{"id":11434,"date":"2018-02-09T13:11:08","date_gmt":"2018-02-09T21:11:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/09\/news-5205\/"},"modified":"2018-02-09T13:11:08","modified_gmt":"2018-02-09T21:11:08","slug":"news-5205","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/09\/news-5205\/","title":{"rendered":"Bank robbers 2.0: digital thievery and stolen cryptocoins"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Fri, 09 Feb 2018 19:57:07 +0000<\/strong><\/p>\n<p>Imagine running down the street (and away from law enforcement) with 2,000 pounds of gold bars. Or 1,450 pounds in $100 bills. With both of these physical currencies amounting to roughly US$64 million, you&#8217;d be making quite a steal&#8230;if you could get away with it.<\/p>\n<p>That&#8217;s exactly what <a href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2017\/12\/how-we-can-stop-new-mafias-digital-footprint-spreading-2018\/\" target=\"_blank\" rel=\"noopener\">the next generation of thieves\u2014bank robbers 2.0\u2014<\/a>did in December 2017, when they stole more than $60 million in Bitcoin* from the mining marketplace <a href=\"https:\/\/techcrunch.com\/2017\/12\/06\/nicehash-hack\/\" target=\"_blank\" rel=\"noopener\">NiceHash<\/a>. It turns out stealing Bitcoin is a lot less taxing on the body.<\/p>\n<h6><em>*Disclaimer: I used the value of Bitcoins as they were at the time of the robbery. Current values are volatile and change from minute to minute.<\/em><\/h6>\n<p>Crime these days has gotten a technical upgrade. By going digital, crooks are better able to pull off high-stakes sting operations, using the anonymity of the Internet as their weapon of choice. And their target? Cryptocurrency.<\/p>\n<h3>Old-school bank robbers<\/h3>\n<p>The amount of money stolen from NiceHash is comparable to arguably the biggest physical heist to date, the theft of nearly $70 million from a Brazilian bank in 2005. 
Noted in the <a href=\"http:\/\/www.guinnessworldrecords.com\/world-records\/greatest-robbery-of-a-bank\" target=\"_blank\" rel=\"noopener\">Guinness Book of World Records,<\/a>\u00a0the robbers managed to get away with 7,716 pounds of 50 Brazilian real notes. There were 25 people involved\u2014including experts in mathematics, engineering, and excavation\u2014who fronted a landscaping company near the bank, dug a\u00a078-meter (256-foot) tunnel underneath it, and\u00a0broke through 1 meter (about 3.5 feet) of steel-reinforced concrete to enter the bank vault.<\/p>\n<p>The largest\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/United_California_Bank_robbery\" target=\"_blank\" rel=\"noopener\">bank robbery in the United States<\/a>, meanwhile, was at the United California Bank in 1972. The details of this bank robbery were described by its mastermind, Amil Dinsio, in the book <em>Inside the Vault<\/em>. A gang of seven, including an alarm expert,\u00a0explosives expert, and burglary tool designer, broke into the bank&#8217;s safe deposit vault and made off with cash and valuables with an estimated value of $30 million US dollars.<\/p>\n<p>What these robberies have in common is that, in order to pull them off, there were large groups of criminals involved with various special skills. Most of the criminals of these robberies were either caught or betrayed\u2014physical theft leaves physical traces behind. Today&#8217;s physical robbers run the risk of getting hurt or hurting others, or leaving behind prints or DNA. 
