
Another crypto-wallet company - Parity - recently lost around $280 million in ether after a user deleted the code library within its infrastructure.
$7 million in 15 minutes?
Remember all those movies about safe crackers, where some large men blew up bank vaults? Well, stealing money doesn't quite happen that way anymore; a bank heist is now more likely to come from a bunch of crypto-analysts than from explosives.
In July 2017, hackers managed to siphon off $7 million from the Israeli start-up CoinDash, just as it was setting up its ICO (Initial Coin Offering) as part of its fundraising activity. This year alone, ICOs have generated over $540 million, and are one of the most popular ways for new businesses to raise funding.
With an ICO, the company trades tokens for cryptocurrency (typically the Ethereum currency). The company then converts this back into dollars and has investment for its business. Tech-savvy people love this form of fundraising, especially as it gives direct support to companies without the overhead of business support for fundraising.
CoinDash started to sell its own digital tokens for Ethereum currency at 9am on Monday. By 9:13am it reported that its site had been hacked and replaced by a fake one, which redirected millions of dollars of investment.
CoinDash still managed to raise $6.4 million (out of the $12 million it aimed to raise), but it is thought that the hacker managed to redirect $7 million into their own account. CoinDash has said that anyone who subscribed to the offering will get their tokens, but also that it is still under attack, and that users should not send it any cryptocurrency. Those who sent funds to the hacked site can claim from [here]:
The hack brings back memories of the DAO hack:
Scanning for wallets
What was worth $200 two years ago and is now worth over $16,000 today? Yes, you've guessed it ... a single Bitcoin (1 BTC). It's the cryptocurrency that just won't go away, even though several nations of the world won't accept any form of trading in it. And those who thought they should have bought some a few years ago sink further into their seats.
But as a crime, the stealing of a private key (hosted in a wallet) is one of the most lucrative and is unlikely to ever result in criminal proceedings. The legal system is light years away from understanding the details involved in hacking a wallet. Basically, someone sneaks a peek into your wallet and sees the private key you use, and within 10 minutes your money has gone.
So finding wallets is now a major focus for criminal gangs, and the Internet is full of bots scanning systems for Bitcoin and Ethereum wallets. The most popular filenames probed for on systems are:
wallet - Copy.dat
wallet.dat
wallet.dat.1
wallet.dat.zip
wallet.tar
wallet.tar.gz
wallet.zip
wallet_backup.dat
wallet_backup.dat.1
wallet_backup.dat.zip
wallet_backup.zip
These scans aim to find wallets placed on open systems, and also in backups. In the following, we see a scan on a Web server searching for anything related to bitcoin wallets and services:
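The filenames above are exactly what a defender can watch for in web-server logs. The following is an added example (not code from the article or from any tool it mentions) that parses Apache/nginx combined-format access-log lines, flags requests for the wallet filenames listed above plus obvious variants, counts probes per client, and emits firewall rules for clients that cross a threshold. The log lines, the client addresses, the variant pattern and the threshold of three probes are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Filenames the article lists as the most common wallet probes.
WALLET_PROBES = {
    "wallet - Copy.dat", "wallet.dat", "wallet.dat.1", "wallet.dat.zip",
    "wallet.tar", "wallet.tar.gz", "wallet.zip", "wallet_backup.dat",
    "wallet_backup.dat.1", "wallet_backup.dat.zip", "wallet_backup.zip",
}
# Catch-all for variants of the same idea (assumption: any wallet*.dat/zip/tar/gz/bak,
# optionally followed by a numeric backup suffix such as ".1").
WALLET_PATTERN = re.compile(r"^wallet[\w .-]*\.(dat|zip|tar|gz|bak)(\.\d+)?$", re.I)

# Apache/nginx "combined" format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_wallet_probe(path):
    """True if the requested file name (URL-decoded, query string stripped) looks like a wallet probe."""
    name = unquote(urlsplit(path).path).rsplit("/", 1)[-1]
    return name in WALLET_PROBES or bool(WALLET_PATTERN.match(name))

def scan_log(lines, threshold=3):
    """Return (hits, blocklist): every wallet probe seen as (ip, path, status), and the
    sorted client IPs that sent at least `threshold` probes and should be locked out."""
    hits = []
    per_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_wallet_probe(rec["path"]):
            continue
        hits.append((rec["ip"], rec["path"], rec["status"]))
        per_ip[rec["ip"]] += 1
    blocklist = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return hits, blocklist

def lockdown_commands(blocklist):
    """Firewall rules (iptables syntax) that drop further traffic from the flagged clients."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocklist]

# Constructed sample log: documentation IP ranges, not real scanners.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2017:10:02:01 +0000] "GET /wallet.dat HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Dec/2017:10:02:01 +0000] "GET /wallet.dat.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Dec/2017:10:02:02 +0000] "GET /wallet%20-%20Copy.dat HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Dec/2017:10:02:02 +0000] "GET /backup/wallet_backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Dec/2017:10:03:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Dec/2017:10:03:11 +0000] "GET /wallet.tar.gz?x=1 HTTP/1.1" 404 209 "-" "curl/7.55"',
    'not an access-log line at all',
]

if __name__ == "__main__":
    hits, blocked = scan_log(SAMPLE_LOG)
    for ip, path, status in hits:
        print(f"wallet probe from {ip}: {path} -> {status}")
    for cmd in lockdown_commands(blocked):
        print(cmd)
```

On the sample log the single-probe client is only reported, while the client that sent four probes in a few seconds is added to the blocklist; in practice the rules would be handed to fail2ban or a firewall API rather than printed, and the threshold tuned so that a legitimate user mistyping a URL is never locked out.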
Along with these, there are scans of servers providing Ethereum JSON-RPC endpoints, where the host could be hosting wallets. Slamaris recently detected a scan of the JSON-RPC interface on Ethereum nodes:
This API interface does not support any form of authentication (it is meant to be local only), and could be used to transfer funds to a remote wallet. Slamaris has already detected the theft of 8 ETH (worth over $3K), and traced it to this account:
Conclusions
Protect your wallet!
Set up logging on your machines, and watch for keywords in searches.
Automate lock-down when scanning is detected.
Disable incoming JSON-RPC requests, and only approve valid ones.
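The unauthenticated JSON-RPC interface described in the scanning section, and the last conclusion above, both come down to one control: nothing that is not local and not on an explicit allow-list should reach the node. The following is an added example (not code from the article, from Slamaris, or from any Ethereum client) of the policy check a small reverse proxy in front of the RPC port would apply to each request. The allow-list of read-only methods, the set of sensitive methods, the client addresses and the request bodies are assumptions constructed for the example; tune the allow-list to what your own software actually calls.

```python
import ipaddress
import json

# Methods a local application is permitted to call (assumption: a read-only
# allow-list chosen for this example).
ALLOWED_METHODS = frozenset({"eth_blockNumber", "eth_syncing", "net_version", "eth_getBalance"})

# Methods that expose keys or move funds: a request for one of these, especially
# from a non-local client, is the scan/theft pattern the article describes.
SENSITIVE_METHODS = {"eth_sendTransaction", "eth_sendRawTransaction", "eth_sign", "eth_accounts"}
SENSITIVE_PREFIXES = ("personal_", "admin_", "miner_")

def is_sensitive(method):
    return method in SENSITIVE_METHODS or method.startswith(SENSITIVE_PREFIXES)

def check_request(client_ip, body, allowed=ALLOWED_METHODS):
    """Decide whether one HTTP request to the RPC port may be forwarded.

    Returns ("allow", []) or ("reject", [reason, ...]). Single calls and JSON-RPC
    batches (a JSON array) are both handled; anything unparseable is rejected.
    """
    reasons = []
    try:
        if not ipaddress.ip_address(client_ip).is_loopback:
            reasons.append(f"non-local client {client_ip}")
    except ValueError:
        reasons.append(f"unparseable client address {client_ip!r}")
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return "reject", reasons + ["malformed JSON"]
    calls = payload if isinstance(payload, list) else [payload]
    if not calls:
        reasons.append("empty batch")
    for call in calls:
        method = call.get("method") if isinstance(call, dict) else None
        if not isinstance(method, str):
            reasons.append("call without a method name")
        elif is_sensitive(method):
            reasons.append(f"sensitive method {method}")
        elif method not in allowed:
            reasons.append(f"method {method} not in allow-list")
    return ("allow" if not reasons else "reject"), reasons

def audit(requests):
    """Apply check_request to (client_ip, body) pairs and return the rejected ones
    with their reasons; these are the events worth alerting on."""
    rejected = []
    for client_ip, body in requests:
        decision, reasons = check_request(client_ip, body)
        if decision == "reject":
            rejected.append((client_ip, reasons))
    return rejected

# Constructed sample traffic: documentation IP ranges and the zero address as the target.
SAMPLE_REQUESTS = [
    ("127.0.0.1", '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'),
    ("203.0.113.9", '{"jsonrpc":"2.0","method":"eth_getBalance","params":["0x0000000000000000000000000000000000000000","latest"],"id":2}'),
    ("127.0.0.1", '{"jsonrpc":"2.0","method":"personal_unlockAccount","params":["0x0000000000000000000000000000000000000000","",300],"id":3}'),
    ("127.0.0.1", '[{"jsonrpc":"2.0","method":"eth_blockNumber","id":4},{"jsonrpc":"2.0","method":"eth_sendTransaction","params":[{}],"id":5}]'),
    ("203.0.113.9", "{not json"),
]

if __name__ == "__main__":
    for client_ip, reasons in audit(SAMPLE_REQUESTS):
        print(f"rejected request from {client_ip}: {'; '.join(reasons)}")
```

Two design points matter here. The check is deny-by-default: a method that is neither sensitive nor allow-listed is still rejected, so a newly added client method cannot slip through. And batches are inspected call by call, because a single allowed method at the front of a batch must not carry a funds-moving call behind it.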
So will the courts understand the technical details of the crime? If someone uses a weak password to protect their private key, are they liable, or is it the exchange that allowed user details to be stolen?
Lecturer/Researcher of Exploration & Environmental Geophysics at Université Cheikh Anta Diop de Dakar (UCAD)
(6 years ago) This is a well-elaborated blog which highlights, with examples, the security flaws of the wallet system. From this article, one could understand why it is important for the regulators to be trained and be fully involved in this sphere in order to protect the customers.
Master of Security (MInfoSysSec) & Project Manager (MAIPM)
(6 years ago) A great way to fund my PhD -- should I give it a try?
Thank you for sharing Prof Bill Buchanan OBE, PhD, FBCS. Agree, we are going to see a whole new "crime wave" with cyber mafia targeting cryptocurrency holders and ICOs. It's best to use hardware wallets as individuals and minimising counter-party risk by moving crypto off exchanges to a private wallet. As hardware wallets go, any preference, i.e. Trezor vs Nano?
Enterprise Architect : Requirements Engineer : Systems Integration : Knowledge Operations : Solutions Consultant
(6 years ago) Scanning is one of the timeless tools of the criminal profession Prof Bill Buchanan OBE, PhD, FBCS, now the digital age makes it even easier...
Chief Information Security Officer (CISO)
(6 years ago) "for the first time in a single year, there were no actual physical bank robberies." - That is a very interesting fact. Thanks for sharing.