Tank-traps versus trappings in virtual currencies: A cybersecurity minefield
By Tomáš Foltýn
Virtual currencies have been the talk of the town
of late — including that of the ‘online town’, judging by 2017’s
top-trending search terms on Google. And, in a way, rightly so,
given the genuine bumper crop of events that 2017 yielded in this burgeoning –
but all too often murky and muddy – field. We saw cryptocurrency splits, bankruptcies, the launch of futures contracts by the world’s biggest derivatives exchange
operator, an explosion in initial coin offerings (ICOs) along with some fraud involving
ICOs, Japan’s approval of bitcoin as legal tender, regulatory rumblings from
governments, crackdowns on bogus digital currencies, fake trading apps, arrests of suspected scammers, and the kidnapping of a cryptocurrency industry insider.
Importantly, 2017 witnessed a bevy of cyberattacks
against providers of infrastructure that caters to virtual currencies and their
users, including high-profile thefts of users’ virtual assets. Last year was
also notable for a boom in surreptitious cryptocurrency mining. To be sure,
this is by no means an exhaustive list of calamities to have befallen this
space last year – all against the backdrop of the gravity-defying appreciation
of the cryptocurrency market.
Bitcoin, the progenitor of the entire
cryptocurrency boom and still the most popular virtual currency, experienced a
truly heady run-up in value. Its price surge was punctuated with a crescendo
midway through December, when a single bitcoin approached $20,000. Bitcoin’s
value had thus risen twenty-fold from the beginning of the year, wildly
outflanking the ‘meager’ more-than-doubling in its price in 2016. While the
digital currency has since retreated from these lofty heights, it continues to
trade at levels that have many officials and pundits concerned that bitcoin is a
bubble waiting to pop. The markets continued to shower their love on bitcoin
and its ilk, notwithstanding reports of various cybersecurity disasters that
struck a number of cryptocurrency services and their users last year.
With the value of digital currencies, to use a
technical term, going nuts, the ‘money’ and related services are becoming ever
more irresistible catnip for a slightly unsavory clowder of clued-in cats. Indeed,
Europol, the European Union’s law enforcement agency, noted in its 2017 Internet Organised Crime Threat Assessment (IOCTA) that
“[b]itcoin remains a key facilitator for cybercrime”, but was quick to add that
“other cryptocurrencies such as Monero, Ethereum and Zcash are also gaining
popularity within the digital underground”.
In addition to targeting providers of online
crypto-wallets, trading and mining exchanges and other services focused on
digital currencies, the attackers are also taking aim at investors and industry
insiders. They commonly rely on familiar social engineering tactics for scams
involving phishing, website spoofing, fake mobile apps and wallets and others, all with the ultimate
aim of cyber-heists. Indeed, nearly a million bitcoin in total has been
reported stolen since 2011.
High-profile incidents in 2017
Let us now review some of the notable cybersecurity
incidents that occurred amid the hustle and bustle of the cryptocurrency
markets in 2017. The cryptocurrency arena has resembled something of a mosh pit
of late, with the craze about 2017’s smash hit continuing despite the many
bruises suffered by a number of its cheerleaders, speculators, and various
infrastructure providers. The ICO frenzy in particular – which yielded $4 billion
to the start-ups last year alone – provided a perfect storm of conditions for
cyberlarceny.
· In February, attackers broke into a home computer belonging to an employee of South Korean exchange Bithumb, one of the world’s busiest exchanges for bitcoin and Ether. The personal details of more than 30,000 of Bithumb’s customers were compromised, acting as a springboard for scams that ultimately led to the siphoning of bitcoins worth over $1 million.
· In July, hackers flew off with some $7.4 million worth of ether, a currency similar to bitcoin. The cyberheist was perpetrated during the ICO of an Israeli cryptocurrency trading start-up called CoinDash. Investors were tricked into sending their money in ether to a fraudulent Ethereum deposit address controlled by the hackers.