And they are often tasked with moving large amounts of money or merchandise without being seen.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-21518 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/shutterstock_582226981-600x400.jpg\" alt=\"heavy loot\" width=\"600\" height=\"400\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/shutterstock_582226981-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/shutterstock_582226981-300x200.jpg 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<h3>Bank robbers 2.0<\/h3>\n<p>So here come the bank robbers 2.0. They don\u2019t have to worry about transporting stolen goods, fleeing the crime scene, digging or blowing things up. They are in no\u2014immediate\u2014physical danger. And if they\u2019re smart enough, they work alone or remain anonymous, even to their accessories. Their digital thievery has been proven successful through several methods used to obfuscate their identity, location, and criminal master plan.<\/p>\n<h4>Social engineering<\/h4>\n<p>One of the <a href=\"https:\/\/www.nytimes.com\/2015\/02\/15\/world\/bank-hackers-steal-millions-via-malware.html?_r=0\" target=\"_blank\" rel=\"noopener\">most spectacular<\/a> digital crimes targeted 100 banks and financial institutions in 30 nations with a months-long attack in 2013, reportedly netting the criminals involved over $300 million. The group responsible for this used <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/social-engineering\/\" target=\"_blank\" rel=\"noopener\">social engineering<\/a> to install malicious programs on bank employees\u2019 systems.<\/p>\n<p>The robbers were looking for employees responsible for bank transfers or ATM remote control. 
By doing so, they were able to mimic the actions required to transfer money to accounts they controlled without alerting the bank that anything unusual was going on. For example, they were able to show more money on a balance than was actually in the account. An account with $10,000 could be altered to show $100,000 so that hackers could transfer $90,000 to their own accounts without anyone noticing anything.<\/p>\n<p>The alleged group behind this attack, the Carbanak Group, have not yet been apprehended, and variants of their malware are still active in the wild.<\/p>\n<h4>Ponzi schemes<\/h4>\n<p>Bitcoin Savings &amp; Trust (BST), a large Bitcoin investment firm that was later proved to be a <a href=\"https:\/\/www.theverge.com\/2012\/8\/27\/3271637\/bitcoin-savings-trust-pyramid-scheme-shuts-down\">pyramid scheme<\/a>, offered 7 percent interest per week to investors who parked their Bitcoins there. When the virtual hedge fund shut down in 2012, most of its investors were not refunded. At the time of its closing, BST was sitting on 500,000 BTC, worth an estimated $5.6 million. Its founder, an e-currency banker who went by the pseudonym\u00a0pirateat40, only paid back a small sum to some beneficiaries before going into default. 
It was later learned that he misappropriated nearly <a href=\"https:\/\/insidebitcoins.com\/news\/trendon-shavers-bitcoin-ponzi-schemer-charged-40-million-fine\/24716\" target=\"_blank\" rel=\"noopener\">$150,000 of his clients&#8217; money<\/a> on &#8220;rent, car-related expenses, utilities, retail purchases, casinos, and meals.&#8221;<\/p>\n<h4>Hacking<\/h4>\n<p>Even though details are still unclear, the <a href=\"https:\/\/www.theregister.co.uk\/2017\/12\/06\/nicehash_diced_up_by_hackers_thousands_of_bitcoin_pilfered\/\" target=\"_blank\" rel=\"noopener\">NiceHash hack<\/a> was reported as a security breach related to the website of the popular <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/12\/how-cryptocurrency-mining-works-bitcoin-vs-monero\/\">mining<\/a> marketplace. Roughly 4,732 coins were transferred away from internal NiceHash Bitcoin addresses to a single Bitcoin address controlled by an unknown party. The hackers appear to have entered the NiceHash system using the credentials of one of the company&#8217;s engineers. As it stands now, it is unknown how they acquired those, although it&#8217;s whispered to be an inside job.<\/p>\n<h4>Stolen wallet keys<\/h4>\n<p>In September 2011, the <a href=\"http:\/\/blog.wizsec.jp\/2017\/07\/breaking-open-mtgox-1.html\" target=\"_blank\" rel=\"noopener\">MtGox hot wallet private keys were stolen<\/a>\u00a0in a case of a simple copied wallet.dat file. This gave the hacker access to not only a sizable number of Bitcoins immediately, but also the ability to redirect the incoming trickle of Bitcoins deposited to any of the addresses contained in the file. This went on for a few years until the theft was discovered in 2014. The damages by then were estimated at $450 million. 
