Search This Blog

Showing posts with label Bitcoin. Show all posts

TeamTNT is Back & Targets Servers to Run Bitcoin Encryption Solvers

 

AquaSec threat analysts have detected TeamTNT activity on their honeypots since early September, leading them to believe the infamously hacking group is back in business. 

TeamTNT announced its retirement in November 2021, and most associated observations since then have involved remnants of previous infections, such as automated scripts, but no new payloads. The recent attacks, however, bear various signatures associated with TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback.  The researchers observed three attack types utilized in the reportedly new TeamTNT attacks, the most intriguing being the use of hijacked servers' computational power to run Bitcoin encryption solvers.

The attack, dubbed "the Kangaroo attack" because it employs Pollard's Kangaroo WIF solver, scans for vulnerable Docker Daemons, deploys an AlpineOS image, drops a script ("k.sh"), and eventually retrieves the solver from GitHub. Pollard's Kangaroo interval ECDLP (Elliptic Curve Discrete Logarithm Problem) solver algorithm attempts to decipher the SECP256K1 encryption used in Bitcoin's public-key cryptography.

“It [the algorithm] is designed to run in a distributed fashion since the algorithm breaks the key into chunks and distributes them to various nodes (attacked servers), collecting the results which are then written locally to a text file,” explains AquaSec.

While quantum computing is expected to break existing Bitcoin encryption at some point in the future, it is thought to be impossible to achieve with current machines, TeamTNT appears willing to test the theory anyway, using other people's resources.

Perhaps the threat actors are simply experimenting with new attack pathways, payload deployment, and evasion while performing intensive operations on captured systems, with the Kangaroo attack ticking all of the boxes.

Other Attacks

Other attacks detected by AquaSec are similar to previous TeamTNT operations but have some new characteristics.

The "Cronb Attack" employs well-documented rootkits, cron jobs for persistence, cryptominers for profit, and lateral movement tools. The appearance of new C2 infrastructure addresses and more elaborate data exchange is the novel element.

The "What Will Be" attack targets Docker Daemons with shell-file dropping Alpine images once more, taking advantage of a vulnerability to escape from the container to the host. The attackers then download and execute additional scripts, rootkits, and a cryptominer, as well as add cronjobs and perform network SSH scans.

These scripts introduce a new trick in this attack, allowing threat actors to optimise crypto mining performance by modifying CPU model-specific registers. Whether it is TeamTNT or someone else carrying out these attacks, organisations should strengthen their cloud security, strengthen Docker configuration, and implement all available security updates before it is too late.

FBI: Hackers use DeFi Bugs to Steal Cryptocurrency

 


Investors are being warned by the FBI that hackers are increasingly using Decentralized Finance (DeFi) platform security flaws to steal cryptocurrency.

According to the PSA, which was posted on the FBI's Internet Crime Complaint Center (IC3) today, nearly 97% of the $1.3 billion in bitcoin that was stolen between January and March 2022 came via DeFi sites. This represents a big increase from 72% in 2021 and roughly 30% in 2020, according to projections by the FBI.

The FBI urges people to be aware of the hazards, seek professional assistance if they are unsure, and research the security and general business practices of DeFi providers. Additionally, we all refer to DeFi providers as exchanges, markets, and other websites where you may buy, sell, trade, and borrow bitcoins and other digital assets.

The FBI's warning is due to a Chainalysis analysis from April that revealed how, per Q1 2022 statistics, DeFi cryptocurrency platforms are currently more targeted than ever.

In the majority of occurrences, the hackers rely on using security flaws in their platform's code or unauthorized access to drain cryptocurrency to addresses under their command.

According to Chainalysis, the threat actors responsible for these attacks used dangerous laundering services, like unlawful exchanges and coin tumblers on the dark web, to re-launder the majority of the stolen funds in 2022.

The FBI's alert provides investors with guidance that begins with basic cautions about performing due diligence before investing and then suggests the following:

Before investing, research DeFi platforms, protocols, and smart contracts and be aware of the dangers associated with DeFi investments.

Verify whether the DeFi investment platform has undergone one or more code audits done by impartial auditors. A code audit normally entails carefully examining and studying the platform's underlying code to find any flaws or vulnerabilities that might impair the platform's functionality.

Be wary of DeFi investment pools with short join windows and quick smart contract rollouts, especially if they don't perform the advised code audit.

Be mindful of the potential risks crowdsourced solutions pose for finding and patching vulnerabilities. Open source code repositories give anyone, even those with malicious intent, unauthorized access.

This year, no DeFi-taken monies have been reimbursed, indicating that attackers are less interested in protecting their stolen assets than they were in 2021 when almost 25% of all cryptocurrency stolen via DeFi platforms was eventually recovered and given to the victims.

The FBI established a link between the Lazarus and BlueNorOff (also known as APT38) North Korean threat organizations and the April attack of Axie Infinity's Ronin network bridge, now the largest crypto hack ever.

The $611 million breach of the decentralized merge protocols and network Poly System in August 2021 was the most significant cryptocurrency theft to date.




Over 130 Organizations Targeted in Okta Phishing Campaign

In a single phishing attempt, the hackers behind a number of recent attacks, such as those targeting Twilio, Cloudfare, MailChimp, and Klaviyo, infiltrated over 130 firms.

Through this phishing attack, 9,931 login credentials were stolen using a phishing kit with the codename "0ktapus," which the hackers then used to log into business networks and systems using VPNs and other remote access tools.

Because the primary intent of the assaults was to "get Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations," the conduct has been denounced by Group-IB.

The Singapore-based corporation said that the opponent sought out employees of businesses that use Okta, a provider of identity services, and praised the attacks for being well-planned and carried out. With the help of the identity-as-a-service (IDaaS) platform Okta, employees may access all of their company's software with just one login. 

