‘It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness...’. The last two years have been a roller coaster ride for those in the blockchain. People have raised millions of pounds through crowdsourcing initial coin offerings (ICO’s) to fund their ideas. Some building upon ‘castles in the sand’, whilst others crystallising their ideas into sustainable and robust business models.
According to Statis Group, 80% of ICO’s in 2017 constituted a scam. Cipher Trace reported in a recent survey that $1.7 billion was stolen or scammed in 2018 alone from crypto currency exchanges, infrastructure and investors. This tale is not about those who stole the crypto currency funds and rode into the sunset. It is about victims of cyber crime who were trying to run a legitimate business, but who got burnt in this fast-paced emerging technological world, aptly termed the wild west.
This is a tale of two organisations who became unknowing victims of a well organised cryptocurrency cybercrime. The primary organisation experienced a significant loss of funds raised from their ICO. They commissioned a third party to transfer cryptocurrency into fiat currency.
As with many cyber attacks, the story begins with a frantic call over the weekend. The mission: to gather facts for an event where trust levels on all sides were low. An independent perspective was required to unravel the what, how, who, when and where of the heist. This account of events has additions and omissions to protect the innocent and guilty.
Cryptocurrency crime and cyber security - the perfect blend
The intersection of cryptocurrency and cybersecurity has a fascinating history. Crypto currencies offer great advantages for cyber criminals as a means to realise the fruits of their labour. This is due to their perceived anonymity (similar to cash); highly distributed nature and a lack of jurisdictional control.
The bad guys also like crypto currencies because of the ease by which they can be transferred once sufficient unauthorised access has been obtained to a target’s wallet and / or credentials. Unfortunately for victims of cryptocurrency theft, the consumer has a lot less protection than those whose credit card or internet banking credentials have been compromised.
In the early years, cybercrime exploited cryptocurrencies as a payment mechanism for blackmail and ransomware attacks. Such attacks, once successful, require the victim to pay a fee that will allegedly take the blackmail threat away or enable victims to recover their files that have been locked down by ransomware.
However, paradoxically, cyber criminals also experienced challenges receiving payments, just like legitimate users, due to the complexity involved in accessing crypto currencies. Many ransomware victims simply had a hard time obtaining cryptocurrencies therefore criminals left a lot of potential gains on the table - victims were unable to pay even if they wanted to.
Blackmail and ransomware attacks were therefore hard work and relied heavily on the victim’s ability to pay and respond to these attacks in a timely manner. Therefore, other avenues were pursued. Instead of getting paid in cryptocurrency, cyber criminals decided to create their own digital currencies. This led to a wave of attacks known as crypto jacking - victims’ computers were covertly pressganged into doing the CPU intensive maths necessary to discover new Bitcoins, for example.
A popular crypto currency for crypto jacking is Monero which adds additional data privacy measures to its blockchain for anonymity and traceability purposes.
Still more astute attackers took advantage of the miners themselves and simply stole the digital money from the miners once the coins had been created - rather than mining the coins themselves. As adoption of cryptocurrency in the mainstream continued, the wave of attacks moved on to targeting aggregated online wallet providers and exchanges (analogous to watering hole attacks). Here, attackers were able to steal coins collected by these organisations on behalf of their clients.
Sadly, for the criminals, they didn’t have it all their own way. They had three hurdles to overcome: Traceability, cashing out and anonymity.
Attacking the blockchain - theory and reality
Blockchain technologies are still relatively new. Despite their perceived security, there are various ways these systems can be attacked. Yes, the transactions stored on the blockchain are secured by strong cryptographic principles. However, learning from previous experience, the implementation of any computing system - whether hardware or software - can create vulnerabilities. Therefore, key blockchain components such as the infrastructure and eco-system may still be exploited.
Successful attacks have focussed on:
- Manipulating data before it gets codified in the blockchain
- Targeting user access (private key compromises) for those who access the chain
- Exploiting software vulnerabilities within the blockchain’s logic (smart contract vulnerabilities)
- Compromising interfaces / intermediaries that sit between the internet and the blockchain.
Criminal case study
Once cryptocurrency funds are raised, many ICO organisations face an unexpected liquidity challenge. Whilst some staff and providers are happy to receive cryptocurrency, most still want their pay cheques in fiat currency. Crypto funds need to be converted into cash, bringing its own set of risks.
In our story, management contracted with a trusted agent, who had been vetted by a regulatory body for ordinary payments and could carry out a fund transfer at a favourable rate. Their decision was constrained by choosing from a limited number of legitimate payment providers in an unregulated environment.