A suspect was arrested in 2017.<\/p>\n<h4>Transaction malleability<\/h4>\n<p>When a Bitcoin transaction is made, the account sending the money digitally signs the important information, including the amount of Bitcoin being sent, who it\u2019s coming from, and where it\u2019s going. A transaction ID, a unique name for that transaction, is then generated from that information. But some of the data used to generate the transaction ID comes from the unsigned, insecure part of the transaction. As a result, it\u2019s possible to alter the transaction ID without needing the sender\u2019s permission. This vulnerability in the Bitcoin protocol became known as &#8220;transaction malleability.&#8221;<\/p>\n<p>Transaction malleability was a hot topic in 2014, as researchers saw how easily criminals could exploit it.\u00a0For example, a thief could claim that his transactions didn\u2019t show up under the expected ID (because he had edited it), and complain that the transaction had failed. The system would then automatically retry, initiating a second transaction and sending out more Bitcoins.<\/p>\n<p><a href=\"https:\/\/www.forbes.com\/sites\/andygreenberg\/2014\/02\/13\/silk-road-2-0-hacked-using-bitcoin-bug-all-its-funds-stolen\/#6b4d31b72025\" target=\"_blank\" rel=\"noopener\">Silk Road 2.0<\/a> blamed this bug for the theft of $2.6 million in Bitcoins in 2014, but it was never proven to be true.<\/p>\n<h4>Man-in-the-middle (by design)<\/h4>\n<p>In 2018, a Tor proxy was <a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/double-dipping-diverting-ransomware-bitcoin-payments-onion-domains\" target=\"_blank\" rel=\"noopener\">found stealing<\/a>\u00a0Bitcoin from both <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/ransomware\/\" target=\"_blank\" rel=\"noopener\">ransomware<\/a> authors and victims alike. 
A Tor proxy service is a website that allows users to access <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/07\/explained-dark-web\/\" target=\"_blank\" rel=\"noopener\">.onion domains<\/a> hosted on the Tor network without having to install the Tor browser. As Tor proxy servers have a <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/man-in-the-middle-mitm\/\" target=\"_blank\" rel=\"noopener\">man-in-the-middle (MitM)<\/a> function by design, the thieves were able to replace the Bitcoin address that victims were paying ransom to and insert their own. This left the ransomware authors unpaid, which in turn left the victims without their decryption key.<\/p>\n<h4>Cryptojacking<\/h4>\n<p>Also known as drive-by mining, cryptojacking is a next-generation, stealthy robbing trick that covers all mining activities completed on third-party systems without the users&#8217; consent. Stealing little amounts from many can amount to large sums. There are so many methods to achieve this that Malwarebytes&#8217; own\u00a0<a href=\"https:\/\/twitter.com\/jeromesegura\" target=\"_blank\" rel=\"noopener\">J\u00e9r\u00f4me Segura<\/a>\u00a0published a <a href=\"https:\/\/go.malwarebytes.com\/rs\/805-USG-300\/images\/Drive-by_Mining_FINAL.pdf\">whitepaper<\/a> about it.<\/p>\n<p>Unlike drive-by downloads that push malware, drive-by mining focuses on utilizing the processing power of visitors\u2019 computers to mine cryptocurrency, especially those that were designed to <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/12\/how-cryptocurrency-mining-works-bitcoin-vs-monero\/\">accommodate non-specialized processors<\/a>. Miners of this kind come to us in advertisements, <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/bundler\/\">bundlers<\/a>, browser extensions, and Trojans. 