The phrases "OKTA," "HELP," "VPN," and "SSO" were used in 169 different phishing domains that supported the 0ktapus campaign.  

In addition, customers who used these services, such as Signal, and DigitalOcean, became the target of supply-chain attacks as a result of these breaches.

The threat actors targeted businesses in a variety of areas, including bitcoin, technology, banking, and recruiting, based on the phishing domains built as part of this effort.

These login credentials were then utilized by the hackers to log into internal customer support systems, corporate networks, and VPNs in order to steal consumer data. As earlier witnessed with DigitalOcean and Signal, subsequent supply-chain hacks were carried out using this customer data.

The hacked information was disseminated over a Telegram channel via the phishing kit employed in this effort. One of the channel administrators who went by the handle "X" was connected by the experts to a Twitter and GitHub account, which suggests the person may be based in North Carolina, US.

Threat actors frequently targeted data belonging to organizations in the bitcoin industry, according to revelations from previous victims.

According to Group-IB, the hackers were able to steal 5,441 records with MFA codes, 3,129 data with emails, and 9,931 records with user credentials from 136 businesses, with the mass of the targeted businesses being based in the United States.



Hackers Exploit Zero-Day Bug, Steal Crypto from Bitcoin ATMs

 


General Bytes and the Vulnerability

Hackers have abused a zero-day vulnerability in General Bytes Bitcoin ATM servers to get cryptocurrency from customers. When customers would deposit or buy cryptocurrency via the ATM, the funds would be stolen by hackers. 

General Bytes manufactures the Bitcoin ATMs that, according to the product, let people buy or sell more than 40 different cryptocurrencies. 

Actors Exploit CAS Zero-day

Crypto Application Server (CAS) controls the Bitcoin ATMs, looks over the ATM's operations, and the cryptocurrency it supports, and completes the sales and purchases of cryptocurrency on exchange forums. 

The attacks were carried out using a zero-day vulnerability in the company's Crypto Application Server (CAS). The hacker created an admin user remotely via CAS administrative interface through a URL call on the tab, using it for default installation on the server and therefore creating the first administration user. The vulnerability exists in the CAS software since version 20201208

General Bytes believes that the threat actors searched the internet for exposed servers that run on TCP ports 443 or 7777, this includes servers hosted at Digital Ocean and General Bytes' own cloud service.

Hackers exploit bugs to transfer money

The hackers then used the bug to put a default admin user named 'GB' in the CAS and changed the 'buy' and 'sell' crypto settings and 'invalid payment addresses' to use a cryptocurrency wallet within the attacker's control. 

After the hackers have modified these settings, any cryptocurrency sent to CAS was forwarded to the attackers instead. Two-way ATMs' began sending money into hackers' wallets when the customers deposited coins in the ATM. 

What should the users do?

General Bytes has warned its customers not to use their Bitcoin ATMs until the company has implemented two server patch releases 20220531.38 and 20220725.22, on their servers. General Bytes also gave a steps checklist for the devices before they are put back to use. 

We should note that the hackers wouldn't have been able to launch these attacks if the servers had a firewall, this would allow connections from only trusted servers. Hence, we should always configure firewalls to only give access to trusted IP addresses for the Crypto Application Server, for instance, the customer's offices or the ATM's location.

According to General Bytes, the following things didn't happen-

1. The attacker didn't gain access to the host operating system.
2. The attacker didn't gain access to the host file system.
3. The attacker didn't gain access to the database.
4. The attacker didn't gain access to any passwords, password hashes, salts, private keys, or API keys.

Currently, 18 General Bytes CAS are still vulnerable to the internet, most of these are located in Canada. We aren't aware of how many servers were compromised using this vulnerability and how much cryptocurrency was stolen. As of now, no further updates have come from General Bytes', CySecurity will update its readers in case.

Dutch University Receives Bitcoin Ransom Paid in 2019

 

The southern Maastricht University in Netherland that fell victim to a major ransomware assault has partly received back its stolen money, a local news organization reported on Saturday. 

The Dutch University suffered a large cyberattack in 2019 that locked them, and their students, out of valuable data until they agreed to pay a €200,000 ($208,000) ransom in Bitcoin which hackers demanded to decrypt the data.

"The criminals had encrypted hundreds of Windows servers and backup systems, preventing 25,000 students and employees from accessing scientific data, library and mail," the daily De Volkskrant told. 

"After a week the university decide to accede to the criminal gang's demand," the paper said. This was partly because personal data was in danger of being lost and students were unable to take an exam or work on their theses.” 

As part of an investigation into the cyberattack, local police traced part of the ransom paid to an account belonging to a money launderer in Ukraine. In 2020, the authorities seized the perpetrator's account, which contained a number of different cryptocurrencies including part of the ransom money paid by Maastricht University. 

Earlier this week, the authorities were able to return the ransom back to the university. But the value of the Bitcoin held in the Ukrainian account has increased from its then-value of €40,000 to €500,000.

"When, now after more than two years, it was finally possible to get that money to the Netherlands, the value had increased from 40,000 euros to half-a-million euros," the paper further read. Maastricht University will now get the 500,000 euros ($521,000) back. 

"This money will not go to a general fund, but into a fund to help financially strapped students," Maastricht University ICT director Michiel Borgers stated. 

The administrators of Maastricht University should count themselves lucky as they were able to retrieve their stolen money. Last year, the University of California paid $1.14 million to NetWalker attackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

In 2021, ransomware attackers targeted 58 U.S. education organizations and school districts, including 830 individual schools, according to the report published by Emsisoft threat analyst Brett Callow. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

Netwalker: Ex Canadian Government Employee Pleads Guilty to Cybercrimes 

 

An ex-government of Canada official pleaded guilty in a US court to crimes related to data theft stemming from his involvement with the NetWalker ransomware group. 

