You can hardly call cryptocurrency an anonymous means of payment. After all, since all transactions (well, almost all; more on that below) are written to the blockchain, the movement of cryptocurrency is fairly easy to trace. There are specialized analytical tools that make it relatively convenient and easy to locate both the source and destination of such funds. Aware of that, some ransomware victims assume that the best strategy is to pay the ransom, regain control over their corporate resources, and then go to law enforcement and simply wait while the investigation proceeds — leading, hopefully, to the funds eventually being returned to their accounts. Unfortunately, it's not that simple. Cybercriminals have invented various tools, techniques and services to compensate for the excessive transparency of blockchains. Those methods make it difficult or even impossible to trace cryptocurrency transactions. That's what we'll talk about today.

Intermediary crypto wallets

The simplest thing for cybercriminals to do with dirty crypto is spread it across fake wallets. In the case of very large-scale operations, such as the BitFinex hack or the Sky Mavis heist, we could be talking several thousand fake wallets. But since all transactions are written to the blockchain anyway, using fake wallets doesn't solve the problem of tracing funds. As such, this technique is usually deployed only in the early stages of laundering in order to, first, muddy the trail, and, second, break up large sums into smaller ones, which can then be laundered more easily in other ways.

Dirty crypto can often lie in those fake wallets for a long time. This is sometimes due to greedy cybercriminals waiting for the exchange rate to improve. In the case of transactions large enough to attract the attention of law enforcement, the reason is caution. Attackers try to keep a low profile until the scrutiny dies down and the funds become easier to withdraw.

Crypto mixers

Crypto mixers were invented with the express aim of solving the above-mentioned problems of excessive blockchain transparency and insufficient privacy. They work as follows: incoming cryptocurrency transfers are poured into one pot and thoroughly mixed with funds coming in from other users of the service. At the same time, outgoing transfers of random amounts are made according to a random schedule and to completely different wallets, rendering it impossible to match incoming and outgoing amounts and identify transactions.

Clearly, this is a very effective method of dealing with dirty crypto. And although far from all crypto-mixer users are cybercriminals, illegal funds do account for a significant portion of the flows coming into crypto mixers; so significant, in fact, that in 2022 US regulators finally went after them, issuing sanctions on not one but two popular crypto mixers.

Large crypto exchanges

The overwhelming majority of transactions on crypto exchanges take place between internal client accounts, and are recorded in detail exclusively in these exchanges' own databases. Only the summarized results of a whole bunch of such internal transactions end up in the blockchain. Of course, this is done to save both fees and time (blockchain bandwidth is limited, after all). But this means that any crypto exchange is a kind of natural crypto mixer: incoming and outgoing transfers can't be matched using blockchain analysis alone. The thread by which the movement of funds can be traced is cut when a transaction enters an exchange.

On the one hand, this facilitates illegal activity. On the other, it adds considerable risks: by transferring funds to a major crypto exchange, cybercriminals no longer have full control over them. And since such exchanges generally cooperate with regulators and law enforcement, the chances of losing the spoils are well above zero. In addition, bona fide crypto exchanges always have a Know Your Customer (KYC) verification procedure, which only adds to the risks and difficulties associated with laundering funds.

Small crypto exchanges

An alternative option for cybercriminals is to use small crypto exchanges that are less inclined to meet regulatory requirements and define themselves as anonymous. Oftentimes, such exchanges turn into full-fledged crypto-laundering platforms. But the more popular an exchange is with cybercriminals, the more likely it is to attract the unwanted gaze of law enforcement. What usually happens in the end is that the authorities' patience wears thin, and they find a way to take the platform down. For example, earlier this year U.S. authorities arrested the owner of Bitzlato Ltd., an exchange that handled hundreds of millions of dollars of dirty crypto, a significant part of which came from ransomware operators and crypto scammers. European police also seized and disabled the exchange's infrastructure, thus putting an end to its activities.

Nested exchanges

Besides full-fledged crypto exchanges, there are also many so-called nested exchanges. These are essentially crypto-exchange intermediaries that allow users to trade cryptocurrency without the need to register exchange accounts. Such services resemble brokers from the world of traditional finance, only in the crypto universe they're used to ensure privacy – in particular, by bypassing KYC, which is mandatory for all clients of large crypto exchanges. Theoretically, nested exchanges work not only for the benefit of cybercriminals, but the opportunity to elude unwanted questions naturally attracts the attention of those looking to launder ill-gotten gains.

