Posted on

Report: Two Israeli Brothers Arrested for Hack of Bitfinex Crypto Exchange

Two Israeli brothers have reportedly been arrested for phishing attacks and a successful hack of cryptocurrency exchange Bitfinex.

Two Israeli brothers have been arrested in connection with the hack of cryptocurrency exchange Bitfinex and other crypto-related phishing attacks, finance news outlet Finance Magnates reports on June 23.

An Israeli police spokesperson reportedly told Finance Magnates that Eli Gigi and his younger brother Assaf Gigi netted tens of millions of dollars. The two are suspected of being responsible for long-term systematic theft of cryptocurrencies by maliciously obtaining access to other users’ accounts.

The two allegedly created credential-stealing clones of major online cryptocurrency exchanges and wallets and sent links to those phishing sites on Telegram groups and other cryptocurrency-related communities. The two are also accused of being responsible for the 2016 Bitfinex hack, which saw multiple accounts being compromised.

As Cointelegraph reported at the beginning of June, the funds stolen in the attack above were recently moved.

The police noted that the alleged victims were mostly based out of the European Union and the United States, which resulted in the matter being investigated by multiple law enforcement agencies in several countries.

During the raid, the police reportedly found a cryptocurrency wallet containing significantly less than the amount the two are believed to have stolen. Finance Magnates also notes that Eli Gigi is a graduate of an elite technological unit of the Israel Defense Forces that selects young people with outstanding academic capabilities.

As Cointelegraph reported earlier this week, a recent Firefox zero-day security flaw was used in attacks against major crypto exchange and wallet service Coinbase. The flaw was purportedly merged with another zero-day flaw targeting Coinbase employees, meaning that there were two separate attacks.

While Coinbase was affected, the exchange’s security researcher Philip Martin stated that Coinbase was not the only crypto-related company targeted in the campaign and that there was no evidence of the campaign targeting exchange customers.

Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques

In 2019, centralized exchanges and individual hodlers are losing record-breaking sums of digital money to hackers and scammers.

Much of digital assets’ appeal stems from the fact that many of them are not affiliated with or controlled by governments, central banks or transnational corporations (at least, not yet). The price paid for independence from the institutions of global capitalism, though, can sometimes be extremely high, as, in the event of cryptocurrency theft, there is no one to appeal to for recourse. Further still, the irreversible nature of blockchain transactions makes it extremely difficult to get the money back once it’s gone.

The villains of the internet love cryptocurrencies for the same reasons. In the last few years, marked by the spike of popularity for digital money, hackers and scammers of all sorts have perfected the art of pilfering it from unwitting users, many of whom are newcomers to the space.

Roughly a year ago, Cointelegraph had already compiled a lengthy overview of many popular crypto-stealing tricks and tips on how to avoid falling prey to them. While the list remains relevant as ever, the time has come to revisit the subject to see if there are new threats to your crypto assets to beware of.

Aggregate dynamics

A recent report by cryptocurrency intelligence firm CipherTrace estimated losses from digital currency theft and scams in the first quarter of 2019 at $356 million, with additional fraud or misappropriated fund losses amounting to $851 million in the same period. Alarmingly, this Q1 total of $1.2 billion constituted 70% of the total losses to crypto crime in all of 2018, indicating intensified hacking activity in the first months of 2019.

Cryptocurrency Mining Malware Detections from 2014-2015, Courtesy of Several CTA Members

At the same time, a study conducted by security company Positive Technologies registers a change in the structure of attacks. The share of cryptojacking — or hidden cryptocurrency mining — in the overall volume of cyberattacks seems to be declining: Having reached a peak in early 2018, this type of criminal activity dropped to just 7% in the first quarter of 2019. The analysts noted, however, that the observed trend merely reflects the way malware previously used primarily for cryptojacking has become smarter and more versatile. If the virus recognizes that the machine it has taken over lacks processing power, it may switch to other modes of operation, such as clipboard hijacking.

Researchers at Positive Technologies predicted an increase in the overall number of attacks in the second quarter of the year. Their report pointed out malware and social engineering as attackers’ most widely used tactics and recorded the increasing prominence of ransomware attacks. These findings are further corroborated by ransomware recovery company Coveware, whose analysis revealed an 89% increase in the average ransom from the fourth quarter of 2018 to the first quarter of 2019.

Related: Round-Up of Crypto Exchange Hacks So Far in 2019 — How Can They Be Stopped?

Although perpetrators of ransomware attacks nearly always demand payment in cryptocurrency, this type of criminal activity is not specific to the crypto sphere, targeting companies from a wide range of industries. This type of intrusion entails infecting the victim’s device with a piece of code that denies the owner access to their system or data, and demanding payment to regain access. Since these attacks usually prey on fairly large corporate entities, we will move on to those that seek to part individual crypto investors from their digital funds.

Malware or social engineering?

One intuitive way to classify attacks that target users’ digital assets could be to juxtapose those that seek to find weak spots in software (say, secretly infecting a victim’s computer with an ingenious virus) and those aimed at exploiting errors in human judgement (fooling a person into handing over their wallet’s private key).

Yet, in fact, these two modes exist on a spectrum rather than on a binary scale. The most successful thefts entail some degree of participation on behalf of the victim — such as opening a phishing email, using public Wi-Fi to check a crypto wallet or willingly installing a shady app — and a piece of malicious code, whether it is a Trojan or a scam bot on Slack.

Breaking the variety of threats down according to the attack vector is perhaps a more meaningful strategy. It is also far from optimal, though, as many known viruses these days can alter their behavior according to circumstances, and are capable of both installing hidden miners and simply stealing keys as needed. The following typology is therefore highly contingent.

Clipboard hijacking

Because no one wants to manually type in long strings of random, case-sensitive alphanumeric characters, we all use the copy/paste function to enter the addresses we send our coins to. Clipboard hijackers (aka clippers) are pieces of malware that watch the clipboard for something that looks like a crypto wallet address and, when one is copied, trigger a script that replaces it with the attacker’s address. As a result, often without the victim realizing what happened, the digital currency flows straight to the thief’s pocket. Using the same technique, clippers are capable of stealing passwords and keys as well.
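An added example, not code from the article, of the pre-send check a wallet front end can run against the substitution described above: it validates the Base58Check checksum of a legacy Bitcoin address and compares the pasted address with the one the user meant to pay. Function and variable names are this example’s own; the two sample addresses are the genesis block address and the Bitcoin wiki’s example address.

```python
"""Pre-send guard against clipboard-substituted Bitcoin addresses.

Added example, not from the article. Implements Base58Check validation for
legacy Bitcoin addresses (P2PKH '1...', P2SH '3...') and a paste check a
wallet front end could run before broadcasting: the pasted address must be
well-formed AND match the address the user meant to pay.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Decode a Base58 string; raises ValueError on characters outside the alphabet."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError if ch is invalid
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # Each leading '1' encodes one leading zero byte that the integer form loses.
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


def check_destination(intended: str, pasted: str) -> str:
    """Return 'ok', 'malformed' or 'substituted'.

    A clipper swaps in an address that is itself perfectly valid, so checksum
    validation alone never catches it; the comparison against the address the
    user was shown (and meant to pay) is the part that does.
    """
    if not is_valid_legacy_address(pasted):
        return "malformed"
    if pasted != intended:
        return "substituted"
    return "ok"


# Constructed sample values: two well-known valid mainnet addresses.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
WIKI_EXAMPLE_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"

if __name__ == "__main__":
    print(check_destination(GENESIS_ADDR, GENESIS_ADDR))             # ok
    print(check_destination(GENESIS_ADDR, WIKI_EXAMPLE_ADDR))        # substituted
    print(check_destination(GENESIS_ADDR, GENESIS_ADDR[:-1] + "b"))  # malformed
```

Bech32 (bc1...) addresses use a different checksum and would need their own validator; the comparison step stays the same.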

Related: Crypto Crime Trends Evolving as Users Wise Up: Exchange Hacks, Darknet and Money Laundering

Perhaps the most sinister specimen of clipper malware uncovered so far in 2019 is the one that made it onto the Google Play Store disguised as the mobile version of MetaMask, a popular client used to access decentralized applications (DApps) from a web browser — except, there is no MetaMask version for mobile. Although it was taken down soon after discovery, the very fact that the app managed to make it past Google Play’s defenses is impressive, and it reminds us that even the authenticity of software found in major stores should not be taken for granted.

Cryptojacking
Cryptojacking, also known as hidden mining, is the covert exploitation of other users’ devices to mine cryptocurrency. Usually, a targeted computer gets infected by a Trojan that installs a miner. Victims do not get stripped of their crypto assets directly, yet the losses they sustain may be quite unpleasant, from footing enormous electricity bills to having an overloaded computer break down.

The number of detected attacks of this type exhibits a curious pattern of strong correlation with crypto prices. As the aforementioned reports suggested, the overall share of cryptojacking attacks appears to be declining this year — however, the ingenuity of their perpetrators is only growing. Some hidden mining operations may reach extraordinary scale, too: As Cointelegraph recently reported, a campaign using cryptojacking malware to mine the privacy-focused cryptocurrency turtlecoin (TRTL) was found to have infected more than 50,000 servers worldwide.

Just a few days ago, two browser extensions that secretly used their users’ central processing units (CPUs) to mine the privacy-focused cryptocurrency monero were discovered on the official Google Chrome store. Previously, such malware was found to be hiding in legitimate Adobe Flash updates and convincingly posing as Windows installation packages.

Infection Chain

Researchers from cybersecurity firm Trend Micro have uncovered a fascinating tactic employed by cryptocurrency hackers to smuggle monero miners onto Oracle enterprise servers. In order to obfuscate the malicious code, the program hides it in certificate files. This way, the miners go unnoticed by antivirus software that automatically treats certificate files as trustworthy.
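As an added illustration (not the article’s or Trend Micro’s code) of a check a defender can apply to the tactic just described, the following Python flags files that carry a CERTIFICATE PEM block whose base64 body is not a single, correctly sized DER SEQUENCE, or that carry text outside the PEM blocks. The sample PEM strings are constructed here, the DER stub stands in for a real certificate, and all names are this example’s own.

```python
"""Heuristic check for 'certificate' files whose bodies are not DER certificates."""
import base64
import binascii
import re

# One PEM block of the kind antivirus engines tend to wave through.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]*?)\s*-----END CERTIFICATE-----"
)


def der_sequence_length(data: bytes):
    """Total encoded length of the DER SEQUENCE starting at data[0], or None
    if the header is not a SEQUENCE with a minimal, definite-form length."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                        # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    content_len = int.from_bytes(data[2:2 + n], "big")
    if data[2] == 0 or content_len < 0x80:  # DER forbids non-minimal lengths
        return None
    return 2 + n + content_len


def suspicious_blocks(pem_text: str) -> list:
    """Findings for one file's text; an empty list means nothing looked off."""
    findings = []
    outside = PEM_BLOCK.sub("", pem_text).strip()
    if outside:  # some tools write subject/issuer lines here, so review rather than block
        findings.append("text outside PEM blocks: %r" % outside[:40])
    for i, m in enumerate(PEM_BLOCK.finditer(pem_text)):
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            findings.append("block %d: body is not valid base64" % i)
            continue
        # A real certificate is exactly one DER SEQUENCE spanning the whole body;
        # base64 of a script or a binary fails this test almost every time.
        if der_sequence_length(der) != len(der):
            findings.append("block %d: decoded body is not one DER SEQUENCE (%d bytes)" % (i, len(der)))
    return findings


def _pem(der: bytes) -> str:
    """Wrap bytes in a CERTIFICATE PEM block (64-column base64, as OpenSSL writes it)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed samples: a minimal DER SEQUENCE (long-form length, like every real
# certificate) standing in for a genuine certificate, and a 'certificate' that
# is really base64 of a shell script.
STUB_CERT_DER = b"\x30\x82\x01\x00" + b"\x05\x00" * 128   # SEQUENCE, 256 content bytes
GOOD_PEM = _pem(STUB_CERT_DER)
FAKE_PEM = _pem(b"#!/bin/sh\necho 'payload would go here'\n")

if __name__ == "__main__":
    print(suspicious_blocks(GOOD_PEM))   # []
    print(suspicious_blocks(FAKE_PEM))   # one finding for block 0
```

This catches the plain case of a non-DER payload inside the PEM armor; for assurance that the body is a genuine X.509 certificate, hand it to a full parser afterwards.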

Website clones

Having originated in the remote corners of the darknet, where online stores selling illicit substances have long been “cloned” by scammers seeking to trick drug users into transferring bitcoin to their accounts, the technique is alive and well as of June 2019. The latest example is the case of the crypto trading website Cryptohopper, whose malicious copy facilitated the infection of the computers of unwitting crypto traders who visited it. The victims had both mining and clipboard hijacking Trojans installed, resulting in an aggregate loss of almost $260,000.

Cryptocurrency trading platforms and exchanges appear to be the area of the crypto sphere most vulnerable to hacking attacks, as they present shortcuts to swaths of centrally stored digital assets. Sky Guo, CEO and co-founder of Cypherium, told Cointelegraph that this has to change in order for the industry to be able to cope with rising security threats:

“Security threats happen on the level of the software, the infrastructure. But our industry needs to realize that there are dangers attached to presenting something as ‘decentralized’ in order to cash in on the security advances of blockchain tech. Projects like Facebook’s Libra and some other major projects already leading in our industry still have central points of failure by virtue of their highly permissioned network structures, and they need to be more transparent about the security implications of such systems.”

Related: What Is Libra? Breaking Down Facebook’s New Digital Currency

Social engineering as a separate trend

The term “social engineering” refers to a broad scope of malicious activities whereby wrongdoers use human interactions to accomplish their goals. These attacks usually rely on less sophisticated technical solutions, seeking to exploit the victims’ lack of attention, literacy or understanding of the context in order to obtain sensitive information or extort digital assets. As more people without much technical sophistication flock into the crypto space, simple schemes that didn’t stand a chance with old-school crypto buffs might suddenly become effective.

Matthew Finestone, the director of business development at Loopring, an open-source protocol for building decentralized exchanges, observed to Cointelegraph:

“I really see attacks drawing on human inattention becoming more prevalent. It’s dangerous because newcomers to the space aren’t aware of these threats, and they often fail to realize that there is no recourse after cryptocurrency is sent, unlike traditional financial systems that can bail you out in worst case scenarios. Being careful, and learning from resources such as your article are a good starting point.”

Finestone also recalled his recent experiences with two rather simplistic social engineering schemes: one that came with an aggressive threat to release some harmful or embarrassing information if a crypto ransom was not sent to them shortly and another pretending to come from a friend or colleague asking for some coins. He concluded that both, like the majority of social engineering schemes, could be easily combated with vigilance and a healthy dose of common sense.

In fact, these universal principles apply to any type of potential attack aimed at your digital money. While a few of them are incredibly sophisticated, the majority count on the victim’s disregard of telltale signs apparent to the naked eye. It is always a good idea to double-check wallet addresses when performing transactions and to scrutinize the spelling of trading-related domains you visit. Making sure that your antivirus software is up to date is another useful habit that could save you some bitter regrets over digital money lost forever.

Report: Android Phishing Malware Impersonates Turkish Cryptocurrency Exchange

New Android malware sidesteps Google’s SMS permissions restrictions to get hold of two-factor authentication codes received via SMS.

ESET, the cybersecurity company behind the major antivirus software NOD32, reported on June 17 that new Android malware sidesteps Google’s SMS permissions restrictions to get hold of two-factor authentication (2FA) codes received via SMS.

Per the report, some malicious apps are capable of accessing one-time passwords (OTPs) sent to users via SMS by circumventing the restrictions recently implemented by Google. Furthermore, the same technique reportedly also allows for accessing email-based codes.

According to the author, the apps in question impersonate Turkish cryptocurrency exchange BtcTurk and phish for login details to the service. Per the report, “instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device’s display.” The app also takes measures to prevent the user from noticing the ongoing attack:

“Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening.”

The first app to act as such was uploaded onto Google’s Play Store on June 7 under the name BTCTurk Pro Beta by the developer account BTCTurk Pro Beta and had been installed by over 50 users before ESET allegedly reported it to Google. After this first instance, another two versions of the app were uploaded and then subsequently removed from the store.

As Cointelegraph reported earlier this month, peer-to-peer (P2P) cryptocurrency exchange BitMEX has reported an influx of attacks on user account credentials. In a message to clients, the exchange stressed the importance of proper security measures.

Also in June, cybersecurity researchers found a Trojan-spreading website masquerading as that of Cryptohopper, a site where users can program tools for automated cryptocurrency trading.

US Blockchain Investor Terpin Awarded Over $75 Million in SIM Swapping Case

United States-based investor Michael Terpin won $75.8 million in a civil case against 21-year-old Nicholas Truglia, who allegedly defrauded him of crypto assets.

United States blockchain and crypto investor Michael Terpin has won $75.8 million in a civil case against 21-year-old Nicholas Truglia, who reportedly defrauded him of crypto assets. Reuters reported the news on May 10.

Per the report, the California Superior Court last week ordered Manhattan resident Truglia to pay the amount above in compensatory and punitive damages. The amount is reportedly one of the largest court judgments awarded to an individual in the crypto space thus far, Reuters notes.

As previously reported, Terpin filed the complaint against Truglia in particular in late December, after first filing a lawsuit against AT&T last August. Terpin accused the firm of negligence that allegedly allowed the suspect to gain control over Terpin’s phone number and steal almost $24 million worth of crypto.

Truglia and other participants allegedly took control of Terpin’s tokens by transferring his phone number to a device under their control, resetting passwords and accessing his online accounts. Truglia was reportedly arrested in November for stealing $1 million in crypto, also via SIM swapping.

As Cointelegraph reported yesterday, the U.S. Department of Justice released a fifteen-count indictment on May 9 that charges a hacking group labeled “The Community” with SIM swapping in order to steal cryptocurrencies.

German Police Seize Six Figures in Crypto From Suspects Involved in Dark Web Site

The Wall Street Market, the world’s second largest dark web market, was shut down with six figures in crypto seized by police.

German police, along with Europol, have shut down servers of a dark web marketplace and seized six figures in crypto from the arrested suspects, Europol announced on May 3.

The Wall Street Market, reportedly the world’s second-largest dark web market, has been shut down by the German Federal Criminal Police under the authority of the German Public Prosecutor’s office.

According to the report, German authorities arrested three suspects and seized over 550,000 euros ($615,000) in cash, along with bitcoin (BTC) and monero (XMR) in six-figure amounts (actual value unspecified), as well as several cars, computers, hard drives and other items.

Europol noted that the Wall Street Market had more than 1.15 million registered users, with 5,400 of them registered as sellers of drugs, stolen data, fake documents and malicious software.

In the same announcement, Europol also officially confirmed that Finnish Customs had staged a takedown of dark web marketplace Valhalla, also known as Silkkitie. According to Helsinki Times, the authorities have also made a “significant bitcoin seizure” from the website, which had been operating on the anonymous Tor network since 2013.

In other crime news, two men recently pleaded guilty in the United States to illicitly selling steroids and controlled substances and laundering millions of dollars in cryptocurrencies and Western Union payments.

As well, in early April a court in Toronto ordered an online drug dealer to pay his entire $1.4 million bitcoin holdings to the state in what is reportedly Canada’s largest ever forfeiture.

Consumer-Targeted Cryptojacking Is ‘Essentially Extinct’: Research

Illicit “cryptomining against consumers is essentially extinct,” declares a report released by cybersecurity company MalwareBytes.

Illicit crypto mining — or cryptojacking — against consumers “is essentially extinct,” declares a report released by cybersecurity company MalwareBytes on April 23.

Per the report, after in-browser mining service CoinHive shut down in early March — when the team claimed that the project had become economically unviable — cryptojacking against consumers has sharply decreased. At the same time, the number of such attacks targeting businesses increased from the last quarter.

Furthermore, MalwareBytes also notes that bitcoin (BTC) holders who use Electrum wallets on a Mac have lost over $2.3 million in stolen coins to a Trojanized version of the wallet in Q1 this year.

Cryptojacking is the use of a computing device for mining cryptocurrency without the knowledge of the device’s owner. Common effects experienced by users are slowdown, more heat generation and shorter battery life. The cryptocurrency seemingly preferred for such attacks is the privacy-centric coin monero (XMR), thanks to the ability to mine it on lower-tier hardware.

As Cointelegraph reported in May last year, a researcher claimed at the time that the Coinhive crypto mining script had been detected on more than 300 government and university websites worldwide.

Earlier this week, United States-based cybersecurity firm Symantec found a spike in new crypto mining malware that mainly targets enterprises.

Microsoft Korea: Country Faces Growing Threat From Stealth Crypto Mining Attacks

Microsoft Korea has said the country is facing an increase in cryptojacking incidents, according to its new report.

Microsoft Korea has claimed the country is facing an increase in cryptojacking incidents, according to a report from local English-language daily The Korea Times, published on April 22.

The findings were announced by Microsoft security program manager Kim Gwi-ryun during a press conference in Seoul today, which accompanied the release of the annual Microsoft Security Intelligence Report.

As previously reported, cryptojacking is the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

According to The Korea Times, South Korea’s cryptocurrency mining incident rate in 2018 was 0.05% — reportedly 58% lower than the world average.

Nonetheless, Kim Gwi-ryun isolated the malicious practice from among other cybersecurity attack vectors detected in the country — such as supply chain malware and phishing attempts. The representative noted that Microsoft has detected market correlations in the fluctuating prevalence of cryptojacking, stating that:

“We have noticed that as the value of cryptocurrency rises and falls, so does the mining encounter rate.”

As the report notes, stealth cryptojacking is difficult to detect and largely manifests itself in compromised system performance due to the intensive drain on processing power that crypto mining presents.

As Cointelegraph has reported, cryptojacking was cited in a recent criminal conviction of two Romanian alleged cybercriminals, who had been tracked in a joint investigation by the United States Federal Bureau of Investigation and the Romanian National Police.

A March 2019 report from AT&T Cybersecurity revealed that cryptojacking was one of the most prevalent objectives of hackers targeting businesses’ cloud infrastructures, despite the crypto bear market.

That same month, reports surfaced of a new strain of Trojan malware for Android phones. The malware reportedly targets worldwide users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet, as well as banks including JPMorgan, Wells Fargo and Bank of America.

Man Accused of Stealing Over $9 Million Worth of Dash Indicted in Israel

An indictment has been filed against Afek Zard in Israel over the alleged theft of 74,990.74 Dash from his roommate.

An indictment has been filed against Afek Zard in Israel over the alleged theft of 74,990.74 Dash (over $9 million) from his roommate, local media News1 reports on April 18.

According to CoinMarketCap data, the amount of coins stolen is equivalent to over 0.85% of the total circulating supply of Dash. News1 states that the alleged victim, Alexei Yaromenko, was an early cryptocurrency investor who had been accumulating crypto assets since 2013.

Yaromenko reportedly taught Zard about cryptocurrencies and trading them before the theft allegedly took place. Per the indictment document filed by attorney Giora Hazan, Zard was in possession of a key to Yaromenko’s apartment and had access to the residence in Yaromenko’s absence.

Per the report, the coins were present in Yaromenko’s wallet until March 1, when Dash was worth $82.5 per unit. The prosecutors claim that at the beginning of the month, the defendant used the alleged victim’s computer to steal the credentials to the crypto wallets.

At this point, Zard reportedly stole the contents of Yaromenko’s wallets — either himself or with the help of unspecified others — and sent them to four of his own wallets. Lastly, the report specifies that Zard is accused of theft in aggravated circumstances, money laundering and penetration of a computer to commit an offense.

As Cointelegraph recently reported, the Manhattan district attorney has indicted a group of individuals for allegedly selling drugs and laundering millions of dollars with bitcoin (BTC).

Also, at the beginning of the current month, a 33-year-old Danish man was sentenced to four years and three months in jail for laundering over $450,000 in bitcoin.

Android Malware Targets Users of 32 Crypto Apps, Including Coinbase, BitPay

A new strain of Trojan malware for Android phones is targeting global users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet.

A new strain of Trojan malware for Android phones is targeting global users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet, as well as banks including JPMorgan, Wells Fargo, and Bank of America. The news was reported by technology news outlet The Next Web on March 28.

Based on research from prominent cybercrime analytics firm Group-IB, this is reportedly the first time the Trojan — now named “Gustuff” — has been reported or analyzed. The malware is described as being designed for mass infection and is spread by SMS messages with links to load malicious Android Package Kit (APK) files.

The malware’s creators have reportedly created “Automatic Transfer Systems” that aim to expedite and scale the thefts by triggering autofills of payment fields for legitimate Android apps to maliciously reroute transfers to the hackers.

The app is purported to issue a host of “web fakes” that mimic legitimate apps to phish for sensitive data from users — specifically targeting customers of as many as 32 different crypto apps. Push notifications using legitimate icons are a further device the malware uses to automate downloads of fake apps and trigger transaction autofills.

Group-IB reportedly identified 27 fake crypto and banking apps specific to the United States, 16 for Poland, 10 for Australia, nine for Germany and nine for India. The malware also targets payment systems and messenger services such as PayPal, Revolut, Western Union, eBay, Walmart, Skype and WhatsApp.

In order to function, Gustuff reportedly exploits Android’s accessibility features designed for disabled users, with Group-IB characterizing this as a relatively rare and effective trick:

“Using the Accessibility Service mechanism means that the Trojan is able to bypass […] changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.”

Group-IB notes that Gustuff, reportedly first traced to hacker forums in April 2018, was designed by a Russian-speaking cybercriminal nicknamed “Bestoffer,” yet targets customers of international firms primarily outside of Russia.

Android users are advised by Group-IB to download apps strictly from the Google Play store and to pay attention to the extensions of downloaded files.

As reported in February, decentralized app MetaMask was recently pulled from Google Play after researchers detected malware impersonating the tool to steal crypto from users.

Report: Malware Targets Israeli Fintech Firms Working in Crypto, Forex Trading

According to a cybersecurity company, Israeli fintech companies are being targeted by malware.

Israeli fintech companies that work with forex and crypto trading are being targeted by malware, according to a blog post from threat research department Unit 42 of cybersecurity company Palo Alto Networks published on March 19.

Per the report, Unit 42 first encountered an older version of the malware in question, Cardinal RAT, in 2017. Since April 2017, Cardinal RAT has been identified when examining attacks against two Israel-based fintech companies engaged in developing forex and crypto trading software. The software is a Remote Access Trojan (RAT), which allows the attacker to remotely take control of the system.

The updates applied to the malware aim to evade detection and hinder its analysis. After explaining the obfuscation techniques employed by the malware, the researchers explain that the payload itself does not vary significantly compared to the original in terms of modus operandi or capabilities.

The software collects victim data, updates its settings, acts as a reverse proxy, executes commands and uninstalls itself. It can also recover passwords, download and execute files, log keypresses, capture screenshots, update itself and clean cookies from browsers. Unit 42 notes that it witnessed attacks employing this malware targeting fintech firms engaged in forex and crypto trading, primarily based in Israel.

The report further claims that the threat research team discovered a possible correlation between Cardinal RAT and a JavaScript-based malware dubbed EVILNUM, which is used in attacks against similar organizations. When looking at files submitted by the same customer in a similar timeframe to the Cardinal RAT samples, Unit 42 reportedly also identified EVILNUM instances.

The post further notes that this malware also seems to be used only in attacks against fintech organizations. When researching the data, the company claims to have found another case where an organization submitted both EVILNUM and Cardinal RAT on the same day, which is particularly noteworthy since both malware families are rare.

EVILNUM is reportedly capable of establishing persistence on the system, running arbitrary commands, downloading additional files and taking screenshots.

As Cointelegraph recently reported, a Google Chrome browser extension tricking users into participating in a fake airdrop from cryptocurrency exchange Huobi claimed over 200 victims.

Also, a report noted last week that cybercriminals are reportedly favoring unhurried approaches in attacks made for financial gains, with cryptojacking as a prime example of this shift.