Sebastien Vachon-Desjardins admitted on Tuesday that he had planned to commit bank fraud and phishing scams, intentionally damaged a protected computer, and also sent another demand regarding that illegally damaged computer. 

 Plea agreement filled 

Vachon-Desjardins, 34, who had previously been sentenced to six years and eight months in prison after entering a guilty plea to five criminal offenses in Canada, was deported to the United States in March. 
Vachon-Desjardins is "one of the most prolific NetWalker Ransomware affiliates," as per his plea agreement, and was in charge of extorting millions of dollars from several businesses all over the world. Along with 21 laptops, smartphones, game consoles, and other technological devices, he will also forfeit $21.5 million. 

He has pleaded guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentionally harming a protected computer, and conveying a demand related to intentionally damaging a protected computer, according to a court filing submitted this weekThe accusations carry a maximum punishment of 40 years in jail combined. The attorneys did not identify the targeted business, but they did indicate that it is based in Tampa and was assaulted on May 1, 2020. 

 NetWalker gang's collapse

In 2019, a ransomware-as-a-service operation called NetWalker first surfaced. It is thought that the malware's creators are based in Russia. Its standard procedure – a profitable strategy also known as double extortion, includes acquiring sensitive personal data, encrypting it, and then holding it hostage in exchange for cryptocurrencies, or risk having the material exposed online.

According to reports, the NetWalker gang intentionally targeted the healthcare industry during the COVID-19 pandemic to take advantage of the global disaster. To work for other RaaS groups like Sodinokibi (REvil), Suncrypt, and Ragnarlocker, Vachon-Desjardins is suspected of being connected to at least 91 attacks since April 2020 in his capacity as one of the 100 affiliates for the NetWalker gang. 

The Feds dismantled the crime gangs' servers and the dark website is used to contact ransomware victims as part of the takedown of the NetWalker gang. Then they took down Vachons-Desjardins, who, according to the FBI, made $27 million for the NetWalker gang. 

His role in cybercrime is said to have included gathering information on victims, managing the servers hosting tools for reconnaissance, privilege escalation, data theft, as well as running accounts that posted the stolen data on the data leak site and collecting payments following a successful attack. 

However, some victims did pay fees, and the plea deal connected Vachons-Desjardins to the successful extortion of roughly 1,864 Bitcoin in ransom payments, or about $21.5 million, from multiple businesses around the world.

This New Malware Redirects Cryptocurrency Payments to Wallets Controlled by the Attacker

 

A clipper malware is a type of software that, once installed on a computer, continuously scans the contents of the user's clipboard for cryptocurrency wallets. If the user copies and pastes the wallet someplace, it gets substituted by the cybercriminal's wallet. 

As a result, if an unknowing user uses any interface to transfer a cryptocurrency payment to a wallet, which is often done by copying and pasting a valid destination wallet, the legitimate wallet is substituted with the fake one. Clipper malware is not a new issue, but it is unknown to the majority of individuals and businesses. 

The first clipper malware surfaced on Windows operating systems in 2017. In 2019, the same malware was also discovered on the Google Play Store. Clipper attacks are effective due to the duration of cryptocurrency wallets. People who transfer cryptocurrency from one wallet to another seldom double-check that the copy/paste result is the one given by a genuine receiver. Cyble researchers examined a new Clipper malware termed Keona Clipper by its developer. 

The malware is provided as a service for $49 per month. Keona Clipper was written in the.NET programming language and is safeguarded by Confuser 1.x. This tool protects.NET applications by changing symbols, obfuscating control flow, encrypting constants and resources, employing anti-debugging, memory dumping, tampering, and disabling decompilers, making reverse engineering more difficult. 

Since May 2022, Cyble researchers have identified over 90 distinct Keona samples, demonstrating widespread deployment. The discrepancy in those Keona samples might be due to minor changes in the code, or it could be the result of several usages of the Confuser protector, which generates a new binary each time a sample is provided to prevent detection by security solutions relying only on file signature. 

Malware capabilities of Keona Clipper

Once launched, the malware uses the Telegram API to connect with an attacker-controlled Telegram bot. The malware's initial contact with the bot includes a message written in Russian that translates as "clipper has started on the computer" and the username of the user whose account is utilised by the malware. 

The malware also ensures that it is always performed, even if the system is restarted. The malware copies itself to numerous areas, including the Administrative Tools folder and the Startup folder, to guarantee persistence. Autostart entries are also placed in the Windows registry to guarantee that the malware runs every time the computer restarts. Keona Clipper then discreetly analyses clipboard activity and checks for bitcoin wallets using regular expressions. 

BTC, ETH, LTC, XMR, XLM, XRP, NEC, BCH, ZCASH, BNB, DASH, DOGE, USDT TRC20, and ADA coins are among the cryptocurrencies that Keona Clipper can steal. If a wallet is discovered, it is instantly replaced in the clipboard with a wallet address supplied by the threat actor. 

How can one defend oneself against this danger?

Every bitcoin payment should be thoroughly scrutinised. By comparing the output of their copy/paste manipulation to the wallet given by the seller, users should visually authenticate the wallet utilised as the transaction's destination. Private keys and wallet seeds should never be kept insecurely on any device. If feasible, keep these encrypted on a different storage device or in a physical hardware wallet. 

To identify the danger, security solutions should be implemented. We don't know the first vector of propagation for Keona, but we think it was emailed, hence email-based protection must be deployed. Email fraud and phishing should also be made more visible to users. 

