The year thus far has brought a slew of publicity regarding large-scale exchange hacks and exit scams, and we are only in February. Something rarely reported on, however, is the hacking of individually owned crypto assets, through a varied and ever more complex set of methods employed by nefarious actors exploiting the immutability and pseudonymity of cryptocurrency transactions. These features, while extraordinary in their ability to financially empower individuals, allow bad actors to avoid much chance of repercussion for the theft of cryptocurrency, which acts as an enormous deterrent for victims ever considering public blockchains again. The methods employed to separate legitimate crypto owners from their assets have evolved alongside the blockchains themselves, so it is worth examining some of the most common hacks people are currently being targeted with, along with explanations of how they happen. Below is a list of four such methods, all of which bad actors are using in 2019.
1. Phishing
The most common individual crypto hack is phishing — attempting to trick individuals into providing their passwords and/or second-factor authentication codes for exchanges, or the private keys for their crypto wallets themselves. These attempts range from the crude and obvious (emails with links to forms requesting this information) to the complex (websites which look almost identical to legitimate exchanges and request login details). This is not unique to cryptocurrencies — phishing existed long before Bitcoin, and is used to extract online banking access or, more commonly, access to third-party payment platforms like PayPal. Some hackers attempt both: a recent Medium post goes into remarkable detail about the methods used by one Binance and PayPal phisher. The post shows that a number of people were caught by this scam after erroneously providing their full Binance credentials, including their 2FA codes (although this particular method involved the attacker contacting Binance support to access the account without 2FA).
2. Dusting
A newer attack made possible by Bitcoin and other pseudonymous cryptocurrencies is “dusting” — sending tiny amounts of a cryptocurrency to wallets and tracking transactions from that point on. Although most people tend to think of Bitcoin as anonymous, given the lack of personal identifiers in addresses and wallets, the ability to track transactions through the blockchain allows individuals with considerable time on their hands to link the original wallets to exchanges that hold identifying information. It is referred to as dusting because of the tiny amounts sent to potential victims — typically hundreds of satoshis or less. If the attackers are able to connect a wallet to an individual, they can attempt to extort the person or attempt social engineering (targeted phishing) to get access to the funds. Binance Academy has a write-up of this hacking method and some ways to avoid it, chiefly by never spending these dust amounts.
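The mitigation above (never spend the dust) can be enforced in a wallet's coin selection. The following is an added example, not code from the original post or from any wallet: it flags unsolicited outputs at or below an assumed dust threshold and never chooses them as inputs, so they are never co-spent with the owner's real coins in one transaction. All UTXO values and ids are constructed.

```python
# Added example: dust-aware coin selection (all data below is constructed).
# Co-spending a dust output with your other coins places them in one
# transaction, which is exactly the link a dusting attacker is waiting for.
from dataclasses import dataclass

DUST_THRESHOLD_SATS = 1_000  # assumed cut-off: "hundreds of satoshis or less"


@dataclass(frozen=True)
class Utxo:
    txid: str            # constructed placeholder id, not a real transaction
    vout: int
    value_sats: int
    known_sender: bool   # True when the wallet recognises where it came from


def is_dust(utxo: Utxo) -> bool:
    """Unsolicited tiny outputs are treated as tracking dust."""
    return utxo.value_sats <= DUST_THRESHOLD_SATS and not utxo.known_sender


def select_inputs(utxos, target_sats, fee_sats):
    """Pick non-dust inputs (largest first) covering target + fee.

    Returns (chosen inputs, change in sats); raises ValueError when the
    non-dust balance cannot cover the payment, even if dust would.
    """
    spendable = sorted((u for u in utxos if not is_dust(u)),
                       key=lambda u: u.value_sats, reverse=True)
    chosen, total = [], 0
    for u in spendable:
        if total >= target_sats + fee_sats:
            break
        chosen.append(u)
        total += u.value_sats
    if total < target_sats + fee_sats:
        raise ValueError("insufficient non-dust funds")
    return chosen, total - target_sats - fee_sats


# Constructed wallet: two normal coins and two unsolicited dust outputs.
WALLET = [
    Utxo("tx_a", 0, 250_000, True),
    Utxo("tx_b", 1, 80_000, True),
    Utxo("tx_c", 0, 546, False),   # dust
    Utxo("tx_d", 0, 200, False),   # dust
]

if __name__ == "__main__":
    inputs, change = select_inputs(WALLET, 300_000, 2_000)
    print([u.txid for u in inputs], change)
```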
3. Malicious phone apps
Another method which has been abused by nefarious actors is submitting apps to Google Play and the iOS App Store which trick unwitting downloaders into entering their private keys, then forward these to the hacker. There was a boom in this type of exploit in 2018, when research showed that 661 apps had been blacklisted for this exact reason across platforms like the App Store and Google Play. Similarly, a devious app was discovered on Google Play last week that interferes with the phone’s native clipboard, replacing a user’s copied crypto address with that of the attacker upon pasting. The result would be obvious: funds sent to the hacker instead of the intended recipient. This highlights the need to verify the trustworthiness of any app which will deal with your crypto, but also to double-check addresses where possible on both phone and computer, as it is far more difficult to replicate a clipboard attack on both simultaneously; the PC browser allows you to verify that the address on the phone is correct, and vice versa.
Anatomy of an Android clipboard attack. Credit: Lukas Stefanko
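The "double-check on a second device" advice can be turned into a send-side guard. This is an added example, not code from the original post or from any wallet: the user confirms the destination out of band (for instance by reading it on the PC), and the wallet refuses to send unless the pasted address matches that confirmed value and passes the Base58Check checksum used by legacy Bitcoin addresses (bech32 addresses are out of scope here). The confirmed address is the well-known Bitcoin genesis address; the swapped values are constructed.

```python
# Added example: guard against clipboard substitution at send time.
# Assumes legacy Base58Check (P2PKH/P2SH) addresses only.
import hashlib

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """Decode a Base58Check string and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False               # '0', 'O', 'I', 'l' never appear in Base58
        n = n * 58 + _B58.index(ch)
    leading = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def check_destination(confirmed: str, pasted: str) -> str:
    """Return 'ok', or the reason the send must be blocked.

    The comparison runs first: a pasted value that differs from what the
    user confirmed on the other device is the clipboard-swap signature,
    whether or not the substituted string is itself a well-formed address.
    """
    if pasted != confirmed:
        return "blocked: pasted address differs from confirmed one (possible clipboard swap)"
    if not base58check_valid(pasted):
        return "blocked: address fails Base58Check"
    return "ok"


# Real, widely published genesis-block address used as the confirmed value.
CONFIRMED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed stand-in for whatever a malicious app pasted instead.
SWAPPED = "1ConstructedAttackerAddressXXXXXXX"

if __name__ == "__main__":
    print(check_destination(CONFIRMED, CONFIRMED))   # ok
    print(check_destination(CONFIRMED, SWAPPED))     # blocked: ... clipboard swap
```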
4. Secret mining or “cryptojacking”
Lastly, more of an annoyance or an intrusion than a direct theft of funds, some websites and apps run hidden crypto mining processes on the devices of users, who regularly see spikes in their CPU usage as a result. The most infamous offender of this type is likely The Pirate Bay, which has been running Monero mining in-browser on and off for the past several years. TPB has been surprisingly open about this, notifying users of the process and giving them the opportunity to close the page or install an adblocker to prevent it (although this notice was a later addition; initially users found out the hard way). The torrenting client uTorrent was similarly discovered using users’ CPUs for this purpose in 2015. There are, however, two reasons to be concerned about this particular attack despite its comparably subdued negative effects. First, all indications suggest that “cryptojacking” is increasing enormously: research by the Cyber Threat Alliance found that such instances had increased by 400% in 2018. Second, the scope of these exploits has grown past just PCs and laptops: secret miners are now moving to smartphones and even internet-equipped devices like smart TVs. Running mining software on such devices places an enormous strain on their processing resources and is much more noticeable than on full computers.
Constant vigilance
As we regularly discuss here, cryptocurrencies have a tremendous ability to hand individuals control over their finances, since they cannot be seized, devalued or otherwise impacted by governments or organizations. The corollary of this benefit is that such control comes with inherent risks, principally the risk that insufficient due diligence or security awareness leads to the loss of funds. As such, it is highly recommended to stay abreast of common security risks, and to understand that bad actors constantly adapt their methods to exploit any possible vulnerability. Given that blockchains themselves are extremely difficult to hack, humans are almost always the vulnerability targeted first.
For information on some of the services provided by Viewnodes, including our Tezos delegate, click here.