Cryptocurrencies are a Target for Cybercriminals – The New Risks of Innovation (part 1)

 

Cryptocurrency HackerAll cryptocurrencies are a target for cybercriminals.  Anywhere there is value, criminals, fraudsters, and charlatans will soon follow.  It is the Willie Sutton principle.  Willie, a famous bank robber in the 20’s-30’s, was asked why he robbed banks.  He was quoted as saying “that’s where the money is”.  The simplicity rings true.  That same age-old principle still applies today in the digital world.

Cryptocurrencies have been targeted since the early days of Bitcoin as it gained in notoriety and power.  Popularity fuels growth and increased valuation.  Since the introduction of Bitcoin, hundreds of different cryptocurrencies have emerged.  According to coinmarketcap.com the Total Market Cap exceeds $11 billion, with Bitcoin holding a majority stake of about $9 billion dollars.  This amount of money is a strong lure for all kinds of malicious activity.

Attacks on Cryptocurrency

Although cryptocurrency architecture is designed to be secure, it is not infallible.  Once stolen, digital funds can be electronically laundered, obscured from authorities, and disappear into the electronic ecosystem with their new owners.

There have been many hacks and frauds over the past few years targeting cryptocurrencies, causing significant losses.  MtGox lost a staggering $350 million in 2014, Bitcoinica for $28 million in 2012, and in 2016 a string of incidents has already occurred, starting with Cryptsy losing $10 million, The DAO $50 million, and Bitfinex for $65 million.

Most of the big attacks thus far have focused on the technical aspects of account control and the ability to transfer funds without the owner’s consent. Some of the attacks were perpetrated by external threats, while others were inside jobs by trusted personnel.

Many people unfamiliar with cryptocurrencies ask “why don’t governments put a stop to this?”.  These systems are new and even the basic legal structures we consider the norm in our lives, have not caught up.  Separation from government oversight is largely viewed as a good thing by the community, but there are drawbacks.  Cryptocurrencies suffer from a lack of regulation to establish consistent controls, legal responsibility, and accepted business practices. In the corporate world, laws and regulations establish clear boundaries to define legal responsibility, forbid situations where conflicts of interest may arise, and establish accountability to support informed decisions by investors.  Most of the cryptocurrency enterprises operate only on a level of trust in the proprietors or the code.  Sadly, technology is fallible to exploitation, users can be rash, gullible, and manipulated by attackers, and many times owners of the systems are the very culprits behind the losses.  The right balance has yet to be struck.  Until then, criminals have a window of opportunity to run rampant, with much less risk as compared to highly regulated monetary services.

Cryptocurrency-Hacker2-400x266

Threats targeting cryptocurrencies

Most cryptocurrencies are focused on being used as a monetary instrument for decentralized asset exchange.  That is just a fancy way of saying they act as a form or money.  One which is purely digital, can easily cross borders, be concealed, and transferred seamlessly between parties.  Bitcoin and many like it, are largely anonymous.  The transactions are public, contained the open blockchain ledger, but in most cases the sender and receiver cannot be easily identified.

Attacks tend to target the control of assets via transactions.  The security of these systems are based upon Private keys, which are an identity verification system. If an attacker compromises a victim’s private key, they can control the funds of the account without recourse.  Many attacks focus on gaining access to accounts or tampering with transactions to siphon off assets, from the victim to the attacker’s accounts.

Cryptocurrencies are also widely used in criminal activities.  Ransomware extortions are largely paid in Bitcoin, as per the attackers demands. Due to the nature of these transactions, once money is transferred, it cannot be revoked.  The tracking of money to people is near impossible due to the anonymity of these systems.

Cryptocurrency-ethereum-150x150Cryptocurrencies and blockchains are being used for more than just money. Technologists and entrepreneurs are creating innovative foundational structures for use in digital services.  The decentralized nature can make the capability extremely robust. The open transparency of the transactions builds trust in the system, and coupled with a monetary element, such services can play a powerful role in business, communication, and non-transmutable record-keeping.  Powerful tools, but they also represent new opportunities for theft, fraud, and misuse.

Ethereum is a currency and public blockchain which features “smart contract” technology.  This runs programs across the widely distributed user base which maintains no central control.  Basically, code is created and then run by the masses, with no administrative oversight.  The trust is in the code.  All operations and transactions are transparent.  As long as actions do not violate the code it is allowed and therefore correct.  But there have been problems.  People are the ones who come up with the rules which the code is created to enforce.

Recently The DAO, an Ethereum Decentralized Autonomous Organization (DAO) project setup to be an investment fund where contributors would vote on what companies to fund, got into trouble.  Money was transferred from many accounts into an “attacker’s” account.  But this was done based upon the functions allowed by the code.  Many screamed theft, but others simply stated the rules were followed therefore it must stand.  It remains a mess, but one thing is clear, $50 million dollars was siphoned from users, against their desires.


In Part 2 of 2: Cryptocurrencies are a Target for Cybercriminals – Social Platforms are Next

We discuss the risks when cryptocurrencies merge with social media platforms and how attackers will gain new advantages.

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

 

Published on Categories SecurityTags , , , ,
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.