Finally, the operating system and any software that runs on it should be maintained up to date and patched at all times. If the malware is dumped and executed on the system via a popular vulnerability, a patched system will almost certainly halt the danger.

Clipminer Botnet Made 1.7 Million Dollars From Crypto Mining

 

Threat researchers have found a large-scale operation of Clipminer, a new cryptocurrency mining virus that netted its users at least $1.7 million in transaction hijacking.

Clipminer is built on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and mine cryptocurrency on affected computers. 

Clipminer is based on the KryptoCibule malware, according to researchers at Symantec, a Broadcom company. Both trojans are designed to steal bitcoin wallets, hijack transactions, and harvest cryptocurrency on affected computers. Researchers were taken aback by the new malware because it had fast grown in size by the time it was discovered. According to the Symantec team, these operations involved 4375 bitcoin wallet addresses that received stolen monies from victims.

Downloads or pirated software, are used to spread malware; malicious clipminer botnet files are distributed over torrent sites and other pirating methods. This bitcoin miner can be installed on the machine as a WinRAR archive, which will immediately start the extraction process and launch the control panel file, leading to the download of the dynamic link library. 

The infected DLL creates registry values and installs malware in several files in the Windows directory. Those files are named after ransoms so that the profile may be hosted and the main miner's payload can be downloaded and installed afterward. The system receives identification, which is sent on to the C&C server, which then sends out a request for the payload. The malware is delivered as a 10MB file in the Program Files directory. Once the trojan has been successfully executed, scheduled actions are set up to ensure the malware's persistence. To avoid re-infecting the same host, registry modification is also performed.

According to Symantec, the first Clipminer samples began to circulate in January 2021, with malicious activity picking up in February. Ever since the malware has spread over P2P networks, torrent indexers, YouTube videos, and through game and pirated software cracks. To avoid becoming infected with Clipminer or other malware, avoid downloading software from unknown sources. Verify the entered cryptocurrency wallet address before initiating the transaction to protect yourself from a clipboard hijacker.

FBI: North Korean Hackers Stole $600M+ Worth Cryptocurrency

 

The FBI accused North Korean government associated hackers of stealing more than $600 million in bitcoin from a video game company last month, the latest in a sequence of sophisticated cyber thefts linked to Pyongyang. 

The FBI said in a statement, "Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th." "DPRK" is an abbreviation for North Korea's official name, the Democratic People's Republic of Korea, and Ethereum is a technology platform linked with a type of cryptocurrency. 

The FBI was referring to the recent hack of Axie Infinity's computer network, which allows gamers to win cryptocurrency. Undiscovered hackers stole the equivalent of about $600 million — estimated at the time of the hack's detection — on March 23 from a "bridge," or network that allows users to transmit cryptocurrency from one blockchain to another, according to Sky Mavis, the business that developed Axie Infinity. 

The US Treasury Department sanctioned Lazarus Group, a large group of hackers suspected of working for the North Korean government, on Thursday. The precise "wallet," or bitcoin address, that was utilised to cash out on the Axie Infinity hack was sanctioned by the Treasury Department.

According to a United Nations panel and outside cybersecurity experts, cyberattacks have been a major source of revenue for the North Korean state for years as its leader, Kim Jong Un, pursued nuclear weapons. North Korea is reported to have fired its first intercontinental ballistic missile in more than four years last month. According to Chainalysis, a company that records digital currency transactions, the Lazarus Group has stolen an estimated $1.75 billion in cryptocurrencies in recent years. 

Ari Redbord, head of legal affairs at TRM Labs, a firm that investigates financial crime said,"A hack of a cryptocurrency business, unlike a retailer, for example, is essentially bank robbery at the speed of the internet and funds North Korea's destabilizing activity and weapons proliferation. As long as they are successful and profitable, they will not stop." 

While much of the focus of cybersecurity analysts has been on Russian hacking in the wake of the Ukraine conflict, suspected North Korean hackers have been far from silent. Last month, Google researchers revealed two separate suspected North Korean cyber attempts aimed at US media and IT businesses, as well as the bitcoin and financial technology industries. Users who are targeted by state-sponsored hackers are notified by Google. 

If a Google user has "any link to being active in Bitcoin or cryptocurrencies" and receives a warning from Google about state-backed hacking, it nearly invariably turns out to be North Korean activity, according to Shane Huntley, who leads Google's Threat Analysis Group.

Further, Huntley told CNN, "It seems to be an ongoing strategy for them to supplement and make money through this activity." 

Analysis of Cryptocurrency Fundraising

 

A cryptocurrency is a form of digital currency meant to make internet transactions extremely safe. Investors and authorities are paying attention to the unexpected increase in the value of cryptocurrencies. The digital era has surely aided in the advancement of our understanding and use of money. We are also on the verge of a new financial revolution, which is linked to the fourth industrial revolution. There are currently 9,271 distinct cryptocurrencies available, with Bitcoin, Ethereum, Tether, BNB, and USD being the most renowned ones.  

Cryptocurrencies, despite being older than the iPad, have just entered the public sphere, with their impact being predominantly felt in the last three or four years. The aspect of digital currencies has spread to numerous banks, including JP Morgan and Wells Fargo, which are developing their own cryptos. Blockchain, AI, IoT, and a slew of other technologies are making inroads into our daily lives as more traditional concepts and technologies are scrambling to stay up or risk becoming obsolete. 

Bitcoin, one of the most popular cryptocurrencies, was launched in 2009 and employs peer-to-peer technology to enable rapid transactions without the involvement of institutional bodies such as banks or governments. A password or a private key is required to access the received cryptocurrency in the wallet. Furthermore, the transaction is safeguarded by blockchain technology when it is sent from one wallet to another.

