11.1.18

Tank-traps versus trappings in virtual currencies: A cybersecurity minefield

Virtual currencies have been the talk of the town of late — including that of the ‘online town’, judging by 2017’s top-trending search terms on Google. And, in a way, rightly so, given the genuine bumper crop of events that 2017 yielded in this burgeoning – but all too often murky and muddy – field. We saw cryptocurrency splits, bankruptcies, the launch of futures contracts by the world’s biggest derivatives exchange operator, an explosion in initial coin offerings (ICOs) along with some fraud involving ICOs, Japan’s approval of bitcoin as legal tender, regulatory rumblings from governments, crackdowns on bogus digital currencies, fake trading apps, arrests of suspected scammers, and the kidnapping of a cryptocurrency industry insider.
Importantly, 2017 witnessed a bevy of cyberattacks against providers of infrastructure that caters to virtual currencies and their users, including high-profile thefts of users’ virtual assets. Last year was also notable for a boom in surreptitious cryptocurrency mining. To be sure, this is by no means an exhaustive list of calamities to have befallen this space last year – all against the backdrop of the gravity-defying appreciation of the cryptocurrency market.
Bitcoin, the progenitor of the entire cryptocurrency boom and still the most popular virtual currency, experienced a truly heady run-up in value. Its price surge was punctuated with a crescendo midway through December, when a single bitcoin approached $20,000. Bitcoin’s value had thus risen twenty-fold from the beginning of the year, wildly outflanking the ‘meager’ more-than-doubling in its price in 2016. While the digital currency has since retreated from these lofty heights, it continues to trade at levels that have many officials and pundits concerned that bitcoin is a bubble waiting to pop. The markets continued to shower their love on bitcoin and its ilk, notwithstanding reports of various cybersecurity disasters that struck a number of cryptocurrency services and their users last year.
With the value of digital currencies, to use a technical term, going nuts, the ‘money’ and related services are becoming ever more irresistible catnip for a slightly unsavory clowder of clued-in cats. Indeed, Europol, the European Union’s law enforcement agency, noted in its 2017 Internet Organised Crime Threat Assessment (IOCTA) that “[b]itcoin remains a key facilitator for cybercrime”, but was quick to add that “other cryptocurrencies such as Monero, Ethereum and Zcash are also gaining popularity within the digital underground”.
In addition to targeting providers of online crypto-wallets, trading and mining exchanges and other services focused on digital currencies, the attackers are also taking aim at investors and industry insiders. They commonly rely on familiar social engineering tactics for scams involving phishing, website spoofing, fake mobile apps and wallets, among others, all with the ultimate aim of cyber-heists. Indeed, nearly a million bitcoin in total has reportedly been stolen since 2011.
High-profile incidents in 2017
Let us now review some of the notable cybersecurity incidents that occurred amid the hustle and bustle of the cryptocurrency markets in 2017. The cryptocurrency arena has resembled something of a mosh pit of late, with the craze about 2017’s smash hit continuing despite the many bruises suffered by a number of its cheerleaders, speculators, and various infrastructure providers. The ICO frenzy in particular – which yielded $4 billion to the start-ups last year alone – provided a perfect storm of conditions for cyberlarceny.
· In February, attackers broke into a home computer belonging to an employee of South Korean exchange Bithumb, one of the world’s busiest exchanges for bitcoin and Ether. The personal details of more than 30,000 of Bithumb’s customers were compromised, acting as a springboard for scams that ultimately led to the siphoning of bitcoins worth over $1 million.
· In July, hackers flew off with some $7.4 million worth of ether, a currency similar to bitcoin. The cyberheist was perpetrated during the ICO of an Israeli cryptocurrency trading start-up called CoinDash. Investors were tricked into sending their money in ether to a fraudulent Ethereum deposit address controlled by the hackers.
