Cybersecurity Week in Review: 11/2
Posted by: GuidePoint Security
Cryptocurrency hacks worth big money are the main theme of this week’s news. Our news summary covers the $1 billion bitcoin seizure of the infamous “Silk Road” fortune by US federal agents and the $24 million cryptocurrency hack that was the result of a software engineering mistake. We also review how cybercriminals once again leveraged social anxiety and uncertainty to promote malware.
“Engineering” Mistakes and Mobile Attacks Enable Cryptocurrency Hacks
Hacking doesn’t always require elaborate malware. Threat actors are quickly realizing that money can be made by simply manipulating market effects or by using social media apps like Telegram.
In a move reminiscent of the iconic movie Office Space, in which the characters take advantage of flawed coding to embezzle a fraction of a cent off of each financial transaction (and then feel guilty and try to return their ill-gotten windfall), hackers this past week stole roughly $24 million (and then, for reasons unknown, returned $2.5 million) from a decentralized finance (DeFi) cryptocurrency service. In this instance, because of a software engineering mistake, the cryptocurrency assets were deposited into shared pools, enabling the hackers to take advantage of market effects such as “impermanent loss, arbitrage, and slippage” by manipulating the cryptocurrency value through large-volume market trades.
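The market effects named above (slippage, price impact and impermanent loss) follow directly from how a shared liquidity pool prices trades. The toy model below is an added example written for this summary; it is not code from the affected DeFi service or from any real exchange. It assumes a fee-free constant-product pool (reserve_a * reserve_b = k), which is a common DeFi design but not necessarily the one the hacked service used. It shows why one large trade can move a pool’s spot price by a factor of four, why any contract that reads that spot price as “the” market price is exposed, and how a minimum-output (slippage tolerance) check rejects a trade whose execution price has drifted too far.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Toy constant-product AMM (reserve_a * reserve_b = k).

    Assumption: no trading fee, two assets A and B. Prices are quoted as
    units of B per unit of A.
    """
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        # Marginal price of A in B; this is the number a naive oracle would read.
        return self.reserve_b / self.reserve_a

    def quote_a_for_b(self, amount_in: float) -> float:
        # Output of B for selling amount_in of A while holding k constant.
        k = self.reserve_a * self.reserve_b
        new_a = self.reserve_a + amount_in
        return self.reserve_b - k / new_a

    def swap_a_for_b(self, amount_in: float, min_out: float = 0.0) -> float:
        """Execute a swap, refusing it if the output falls under min_out.

        min_out is the slippage guard: the caller states the worst price it
        will accept, so a trade sandwiched by large-volume manipulation fails
        instead of executing at a bad price.
        """
        out = self.quote_a_for_b(amount_in)
        if out < min_out:
            raise ValueError(
                f"slippage guard: would receive {out:.4f} B, minimum is {min_out:.4f}"
            )
        self.reserve_a += amount_in
        self.reserve_b -= out
        return out


def price_impact(pool: ConstantProductPool, amount_in: float) -> float:
    """Fraction by which the effective price of a trade is worse than spot."""
    effective = pool.quote_a_for_b(amount_in) / amount_in
    return 1.0 - effective / pool.spot_price()


def impermanent_loss(before: ConstantProductPool, after: ConstantProductPool) -> float:
    """Loss of a liquidity provider who owns the whole pool, versus simply holding.

    Both positions are valued at the pool's post-trade spot price.
    """
    price = after.spot_price()
    held = before.reserve_a * price + before.reserve_b
    in_pool = after.reserve_a * price + after.reserve_b
    return 1.0 - in_pool / held


if __name__ == "__main__":
    # Constructed scenario: a balanced 1000/1000 pool hit by a 1000 A sell order.
    start = ConstantProductPool(1000.0, 1000.0)
    pool = ConstantProductPool(1000.0, 1000.0)
    print("spot before:", pool.spot_price())                 # 1.0
    print("impact of selling 1000 A:", price_impact(pool, 1000.0))  # 0.5
    try:
        pool.swap_a_for_b(1000.0, min_out=990.0)            # guard rejects the trade
    except ValueError as err:
        print("rejected:", err)
    pool.swap_a_for_b(1000.0)                               # unguarded trade executes
    print("spot after:", pool.spot_price())                  # 0.25
    print("LP impermanent loss:", impermanent_loss(start, pool))  # 0.2
```

The defender’s reading: a contract that values deposits at `spot_price()` of a single pool can be fed a manipulated price by anyone with enough volume, and a swap without a `min_out` bound will happily execute at that price. Using a time-weighted or multi-source price and enforcing a slippage bound are the usual mitigations.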
Unfortunately, this isn’t the first cryptocurrency hack that we’re hearing about. Reports have surfaced recently about threat actors launching mobile attacks to gain access to email addresses and Telegram messenger accounts of high-profile individuals in the cryptocurrency business.
The cryptocurrency losses are adding up. In addition to the $24 million lost to the DeFi service, a hack in September against a different company drained bitcoin assets, ERC-20-based tokens and other tokens worth $150 million. That same month, a European crypto exchange lost $5 million in a targeted attack.
One of the key takeaways here is that cryptocurrencies aren’t as ‘safe’ as everyone believes them to be. If there is money to be had, you can be sure that cybercriminals will find a way to steal it.
You can read more on the hack into the decentralized finance cryptocurrency service here.
Malware Exploits Election Anxiety
While most of the US was anxiously glued to the news outlets for election updates, cybercriminals were taking advantage of the collective election angst by distributing malware via email with attached file names such as “ElectionInterference”. The email content requests that the recipient “Read the document and let me know what you think.” When extracted from a zip file, an Excel spreadsheet appears to contain a secure ‘DocuSign’ file. Using the tried and true method of malicious macros, recipients are then tricked into enabling the macros in order to ‘decrypt’ and read the document.
The Q-Bot Trojan is launched by the macros and attempts to connect to its command and control servers to obtain instructions, which include stealing data, information, and email addresses from its victims in order to further distribute the malware.
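The delivery chain described above (zip attachment, spreadsheet inside, macro that must be enabled) can be caught at the mail gateway before any user sees the “enable macros to decrypt” lure. The scanner below is an added example written for this summary, not code from any vendor or from the reporting on this campaign. It uses only the Python standard library and a structural check: a modern Office file is itself a zip container, and a VBA macro project lives in a member named vbaProject.bin, so a workbook that carries one can be flagged without opening it in Excel. The sample attachment it builds is constructed for the demonstration; the member name mirrors the lure filename quoted above and the VBA bytes are a stand-in, not real macro code.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format (.xls/.doc); VBA in those
# files needs a dedicated parser (e.g. oletools' olevba), so we only flag them.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_ENABLED_EXTENSIONS = (".xlsm", ".xltm", ".docm", ".dotm", ".pptm")


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML container (xlsx/xlsm/docx/...) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML file at all


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Inspect every member of a zip attachment and report macro-capable Office files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            data = outer.read(info)
            name = info.filename
            if data.startswith(OLE_MAGIC):
                findings.append({"member": name,
                                 "reason": "legacy OLE Office file; may hold VBA, parse with olevba"})
            elif ooxml_has_macros(data):
                findings.append({"member": name,
                                 "reason": "OOXML container with vbaProject.bin (macros present)"})
            elif name.lower().endswith(MACRO_ENABLED_EXTENSIONS):
                findings.append({"member": name,
                                 "reason": "macro-enabled extension but no VBA part found"})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip holding a macro-enabled workbook named like the lure."""
    workbook = io.BytesIO()
    with zipfile.ZipFile(workbook, "w") as x:
        x.writestr("[Content_Types].xml", "<Types/>")
        x.writestr("xl/workbook.xml", "<workbook/>")
        x.writestr("xl/vbaProject.bin", b"\x00stand-in, not real VBA")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("ElectionInterference.xlsm", workbook.getvalue())
        z.writestr("readme.txt", "Read the document and let me know what you think.")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_attachment()):
        print(f"{finding['member']}: {finding['reason']}")
```

In a gateway this check would run on every archive attachment; a hit on vbaProject.bin is a strong signal to quarantine the message or strip the attachment, and the legacy-OLE branch marks files that need a deeper parser rather than letting them through unexamined.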
Exploiting social anxiety and uncertainty is an old, but proven cybercrime technique. In the past, criminals have used major weather events such as hurricanes, the Covid epidemic, and terrorist events as scare tactics to convince victims to download and install malware.
More on the US election “malspam” threat can be found here.
What to do with $1 BILLION dollars?
There was good news this week in the world of cryptocurrency hacks. After seven years of inaccessibility, the treasure from the dark web drug marketplace known as the “Silk Road”—69,370 bitcoins worth an estimated $1 billion—has been seized by the U.S. Department of Justice (DOJ) from an unnamed person, referred to in court documents only as “Individual X”. Analysts who follow cryptocurrency transactions were the first to notice the movement of $1 billion worth of Silk Road bitcoins on the evening of November 3.
The operator of the Silk Road, Ross Ulbricht, was arrested and jailed in 2013. However, at the time of the arrest federal investigators were only able to access a fraction of Ulbricht’s Silk Road bitcoin fortune. Who had ownership of the remaining bitcoins and where they were hidden became one of the big mysteries in the world of cryptocurrency.
On November 3, DOJ announced that a cybercriminal they named “Individual X” had hacked the Silk Road between 2012 and 2013, making off with the remaining drug money. The bitcoins had sat largely untouched in an account since 2013. A small transaction of 101 bitcoins took place late in 2015 with the now-defunct bitcoin exchange “BTC-e”. Since Ulbricht was already serving time in jail, with no access to the bitcoin keys, it was unlikely that he was the one in control of the bitcoin fortune, suggesting the work of a hacker.
The official DOJ court documents indicated that it is likely that Ulbricht knew who had stolen the bitcoins in 2012/2013 since it appears he had threatened the hacker to try to get the money returned.
At some point during the last seven years, agents from the IRS tracked down “Individual X” and demanded forfeiture of the remaining 69,370 bitcoins, which it appears Individual X agreed to on November 3.
Questions on the bitcoin fortune, the hacker and the forfeiture itself remain. No one is clear on how the IRS found the hacker, how the IRS managed to convince the hacker to forfeit $1 billion worth of bitcoins, or why the process took more than seven years. Some cryptocurrency analysts suggest that the movement of 101 bitcoins in 2015 to BTC-e may have helped the IRS, since after BTC-e went defunct, its business records may have offered account ownership information.
It is currently unclear what the US government will do with the 69,370 bitcoins. However, after the partial seizure of the Silk Road treasure in 2013, US Marshals auctioned the captured bitcoins for an estimated $48 million in 2014 and 2015.
You can read more on the seizure of the Silk Road fortune here.
Final Words
It is no secret that cybercrime pays big money to criminals engaged in illegal activities. And cryptocurrency hacks offer some of the biggest payouts.
While blockchain technologies offer tremendous benefits, such as enhanced security, reduced transactional costs and decentralization, they are not perfect. With the right incentives, information and tenacity, threat actors can and will hack cryptocurrency accounts. It is likely we’ll see these large-scale, large-payoff hacks more often.
However, there is hope. The seven-year investigation into the missing Silk Road fortune and the seizure of that fortune last week by U.S. federal agents suggest that governments and law enforcement are recognizing that they too can be the beneficiaries of long-term hacking investigations. Reports suggest that more law enforcement agencies are investing in blockchain analytical tools, and experts believe that we’re probably going to read more in the future about government seizures of ill-gotten cryptocurrencies.
Increased cryptocurrency hacking is going to require vigilance on the part of account owners. However, it is nice to see the “good guys” winning big for a change.
As always folks, security is an action. We get out what we put into it.
GuidePoint Security