Partnerships, deanonymization and transaction pattern analysis: What else do international police use to detect crypto cybercriminals?
2019 demonstrated that cyber-attacks are getting more numerous in the cryptocurrency industry, while hardware remains vulnerable and high-profile data leaks are becoming more common. Even worse, the trend is a continuing one.
Way back in June 2018, Kaspersky Lab security experts reported an increase in the amount of malware targeting the cryptocurrency market. They noted a trend toward the spread of two types of malware: for hacking cryptocurrency wallets and for malicious Bitcoin (BTC) mining.
As cybercrimes using digital money have begun to affect more countries and involve more advanced technologies, entire states and government organizations have come to grips with them. Cointelegraph found out what methods are used to combat the most sophisticated cryptocurrency cybercrimes at the international level and whether they produce positive results.
What’s that about Interpol?
On the world stage, most of the work on combating cryptocurrency-related crimes is carried out by Interpol and Europol. Organizations at this level not only have access to the entire cryptocurrency market infrastructure but also form relationships with exchanges, brokers, developers and other key industry players.
The fact that Interpol deals with international crypto crimes came to light back in 2015, when its representatives first warned of possible threats posed by digital assets and blockchain — in particular, the possibility of embedding malware into the chain. Since then, agencies have taken up cryptocurrency crimes in earnest, establishing the Interpol Global Complex for Innovation to explore new techniques that are being increasingly used by cybercriminals. Among them are cryptojacking and ransomware, which have become widespread tools for bad actors and an international concern for governments.
In September 2015, Europol reported that about 40% of all criminal-to-criminal transactions are made with Bitcoin. By that time, cryptocurrency ransomware attacks were the most widespread form of crime: the malware encrypted files and blocked access to devices after an unsuspecting user had opened an infected site or piece of software. To decrypt the data, criminals demanded a ransom in cryptocurrency.
An example of such activity is the criminal group DD4BC — DDoS for Bitcoin — whose members were arrested by Europol in January 2016. Hackers blackmailed online casinos and then moved on to attack financial institutions in Switzerland, New Zealand and Australia. Since cryptocurrency is not controlled by anyone, it quickly became an attractive tool for ransomware attackers. This sort of crime flourished as a new service offered by criminals — Ransomware-as-a-Service (RaaS) — opened the doors to attackers without technical experience.
As a result, private hackers united into groups, making corporations and government organizations the targets of their ransomware attacks. Many companies and states associate the infamous Lazarus Group with North Korean intelligence agencies. The Lazarus hackers allegedly carried out their first attack on the South Korean government back in 2009, and were also accused of attacks on large companies in the country, including Sony Pictures.
Furthermore, United States police consider Lazarus to be involved in the dissemination of the infamous WannaCry ransomware, whose outbreak peaked in 2017. In a short time, the malware affected 500,000 computers owned by private individuals, companies and government agencies in 150 countries. The total damage was estimated at $1 billion.
Cryptojacking overtakes other crypto crimes
As law enforcement agencies found ways to detect cryptocurrency ransomware attacks, hackers found a new tool: cryptojacking, or hidden cryptocurrency mining. It allowed them to mine cryptocurrency using the computing power of their victims’ devices.
A relatively new phenomenon, cryptojacking has quickly turned into one of the most widespread online threats. According to Malwarebytes, hidden cryptocurrency mining has steadily held the lead among the most frequently detected malicious software since September 2017, and the number of affected Android devices increased by 4,000% in the first quarter of 2018 alone.
The crux of the issue is that cryptojacking can easily affect any device while also being a tough nut to crack. Users may not even suspect that they have become victims of malicious mining malware, as attackers use hidden links and programs that are difficult to distinguish from familiar ones.
“Some cryptojacking tools may choose to consume only 50% of the computer usage instead of 100%, and thus the user may not even notice that it is running particularly slowly,” Vijay Rathour, partner leading the Digital Forensics and Investigations Group at Grant Thornton, told Cointelegraph.
When it comes to damages incurred, cryptojacking may not be as dangerous as ransomware, although its consequences are unpleasant. While for private users, this just results in a slowdown in computing speed, companies can face financial losses and disruption of business processes.
Several high-profile cases include cryptojackers penetrating the operational technology network of a European water utility’s control system, and employees of a nuclear center using one of Russia’s largest supercomputers to mine Bitcoin. Hackers also embedded a miner into BrowseAloud, a popular web plugin for the vision-impaired.
Another criminal scheme was uncovered by French cyber police officers who detected a fraud group that used a network of 850,000 computers to mine Monero (XMR). Similarly, 300 sites around the world were infected through the Drupal Content Management System, including those of San Diego Zoo, the U.S. National Board of Labor Relations, the cities of Marion and Ohio, and the administration of the Mexican city of Chihuahua.
How do government agencies fight cryptojacking and ransomware?
Due to its pseudo-anonymity, cryptocurrency can be easily used by cybercriminals, but the same property allows government organizations to track illicit transactions. However, the more sophisticated and widespread crimes using crypto become, the more urgently police need new ways to respond to them.
Although law enforcers keep their methods of fighting cyber crimes secret, Cointelegraph managed to get some facts from leading experts. Jarod Koopman, director of cybercrime at the U.S. Internal Revenue Service, commented to Cointelegraph on the matter:
“The main aspects of combating cybercrime these days center around attribution and understanding who is behind the activity.”
He added that government agencies utilize a host of tools, such as blockchain analytics, dark web research, open-source information, and financial or in-house data, to identify the parties involved and potential areas of fraud, while technical crimes, such as hacks and DDoS attacks, require more technical capabilities and expertise in those areas.
The uncovered crypto crimes demonstrate that law enforcement’s success in catching cybercriminals primarily hinges on collaboration with cryptocurrency market players such as brokers, exchanges and internet security firms.
In particular, cooperation with the latter helped Interpol detect 20,000 hidden miners in South-East Asia. As reported by Cointelegraph on Jan. 9, Japanese cybersecurity company Trend Micro, which assists the police, has reduced the number of affected routers by 78%. The groups worked for five months to locate the affected routers, notify the victims, and use Trend Micro’s guidance document to patch the bugs and stop the hackers.
As Koopman explained to Cointelegraph, additional work between law enforcement agencies, regulatory agencies and governing bodies across the globe leads to effective communication and strategies for future success. Such collaboration includes “working directly with exchanges in the U.S. or third party tool developers to offer insight as to the typologies and methods used by criminals.” This, according to Koopman, helps provide new tools, procedures or contacts for suspected fraud.
Along with cybersecurity experts, Europol representatives work with crypto companies that assist them in detecting suspicious activity. Because they are the most frequent targets of attacks, the more aboveboard cryptocurrency exchanges and platforms prioritize maintaining good relationships with the police and provide the necessary records to law enforcement bodies, which minimizes the likelihood of dealing with such attacks in the future.
Training and prevention
Ransomware attacks — in particular, those using cryptocurrencies — have received much attention from government organizations. In 2014, the German and Austrian governments created joint research project BitCrime, aimed at developing effective and internationally applicable measures to reduce the number of cryptocurrency crimes committed by organized crime groups.
In 2015, the Interpol Global Complex for Innovation created its own cryptocurrency and simulation training game for employees to study scenarios of cryptocurrency use and misuse. One year later, Cyber Threats Reports by the European Union Agency for Network and Information Security started to include ransomware as a separate online threat from malware, offering relevant information and statistics.
To share their professional knowledge with companies and users, the Federal Bureau of Investigation, the National Cyber Security Centre and Europol have released documents and guidelines on how to handle cryptocurrency and how to protect against such attacks.
Educational conferences are part of this program. Every year, Europol holds the Virtual Currencies Conference, a meeting closed to the public designed to let police and crypto experts discuss sensitive matters frankly.
The conferences seem to have produced results. With the support of law enforcement, crypto platforms have developed and improved Know Your Customer procedures to meet the security standards of the traditional financial sector. As a result, most of the platforms that work with digital assets request proof of identity and address before granting access.
Another goal of such programs is to teach organizations how to prevent crypto cybercrimes. The FBI has warned that prevention is the most effective defense against ransomware, and that it is critical to follow sound internet security practices and safeguard the information stored on devices.
In general, organizations should upgrade outdated programs, patch regularly, apply the principle of least privilege, segment the network, and implement effective backup practices. Rathour believes that these two malware types, ransomware and cryptojacking, can’t really be stopped at a state level, but generally require good cyber hygiene at the user level:
“The challenge here is that this could be almost any activity by a typical lay user, so the general advice is be prudent when using a computer connected to the internet, and then have good system controls (like limited access, split your network up, have regular backups).”
Using the weaknesses of the criminals
Governments also use blockchain technology to trace cybercriminal activity. As claimed by Kathryn Haun, a general partner at Andreessen Horowitz and formerly the Justice Department’s prosecutor for the infamous Silk Road case, blockchain is the only tool the police can use to catch cryptocurrency criminals. She added that if such crimes were committed using cash, it would be almost impossible to detect the people behind them.
According to Jarek Jakubchek, a Europol cybercrime analyst, many criminals think they remain untraced when, in fact, the use of BTC creates a paper trail and accelerates their detection. Despite the hackers’ advanced capabilities, the code they create can also contain bugs and vulnerabilities. One such bug was used by the French police to uncover a large cryptojacking botnet, as reported by Cointelegraph.
Transaction screening and attack pattern analysis
Traceability of cryptocurrency transactions is not enough to catch a criminal. Police aren’t always able to immediately identify the parties involved in such activity, but they can trace and analyze patterns in the movement of digital assets to de-anonymize attackers.
In the search for suspicious transactions, law enforcers use monitoring tools developed by firms such as Elliptic, CipherTrace and Chainalysis. For example, a service created by Elliptic Enterprises is used by the international police to screen crypto transactions for links to illicit activity. The software detects suspicious transfers based on the patterns of the transactions previously linked to illegal cryptocurrency operations.
In an interview with Cointelegraph, Elliptic co-founder Tom Robinson said that widespread use of such tools “makes it difficult for criminals to cash out their crypto-assets because exchanges are alerted to the illicit origin of the funds and can notify law enforcement.”
Chainalysis, another cybersecurity firm, signed a contract with the IRS to provide transaction tracking software and access to bad actors. The company has provided similar services to a number of U.S. intelligence agencies, and it was with the help of Chainalysis and its Know Your Transaction tool that the FBI detected illegal transactions on the infamous dark web platform Silk Road.
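The screening described above, where a transfer is flagged because of its upstream links to addresses already tied to illicit activity, reduces to a graph search over the ledger. The following is an added illustration written for this article, not Elliptic’s or Chainalysis’ software; the addresses, amounts and the illicit list are constructed labels, and the hop thresholds are assumptions.

```python
from collections import deque

# Constructed sample ledger: (sender, receiver, amount). Labels are illustrative,
# not real addresses. "illicit_A" plays the role of an address on a known-bad list.
SAMPLE_TXS = [
    ("illicit_A", "mixer_1", 5.0),
    ("mixer_1", "hop_1", 2.0),
    ("mixer_1", "hop_2", 3.0),
    ("hop_1", "exchange_deposit_X", 2.0),
    ("clean_B", "hop_3", 4.0),
    ("hop_3", "exchange_deposit_Y", 4.0),
]

KNOWN_ILLICIT = {"illicit_A"}  # constructed watch list


def build_upstream(txs):
    """Map each receiving address to the set of addresses that paid it,
    i.e. the reversed transaction graph used for tracing funds backwards."""
    upstream = {}
    for sender, receiver, _amount in txs:
        upstream.setdefault(receiver, set()).add(sender)
    return upstream


def illicit_exposure(address, txs, illicit, max_hops=3):
    """Breadth-first search backwards from `address` through the senders
    that funded it. Returns the smallest number of hops to a known-illicit
    address, or None if none is reachable within `max_hops`."""
    upstream = build_upstream(txs)
    seen = {address}
    queue = deque([(address, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in illicit:
            return depth
        if depth >= max_hops:
            continue  # stop expanding beyond the configured trace depth
        for parent in upstream.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, depth + 1))
    return None


def screen_deposit(address, txs=SAMPLE_TXS, illicit=KNOWN_ILLICIT, max_hops=3):
    """Exchange-side verdict for an incoming deposit (thresholds are assumed):
    direct or near-direct exposure alerts, distant exposure goes to review."""
    hops = illicit_exposure(address, txs, illicit, max_hops)
    if hops is None:
        return "clear"
    return "alert" if hops <= 2 else "review"
```

A real screening service also weights exposure by the share of funds that actually flowed along each path, which this hop-count version deliberately omits.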
So, what are we supposed to do with it?
According to Juniper Research, the economic damage from cyberattacks could reach $8 trillion by 2022. Even worse, Cybersecurity Ventures predicts that ransomware will hit a company every 11 seconds, compared to every 14 seconds in 2019. So the question remains: Why, despite the actions of law enforcement agencies and governments’ efforts to regulate digital assets, is the number of cryptocurrency crimes still significant? Thomas Stubbings, chairman of the cybersecurity platform of the Austrian government, told Cointelegraph:
“It is convenient and it is anonymous. There is currently no better way to cash out. As long as there are countries where criminals can cash out cryptos such activity will happen.”
At the same time, according to him, the growing prices of cryptocurrencies and the demand for them do not affect the growth of such crimes. The fact is that criminals don’t use digital assets as a speculative investment; they cash out no matter the current price. Furthermore, Stubbings believes that regulation is ineffective. He added that the main focus in fighting crypto-related crimes should be placed on their prevention:
“You cannot fight cryptos. You can only fight cybercrime and that’s the same old cumbersome job as ever: awareness, monitoring, preventive measures, cybercrime investigation units, etc.”
The IRS shares the same view. Koopman noted that even with both aspects — enforcement and regulation — criminals will continue to exploit the best avenues and opt to use digital currency. In his opinion, to significantly reduce cybercrimes involving crypto, it is necessary to focus on the improvement of technical capacities of law enforcement agencies and the large-scale implementation of user identification procedures:
“As infrastructure continues to build in terms of payment processors and legitimate exchanges with proper KYC/AML practices, businesses, the public and traditional financial sector will begin to implement crypto more into standard use. I believe 2020 will continue to see a refining of roles/responsibilities and increased use.”