Funds, running into millions of Euros were transferred to the agent who used a well known global crypto currency exchange for the conversion. Unfortunately, the funds never made it to the end destination and were illegally re-directed to an unknown source - yet to be recovered.
When cryptocurrency funds are moved, users experience inherent delays in the blockchain and also within the banking system. Large movements attract attention and may get caught up, blocked or reversed. Transfers may flow through multiple systems only to surface hours or days after their origination, lengthening the window for identifying problems and increasing the risk that funds may be stolen whilst in transit. It took two days to realise that a successful attack had taken place giving criminals plenty of time to execute their crypto heist and clean up effectively.
The investigation captured evidence through interviews with key witnesses and forensic analysis of computers. The team required a combined skillset of digital forensics, cybersecurity and cryptocurrencies. They captured and analysed evidence so that the results could unlock uncertainty in the case and be presented in a court of law.
Evidence collection for ISPs, email providers and cryptocurrency exchanges proved challenging. These parties did not want to engage with victims or investigators. One ISP would not engage with the investigation at all and unhelpfully, did not retain their logs for a sufficient period.
Counter intuitively, they notified the account holder of a suspicious IP address identified in the attack - thereby tipping off potential perpetrators and losing critical evidence. It was only through co-operation and collaboration with law enforcement that further information was ultimately obtained for all parties - regrettably a few months after the attack was reported.
Interviews unravelled a chain of events where poor security practices were discovered. Several vulnerabilities were exploited on modern technology. Some were cutting edge, while others could have been easily avoided by leveraging basic good security hygiene.
Gaining a foothold
The attack’s planning phase took place a month prior to the decision to transfer the funds. The agent was targeted as part of a wider campaign, compromising companies in the cryptocurrency space. A spear-phishing email campaign was launched, which coincidently, stopped the moment a file-less malware payload was successfully uploaded and installed on the agent’s primary workstation - a fully patched Windows 10 computer.
File-less malware (using the Empire power shell framework) has become increasingly popular. It does not leave any trail on the file system, making it harder to detect by traditional anti-virus and investigate, often executing Windows native commands.
The malware was launched after a user opened a word document or excel worksheet containing a macro or viewed a trojanised pdf file in a vulnerable reader. Using unauthorised powershell commands, the malware downloaded further malware retrieved from a remote website protected by ‘bullet hosting services’ - historically difficult to take down by law enforcement.
Following the phishing phase, the attackers gained remote access to the workstation. They had roughly two weeks’ of reconnaissance to capture workstation, email and cryptocurrency exchange passwords (stored in memory of a password manager). They read emails, changed email filters and modified firewall rules.
The attackers also bypassed two-factor authentication mechanisms by temporarily disabling them and created a set of customised email filtering rules to hide specific exchange email communications. With knowledge of cryptocurrency funds coming into the agent’s account and information about the agent’s cryptocurrency exchange, the next attack wave was finalised.
In order to release ICO funds to the agent, the organisation used a multi-signature wallet that required eight signatures from their management team. Conversely, the agent receiving the funds, relied on a single software key for protection.
Crypto funds extraction
The cryptocurrency attack was over within 40 minutes. It was seamlessly executed once all the pieces were in place: the agent’s crypto exchange account credentials; agent’s outsourced business email credentials and the logical access of the agent’s computer used when interacting with the exchange.
In the early hours of the morning, unauthorised logins were made to the crypto exchange, from the agent’s workstation and another device configured to appear like the workstation. Remote access to the workstation and remote logins to the exchange were launched from IP’s hidden behind internet proxies and VPN services. These obfuscated the original source IP addresses the attackers were using for their attack. This is where full co-operation from the ISP would have been valuable.
A request was made to create a new cryptocurrency wallet within the exchange. This is analogous to setting up a new payee in internet banking. Within seconds, the request was approved via email. All email warnings and correspondence from the exchange were filtered out of the mailbox following specific email rules set up beforehand, drawing any attention away from the agent monitoring their emails.
Once the new wallet was approved by the attackers, requests were made to transfer funds from the agent’s exchange account address into the newly created wallet in chunks. These funds were then moved within minutes to another wallet known to be linked to other cryptocurrency thefts.
A clean-up exercise then took place to meticulously hide the activity trail securely deleting files, clearing audit logs, registry entries and exchange wallets.
Looking back and forward
As the picture of how the attack took place became clearer, our attention moved onto the blockchain. We hoped to follow the trail of stolen funds. It was clear that the agent was also a victim in this crime, although still accountable for some serious security control failures.