Physical currency serves as a universal measure of worth as well as a quick means of transmitting it. The switch to such a system would very certainly be tough, as cash may become incompatible in the blink of an eye if the crypto world advance at the current pace. Established banking institutions would almost certainly have to hustle to adapt. Governments across the world are now accepting blockchain and cryptocurrency. According to the Gartner report, 83 nations are currently experimenting with or deploying as such Central Bank Digital Currencies, or CBDCs, which account for 90 percent of global GDP. While many businesses initially offered to accept Bitcoin during its first boom, this list has progressively reduced, reinforcing doubt about the cryptocurrency's potential as a medium of trade. 

In India, cryptocurrency boomed relatively late when it already cost millions of rupees, as a result, Indians have few Satoshis (small units of a bitcoin) but this isn't the case in every situation. People are dealing in smaller units such as milli or micro bitcoins as the worth of cryptocurrency. 

Furthermore, the price of a cryptocurrency varies between exchanges, which is a clear breach of the legislation of one price.

While bitcoin performs admirably as a wealth vault, its volatility makes it riskier and exposes it to increased danger of loss. Several variables influence the price of a single bitcoin, like supply and demand, competition, and regulation. Investor perceptions of cryptocurrency are also influenced by recent news events.

The lack of other traits for crypto in India is typically associated with modern physical currencies; they cannot be deposited in a bank and must be held in digital wallets, which are costly and risky due to the possibility of hacking, staff corruption, public IP addresses, and ransomware. In many aspects, government supervision over central currency is essential for regulation, and cryptocurrencies would function with far less government oversight. Bitcoin's supply is set; there is an absolute limit of 21 million units.

In order to maintain steady price levels, the money supply must be able to rise in lockstep with macroeconomic activity, otherwise, the problem can only be solved by raising the velocity of money or by a substantial drop in prices. This might put the economy in jeopardy. 

For investors, bitcoin's artificial scarcity is a benefit: increased demand combined with inelastic supply leads to a greater price. The lack of a central regulator renders investor protection untenable and raises the likelihood of greater instability. People engage in these markets expecting the cryptocurrencies would grow in the future; this presumption fuels speculative behaviours, and a quick shift in the presumption may cause the market to crash, injuring many naive investors. 

The magnitude of economic harm is influenced by the connectivity between crypto-assets and the traditional banking industry. According to economists, direct exposure from cryptocurrencies to the financial system might be transmitted, and indirect repercussions could expand to other asset classes. Crypto assets, according to the RBI financial stability report (2021), offer long-term risks for capital control management, financial and macroeconomic stability, and monetary policy transmission.

China has taken the toughest stance on cryptocurrencies, going from allowing crypto mining to outright prohibiting it as of June 2021. Regulations are divided between the federal and state governments in the United States and India. Most EU draught Markets in Crypto-Assets Regulation (MiCA) legislation was announced by the European Commission in September 2020. The UK  is currently supervised by the Financial Conduct Authority (FCA). It's worth noting that the South American nation was the first to declare Bitcoin to be legal cash.

If we look at the evolution of crypto as a currency, it has virtually achieved its goal of decentralisation, and is now one of the main firms such as Tesla, Microsoft, and Meta are investing in it. On the other hand, the emerging cryptocurrency has the issue of being hackable. In the long run, if cryptocurrency continues to develop at its current rate, it may eventually replace fiat currency, resolving the issues of hacking and extreme volatility.

Germany Shuts Down World's Largest Illegal Marketplace on Darknet

 

The German authorities have confiscated the servers of Hydra Market, the most well-known Russian darknet network for drug sales and money laundering. The authorities were also able to seize 543 bitcoins worth a little more than $25 million from the earnings of Hydra. 

The money seized reflects the scale of the Hydra market, which had over 19,000 registered vendor accounts serving at least 17 million clients worldwide. Hydra Market had a turnover of $1.35 billion in 2020, according to the Central Office for Combating Cybercrime (ZIT) and Germany's Federal Criminal Police Office (BKA), making it the world's largest darknet market. 

Elliptic, a blockchain analytics firm, confirmed the authorities' confiscation of digital assets today, charting the action as 88 transactions totalling 543.3 bitcoin. Hydra also provided stolen databases, falsified documents, and hacking for hire services, in addition to the core focus of narcotics and money laundering. 

An investigation into a shady area 

The BKA, operating on behalf of the Attorney General's Office in Frankfurt am Main, confiscated the market's infrastructure following a coordinated international law enforcement action, according to Hydra's homepage. This move was made possible following a lengthy examination of the platform's previously unknown operators and administrators. 

 Hydra Market had a Bitcoin Bank Mixer, which disguised all bitcoin transactions done on the platform, making it difficult for law enforcement organisations to track money gained through illicit activity, according to the BKA announcement. 

According to a BKA spokesperson, no arrests have been made in this operation, and they are unable to give any other information on the evaluation of the confiscated infrastructure owing to ongoing investigations.

Cryptocurrency Network Ronin Suffers Breach, Hackers Steal Millions

Ronin, a cryptocurrency network revealed a breach where threat actors swept $540 million worth of Ethereum and USDC stablecoin. The attack is one of the biggest in the history of cryptocurrency cyberattacks, particularly retrieved funds from a service called Ronin Bridge. Pulled-off attacks on "blockchain bridges" have become normal in the last two years, the Ronnie incident is a testimony to thinking hard about the problem. Blockchain bridges (network bridges) are apps that allow users to transfer digital assets from one blockchain to another. 

