Grand Theft Crypto: The State of Cryptocurrency-Stealing Malware and Other Nasty Techniques

Much of digital assets’ appeal stems from the fact that many of them are not affiliated with or controlled by governments, central banks or transnational corporations (at least, not yet). The price paid for independence from the institutions of global capitalism, though, can sometimes be extremely high: In the event of cryptocurrency theft, there is no one to appeal to for recourse. Further still, the irreversible nature of blockchain transactions makes it extremely difficult to get the money back once it’s gone.

The villains of the internet love cryptocurrencies for the same reasons. In the last few years, marked by a spike in the popularity of digital money, hackers and scammers of all sorts have perfected the art of pilfering it from unwitting users, many of whom are newcomers to the space.

Roughly a year ago, Cointelegraph had already compiled a lengthy overview of many popular crypto-stealing tricks and tips on how to avoid falling prey to them. While the list remains relevant as ever, the time has come to revisit the subject to see if there are new threats to your crypto assets to beware of.

Aggregate dynamics

A recent report by cryptocurrency intelligence firm CipherTrace estimated losses from digital currency theft and scams in the first quarter of 2019 at $356 million, with additional fraud or misappropriated fund losses amounting to $851 million in the same period. Alarmingly, this Q1 total of $1.2 billion constituted 70% of the total losses to crypto crime in all of 2018, indicating intensified hacking activity in the first months of 2019.

Cryptocurrency Mining Malware Detections from 2014-2015, Courtesy of Several CTA Members

At the same time, a study conducted by security company Positive Technologies registers a change in the structure of attacks. The share of cryptojacking (hidden cryptocurrency mining) in the overall volume of cyberattacks seems to be declining: Having reached a peak in early 2018, this type of criminal activity dropped to just 7% of attacks in the first quarter of 2019. The analysts noted, however, that the observed trend partly reflects the way malware previously used primarily for cryptojacking has become smarter and more versatile. If the malware recognizes that the machine it took over lacks the processing power to mine profitably, it may switch to other modes of operation, such as clipboard hijacking.

Researchers at Positive Technologies predicted an increase in the overall number of attacks in the second quarter of the year. Their report pointed to malware and social engineering as attackers’ most widely used tactics and recorded the increasing prominence of ransomware attacks. These findings are further corroborated by ransomware recovery company Coveware, whose analysis revealed an 89% increase in the average ransom from the fourth quarter of 2018 to the first quarter of 2019.

Related: Round-Up of Crypto Exchange Hacks So Far in 2019 — How Can They Be Stopped?

Although perpetrators of ransomware attacks nearly always demand payment in cryptocurrency, this type of criminal activity is not specific to the crypto sphere and targets companies across a wide range of industries. The intrusion entails infecting the victim’s device with code that denies the owner access to their system or data, then demanding payment to restore access. Since these attacks usually prey on fairly large corporate entities, we will move on to those that seek to part individual crypto investors from their digital funds.

Malware or social engineering?

One intuitive way to classify attacks that target users’ digital assets would be to juxtapose those that seek out weak spots in software (say, secretly infecting a victim’s computer with an ingenious virus) and those aimed at exploiting errors in human judgement (fooling a person into handing over their wallet’s private key).

Yet, in fact, these two modes exist on a spectrum rather than as a binary. The most successful thefts combine some degree of participation on the part of the victim, such as opening a phishing email, using public Wi-Fi to check a crypto wallet or willingly installing a shady app, with a piece of malicious code, whether it is a Trojan or a scam bot on Slack.

Breaking the variety of threats down by attack vector is perhaps a more meaningful strategy. It is also far from perfect, though, as many known strains of malware can now alter their behavior according to circumstances, and are capable of both installing hidden miners and simply stealing keys as needed. The following typology is therefore highly contingent.

Clipboard hijacking

Because no one wants to manually type in long, case-sensitive strings of random alphanumeric characters, we all use copy/paste to enter the addresses we send our coins to. Clipboard hijackers (aka clippers) are pieces of malware that watch the clipboard for text shaped like a crypto wallet address and, when they see one, run a routine that replaces the legitimate address with one belonging to the attacker. As a result, often without the victim realizing what happened, the digital currency flows straight into the thief’s pocket. Using the same technique, clippers are capable of stealing passwords and keys as well. The practical check is the one the malware counts on nobody doing: Compare the pasted address, at least its first and last several characters, against the one you copied before confirming the transaction.
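The swap described above has a recognizable signature that a defender can watch for: two address-shaped values of the same chain replacing one another on the clipboard within a fraction of a second, far faster than a person re-copies an address. The following is an added example, not code from the article or from any of the firms it cites. It works on a constructed, already-polled clipboard timeline rather than the live OS clipboard; the address patterns, wallet strings and timestamps are all made up for illustration, and the patterns deliberately match shape only, because that is how clippers themselves pick their targets.

```python
"""Simulated clipboard-hijack detection over a constructed clipboard timeline."""
import re

# Loose format checks for the address families clippers target most: Bitcoin legacy
# Base58, Bitcoin bech32 and Ethereum hex. Shape only, no checksum, same as a clipper.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Name the address family `text` resembles, or None if it is not address-shaped."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_swaps(snapshots, max_gap=2.0):
    """snapshots: (seconds, clipboard_text) pairs obtained by polling the clipboard.

    Returns (old, new, chain) for every change where both values are addresses of the
    same chain but differ, and the change landed within `max_gap` seconds. A user who
    copies a second address a minute later does not trip the rule; a clipper reacting
    in milliseconds does.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        prev, cur = prev.strip(), cur.strip()
        chain = classify(prev)
        if chain and chain == classify(cur) and prev != cur and t_cur - t_prev <= max_gap:
            alerts.append((prev, cur, chain))
    return alerts


# Constructed wallet strings and clipboard timeline (not real wallets or captured data).
VICTIM_ADDRESS = "1VictimSendsHere" + "X" * 18
ATTACKER_ADDRESS = "1AttackerGetsThis" + "X" * 17
SAMPLE_CLIPBOARD_LOG = [
    (0.00, "meeting notes for thursday"),
    (5.00, VICTIM_ADDRESS),          # user copies the address they intend to pay
    (5.04, ATTACKER_ADDRESS),        # clipper rewrites it 40 ms later
    (60.0, "0x" + "ab" * 20),        # user copies an Ethereum address
    (95.0, "0x" + "cd" * 20),        # a different one half a minute later: benign
]

if __name__ == "__main__":
    for old, new, chain in detect_swaps(SAMPLE_CLIPBOARD_LOG):
        print(f"possible clipper: {chain} address {old} replaced by {new}")
```

The time window is what keeps the rule usable: Without it, every user who copies two addresses of the same kind in a row would trigger an alert. In a real monitor the snapshots would come from a clipboard change notification or a polling loop, and the alert would be surfaced in the wallet UI before the send is confirmed.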

Related: Crypto Crime Trends Evolving as Users Wise Up: Exchange Hacks, Darknet and Money Laundering

Perhaps the most sinister specimen of clipper malware uncovered so far in 2019 is the one that made it onto the Google Play Store disguised as a mobile version of MetaMask, a popular client used to access decentralized applications (DApps) from a web browser, except that there is no MetaMask version for mobile. Although the app was taken down soon after discovery, the very fact that it made it past Google Play’s defenses is notable, and a reminder that the authenticity of software found even in major app stores should not be taken for granted.

Cryptojacking

Cryptojacking, also known as hidden mining, is the covert exploitation of other users’ devices to mine cryptocurrency. Usually, a targeted computer gets infected by a Trojan that installs a miner. Victims do not get stripped of their crypto assets directly, yet the losses they sustain may be quite unpleasant, from footing enormous electricity bills to having an overloaded computer break down.

The number of detected attacks of this type correlates strongly with crypto prices. As the aforementioned reports suggested, the overall share of cryptojacking attacks appears to be declining this year; the ingenuity of their perpetrators, however, is only growing. Some hidden mining operations reach extraordinary scale, too: As Cointelegraph recently reported, a campaign using cryptojacking malware to mine the privacy-focused cryptocurrency turtlecoin (TRTL) was found to have infected more than 50,000 servers worldwide.

Just a few days ago, two browser extensions that secretly siphoned off their users’ CPU cycles to mine the privacy-focused cryptocurrency monero were discovered on the official Chrome Web Store. Previously, such malware was found hiding in seemingly legitimate Adobe Flash updates and convincingly posing as Windows installation packages.
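Whether the miner arrives as a Trojan, a browser extension or a fake Flash update, it still has to talk to a pool, and that conversation is the most dependable thing to look for. Miners speak Stratum, a JSON-RPC protocol over TCP, and its method names (`mining.subscribe`/`mining.authorize` for Bitcoin-style pools, `login`/`submit` for the CryptoNote dialect used by XMRig-style monero miners) are far less ambiguous than a busy CPU. The following detector is an added example, not code from the article or from any of the firms it cites; it runs over a constructed log of outbound JSON payloads in a made-up `timestamp src -> dst payload` format, with RFC 5737 documentation addresses, a placeholder wallet and a placeholder agent string.

```python
"""Flag Stratum mining sessions in a constructed log of outbound JSON-RPC payloads."""
import json

# Stratum v1 methods (Bitcoin-style pools). The CryptoNote dialect is recognized below
# by the parameter shape of its "login" and "submit" calls, since those names are generic.
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}


def classify_payload(payload):
    """Return 'stratum-v1', 'stratum-cryptonote' or None for one JSON payload string."""
    try:
        msg = json.loads(payload)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_V1_METHODS:
        return "stratum-v1"
    if isinstance(params, dict):
        # CryptoNote login carries the wallet ("login"), a pool password and the miner agent.
        if method == "login" and {"login", "pass"}.issubset(params):
            return "stratum-cryptonote"
        # Share submission: a job id plus a nonce is just as telling.
        if method == "submit" and {"job_id", "nonce"}.issubset(params):
            return "stratum-cryptonote"
    return None


def detect_miners(log_lines):
    """Parse 'timestamp src -> dst payload' lines; return unique (src, dst, dialect) hits in order."""
    hits, seen = [], set()
    for line in log_lines:
        head, sep, rest = line.partition(" {")
        if not sep:
            continue                       # no JSON object on this line
        parts = head.split()
        if len(parts) < 4 or parts[-2] != "->":
            continue
        src, dst = parts[-3], parts[-1]
        dialect = classify_payload("{" + rest)
        if dialect and (src, dst) not in seen:
            seen.add((src, dst))
            hits.append((src, dst, dialect))
    return hits


# Constructed sample log: documentation IP ranges, placeholder wallet and agent strings.
SAMPLE_LOG = [
    '2019-06-12T10:00:01 10.0.0.5:51234 -> 203.0.113.7:3333 {"id":1,"jsonrpc":"2.0","method":"login",'
    '"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/x.y"}}',
    '2019-06-12T10:00:31 10.0.0.5:51234 -> 203.0.113.7:3333 {"id":2,"jsonrpc":"2.0","method":"submit",'
    '"params":{"id":"1","job_id":"abc","nonce":"deadbeef","result":"0000"}}',
    '2019-06-12T10:01:10 10.0.0.7:44010 -> 192.0.2.20:8545 {"jsonrpc":"2.0","id":1,'
    '"method":"eth_blockNumber","params":[]}',
    '2019-06-12T10:02:00 10.0.0.9:40112 -> 198.51.100.2:3333 {"id":1,"method":"mining.subscribe",'
    '"params":["cpuminer-placeholder/0.0"]}',
    '2019-06-12T10:02:00 10.0.0.9:40112 -> 198.51.100.2:3333 {"id":2,"method":"mining.authorize",'
    '"params":["worker1","x"]}',
    '2019-06-12T10:03:00 10.0.0.11:52000 -> 192.0.2.44:443 GET /index.html HTTP/1.1',
]

if __name__ == "__main__":
    for src, dst, dialect in detect_miners(SAMPLE_LOG):
        print(f"{src} -> {dst}: {dialect}")
```

The benign `eth_blockNumber` call shows why matching on method names, not on "any JSON-RPC to an odd port", matters: Plenty of legitimate wallet software speaks JSON-RPC too. The caveat is that many pools also accept TLS on 443, in which case the payload is not visible and the fallback is the traffic shape (one long-lived outbound connection with small periodic messages) combined with sustained CPU load.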

Infection Chain

Researchers from cybersecurity firm Trend Micro have uncovered a fascinating tactic employed by cryptocurrency hackers to smuggle monero miners onto Oracle enterprise servers. To obfuscate the malicious code, the dropper hides it inside certificate files, which antivirus software tends to treat as trustworthy and wave through without inspection. The lesson for defenders is that a file extension is not a file format: A certificate file is only a certificate if its contents actually parse as one.
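A PEM certificate is nothing more than base64 between BEGIN and END markers, so any payload can be dressed up as one. A genuine X.509 certificate, however, decodes to a single DER SEQUENCE whose encoded length spans the whole body, and a base64-wrapped script or binary almost never does. The following is an added example, not code from the article or from Trend Micro: it shows the smuggling wrapper and the cheap structural check that catches it. The payload is a harmless placeholder string and the "good" input is a minimal DER SEQUENCE standing in for a real certificate, both constructed here.

```python
"""Structural sanity check for payloads smuggled inside PEM certificate files."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def wrap_payload_as_certificate(payload):
    """Produce a .cer/.pem-looking file whose body is an arbitrary payload (the smuggling trick)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def looks_like_der_sequence(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose outer length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: the length fits in one byte
        header, length = 2, first
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def audit_certificate_file(text):
    """Return (block_index, reason) for every PEM block that does not look like X.509 DER."""
    findings = []
    for index, raw in enumerate(PEM_BLOCK.findall(text)):
        body = re.sub(r"\s+", "", raw)
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            findings.append((index, "not-base64"))
            continue
        if not looks_like_der_sequence(der):
            findings.append((index, "not-der-sequence"))
    return findings


# Constructed stand-ins: a minimal DER SEQUENCE (the right shape, not a real certificate)
# and a harmless text payload in place of whatever a dropper would actually smuggle.
MINIMAL_DER_SEQUENCE = bytes([0x30, 0x03, 0x02, 0x01, 0x01])   # SEQUENCE { INTEGER 1 }
PLACEHOLDER_PAYLOAD = b"echo this-is-where-a-dropper-would-put-its-script"

if __name__ == "__main__":
    print(audit_certificate_file(wrap_payload_as_certificate(MINIMAL_DER_SEQUENCE)))  # []
    print(audit_certificate_file(wrap_payload_as_certificate(PLACEHOLDER_PAYLOAD)))   # [(0, 'not-der-sequence')]
```

Treat this as triage, not proof: An attacker who knows about the check can prefix the payload with a plausible SEQUENCE header, and a non-DER body is only suspicious, not automatically malicious. The stronger check is a full parse with a real X.509 parser (`openssl x509 -in file -noout`, or the `cryptography` library) before anything treats the file as trusted.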

Website clones

Having originated in the remote corners of the darknet, where online stores selling illicit substances have long been “cloned” by scammers seeking to trick drug buyers into transferring bitcoin to their accounts, the technique is alive and well as of June 2019. The latest example is the case of the crypto trading website Cryptohopper, whose malicious clone infected the computers of unwitting crypto traders who visited it. The victims had both mining and