
Ransomware Gang BianLian Switches to Extortion as its Primary Goal

 

The BianLian gang has abandoned its strategy of encrypting files and demanding a ransom in favour of outright extortion. 

Avast, a cybersecurity company, released a free decryptor for BianLian victims in January, which appears to have persuaded the criminals that extortion was the only viable option rather than the ransomware business. 

Threat analysts for cybersecurity firm Redacted stated in a report that BianLian is increasingly choosing to forgo encrypting victims' data and instead concentrate on persuading victims to pay solely using an extortion demand in exchange for BianLian's silence, as opposed to the typical double-extortion model of encrypting files and threatening to leak data. 

Several ransomware organisations are starting to depend less on data encryption and more on extortion. Yet, it appears that the Avast tool served as the catalyst for this gang's shift.

When the security company released the decryptor, the BianLian group boasted in a message posted on its leak site that it generated unique keys for each victim. It also claimed that Avast's decryption tool was based on a build of the malware from the summer of 2022 and that it would fatally corrupt files encrypted by other builds.

Since then, the message has been deleted, and BianLian has modified some of its tactics. That includes abandoning the practice of holding data to ransom through encryption, and instead posting victim information on its leak site with the victim's identity masked, in an effort to further persuade the victims to pay.

Concealing victim data

Before the decryptor tool became accessible, they had this strategy in their toolbox, but "the group's use of the technique has exploded with the release of the programme," Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, noted. 

Between July 2022 and mid-January, 16% of the postings on the group's leak site contained masked victim details; in the two months following the decryptor's publication, 53% did. The group is also posting the masked details faster, often within 48 hours of the compromise.

The group is also researching its victims and increasingly customising its messages to them in order to apply more pressure. Several of the messages referred to the legal and regulatory consequences the business would face if a data breach became public, with the rules cited appearing to be those that apply in the victim's country.

"With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, it appears that the previous underlying issues of BianLian's inability to run the business side of a ransomware campaign appear to have been addressed," the researchers added. "Unfortunately, these improvements in their business acumen are likely the result of gaining more experience through their successful compromise of victim organizations." 

Expanding influence

The BianLian gang first appeared in July 2022 and quickly established itself as a serious threat, notably to the IT, engineering, and healthcare sectors, with healthcare accounting for 14 percent of the group's victims. As of March 13, the criminals' leak site named 118 victims, according to Redacted. The US accounts for about 71 percent of those victims.

The malware is written in Go, which, along with Rust, is one of the newer languages attackers have adopted because its binaries tend to slip past endpoint security software and detection, and because the language makes running many tasks concurrently straightforward.

The ransomware gang is maintaining its consistency with regard to initial access and lateral movement within a victim's network even though some of its strategies have changed. The bespoke Go-based backdoor has undergone certain modifications, but its fundamental functioning has not changed, according to the research. 

The researchers wrote that Redacted, which has been tracking BianLian since last year, is also getting a view of the close relationship between the backdoor deployment and the command-and-control (C2) server, which suggests that "by the time a BianLian C2 is discovered, it is likely that the group has already established a solid foothold into a victim's network." 

Each C2 server is active for roughly two weeks after the threat group brings it online, and the group deploys almost 30 new C2 servers each month.

Rising Cyberattacks Increase Stress on Healthcare Industry

 

The health industry has recently come under increasing pressure to protect sensitive data from cyberattacks as these attacks become more frequent and sophisticated. Healthcare providers have been targeted by cybercriminals seeking to obtain sensitive patient data such as medical records and financial information. This is a worrying trend that is posing a significant risk to patient privacy and could potentially harm the reputation of healthcare providers.

The rise in cyberattacks on the healthcare industry is not surprising given the vast amounts of sensitive data that are collected, stored, and shared within the sector. Patient data is highly valuable on the black market, with medical records often fetching high prices. Cybercriminals are using a variety of tactics to gain access to healthcare systems, including phishing emails, ransomware attacks, and exploiting vulnerabilities in software.

Healthcare providers must take proactive steps to protect themselves from these threats. This includes implementing robust cybersecurity measures such as firewalls, intrusion detection systems, and data encryption. Staff training is also critical to ensure that employees are aware of the risks and understand how to detect and respond to potential cyberattacks.

In addition to these measures, healthcare providers should also be regularly testing their cybersecurity defenses. This can be done through simulated cyberattack scenarios, which allow providers to identify weaknesses in their systems and make improvements before an actual attack occurs.

It is important to note that protecting patient data is not only a legal and ethical obligation but also a critical aspect of maintaining patient trust. Patients expect their healthcare providers to keep their personal and medical information confidential and secure. A data breach can have significant consequences for patient trust and can harm the reputation of healthcare providers.