Cryptocurrencies can't usually interoperate, for instance, one can't do a transaction on a bitcoin platform via doge coins, hence, these "bridges" have become an important process, in the cryptocurrency world. Bridge services use 'cryptocurrency' to convert a bitcoin into another. For instance, if one goes to a bridge and uses a different cryptocurrency, like bitcoin (BTC), the bridge splits out wrapped Bitcoins (WBTC). In simple terms, it's similar to a gift card or a check that shows stored value in an open alternative format. 

Bridges require a vault of cryptocurrency coins to underwrite the total wrapped coins, and that trove is the primary target for threat actors. "Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we'll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts," says James Prestwich. 

Besides the Ronin heist, hackers stole around $80 Million worth of cryptocurrency from the Qubit bridge in January, around $320 Million from the Wormhole bridge in February, and $4.2 Million a few days later from Meterio Bridge. Another thing that one should note is that Poly network had around $615 Million worth of cryptocurrency stolen in August last year, but the attackers returned the fund a few days after. "Ronin was created by the Vietnamese company Sky Mavis, which develops the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it seems attackers used social engineering to trick their way into accessing the private encryption keys used to verify transactions on the network," reports the Wired.

Pune Police Recover Over Rs. 84 Crore Worth of Bitcoins From Two Cyber Experts

 

The Pune city Police have traced 237 bitcoins taken by two cyber specialists who were arrested for committing a multicrore cryptocurrency seizure fraud while assisting the cops in two cases in 2018.

Last month on March 12, the Pune City police’s cybercrime cell detained two specialists — Pankaj Ghode (38) and Ravindranath Patil (45) and an ex-IPS officer of Jammu and Kashmir cadre, following an exhaustive probe that began in April 2021. 

In 2018, Ghode and Patil aided a Pune police Special Investigations squad in uncovering two multimillion-dollar bitcoin ponzi schemes. The duo transferred the cryptocurrencies, recovered from the Gainbitcoin scam, and then manipulated the screenshots of those transactions and gave them to the police as proof. However, the technical investigation revealed that there were some bitcoins in the said wallet and Ghode did not give information regarding them to the investigating officer. 

Two FIRs were lodged at Dattawadi and Nigdi police stations against the duo for probing the fraud, under sections 406, 409, 420, 120 b, 109, 201 of the IPC and sections of the Maharashtra Protection of Interest of Depositors (MPID) Act. 

From the 17 persons arrested in the 2018 case, the Pune Police, had, with the assistance of Ghode and Patil, seized 241.46 Bitcoins, 452 Bitcoin cash units, and 94 Ethereum units. As of Thursday, 14:00 IST, Bitcoin was trading at 35,76,630, according to CoinMarketCap data, which means the recovered bitcoins are worth 84,88,88,259.00 as per recent exchange rates. 

“We have been able to trace as many 237 bitcoins to the wallets linked to Patil, equivalent to worth over Rs 84 crore. Prima facie, this chunk of cryptocurrency is from what was seized from the accused in the 2018 cases. The probe suggests that Patil was also involved in crypto trading. To date, we have seized Rs 6 crore worth of cryptocurrencies, such as Ethereum, Ripple, and four others. We are also probing a discrepancy of 900 bitcoins — equivalent to over Rs 320 crore today — in the reports submitted by Ghode at the time of the 2018 investigation,” an official who is part of the present investigation team stated.

Theft of 54 million SA Records, as per TransUnion Linked to the Current Breach

 

Recently one of South Africa's main credit bureaus, TransUnion has been hacked, and the hackers are demanding $15 million in ransom. 

The compromised credit bureau revealed on Friday it had been hacked and had received a ransom demand which "will not be paid." By exploiting an authorised client's credentials, the hackers, dubbed N4aughtysecTU, acquired access to an "isolated server holding restricted data from our South African firm."

N4aughtysecTU told IT Web it had 4 terabytes of client data and had accessed 54 million records, including information from more than 200 businesses. It allegedly threatened to attack TransUnion's corporate clients unless the credit bureau paid it $15 million in Bitcoin (about R223 million). 

The breach affects many South Africans who have entered into credit agreements, regardless of loan size. Users automatically consent to the credit bureaus disclosing about credit and payment history when they sign into agreements with banks or other financial institutions, credit card providers, vehicle lenders, utilities, or other creditors. The fact that your account information and payment history will be submitted to credit reporting agencies is outlined in these agreements.

According to a statement on the TransUnion website: 
  • An isolated server containing limited information from our South African operations was impacted by the attack.
  • The team is working closely with other specialists to figure out what data was impacted. 
  • Consumer information, such as phone numbers, email addresses, and identity information, may be affected. 
People should not give out personal information such as passwords and PINs to strangers over the phone or over email, according to Sabric, and demands for personal information should be confirmed first.

Experian, a credit bureau, had a data breach in 2020, potentially exposing the personal information of 24 million South Africans. Alongside, a ransomware attack hit Debt-IN Consultants, a debt recovery partner to various South African financial sector companies, in 2021. It is estimated that over 1.4 million South Africans' personal information was fraudulently accessed from its systems.

Moreover, banks have also been targeted. Absa revealed a data breach in November 2020, and over a year and a half later, it is still identifying more compromised customers. 

Russian Man and his Wife Arrested in U.S. for Stealing Record $4.5 billion in Bitcoins

Russian citizen Ilya Lichtenstein and his wife Heather Morgan were arrested in the United States on Tuesday. The U.S. Justice Department in a statement called them the largest Internet fraudsters in history. 

The spouses are suspected of hacking the Hong Kong cryptocurrency exchange Bitfinex in 2016 and withdrawing 120,000 bitcoins from its accounts, which is $4.5 billion at current prices. Intelligence agencies managed to confiscate $3.6 billion worth of bitcoins stored in the Russian's e-wallets. 

