Updated: Dec 28, 2022
As the price of cryptocurrencies has skyrocketed over the last few years, the theft of cryptocurrencies has soared right along with it. It appears that hackers have decided it is much easier and more lucrative to steal cryptocurrencies than traditional, government-issued fiat currencies ($, pounds, Euros, etc.), and that the possible consequences are more remote or even negligible.
We at Hackers-Arise have seen a concomitant rise in our Digital Forensic Investigation requests regarding the theft of cryptocurrencies as the price of these currencies has risen. We have had a burgeoning backlog of cases requesting help investigating and recovering stolen cryptocurrencies and we would like to share some of our insights here.
Major CryptoCurrency Thefts in Recent Years
As the value of cryptocurrencies has soared while the law enforcement threat remains crippled or non-existent, the theft of cryptocurrencies has become one of the prime targets of hackers in recent years. Some of these thefts are so large as to boggle the mind. If these thefts had happened with traditional government fiat currencies, they would be front page news in every newspaper in the world. They would be making movies about them, and every law enforcement agency would be chasing its tail to deliver the thieves to justice. Instead, these thefts are footnotes in financial and information security blogs, and law enforcement simply shrugs its shoulders, except in the largest and most egregious cases; even among those, most cases are left unsolved.
The following are just a sampling of some of the largest cryptocurrency thefts in recent years. Millions of people have lost the contents of their wallets in this same time, and it does not even raise a blip on the cryptocurrency crime radar.
Silk Road is probably the most famous of the dark web marketplaces. It was famous for offering drugs, weapons, documents and just about anything you can imagine, for a price. When the FBI took down Silk Road in 2014, they seized nearly 30,000 bitcoins from the site and another 144,000 that belonged to Silk Road founder Dread Pirate Roberts, aka Ross Ulbricht. This amounts to about $1.7B at today's exchange rate. It should also be noted that two of the Secret Service agents involved in the Silk Road raid, Shaun Bridges and Carl Force, personally stole over $16m worth of bitcoin. They were both prosecuted and are now serving prison time.
Probably the most famous cryptocurrency heist was Mt. Gox. This Japan-based cryptocurrency exchange was the world's largest (handling nearly 70% of the world's bitcoin transactions) when it went down in 2014. Although the details are a bit fuzzy, it appears that hackers were able to use one user's account to hack into Mt. Gox's exchange and make off with over 850,000 bitcoin. At today's exchange rate, that amounts to about $8.5B! Not a bad take for a day's work. The thief has never been apprehended, but their IP address has been traced to Hong Kong.
Tokyo-based cryptocurrency exchange Coincheck had 500m NEM stolen by hackers just this past January, 2018. This hack supplanted Mt. Gox as the largest cryptocurrency heist in history--so far. Hackers apparently breached Coincheck's servers and removed currencies from Coincheck's online, hot wallets.
How Do Hackers Steal Your Cryptocurrencies?
From our experience investigating these cases and from reports from others within our industry, we can now report on the primary ways that hackers are stealing cryptocurrencies.
Copying the keys
Ownership of bitcoin and the other cryptocurrencies is basically just a private cryptographic key that unlocks a specific address holding the coins. The private key is just a long string of numbers and letters that you have probably seen on multiple web sites, emails and social media sites. This key is often stored on the user's phone, hard drive or an online service.
If the hackers can gain access to that string, they can send the cryptocurrencies to their own or others' wallets. From our experience, the most common cryptocurrency thefts are taking place at online services that store both the string and the currencies. These act very similarly to online banking services. If the hacker can gain access to your username and password at those services, such as Coinbase and others, they can often access your account directly and send out bitcoins or other currency. The hack is little more than a username and password hack.
To make these systems more secure, many of these online services have two-factor authentication (2FA), where an email or SMS message (a One Time Password, or OTP) is sent to confirm authentication. Unfortunately, SS7 attacks are common and the attacker can intercept this message (see our upcoming tutorial on SS7 attacks). In addition, many of these online services also check authentication by IP address. When they detect that someone is trying to access the account from a new IP address, they send an email or SMS message to confirm. Once again, if the hacker has access to the user's email password or can intercept the confirming SMS message, this form of authentication breaks down.
Many people who have had cryptocurrency accounts for more than just a few years can have substantial wealth in these accounts. For instance, someone who had just 100 BTC in 2011 saw that wealth grow to $1.9 million just this past December. It would not take long for hackers to accumulate significant wealth by hacking just a few of these accounts.
Like other Trojans, cryptocurrency Trojans find their way onto computers masquerading as an innocuous program or file. From there, they are able to monitor all your activities. Many of the cryptocurrency Trojans simply watch your Internet traffic and, when you try to make a transfer to another crypto account to purchase a product or service, replace the intended account number with their own. In this way, your transfer doesn't go to the intended account, but rather to the hacker's account.
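The address substitution described above survives a casual glance because the attacker's address is itself a well-formed address. As an added example (not Hackers-Arise code), the Python below decodes Base58Check, the format of legacy Bitcoin addresses, so a wallet front end can reject a corrupted address and, more importantly, hold any valid address that is not on the owner's own payee allowlist; the 20-byte payloads and the allowlist are constructed for the demonstration.

```python
import hashlib
from typing import Optional

# Base58 alphabet used by legacy (P2PKH) Bitcoin addresses.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(data: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as Base58Check specifies."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def base58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload + checksum; leading zero bytes become '1'."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits

def base58check_decode(addr: str) -> Optional[bytes]:
    """Return version+payload if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:                      # character outside the alphabet
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]

def is_valid_address(addr: str) -> bool:
    return base58check_decode(addr) is not None

def check_destination(addr: str, allowlist: set) -> str:
    """Policy a wallet front end can apply before signing a transfer."""
    if not is_valid_address(addr):
        return "REJECT: malformed or corrupted address"
    if addr not in allowlist:
        # A swapped-in attacker address passes the checksum; only a
        # known-payee list (confirmed out of band) catches the substitution.
        return "HOLD: valid address but not a known payee; confirm out of band"
    return "OK"
```

The checksum catches transcription errors only; the HOLD branch is what defeats a Trojan that swaps in a syntactically perfect address.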
Hacking the Bitcoin Miners
Thousands of Bitcoin and other cryptocurrency miners are operating 24 hours a day generating bitcoin. Many of these miners are unsecured or minimally secured, as the people setting them up are relatively unaware of IT security. Hackers have been compromising these miners and re-directing their output to their own wallets instead of the wallets of the owners.
As mentioned above, many of the cryptocurrency trading sites rely upon two-factor authentication (2FA). To hack these accounts, the hacker only needs the user's username (usually an email address) and password. Then, if the user has 2FA enabled, the trading platform sends a request via email or SMS to confirm. As the hackers already have the email address and password, they need only hijack the SMS. This can be done by hijacking SS7 signaling.
The Internet is rife with stories of hackers compromising systems, collecting them into a botnet and using them to mine bitcoin. These hackers are using your computer and resources to mine (generate) bitcoin and other cryptocurrencies. These botnets generate millions of dollars worth of cryptocurrency daily. Other hackers have then attacked the command and control centers of these botnets--usually through IRC--to re-direct their output to their own wallets.
Spoofing Tech Support
We have recently encountered a number of cases where hackers/scammers have spoofed the tech support of exchanges. When a user asks questions on social media, the scammers respond. Equipped with a web server that mimics the trading exchange's website exactly, they ask the user to enter their address and credentials. Trusting victims do so, and before they know it, the scammers have transferred all their bitcoin or other currencies to the scammers' accounts and the victim is left with nothing but regrets.
Project Internal Flaws
Unlike the commercial software used in so many industries, the software running on the servers of the exchanges and botnets is usually home grown. This means that its security has not gone through the rigorous security validation that typical commercial software has gone through (and we know that even after those rigorous tests, many still have glaring flaws). As a result, these cryptocurrency systems often have easily exploitable vulnerabilities in their internal systems. These types of internal flaws likely played a role in both the Mt. Gox and Coincheck hacks.
Like nearly all hacks, there is an element of social engineering to the theft of cryptocurrencies. Many of the cryptocurrency theft investigations we have worked on are the result of phishing attacks where the victim clicks on a seemingly legitimate link or document. The hacker then takes control of the target's computer by implanting a rootkit and gains access to the target's wallet or account at one of the cryptocurrency exchanges. From there, they simply transfer the cryptocurrency to their own or their colleagues' wallets.
These are just a few of the ways that hackers are stealing bitcoin and other cryptocurrencies, and we expect new and innovative ways to arise in the coming months and years. We will follow up with additional articles on both the exact techniques and any new techniques as we find them.