Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques

Much of digital assets’ appeal stems from the fact that many of them are not affiliated with or controlled by governments, central banks or transnational corporations (at least, not yet). The price paid for this independence from the institutions of global capitalism, though, can sometimes be extremely high: in the event of cryptocurrency theft, there is no one to appeal to for recourse. Further still, the irreversible nature of blockchain transactions makes it extremely difficult to get the money back once it’s gone.

The villains of the internet love cryptocurrencies for the same reasons. In the last few years, marked by the spike of popularity for digital money, hackers and scammers of all sorts have perfected the art of pilfering it from unwitting users, many of whom are newcomers to the space.

Roughly a year ago, Cointelegraph had already compiled a lengthy overview of many popular crypto-stealing tricks and tips on how to avoid falling prey to them. While the list remains relevant as ever, the time has come to revisit the subject to see if there are new threats to your crypto assets to beware of.

Aggregate dynamics

A recent report by cryptocurrency intelligence firm CipherTrace estimated losses from digital currency theft and scams in the first quarter of 2019 at $356 million, with additional fraud or misappropriated fund losses amounting to $851 million in the same period. Alarmingly, this Q1 total of $1.2 billion constituted 70% of the total losses to crypto crime in all of 2018, indicating intensified hacking activity in the first months of 2019.

Cryptocurrency Mining Malware Detections from 2014-2015, Courtesy of Several CTA Members

At the same time, a study by security company Positive Technologies registers a change in the structure of attacks. The share of cryptojacking — or hidden cryptocurrency mining — in the overall volume of cyberattacks seems to be declining: having reached a peak in early 2018, this type of criminal activity dropped to just 7% in the first quarter of 2019. The analysts noted, however, that the observed trend merely reflects the way malware previously used primarily for cryptojacking has become smarter and more versatile. If the virus recognizes that the machine it took over lacks processing power, it may switch to other modes of operation, such as clipboard hijacking.

Researchers at Positive Technologies predicted an increase in the overall number of attacks in the second quarter of the year. Their report pointed to malware and social engineering as attackers’ most widely used tactics and recorded the increasing prominence of ransomware attacks. These findings are further corroborated by ransomware recovery company Coveware, whose analysis revealed an 89% increase in the average ransom from the fourth quarter of 2018 to the first quarter of 2019.

Related: Round-Up of Crypto Exchange Hacks So Far in 2019 — How Can They Be Stopped?

Although perpetrators of ransomware attacks nearly always demand payment in cryptocurrency, this type of criminal activity is not specific to the crypto sphere; it targets companies from a wide range of industries. This type of intrusion entails infecting the victim’s device with a piece of code that denies the owner access to their system or data, then demanding payment to restore access. Since these attacks usually prey on fairly large corporate entities, we will skip over them and turn to attacks that seek to part individual crypto investors from their digital funds.

Malware or social engineering?

One intuitive way to classify attacks that target users’ digital assets would be to juxtapose those that seek out weak spots in software (say, secretly infecting a victim’s computer with an ingenious virus) and those aimed at exploiting errors in human judgement (fooling a person into handing over their wallet’s private key).

Yet, in fact, these two modes exist on a spectrum rather than on a binary scale. The most successful thefts entail some degree of participation on behalf of the victim — such as opening a phishing email, using public Wi-Fi to check a crypto wallet or willingly installing a shady app — and a piece of malicious code, whether it is a Trojan or a scam bot on Slack.

Breaking the variety of threats down by attack vector is perhaps a more meaningful strategy. It is also far from optimal, though, as many known viruses these days can alter their behavior according to circumstances and are capable of both installing hidden miners and simply stealing keys as needed. The following typology is therefore highly contingent.

Clipboard hijacking

Because no one wants to manually type in long, case-sensitive strings of random alphanumeric characters, we all use copy and paste to enter the addresses we send our coins to. Clipboard hijackers (aka clippers) are pieces of malware that detect when a crypto wallet address has been copied to the clipboard and then silently replace it with an address controlled by the attacker. As a result, often without the victim realizing what happened, the digital currency flows straight into the thief’s pocket. Using the same technique, clippers are capable of stealing passwords and keys as well.
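The tell-tale sign of a clipper is that the clipboard content changes from one address-shaped string to a different address-shaped string without the user having copied anything. The following script, added here as an illustration and not code from the article or from any of the security firms it cites, shows the detection logic a wallet or endpoint agent could apply: it records what the user explicitly copied and raises an alert when a later read of the clipboard returns a different wallet address. The clipboard events, the address patterns and the sample addresses are all constructed for this example; the patterns only classify a string as "looks like an address" and do not validate checksums.

```python
import re
from dataclasses import dataclass

# Loose "looks like a wallet address" patterns (assumption: shape only, no checksum
# validation). Base58 excludes the characters 0, O, I and l.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def looks_like_address(text):
    """Return the matching pattern name, or None if the text is not address-shaped."""
    stripped = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return name
    return None


@dataclass
class ClipboardEvent:
    # "user_copy": the user pressed copy; "poll": the monitor read the clipboard.
    source: str
    content: str


def detect_substitutions(events):
    """Scan a sequence of clipboard events and return alerts.

    An alert is (event_index, expected_address, observed_address) and fires when
    the last thing the user copied was a wallet address but a later poll finds a
    different wallet address in the clipboard, which is exactly what a clipper does.
    """
    alerts = []
    expected = None
    for index, event in enumerate(events):
        if event.source == "user_copy":
            expected = event.content.strip()
            continue
        observed = event.content.strip()
        if expected is None or observed == expected:
            continue
        if looks_like_address(expected) and looks_like_address(observed):
            alerts.append((index, expected, observed))
            # Treat the observed value as known so one swap yields one alert.
            expected = observed
    return alerts


# Constructed sample data: a genuine and a swapped-in Ethereum-style address, a
# well-known Bitcoin example address and a constructed replacement for it.
GENUINE_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20
GENUINE_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SWAPPED_BTC = "1Constructed" + "X" * 22

SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", GENUINE_ETH),   # 0: user copies the real address
    ClipboardEvent("poll", GENUINE_ETH),        # 1: clipboard still intact
    ClipboardEvent("poll", SWAPPED_ETH),        # 2: address silently replaced -> alert
    ClipboardEvent("user_copy", "meeting notes"),  # 3: ordinary text, not an address
    ClipboardEvent("poll", "meeting notes"),    # 4: unchanged, no alert
    ClipboardEvent("user_copy", GENUINE_BTC),   # 5: user copies a Bitcoin address
    ClipboardEvent("poll", SWAPPED_BTC),        # 6: replaced again -> alert
]

if __name__ == "__main__":
    for index, expected, observed in detect_substitutions(SAMPLE_EVENTS):
        print(f"event {index}: clipboard address changed from {expected} to {observed}")
```

On a real system the `poll` events would come from reading the OS clipboard on a timer and the `user_copy` events from a copy hotkey or clipboard-change notification; the comparison logic stays the same. The same idea is the manual check worth making before every transfer: compare the pasted address against the one you copied, not just its first and last few characters, since clippers substitute the whole string.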

Related: Crypto Crime Trends Evolving as Users Wise Up: Exchange Hacks, Darknet and Money Laundering

Perhaps the most sinister specimen of clipper malware uncovered so far in 2019 is the one that made it onto the Google Play Store disguised as the mobile version of MetaMask, a popular client used to access decentralized applications (DApps) from a web browser — except that there is no MetaMask version for mobile. Although it was taken down soon after discovery, the very fact that the app managed to get past the Play Store’s defenses is remarkable, and it reminds us that even the authenticity of software found in major app stores should not be taken for granted.

Cryptojacking

Cryptojacking, also known as hidden mining, is the covert exploitation of other users’