November has been a rollercoaster month for the crypto landscape after we witnessed FTX, one of the largest exchanges, collapse, unleashing all hell onto the cryptocurrency community. However, while this has held the focus, amongst this noise there have been some innovative threats to the sector questioning the importance of anonymity, communication and security testing. This month we also saw a steady growth in the number of cryptocurrencies tracked by coinmarketcap.com, reaching a new total of 21,888, an increase of 298 tokens since the end of October.
In this report, we will discuss some of the most impactful threats to the cryptocurrency space that occurred in November.
Deribit Exchange hacked for $28 million
Deribit is the world’s largest Bitcoin and Ethereum Options exchange. It works by enabling investors to speculate on future prices of both currencies. The exchange suffered an incident this month, where around $28 million was stolen from its hot wallet.
The company released a series of tweets detailing the hack, where it was explained that while the hot wallet was compromised, client funds were safe, as Deribit by procedure holds all client funds in cold storage to help mitigate against these kinds of threats. Since the attack, a series of security checks have been undertaken, with the CCO saying in an interview with CoinDesk that “Deribit remains in a financially sound position and ongoing operations will not be impacted”.
Hot and cold wallet storage is one of the most important safety issues for a crypto project to manage, ensuring that client funds are protected and safe. However, this is not only relevant for smaller projects, as back in 2019, we witnessed Binance have over 7,000 BTC stolen from a hot wallet, after an attacker was able to bypass the organisation’s security mechanisms. It is vital that when such security procedures are set, they are adhered to, if organisations are not to become a prime target for malicious actors.
Gala Games token drained by bridge project
Web3 Gaming has become a recent trend as normal technology is adopted into the Web3 landscape. One such Web3 gaming project is Gala Games, which boasts a 16,000-strong player base. The games use $GALA, which operates as a utility token. However, on 3 November, a malicious actor minted around $2 billion worth of $GALA and proceeded to unload the tokens onto exchanges.
According to tweets from Gala’s CEO, it appears that the activity was caused by pNetwork conducting “white hat” testing on their own bridge. This meant that they felt that they should drain the funds from the bridge before a malicious exploiter could do so. Interestingly, however, the cryptocurrency exchange Huobi claimed that the attack that was conducted was not “white hat” in nature and that “pNetwork earned more than 4.5 million US dollars”.
Since then, pNetwork has responded to the accusations, explaining that they have proof that they were acting in good faith and had agreed all actions with the Gala Games team. The security team at SlowMist Security released a report into the attack explaining that it may have been caused by a leaked plaintext private key being discovered on GitHub, which would enable control of an admin contract.
Among this confusing mess of allegations is a serious point about the impacts “white hat” testing can have on networks and chains. While this attack appears to have legitimate and honest intentions, many others use this pseudo-white-hat defence to protect against the consequences of their actions. This has become a recent trend, alongside the increase in “Backwards Bounties” in the cryptocurrency space, where attackers conduct a malicious attack and offer to return portions of stolen funds for it to be considered “white hat”. It is important that cryptocurrency organisations conduct regular security testing against their networks and that appropriate safety measures are in place to protect customers and the integrity of the chain.
50,000 BTC recovered from 2012 theft from Silk Road
One of the first large modern dark-web marketplaces, Silk Road operated as a Tor hidden service offering a variety of illicit services. It was taken down in 2013 after the founder, Ross Ulbricht, was arrested. Since then, further seizures have taken place, with the most recent one being of around 50,000 BTC from James Zhong.
How Zhong acquired the Bitcoin is relatively simple: by using a series of fake accounts to trick the platform into thinking it should release large amounts of money into his accounts. He then transferred this money into his personal accounts and proceeded to sit on his stolen funds for around ten years. At the time of the theft these coins were worth around $10 million, but when the FBI raided his house, the value was notionally around $3.3 billion – even more ironic was that it was stored on a hardware wallet found inside a popcorn tin.
Since the arrest, the US Attorney’s Office has released a statement detailing the seizure and conviction. It shows that not only had 50,000 BTC been recovered from Zhong’s address, but more coins including BTC had been handed over to the authorities by him. The document finally states that Zhong has pleaded guilty to one count of wire fraud, which holds a potential sentence of up to 20 years imprisonment. While the original case is an older one, it highlights the effectiveness of cryptocurrency investigation. Despite many people believing crypto transactions to be anonymous, highly skilled investigators can track down these kinds of funds to identify malicious payments on the chain.
Crypto.com accidentally sends $416 million to another exchange
While threats often take the shape of an attack or manipulation by threat actors, sometimes they can be the result of a simple mistake. Many people have made simple transactional mistakes, but not many of them have accidentally sent $416 million to the wrong recipient.
A researcher on Twitter noticed a movement of 320,000 Ethereum from Crypto.com wallets to another exchange known as Gate.io. More interestingly, the researcher further noted that only a week later, 285,000 ETH was returned to Crypto.com wallets. This prompted a response from the CEO of Crypto.com, Kris Marszalek, who explained that the funds had been sent by accident. The intention was to move the cash to a “new cold storage address”; however, it was instead sent to an “external exchange address”. Since this incident, the team at Crypto.com has worked to return all the funds and has confirmed that “All funds were returned. We have single digit USD million balance on Gate as of now”.
While this issue was resolved quickly, it highlights an interesting threat vector, often not explored by standard threat analysis. This is the danger posed by an innocent user to their own platform, either by lack of knowledge or lack of attention. While often disregarded, this is the second instance of this happening to Crypto.com this year alone, with reports earlier this year that the organisation was suing a woman who accidentally received around $7 million from the exchange. It is important that appropriate technological and educational controls are put in place around these transactions, such as defining internal and external transactions so that transactions to cold wallet storage cannot mistakenly be sent externally. With a combination of more effective controls and better attitudes around large transactions, this kind of threat can be mitigated before it is seen as an opportunity to be targeted by threat actors.
Tokensoft publishes users’ information to rat out “Bad Actors”
Anonymity is something which is highly valued in security, but much more so within the crypto space. One of the core components of cryptocurrency is the detached model of ownership, which highlights that anyone can see a wallet’s transaction history but does not necessarily know the individual who made those transactions. This model has been adapted, and since the introduction of large-scale audited exchanges onto the market, Know-Your-Customer (KYC) checks have become a staple. While often used for good, one project has recently been involved in a scandal where KYC data was leaked in order to expose “bad actors” within a community.
The project known as Tokensoft markets itself as a launchpad for cryptocurrency assets that enables projects to be launched with a reduced risk of being exploited or “gamed”. Because of this the group had been able to acquire a dataset of individuals who they believed were gaming large numbers of airdrops. An airdrop in cryptocurrency is where amounts of currency are dropped to users in order to gain traction, often around new start-ups. Tokensoft named this list of users their “bad actor list” and posted it onto their Discord Server, as was noted by Twitter user cryptogle.
This list reportedly contained almost 5,000 users’ full names, wallet addresses and real addresses in what most saw as an attempt to dox the potential bad actors using KYC data. As documented on Twitter, leaked messages between doxed users and employees show that when a user asked why their information was leaked, an admin responded with “if you made it on the naughty list…yes, shame on you…I shared your info, better luck next time”.
Since the incident, the company has reportedly deleted the Discord message and has claimed that it never existed. However, all this backlash led to Tokensoft releasing a statement explaining that “information was mistakenly posted in Tokensoft’s social media channels”, and that they are “taking all steps necessary to ensure the technical error is resolved”.
Whether this is true or not, it highlights a key issue around the importance of validating who holds KYC data on customers. By giving away personal information to specific projects, doxing incidents can occur either accidentally or deliberately. This puts a spotlight on both crypto organisations and users, who need to ensure that KYC is handled correctly. As an organisation, this may constitute appropriately using access controls to sensitive information and identifying whether the need to hold this kind of data is vital to the operation of the project. For consumers, this means identifying the validity of a project’s need to hold your cryptocurrency, especially as threat actors may see this as a potential method to gain full information (fullz) on individuals to either profit from directly or sell to others.
“Pig Butchering” domains seized by US authorities
In last month’s crypto threat landscape report, we discussed the rising trend of “Pig Butchering” scams that are taking place targeting cryptocurrency holders. The scam works by using fake accounts to build a relationship with the victim, evolving into asking them to invest or send cryptocurrency to the threat actor. This month the US authorities have stepped in and acted against these “Pig Butchering” actors’ infrastructure.
This action has been taken against a specific campaign which was in operation from May to August 2022. On 21 November the US Department of Justice announced that they had seized seven domain names used within the campaign. Each of the domains started with the prefix “simex”, attempting to impersonate the Singapore International Monetary Exchange (SIMEX). This action came after five US victims were targeted by this attack and had been lured to one of the above domains, with the victims losing a total of over $10 million combined.
It is also worth noting that this kind of crime has been given a variety of names since we last covered it, also being known as CryptoRom (standing for Cryptocurrency Romance Scam). A report from Sophos details many of the tactics used by these scammers to specifically manipulate people into giving away their money. Their main advice is that users must always be wary when online conversations turn to talk about money, especially with recent contacts. One other interesting point highlighted is that one should never give administrative control of their mobile device to another person without a genuine reason. With remote management software being commonplace within the scammer’s toolkit, it is not surprising we have seen this being implemented into ways to enhance the effectiveness of a “Pig Butchering” scam.
TeamViewer used to bypass 2FA on popular crypto applications
TeamViewer is a remote management software that enables people to remotely access and effectively manage devices. As is inevitable when a tool is developed, scammers have been using TeamViewer for their own benefit by remotely managing victims’ devices. Most commonly this is conducted by scammers operating a “Tech Support Scam” where victims are tricked into communicating with a fake malicious tech support agent. Often these scammers instruct the victim to install a remote management software such as TeamViewer to make conducting the scam significantly easier. For cryptocurrency scams, however, the use of TeamViewer is fairly unheard of, but a group of scammers have been using the software to help bypass 2FA on popular cryptocurrency wallet applications.
Researchers at PIXM originally wrote an initial report on a group of threat actors using a combination of phishing emails and two-factor authentication relays to hijack Coinbase wallets. This worked by sending the victim a phishing email that would redirect them to a fake Coinbase login page which would ask for a username and password, and then for the user’s 2FA token sent to their phone. This would be proxied to the actual Coinbase website, allowing them to access the victim’s wallet. While this happens, the threat actors will use the live chat feature to distract the victim while their money is stolen from the wallet.
Since this report, the researchers have found that the campaign has escalated, and now includes a series of new techniques to target a wide range of other platforms. This is due to the now commonplace “device verification” checks that require the user to click a verification link to allow new devices to access the account. The new adaptation uses TeamViewer, masquerading as technical support to help fix the issue the victim is having logging in. This issue is obviously a fake one generated by the threat actors, which instructs the target to contact them via the chat feature, as discussed above. Once the user installs TeamViewer, the victim is instructed to go to the wallet site and log in. However, as the user tries to log in, the attacker adds one extra character to their password, so the login fails again, and the victim is then told to send the attacker their username and password. After this the threat actor will log in to the site and use the control over the victim’s computer to receive the device confirmation link and verify their login session.
While this scam is intricate with multiple steps, the key element is the initial phishing page used to lure in the victim. It is important that all cryptocurrency users are aware of these attempts to trick them by double checking all URLs received in any emails, to ensure the legitimacy of the request and report all discovered attempts.
Crypto-oriented malware delivered by cracked software
Cryptocurrency-oriented malware has been a favourite of malware developers ever since cryptocurrency became a valuable asset for threat actors to target. Common types of malware include cryptojackers which aim to steal resources to mine cryptocurrency; pastejackers that focus on attempts to modify wallet addresses within clipboards; and crypto-stealers that use traditional stealer techniques to target cryptocurrency secrets. One such malware has been discovered targeting users through cracked software.
The malware known as ViperSoftX has been reportedly delivered through cracked software installations on torrenting and sharing sites. It is known as a stealer, which attempts to find and harvest credentials and other sensitive information on target devices. What makes this malware special is that it has specifically targeted cryptocurrencies including Bitcoin, Ethereum, Dogecoin and more. It does this by monitoring the clipboard of target devices such that it can conduct further pastejacking attacks.
The malware also operates a browser extension component known as VenomSoftX, which is deployed by the standard malware onto the Google Chrome browser. It is also used to steal cryptocurrency but works by intercepting API requests made by the browser. When specific API requests are made, the VenomSoftX malware modifies the request to include the threat actor’s wallet address. This includes API requests for large crypto exchanges such as Binance, Coinbase, Blockchain.com, and Kucoin. The extension is also able to trick targets by modifying the page the user can see to show the victim’s wallet address while it is actually the threat actor’s. This, combined with password-stealing features for sites such as Blockchain.com, makes it a powerful piece of malware that users should be wary of.
Cryptocurrency-themed malware is becoming a major trend within malware development and one that is difficult to hinder. Due to the often complex-looking wallet addresses, the prominence and effectiveness of pastejackers is high, with many users failing to check the address entered. It is vital that cryptocurrency companies make their users aware of the threat that cryptocurrency malware can pose to them. This includes ensuring that appropriate endpoint detection and antivirus services are installed on devices that are used to mine or access cryptocurrency assets, alongside taking steps to identify any potential signs of infection.
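The clipboard check that this section asks users to do by eye can also be automated. The following is an added example, not code from this report or from any vendor tool: it scans a log of clipboard snapshots and flags a wallet address that is replaced by a different address of the same currency almost immediately after it was copied. The address patterns check shape only, the one-second window is an assumed heuristic, and the addresses and log entries are constructed.

```python
import re
from dataclasses import dataclass

# Shape-only patterns (prefix, alphabet, length) for the currencies the report
# names. They do not verify checksums, so they are for triage, not validation.
_B58 = "1-9A-HJ-NP-Za-km-z"
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(rf"^(?:[13][{_B58}]{{25,34}}|bc1[02-9ac-hj-np-z]{{39,59}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "dogecoin": re.compile(rf"^D[{_B58}]{{33}}$"),
}


@dataclass(frozen=True)
class Snapshot:
    t: float   # seconds since the capture started
    text: str  # clipboard contents observed at that time


@dataclass(frozen=True)
class Alert:
    kind: str
    t: float
    copied: str
    replaced_by: str


def classify(text):
    """Return the currency whose address shape matches text, or None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


def detect_swaps(snapshots, max_gap=1.0):
    """Flag an address replaced by a different address of the same currency
    within max_gap seconds. Assumed heuristic: a person does not copy two
    different addresses that quickly, a clipboard hijacker rewrites at once."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = classify(prev.text)
        if kind is None or classify(cur.text) != kind:
            continue
        if prev.text.strip() != cur.text.strip() and cur.t - prev.t <= max_gap:
            alerts.append(Alert(kind, cur.t, prev.text.strip(), cur.text.strip()))
    return alerts


# Constructed sample data: placeholder addresses built from repeated characters.
ETH_COPIED = "0x" + "a1" * 20
ETH_SWAPPED = "0x" + "b2" * 20
BTC_FIRST = "1" + "A" * 33
BTC_SECOND = "3" + "B" * 33
SAMPLE_LOG = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, ETH_COPIED),
    Snapshot(5.2, ETH_SWAPPED),      # rewritten 0.2 s after the copy: flagged
    Snapshot(40.0, BTC_FIRST),
    Snapshot(95.0, BTC_SECOND),      # user copied another address later: ignored
    Snapshot(120.0, "D" + "C" * 33),
    Snapshot(120.1, "hello"),        # not an address: ignored
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_LOG):
        print(f"[{alert.t:>6.1f}s] {alert.kind} address {alert.copied} "
              f"was replaced by {alert.replaced_by}")
```

Widening `max_gap` trades missed swaps for false positives from users who copy several addresses in a row, so an alert is a prompt to compare the pasted address with the intended one, not proof of infection.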
The FTX Saga
While we see big stories each month, one like no other emerged in November. FTX was a cryptocurrency exchange and hedge fund that at its peak was the third largest exchange in the world. While this is true, due to a series of decisions made by FTX’s CEO, Sam Bankman-Fried, combined with external factors, this month saw the entire exchange fall into insolvency and face bankruptcy proceedings. This has sent ripples through the cryptocurrency landscape with users losing billions of dollars of funds, other cryptocurrency projects failing, and potentially highlighting the fraudulent/Ponzi style nature of an exchange’s operations. This situation is one that is highly complicated from a financial perspective, with many different experts and regulatory bodies weighing in on the issues. However, this event has opened a large can of worms, leading to the revelation of a series of new and interesting threats.
Most simple among them is the standard knock-on effect of scammers attempting to capitalise on the confusion and distress among the community. Reports have emerged of scammers impersonating the US Department of Justice and attempting to harvest credentials of users trying to gain compensation. An alert about this campaign was issued by the Singapore police, who claimed that the phishing sites were telling users they would be able to withdraw their funds from the now defunct platform. However, scammers have also been pulling out all the stops to attempt to harvest money from their victims. Researchers discovered deepfake videos of Sam Bankman-Fried being shared by verified accounts on Twitter offering compensation for the attack. One such video also included a deepfake voice used to produce dialogue for the video, where the fake Sam claims that “As compensation for the loss, we have prepared a giveaway for you in which you can double your cryptocurrency”. While this technique has previously been used in videos of Elon Musk with a variety of different promises and fake investment opportunities, the speed with which scammers were able to capitalise on this situation was alarming. Despite this, however, it appears that the scammers have not been totally successful; reportedly only making around $1,400 in total from the scam.
While many of these threats were targeted at users, the exchanges themselves were not totally safe from hackers looking to capitalise on the situation. The most interesting among them was FTX themselves, who claimed on 11 November that they had been hacked for over $600 million during the scramble to handle the ongoing insolvency problem. According to a report by CoinDesk, an administrator in the FTX Support Telegram chat wrote “FTX has been hacked. FTX apps are malware. Delete them. Chat is open. Don’t go on FTX site as it might download Trojans”. This was followed up by FTX’s General Counsel, Ryne Miller, who tweeted that they were “Investigating abnormalities with wallet movements”. Many people were quick to question the legitimacy of this hack, with a popular theory being that it was an inside job where Sam and his inner circle were attempting to use the confusion to exfiltrate leftover funds. While the legitimacy of theories has not been confirmed, more recent reporting has shown that there was an attempt to move at least $200 million of the funds after the attacker started to use bridges to get the stolen ETH into other currencies.
This situation is one that is ever evolving, with different information being discovered every day as to how users’ funds were being handled, and how one of the largest crypto exchanges could fail in such a way. However, while these reports show a dark view of how this specific exchange was being operated, it paints an even darker picture of the ever-changing threat landscape of cryptocurrency. Users need to be careful to avoid any potential scammers looking to profit from their loss and ensure they report any of these scams that they identify. FTX’s collapse has also shown not only the reliance that cryptocurrency holders have on exchanges, but also that of other exchanges and projects. The best example of this was the bankruptcy filings of companies such as BlockFi directly caused by the large loans they had from the FTX organisation. Since the implosion of FTX, other large exchanges including Binance have attempted to implement protection mechanisms such as their Proof-of-Reserves to help prove to the community that they cover all users’ assets with a minimum 1:1 ratio to their own reserves. It is advised that all cryptocurrency users and companies assess their reliance on the large players within the industry, as this incident has proven that despite being such a key element of the community, no-one is too big to fail.
This month will go down as one of the most memorable in history with the news of FTX’s collapse again throwing crypto into the mainstream financial spotlight. This is a double-edged sword, with the increased attention potentially leading to further legislation and legal protections being put in place to help protect members of the cryptocurrency community. However, this attention can also lead to panic and distrust within the community, with many reporting the “crypto crash” of November.
However, while this news has dominated the mainstream, a variety of other attacks have been conducted in the background, with one highlighted trend this month being the continued effectiveness of utilising social engineering techniques to carry out attacks. While we highlighted this in last month’s report, this has been further consolidated by seeing attackers directly communicating with victims using applications such as TeamViewer.
Importantly, however, it remains a fact that many cryptocurrency holders are the last line of defence against these kinds of threats, and users must be aware of those targeting them, whether that be through double-checking wallet addresses to identify clipboard hijacking attempts, or through questioning potential “Pig Butchering” attempts. While this is difficult to tackle, it is important that users do not allow situations such as the FTX collapse to cloud their judgement, and follow the guidance around traditional and transactional safety to help ensure that they do not become a victim.