The revenues are hard to guess, but given the number of blocks Malwarebytes records on <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/10\/why-is-malwarebytes-blocking-coinhive\/\" target=\"_blank\" rel=\"noopener\">Coinhive and similar sites<\/a> daily, criminal profit margins could be potentially record-breaking.<\/p>\n<h4>Physical stealing of digital currency<\/h4>\n<p>This last one brings us full circle, as someone actually managed to steal Bitcoins the old-fashioned way. In January 2018, three armed men attempted to\u00a0<a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/ne4pvg\/police-in-ottawa-canada-charged-a-teen-with-armed-bitcoin-robbery-are-hunting-two-suspects\" target=\"_blank\" rel=\"noopener\">rob a Bitcoin exchange<\/a>\u00a0in Canada, but failed miserably as a hidden employee managed to call the police. However, others have had more success. The Manhattan District Attorney is looking for the accomplice of a man who <a href=\"https:\/\/gizmodo.com\/man-charged-with-stealing-1-8-million-in-cryptocurrenc-1821252074\" target=\"_blank\" rel=\"noopener\">robbed his friend<\/a> of $1.8 million in Ether at gunpoint. Apparently this \u201cfriend\u201d got hold of the physical wallet and forced the victim to surrender the key needed to transfer the cryptocurrency into his own account.<\/p>\n<h3>Summary<\/h3>\n<p>As we can conclude from the examples above, there are many ways for cybercriminals to get rich quick. With far less risk of physical harm and far less hard labor, they can score larger amounts than the old-fashioned bank robbers. The only pitfall to robbing digital currency is how to turn it into fiat money without raising a lot of suspicion or losing a big chunk to launderers.<\/p>\n<p>While the diminished use of violence is reassuring, it&#8217;s still beneficial to think about how we can avoid becoming a victim. Much of it has to do with putting too much trust in the wrong people. 
We are dealing with a very young industry that doesn&#8217;t have a lot of established names. So how can you avoid getting hurt by these modern thieves? Here are a few tips:<\/p>\n<ul>\n<li>Don&#8217;t put all your eggs in one basket.<\/li>\n<li>Use common sense when deciding who to do business with. A little background check into the company and its execs never hurt anyone.<\/li>\n<li>Don&#8217;t put more money into cryptocurrencies than you can spare.<\/li>\n<\/ul>\n<h3>Additional links<\/h3>\n<ul>\n<li><a href=\"https:\/\/bitcointechtalk.com\/transaction-malleability-explained-b7e240236fc7\">Transaction Malleability Explained<\/a><\/li>\n<li><a href=\"http:\/\/time.com\/money\/5125106\/what-is-atm-jackpotting\/\">What is ATM Jackpotting<\/a><\/li>\n<\/ul>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/bank-robbers-2-0-digital-thievery-stolen-cryptocoins\/\">Bank robbers 2.0: digital thievery and stolen cryptocoins<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/bank-robbers-2-0-digital-thievery-stolen-cryptocoins\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Fri, 09 Feb 2018 19:57:07 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/bank-robbers-2-0-digital-thievery-stolen-cryptocoins\/' title='Bank robbers 2.0: digital thievery and stolen cryptocoins'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/bankrobbers.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>A new generation of thieves, bank robbers 2.0, seek to steal huge amounts of money as anonymously as they can. 
So they&#8217;ve developed a multitude of ways to pilfer cryptocurrency.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/technology\/\" rel=\"category tag\">Technology<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/bak\/\" rel=\"tag\">bak<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/coinhive\/\" rel=\"tag\">coinhive<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/crypto-currency\/\" rel=\"tag\">crypto-currency<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/jackpotting\/\" rel=\"tag\">jackpotting<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malleability\/\" rel=\"tag\">malleability<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mt-gox\/\" rel=\"tag\">Mt Gox<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/nicehash\/\" rel=\"tag\">Nicehash<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pieter-arntz\/\" rel=\"tag\">Pieter Arntz<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/robber\/\" rel=\"tag\">robber<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/bank-robbers-2-0-digital-thievery-stolen-cryptocoins\/' title='Bank robbers 2.0: digital thievery and stolen cryptocoins'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/bank-robbers-2-0-digital-thievery-stolen-cryptocoins\/\">Bank robbers 2.0: digital thievery and stolen cryptocoins<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[17479,15078,17480,4503,17481,17482,17483,16985,10523,17484,1331],"class_list":["post-11434","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-bak","tag-coinhive","tag-crypto-currency","tag-cybercrime","tag-jackpotting","tag-malleability","tag-mt-gox","tag-nicehash","tag-pieter-arntz","tag-robber","tag-technology"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11434"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11434\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11434"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}