DeFi: decentralized protocols

Lastly, another option for cryptocurrency launderers is to use decentralized finance (DeFi) protocols. These lie at the heart of automated decentralized crypto exchanges that operate on the basis of smart contracts. The advantages for cybercriminals are obvious: decentralized exchanges (DEX) perform no client checks and don't require account registration. Another plus of DEX is that funds remain under the full control of their owners (unless there's an error in the smart contract). True, there's one big minus: all DEX-based transactions are written to the blockchain, so with some effort they can still be traced. As a result, the number of cybercriminals who resort to DeFi is quite low. That said, DeFi can be an effective component of more complex multistage money-laundering schemes.

Dark-web laundering services

In case you're hoping that not every extortionist knows how to properly cover their financial tracks, we have bad news. Modern cybercrime is highly specialized, and there's been a growing trend of late for cybercriminals to use underground services dedicated exclusively to laundering dirty crypto. They provide what can be called laundering-as-a-service: variants of the above schemes to obfuscate the movement of cryptocurrency, thus unburdening their clients of this task. Laundering services advertise themselves on the dark web and communicate with clients through secure messengers; everything is geared toward complete anonymity. According to even conservative estimates, such services last year raked in US$6 billion.

Cashing out

As you may already know, a paradox of cryptocurrency is that it can buy you an expensive picture of a monkey, but not a loaf of bread. Therefore, the end goal of any illegal cryptocurrency operation is to cash out. This represents the final stage of any laundering scheme: once cryptocurrency has been turned into ordinary fiat money, clearly it can no longer be traced by means of blockchain analysis. There are many options here, and some of the above schemes provide such an outlet to the real world. When it comes to cashing out, both large and small crypto exchanges, nested exchanges that allow trading without opening an account, and dark-web laundering services that specialize in aiding cybercriminals (without specifying exactly how) can all be used.

What this means for ransomware victims

As you can see, cybercriminals have a wide range of means for laundering dirty crypto. And they're not limited to using only one of the above-mentioned methods at a time. On the contrary, most cybercriminals employ sophisticated, multistage laundering operations that use crypto mixers, intermediary wallets, exchanges and various cash-out methods all at once. As a result, despite the best efforts of law enforcement, it's often difficult to recover most of any stolen funds, even if an investigation is successful. So, in brief, don't hope to see again any money you paid as a ransom. As always, prevention is the best form of defense: install a reliable security solution on all devices — one whose anti-ransomware capabilities have been demonstrated in independent tests.
Episode 298 of the Transatlantic Cable Podcast kicks off with news that ChatGPT recently suffered a data breach, raising concerns about the amount of information we hand over to the AI chatbot. From there, the team discuss a recent story around QR scams in South Korea. Moving on from QR codes, the team spoke to Seongsu Park about the infamous Lazarus group's recent activities. To wrap up, the team looked at two final stories, one around hackers impersonating META and Google on Facebook and another story around how social media and dating apps have become a hotbed for scammers. If you liked what you heard, please consider subscribing.

