Published: June 30th, 2020
A threat group that was recently detected is estimated to have scammed cryptocurrency exchanges of about $200 million. The group, operating for about two years, achieved the feat in a little over 20 months.
CryptoCore, a cyber-crime organization whose wicked and cruel acts only recently came to light, is estimated to have scammed cryptocurrency exchanges of more than $200 million.
According to the research findings published by ClearSky Cyber Security, an Israeli cybersecurity outfit, the threat group has been in operation since May 2018. The report adds that the threat group has been majorly targeting crypto exchange employees from the U.S. and Japan.
ClearSky says that it is unusual for a threat group to achieve such success while relying on basic attack techniques in most instances. The report states that CryptoCore is not exceedingly advanced in technical prowess, and attributes its success to swiftness, persistence, and effective attack techniques.
According to Boaz Dolev, the co-founder of ClearSky, five exchanges were hacked following a similar pattern. However, Dolev did not reveal the identity of the said exchanges.
He added that the criminals attack very quickly. In one instance, Dolev said, CryptoCore deployed an attack only 12 hours after creating a new domain name. He suspects that the group does not consist of many people. According to him, the group consists of a gang of three or four people who run an efficient operation.
Or Blatt, who leads the threat intelligence team at ClearSky, believes that the cybercriminals are ordinary rogues. He ruled out military support or any form of military training among the thieves.
He described the attacks undertaken by the threat group as far less sophisticated. For instance, compared to the operations conducted by officers of Russian military intelligence who were indicted for U.S. election interference, CryptoCore’s strikes seem considerably subpar.
Or added that attacks similar to CryptoCore’s often succeed when crypto exchange employees are vulnerable to social engineering. He also noted that they did not observe any sign of the attackers using a VPN, which is a common feature of typical cyber-attacks.
According to ClearSky, the threat group has stolen more than $70 million from crypto exchange vaults. However, this is only the tip of the iceberg. The cybersecurity company that conducted the research and identified the threat group estimates that crypto exchanges and individuals have lost more than $200 million at the hands of these cybercriminals in just two years.
CryptoCore almost exclusively uses supply chain attacks to infiltrate cryptocurrency exchanges. The research findings also hint that the cybercriminals may have targeted employees of companies that work with these exchanges.
The ClearSky research suggests that CryptoCore’s goal is to access the cold wallets of the cryptocurrency exchanges that they target. Such vaults include the corporate wallets as well as the crypto vaults belonging to the staff of these exchanges. The research further highlights that CryptoCore mainly used spear-phishing to gain access.
Cybercriminals that use this technique often gain access to targeted accounts by impersonating senior executives of the target companies. In certain instances, these criminals go through employees of other companies that have connections with the firms they are targeting.
In the case of CryptoCore, they sent out emails with malicious Bitly (shortened) links pointing to a fake Google Drive folder. Individuals who click on the link end up on a landing page that the threat group controls.
Once you reach the landing page, the cybercriminals gain access to your password manager account, from which they quickly snatch the keys to your crypto wallets.
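The lure chain described above (shortened link, then a fake Google Drive destination) is something a mail gateway or analyst can check for before anyone clicks. The following is an added example written for this article, not ClearSky's or CryptoCore's code: it expands shortener links against a constructed redirect map (a stand-in for following HTTP redirects offline) and flags final hosts that imitate Google Drive without being a real Google Drive host. The short codes, hostnames and redirect map are all constructed.

```python
from urllib.parse import urlparse

# URL shorteners to expand; Bitly is the one used in the CryptoCore lure.
SHORTENERS = {"bit.ly", "bitly.com", "j.mp"}
# Hosts that legitimately serve Google Drive content (exact match only).
GOOGLE_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

# Constructed stand-in for following HTTP redirects. A live check would send
# requests with redirects disabled and record each Location header instead.
REDIRECT_MAP = {
    "https://bit.ly/constructed-1": "https://drive.google.com.share-docs.example/folder/1",
    "https://bit.ly/constructed-2": "https://drive.google.com/drive/folders/constructed",
}

def expand(url, redirect_map=REDIRECT_MAP, max_hops=5):
    """Follow the redirect chain; returns every hop starting with the input URL."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirect_map.get(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def looks_like_drive_lure(host):
    """True when a host imitates Google Drive (e.g. drive.google.com as a
    subdomain of another domain) but is not an exact Google Drive host."""
    if host in GOOGLE_DRIVE_HOSTS:
        return False
    return "google" in host and ("drive" in host or "docs" in host)

def assess_link(url):
    """Classify one link from a mail body: returns the verdict and the hop chain."""
    chain = expand(url)
    first_host = urlparse(chain[0]).hostname or ""
    final_host = urlparse(chain[-1]).hostname or ""
    shortened = first_host in SHORTENERS
    if final_host in GOOGLE_DRIVE_HOSTS:
        verdict = "legit-drive"
    elif looks_like_drive_lure(final_host):
        verdict = "drive-lookalike"
    elif shortened:
        verdict = "shortened-unknown"
    else:
        verdict = "unknown"
    return {"url": url, "shortened": shortened, "final_host": final_host,
            "chain": chain, "verdict": verdict}

if __name__ == "__main__":
    for link in ["https://bit.ly/constructed-1", "https://bit.ly/constructed-2"]:
        print(assess_link(link))  # constructed mail links
```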
The ClearSky team has tracked the threat group for a little over two years. During this period, they observed a fairly constant flurry of activity. However, the attacks subsided in Q1 and Q2 of 2020, probably due to the COVID-19 pandemic.
Despite the prolonged tracking and the threat group’s reliance on basic techniques, ClearSky is still unable to pinpoint the origin of CryptoCore. However, they managed to isolate three countries in Eastern Europe as the probable operation bases.
The ClearSky research report said that they have assessed with a moderate level of certainty that CryptoCore has links to Ukraine, Russia, and Romania.
Dolev said that crypto exchanges are vulnerable when they fail to use the level of security protocols that banks employ. Nicholas Percoco, the head of security at Kraken, agrees with Dolev, adding that such cyber attackers often target many institutions in the same sector.
He admitted that Kraken sees several attempts to attack the exchange. Most of these strikes come from several vectors, including social engineering tricks similar to what CryptoCore employed. Percoco said their security protocols involve taking their employees through extensive training.
Percoco suggests that exchanges should take their employees through social network and home network security, and even personal device security training.
Dolev warns that the unprecedented times of the coronavirus pandemic have led to a mass departure from the norm. Most workers now fulfill their responsibilities remotely. He says that this situation presents a higher risk. Or added that even though CryptoCore has not hit any crypto exchange lately, the group has been more active since the pandemic began.
Dolev warns crypto holders against leaving their coins in exchanges. He says that it is almost impossible to determine the safety of the coins in a crypto exchange.
An Israeli-based cybersecurity company has alleged that a new threat group it identified only recently has scammed crypto exchanges of more than $200 million. The company, ClearSky Cyber Security, says that the threat group, CryptoCore, has successfully hit five crypto exchanges over the past two years. ClearSky says that the threat group seems outdated in methodology but is swift, persistent, and effective in its mode of attack.