On Tuesday night, after the arraignment in the Court of the Southern District of New York, Magistrate Judge Debra Freeman decided to release the suspects on bail of $8 million for two. However, the spouses were unable to leave federal prison as the judge's decision was put on hold by Washington. 

According to the prosecution, the couple should remain in custody because "they are sophisticated cybercriminals and money launderers, and there is a serious risk of their escape." Prosecutors admit that the couple may have passports in other names. 

In particular, agents found a file named Passport_ideas on Liechtenstein's computer. And a plastic container with disposable phones was found under the bed in the apartment of the defendants. Under American law, Ilya Lichtenstein and Heather Morgan face up to 25 years in prison. 

A few years ago, 34-year-old Ilya Lichtenstein unsuccessfully tried to create a technology startup and become an investor. He came to the United States from Russia at the age of six, when his family was granted asylum for religious reasons. 

His wife, Heather Morgan, called herself an economist, a journalist, and a "Crocodile of Wall Street", was a freelance writer for Forbes magazine and even performed as a rapper under the name Razzltkhan. According to the New York Times, giant billboards with her image decorated Times Square. 

According to the investigation conducted by the FBI and the US Internal Revenue Service, Lichtenstein and Morgan hacked the Bitfinex protection system and made about 2 thousand illegal transactions, transferring funds from the accounts of the exchange's clients to their electronic wallet. 

In subsequent years, the suspects managed to launder about 25 thousand bitcoins through third-party exchanges and online services on the darknet. A new hearing on Lichtenstein and his wife's bail application will be held in Washington on February 11.

BitMart Will Compensate Victims of $196 Million Hack

 

The global Cryptocurrency trading platform BitMart has recently witnessed a security breach in the wake of which the company has released a statement and confirmed that the hackers have managed to steal $150 million in various cryptocurrencies. Sheldon Xia, BitMart’s CEO, and founder confirmed the breach on Twitter. 

The company confirmed in the statement that although all wallets, except ETH and BSC, are “secure and unharmed,” Bitmart has temporarily paused all withdrawals until further notice. 

“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” the company said in a statement. 

Additionally, Sheldon Xia said that during the investigation they discovered that the cryptocurrencies were drained by using a stolen private key which usually enables a user to access their cryptocurrency.

Furthermore, the company’s intelligence confirmed that it will compensate victims, it will use its own assets to recompense victims of this large-scale security breach. As per the sources, hackers withdrew $150 million in assets. However, blockchain security and data analytics firm Peckshield, which first confirmed the attack, claims that the loss is closer to $200 million. 

Owing to the cyberattack, the trade volume of the company has gone down, CoinGecko CEO Bobby reported. “Crypto exchange hacks are fairly common. Exchanges are a honeypot for hackers because of the high potential payoff for any successful exploit,” he said.

Bitmart was created by cryptocurrency enthusiasts, the roadmap began in November 2017. It has worldwide offices, with the company being registered in the Cayman Islands. The platform offers a mix of spot trading, OTC trading, leveraged futures trading as well as lending and staking services, and other services for digital assets. Also, in April, Bitmart registered with US regulators and was named MSB. 


FBI Seizes 39 BTC Worth $2.2M Tied to Ransomware Gangs

 

The Federal Bureau of Investigation (FBI) has seized 39 BTC worth approximately $2.3 million from a Russian man affiliated to Revil and Gandcrab ransomware gang, according to a court document unsealed Tuesday. 

"The United States of America files this verified complaint in rem against 39.89138522 Bitcoin Seized from Exodus Wallet ("the Defendant Property") that is now located and, in the custody, and management of the Federal Bureau of Investigation ("FBI") Dallas Division, One Justice Way, Dallas Texas," reads the United States' Complaint about Forfeiture. 

Exodus is a desktop or mobile wallet that owners can use to store cryptocurrency, including Bitcoin, Ethereum, Solana, and many others.

The FBI seized $2.3 million on 3rd August, however, the officials did not disclose how they secured access to the wallet. According to the court document, the wallet contained Revil ransom payments belonging to an affiliate discovered as Aleksandr Sikerin (aka Alexander Sikerin and Oleksandr Sikerin), whose email address is engfog1337@gmail.com. 

The name “engfog” in the email address is tied to a well-known Gandcrab and Revil/Sodinokibi affiliate known as “Lalartu,” Bleeping Computer reported. 

“Gandcrab and Revil organizations operated as Ransomware-as-a-Service (RaaS), where core operators’ partner with third-party hackers, known as affiliates, the news outlet noted, adding that ransom payments are split between the affiliate and core operators. The operators usually earn between 20% and 30% of the ransom,” reads the court document. 

The Justice Department this month announced the seizure of $6.1 million from Yevgeniy Polyanin, a Russian “charged with deploying Sodinokibi/Revil ransomware to attack businesses and government entities in the United States.” Meanwhile, the U.S. government has been increasing its efforts to fight ransomware attacks. The Treasury Department has already sanctioned two cryptocurrency exchanges tied to ransom payments. 

Earlier this year in October, REvil was reportedly forced offline by a multi-nation operation — giving the ransomware group a taste of its own medicine after it orchestrated a number of high-profile attacks. The attacks include targeting the Colonial Pipeline which resulted in gas shortage across the U.S., hundreds of supermarkets were forced to close in Sweden after the software firm Kaseya was crippled in a separate incident. 

Google: Cryptocurrency Miners are Targeting Compromised Cloud Accounts

 

Google has warned that cryptocurrency miners are using hacked Google Cloud accounts for computationally intensive mining.

Details were disclosed by Google's cybersecurity team in a study published on Wednesday. The "Threat Horizons" study seeks to give intelligence that will assist firms in keeping their cloud systems safe. 