ChatGPT Confirms Data Breach, Raising Security Concerns
QR codes used in fake parking tickets, surveys to steal your money
Scammers hack verified Facebook pages to impersonate Meta and Google
Banks warn of big increase in online scams
Following the Lazarus group by tracking DeathNote campaign
As a way to enhance the security of MFA, Microsoft will require users to authorize login attempts by entering a numeric code into the Microsoft Authenticator app.
The Technology Innovation Institute’s year-long cryptographic challenges invite participants to assess the concrete hardness of the McEliece public-key encryption scheme.
CERT-UA has issued a cautionary statement regarding an ongoing phishing operation that employs invoice-related tactics to spread the SmokeLoader malware. The attached ZIP archive is a polyglot file, meaning it is a single file that can be interpreted as multiple file formats.
By the end of March 2023, Sucuri researchers started noticing a new wave of SocGholish injections that used the intermediary xjquery[.]com domain. It appeared to be another evolution of the same malware.
Founded in 2020 and hosted by the Linux Foundation, OpenSSF is a cross-industry organization focused on improving the security of the open-source software supply chain through collaboration between tech companies.
Industrial and IoT cybersecurity firm Claroty on Thursday disclosed the details of five vulnerabilities that can be chained in an exploit potentially allowing threat actors to hack certain Netgear routers.
ESET tracked a series of attacks, dubbed Operation ChattyGoblin, against Southeast Asian gambling companies. The operation has been ongoing since October 2021 and leverages chat apps. The campaign is believed to be used to target organizations in the industrial, technology, healthcare, insurance, manufacturing, and telecom sectors in Europe and North America.
Recently, researchers have observed malicious advertisement campaigns in Google’s search engine with themes that are related to AI tools. For example, malicious ads are served when a user searches for the keyword "midjourney" in Google.
The vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in Veeam Backup & Replication. It could lead to unauthorized access to backup infrastructure hosts, says the HHS' HC3 in an alert.
In 76% of the ransomware attacks targeting surveyed organizations, the adversaries successfully encrypted the data. Those who paid a ransom for a decryption key ended up doubling their recovery costs. The highest payment rate was observed among organizations with revenue over $5 billion.
Senators are pushing to improve the cybersecurity of the national 988 Suicide & Crisis Lifeline and election infrastructure, after passing a bill to upgrade the resiliency of the aviation sector’s notification system for flight hazards.
A cyberattack campaign was observed against foreign government institutions in Kazakhstan and Afghanistan using decoy documents that impersonate real diplomats. Attackers used a new malware family dubbed DownEx by Bitdefender Labs. It can move laterally to traverse local and network drives to extract a wide range of files from various formats, including Word, Excel, and PowerPoint documents, videos, images, PDFs, and compressed files.
In recent GULoader campaigns, researchers witnessed a rise in NSIS-based installers delivered via email as malspam that use plugin libraries to execute the GU shellcode on the victim system.
The tech giant's latest initiatives are aimed at protecting its users from cyber threats, including phishing attacks and malicious websites, while providing more control and transparency over their personal data.
By incorporating the encryption within a static library, the malware developers achieve better stealth and obfuscation, as the reliance on external libraries like one featuring the RC4 cipher algorithm is removed.
The company believes the threat actors have stolen customer account information, including names, email addresses, account passwords, phone numbers (where available), and school district names.
The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.
The exploitation of a critical vulnerability in the Essential Addons for Elementor WordPress plugin began immediately after a patch was released, WordPress security firm Defiant warns.
On May 10, the firm filed a notice of data breach with the Maine Attorney General after learning that an unauthorized party had gained access to the company’s IT network and accessed sensitive information belonging to current and former employees.
Rockwell Automation published six new security advisories this week and four of them have also been distributed by the US Cybersecurity and Infrastructure Security Agency (CISA). The advisories describe a total of more than a dozen vulnerabilities.
Tennessee’s Chattanooga State Community College has been responding to a cyberattack since Saturday, forcing the school to cancel classes on Monday and modify schedules for staff members. The school serves more than 11,000 students.
A group of cybercriminals based in Israel has launched more than 350 business email compromise (BEC) campaigns over the past two years, targeting large multinational companies from around the world.
The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and serve as monetization opportunities via adverts and click fraud.
BleepingComputer has learned from multiple employees that the ransomware attack has affected its Active Directory, impacting hundreds of devices. Consequently, ABB terminated VPN connections with its customers to prevent the spread of the ransomware.
Ubuntu Security Notice 6073-3 - Jan Wasilewski and Gorka Eguileor discovered that Nova incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.
Ubuntu Security Notice 6073-1 - Jan Wasilewski and Gorka Eguileor discovered that Cinder incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.
Ubuntu Security Notice 6073-4 - Jan Wasilewski and Gorka Eguileor discovered that os-brick incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.
Ubuntu Security Notice 6073-2 - Jan Wasilewski and Gorka Eguileor discovered that Glance_store incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.
Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.
A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active
U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a
A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week. "BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said. BPFDoor (
In today's interconnected world, where organisations regularly exchange sensitive information with customers, partners and employees, secure collaboration has become increasingly vital. However, collaboration can pose a security risk if not managed properly. To ensure that collaboration remains secure, organisations need to take steps to protect their data. Since collaborating is essential for
As many as five security flaws have been disclosed in Netgear RAX30 routers that could be chained to bypass authentication and achieve remote code execution. "Successful exploits could allow attackers to monitor users' internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic," Claroty security researcher Uri Katz said in a
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather
Yes, you should be worried about the threat posed by external hackers. But also consider the internal threat posed by insiders and rogue employees - the people you have entrusted to act responsibly with the data of your company and your customers. Read more in my article on the Hot for Security blog.