· A further $8.4 million worth of ether was stolen in the midst of another ICO a few days later, this time organized by an Ethereum platform known as Veritaseum. The hackers stole the platform’s tokens, known as VERI, before immediately dumping the loot by exchanging it for ether, thus making a quick profit while the ICO was still under way.
· Still in July, a coding fault in Parity, a well-known Ethereum wallet, facilitated the theft of around 150,000 Ethereum cryptocurrency tokens. They were worth more than $30 million at the time.
· In August, a devious scheme was devised to con prospective investors out of their money at Enigma, another Ethereum platform. While the platform was preparing for an ICO, scammers fooled unsuspecting traders into sending them $500,000 in ‘crypto-money’ with a ‘pre-sale’ of tokens.
· In November, the Hong Kong-based operator behind a digital currency known as Tether, which is pegged to the US dollar at a 1:1 ratio, announced a theft of nearly $31 million worth of its tokens from its digital coffers.
· An apparent coding blunder in the Parity wallet was reported as having resulted in the permanent ‘freezing’ of some $280 million worth of ether in November. The bug was triggered after a user – yes, a ‘mere’ user – mistakenly deleted the code library required for access to the digital wallets.
· In December, hackers ransacked the payment system of Slovenia-based cryptocurrency mining marketplace NiceHash, stealing some 4,700 bitcoin, worth around $64 million at the time. The company described the breach as “a highly professional attack with sophisticated social engineering”, as the attackers entered the company’s system using the login credentials of one of its engineers.
However, this rundown doesn’t paint the whole picture, as cryptocurrency services, including exchanges Bitfinex and Coinbase, were also frequent targets of distributed denial-of-service (DDoS) attacks in 2017. Malicious actors also zeroed in on the potential users of a cryptocurrency trading app known as Poloniex, targeting them with two bogus credential-stealing apps on Google Play.
In addition, increasing numbers of internet users have been hit by covert mining of digital coins, also known as cryptojacking, a practice that picked up extra steam with the launch of an in-browser mining service by Coinhive in September. This fired up an easy way for website owners to generate revenue using a method other than adverts. The practice involves gobbling up the untapped processing power of the visiting device by running a currency mining script in the browsers of website visitors, usually without their consent or knowledge. The code, which mines a digital currency called Monero, has been detected on tens of thousands of websites, including many legitimate but compromised websites, as well as in browser extensions and plugins, and on typo-squatted domains. Malicious cryptocurrency miners are also known to target unpatched Windows webservers and mobile devices.
Speaking of cryptocurrency mining – which is actually a process whereby the ‘coins’ come into existence – a different kind of threat made the rounds on the internet in December. It was reported that the mining of bitcoins, because it requires significant computational processing power, consumes more energy than 159 individual countries. If the bitcoin network were to retain its current growth in energy use, it could reportedly use up all of the world’s energy by 2020 – an estimate disputed by some energy and IT researchers, however.
Where does this leave us?
The relaxed – or non-existent – checks and balances in the cryptocurrency arena and concerns about virtual money being used as a vehicle for all manner of illicit endeavors, such as extortion, money laundering and tax dodging, have prompted authorities in a number of countries to take action. The list of nations that are planning to keep a more watchful eye on this space – or are already doing so – includes Japan, China, the United States, South Korea, Australia, Russia, and the United Kingdom and other European Union countries. At the same time, some countries are planning to dive into the uncharted waters of government-backed cryptocurrencies, which should also serve to put cybersecurity concerns on the front burner.
All told, virtual currencies – once the preoccupation of the technologically-minded – are looking to gain currency among ever broader sectors of society. The trappings come with many traps to ensnare the unwary, and even the wary. It remains to be seen how, over the long term, the morass of risks inherent in the newfangled currencies, the fundamental security-related challenges they face, and tighter regulation pan out for virtual ‘money’ and its fandom. That said, it is obvious already that – unless the myriad security concerns are addressed – more and more people invested in the superheated currency (or should we say ‘commodity’?) may face a cold and harsh reality further down the road.