Unlike cash movements and even banking transactions, every transaction on the blockchain - including fraudulent ones - are publicly available. This makes it hard for the fraudsters to simply run away with the funds.
At first glance, this should help the investigation because of the visibility of where the funds were at any point in time. However, whilst the location of funds could be tracked, attributing them to owners of the wallets and addresses in the real world was a much harder task - as we were about to find out.
If we were living in a more mature, governed and centralised world like the traditional banking world, blocking illicit funds, marking fraudulent wallets and sharing information within a controlled ecosystem would have been trivial. Not to say this is perfect in the banking system - just look at the proliferation of business email compromises in 2018. However, in an unregulated and decentralised world, this becomes extremely hard despite the willingness of parties involved (mostly more ‘regulated’ exchanges) to assist with the hunt for the funds.
Tracks covered and truths untold
Leveraging relationships with law enforcement was critical here to influence foreign exchanges to co-operate. Another challenge is a jurisdictional one and how to recover funds off the blockchain.
Due to its distributed nature, smart contract code, which is often used as part of the funnelling of funds from one place to another, is executed on nodes all over the blockchain. This makes it almost impossible to attribute any code or wallets involved in processing illicit funds to a specific region or jurisdiction. Seizing or blocking funds is also a challenge given the anonymity attributed to wallets and because it is unclear which jurisdiction these wallets reside in. Unlocking such funds would rely on keys to these wallets being obtained from their owners.
As the tracing of the funds continued using blockchain explorers, it became clear that those involved in this heist, whilst patient in moving the funds, were aware that their activities could be traced. We observed some fascinating and non-random patterns of funds moving with different quantities into a variety of wallets, exchanges, tumblers, mixers and foggers making it very difficult to trace.
Funds going into these systems are like wormholes, consuming funds on one side of the blockchain universe and appearing elsewhere. These services are very useful for those trying to hide their transactions. Funds go into these systems from one wallet and then get sprayed out in almost non-random sequences to a variety of other wallets which then magically appear to consolidate somewhere else on the blockchain, away from prying eyes.
To further complicate matters, movements of funds were also made into different cryptocurrencies each with their own blockchains requiring tracking and tracing. As technology is still evolving in this area, fraudsters still maintain the upper hand. However, this window of technical capability is shortening and unlike audit logs / trails on traditional systems, the flow of illegal funds on blockchains is recorded in perpetuity and very hard to erase or tamper with.
To cash out their winnings into real money, fraudsters will need to use exchanges and these are increasingly improving on their anti-money laundering (AML). This is where these criminals may ultimately get caught out. However, some of these funds may reside in dormant anonymous wallets for years before being re-activated. Due to fluctuations in cryptocurrency prices, these illicit funds may either diminish or explode in value depending on which way the cryptocurrency market develops in future.
There were also several missed opportunities to identify and respond to red flags in this case. Each were missed by both the exchange and agent as the attacks unfolded. The use of multi-signature wallets to secure crypto assets; two-factor authentication with multi-step authentication (different passwords for different transactions) on the exchange, enabled by default, would have made it harder to allow unauthorised transactions to take place and could have significantly reduced the impact of the fraud.
Moreover, a lack of monitoring had its part to play. Nobody saw activities taking place at unusual times of the day from unusual devices, large transfers being allowed to move into newly created wallets and large transfers moving into wallet addresses linked to other frauds. These should have all been picked up as anomalies and intercepted before the fraud took place.
As movements took place on the blockchain it would also have been helpful within the ecosystem to be able to publish a centralised list to mark dark wallets and warn others of these for future attacks and block future fund transfers further downstream. As the industry matures, each of these will become more common practice.
The book on investigating crypto currency fraud is still being written, but there are several lessons key parties, including exchanges, law enforcement and ICO start-ups can learn to mitigate and reduce the impact of these attacks taking place. It is only through the co-operation of parties within the eco-system that the impact of cyber crime can be reduced. Whilst regulation can be a double-edged sword, in the ‘Wild West’, developing governance and guidance is required and would be welcomed for most market participants.
To date no-one has taken accountability for the fraud that took place and the associated funds continue to make their way round the blockchain universe - this fraud is part of a wider fraud involving other companies. Hopefully, one day these funds will relocate somewhere in a part of the universe that has the foresight and ability to lock them down before they spread further and can be returned to their rightful owners.
ITNOW would like to thank Dalim Basu and the BCS North London Branch for helping to facilitate this article, which is based on a talk given recently by the author to BCS members.