· A further $8.4 million worth of ether was stolen in the midst of another ICO a few days later, this time organized by an Ethereum platform known as Veritaseum. The hackers stole the platform’s tokens, known as VERI, before immediately dumping the loot by exchanging it for ether, thus making a quick profit while the ICO was still under way.
· Still in July, a coding fault in Parity, a well-known Ethereum wallet, facilitated the theft of around 150,000 Ethereum cryptocurrency tokens. They were worth more than $30 million at the time.
· In August, a devious scheme was devised to con prospective investors out of their money at Enigma, another Ethereum platform. While the platform was preparing for an ICO, scammers fooled unsuspecting traders into sending them $500,000 in ‘crypto-money’ with a ‘pre-sale’ of tokens.
· In November, the Hong Kong-based operator behind a digital currency known as Tether, which is pegged to the US dollar at a 1:1 ratio, announced a theft of nearly $31 million worth of its tokens from its digital coffers.
· An apparent coding blunder in the Parity wallet was reported as having resulted in the permanent ‘freezing’ of some $280 million worth of ether in November. The bug was triggered after a user – yes, a ‘mere’ user – mistakenly deleted the code library required for access to the digital wallets.
· In December, hackers ransacked the payment system of Slovenia-based cryptocurrency mining marketplace NiceHash, stealing some 4,700 bitcoin, worth around $64 million at the time. The company described the breach as “a highly professional attack with sophisticated social engineering”, as the attackers entered the company’s system using the login credentials of one of its engineers.
However, this rundown doesn’t paint the whole
picture, as cryptocurrency services, including exchanges Bitfinex and Coinbase, were also frequent targets of distributed
denial-of-service (DDoS) attacks in 2017. Malicious actors also zeroed in on
the potential users of a cryptocurrency trading app known as Poloniex,
targeting them with two bogus credential-stealing apps on Google Play.
In addition, increasing numbers of internet users
have been hit by covert mining of digital coins, also known as cryptojacking, a
practice that picked up extra steam with the launch of an in-browser mining
service by Coinhive in September. This gave website owners an easy way
to generate revenue using a method other than adverts. The practice involves
gobbling up the untapped processing power of the visiting device by running a
currency mining script in the browsers of website visitors, usually without
their consent or knowledge. The code, which mines a digital currency called
Monero, has been detected on tens of thousands of websites, including many legitimate but
compromised websites, as well as in browser extensions and plugins, and on typo-squatted
domains. Malicious cryptocurrency miners are also known to target unpatched Windows webservers and mobile devices.
Speaking of cryptocurrency mining – which is
actually a process whereby the ‘coins’ come into existence – a different kind
of threat made the rounds on the internet in December. It was reported that the
mining of bitcoins, because it requires significant
computational processing power, consumes more energy than 159 individual countries. If the bitcoin network were to
retain its current growth in energy use, it could reportedly use up all of the
world’s energy by 2020, although some energy and IT researchers dispute that estimate.
Where does this leave us?
The relaxed – or non-existent – checks and balances in the cryptocurrency arena and concerns
about virtual money being used as a vehicle for all manner of
illicit endeavors, such as extortion, money laundering and tax dodging, have
prompted authorities in a number of countries to take action. The list of
nations that are planning to keep a more watchful eye on this space – or are
already doing so – includes Japan, China, the United States, South Korea, Australia, Russia, and the United Kingdom and other European Union countries. At the same time, some countries are
planning to dive into the uncharted waters of government-backed cryptocurrencies, which should also serve to
put cybersecurity concerns on the front burner.
All told, virtual currencies – once the
preoccupation of the technologically-minded – are looking to gain currency
among ever broader sectors of society. The trappings come with many traps to
ensnare the unwary, and even the wary. It remains to be seen how, over the long
term, the morass of risks inherent in the newfangled currencies, the
fundamental security-related challenges they face, and tighter regulation pan
out for virtual ‘money’ and its fandom. That said, it is obvious already that –
unless the myriad security concerns are addressed – more and more people
invested in the superheated currency (or should we say ‘commodity’?) may face a
cold and harsh reality further down the road.