Google wrote in an executive summary of the report, “Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances.” 

Cryptocurrency mining is a for-profit industry that frequently necessitates enormous quantities of computational power, which Google Cloud users may purchase. Google Cloud is a cloud-based storage technology that allows consumers to store data and files off-site. 

As per Google, 86 per cent of the 50 newly hacked Google Cloud accounts were used to mine cryptocurrencies. Bitcoin mining software was downloaded in the majority of cases within 22 seconds of the account being hacked. Around 10% of the affected accounts were also used to perform scans of other publicly available resources on the internet in order to locate susceptible systems, while the remaining 8% were utilised to attack new targets. 

According to Google, malicious actors were able to get access to Google Cloud accounts by exploiting inadequate consumer security procedures. Almost half of the compromised accounts were the result of criminals acquiring access to an internet-facing Cloud account that had either no password or had been hacked. 

As a result, these Google Cloud accounts were vulnerable to being scanned and brute-forced. A quarter of the compromised accounts were the result of flaws in third-party software installed by the owner. Bitcoin, the world's most popular cryptocurrency, has been criticized for consuming excessive amounts of energy. Bitcoin mining consumes more energy than several countries. When authorities investigated a suspected cannabis farm in May, they discovered it was actually an illegal bitcoin mine. 

“The cloud threat landscape in 2021 was more complex than just rogue cryptocurrency miners, of course,” wrote Bob Mechler, director of the office of the chief information security officer at Google Cloud, and Seth Rosenblatt, security editor at Google Cloud, in a blog post. 

They also stated that Google researchers discovered a phishing attack by the Russian group APT28/Fancy Bear at the end of September and that Google stopped the attack. Google researchers also discovered a North Korean government-backed threat organisation that impersonated Samsung recruiters in order to deliver harmful attachments to the staff at various South Korean anti-malware protection firms, they noted.

Miners began to leave Kazakhstan due to a shortage of electricity

Co-founder of the company Didar Bekbau said on Twitter on Wednesday that crypto-mining company Xive has closed a large farm for 2,500 devices in Southern Kazakhstan due to the lack of sufficient electricity supply from the national grid. According to Xive co-founder Didar Bekbau, mining in the south of Kazakhstan is no longer possible.

Kazakhstan is struggling with a shortage of electricity, partly caused by the influx of crypto miners from China. The southern part of the country is particularly vulnerable because there are not enough powerful power plants in the region, and the national grid cannot reliably transmit electricity from the energy-rich northern region.

Crypto miners such as Xive and Enegix have been facing electricity problems since September due to rationing introduced by the national grid operator KEGOC, which has not yet commented on the situation.

Xive is preparing a new project for more than 2,500 machines, but "it is obvious that mining in the south of Kazakhstan is no longer possible,” Bekbau said.

Other miners in the south of Kazakhstan are also looking for hosting sites to move their mining machines, but the country “has no options left”. Some managed to locate their farms in Russia and the United States.

Last month, the Ministry of Energy published a draft resolution limiting the construction of new farms to 100 megawatts. The ministry later stated that they would not restrict the supply of electricity to legitimate businesses unless it jeopardized the national grid.

Recently, the government announced that it wants to encourage crypto-miners to develop independent renewable energy capacities. According to Sapar Akhmetov, Chairman of the Board of the Kazakhstan Association of Blockchain Technologies, the industry hopes that after Kazakhstan expands its capacity with renewable energy sources in the next one or two years, the limit may change.

According to the Bitcoin Electricity Consumption Index conducted by the Center for Alternative Finance at the University of Cambridge, Kazakhstan is the second-largest country in the world in the production of cryptocurrencies after the United States.

UK Man Arrested for Cryptocurrency Fraud, Sentenced 20 Years

 

A United Kingdom man who was earlier charged in the US for links to hacking celebrities' and politicians' Twitter accounts was recently arrested for stealing cryptocurrency worth $784,000 of cryptocurrency. Prosecutors in Manhattan, US said that Joseph James O'Connor (age 22) along with his partners stole Bitcoin, Litecoin, and Ethereum, after getting access to target's cellphone no. by linking it to SIM cards. 

O Connor, aka PlugwalkJoe, along with his partners orchestrated a SIM swapping attack targeting three Manhattan cryptocurrency company executives, stealing cryptocurrency from two clients, while laundering it. O Connor's lawyer isn't yet known. As per the prosecutors, the campaign ran from March 2019 to May 2019. O'Connor awaits possible extradition from Spain after the July arrest concerned with a last year's July hack which compromised several Twitter accounts and stole around $118,000 worth of Bitcoins. 

"It named the British man as Joseph James O'Connor and said he faced multiple charges. He was also accused in a criminal complaint of computer intrusions related to takeovers of TikTok and Snapchat accounts, including one incident involving sextortion, as well as cyberstalking a 16-year-old juvenile," reported Reuters earlier in July. These hacked accounts include current US president Joe Biden, former president Barack Obama, Ex Amazon CEO Jeff Bezos, Bill Gates, Warren Buffett, Kim Kardashian, Elon Musk, and rapper Kanye West (currently known as Ye). 

The accused teenager, Graham Ivan Clark, the mastermind behind the Twitter hack, pleaded guilty in March in state court of Florida and is currently serving three years in a juvenile prison. The latest charges against Connor consist of money laundering and conspiracies to commit wire fraud, carrying a minimum of 20 years prison sentence, along with aggravated identity theft and computer hacking conspiracy. 

Reuters reports, "the alleged hacker used the accounts to solicit digital currency, prompting Twitter to take the extraordinary step of preventing some verified accounts from publishing messages for several hours until security to the accounts could be restored."