In conclusion, cyberattacks on the healthcare industry are becoming more common, and healthcare providers must take proactive steps to protect patient data from these threats. This includes implementing robust cybersecurity measures, staff training and regularly testing their defenses. Protecting patient data is a legal and ethical obligation, and failure to do so can have significant consequences for patient trust and the reputation of healthcare providers.


Two ‘ViLE’ Cybercrime Group Members Charged in 2022 Hacking of DEA Portal

 

Last year, cybercriminals began using a novel method to steal subscriber data from social media companies: they would hack into police email accounts using stolen passwords purchased on the dark web, then use that access to file an emergency data request, or EDR. EDRs are urgent requests that, unlike subpoenas, require neither court approval nor broader review inside the company. Police agencies issue them frequently, and law enforcement encourages social media companies to turn over subscriber information on specific users as quickly as possible. The hackers would then use information from the EDRs to run harassment campaigns against users.

Two people have been arrested in connection with one such scheme. Federal prosecutors charged two men with computer crimes on Tuesday, accusing them of being members of a gang that engaged in targeted online harassment and doxxing campaigns. Officials say Nicholas Ceraolo, 25, of New York, and Sagar Steven Singh, 19, of Rhode Island, are members of the "ViLE" online collective.

The group is said to have "acquired victims' information through various means" before posting or threatening to post it "on a public website administered by a ViLE member." Ceraolo and Singh, also known as "Ominous" and "Weep," are accused, as members of "ViLE", of hacking into a federal law enforcement data portal and then using information from that portal to carry out extortion and harassment schemes against targets. Officials do not identify the portal, describing it only as a nonpublic, password-protected web portal (the "Portal") maintained by a United States federal law enforcement agency, whose purpose is to share information from government databases with state and local law enforcement agencies.

According to cybersecurity reporter Brian Krebs, the portal in question belongs to the Drug Enforcement Administration (DEA), based on his earlier reporting on a previous hack of that portal. According to Krebs, the DEA portal provides access to 16 different law enforcement databases, giving the criminals access to a wide range of sensitive information.

Ceraolo and Singh, according to federal prosecutors, used information stolen from the data portal to cyberstalk, threaten, and extort their victims. Singh allegedly threatened targets using information obtained directly from the portal. In one instance, having obtained a victim's social security number, home address, and driver's licence information, he contacted the victim and threatened to "harm" their family if they did not comply with his demands.

Ceraolo is accused of using his access to submit EDRs to social media companies, giving him access to sensitive subscriber data. The complaint describes one incident as follows:

"…between February 2022 and May 2022, Ceraolo accessed without authorization an official email account belonging to a Bangladeshi police official. Ceraolo used the account to pose as a Bangladeshi police officer in communication with U.S.-based social media platforms. In one instance, Ceraolo induced a social media platform (Platform-1) to provide information about one of its subscribers, including the subscriber’s address, email address and telephone number, by asserting that the subscriber had participated in “child extortion” and blackmail and had threatened officials of the Bangladeshi government."

It's an odd story — and an obvious example of the lengths cybercriminals will go to obtain valuable information.

“As these charges make clear, the alleged unauthorised access of a US federal law enforcement system and impersonation of law enforcement officials are serious offences, and the criminals who perpetrate these schemes will be held accountable for their crimes,” said Ivan J. Arvelo, Special Agent-in-Charge with Homeland Security Investigations for New York. “HSI and its law enforcement partners are committed to safeguarding public safety infrastructure from cyber criminals and ensuring that those seeking to compromise these systems face the fullest extent of the law.”

Ceraolo, who is charged with both wire fraud and computer crimes, faces up to 20 years in prison, according to officials. Singh faces up to five years in prison if convicted of computer crimes.

Growing Threat From Deep Fakes and Misinformation

 


The prevalence of synthetic media is rising as tools that make it simple to produce and distribute convincing artificial images, video, and audio become widely available. According to Sentinel, the number of deepfakes in circulation grew by 900% in 2020 over the previous year.

With the rapid advancement of technology, cyber-influence operations are becoming more sophisticated. The methods used in conventional cyberattacks are increasingly being applied to influence operations, both overlapping with them and extending them. In addition, nation-state coordination and amplification of such operations is growing.

Tech firms in the private sector could unintentionally support these initiatives. Companies that register domain names, host websites, advertise content on social media and search engines, direct traffic, and support the cost of these activities through digital advertising are examples of enablers.

Deepfakes are created with deep learning, a branch of artificial intelligence. Deep learning models can replace one person's likeness in an image or video with another's. Deepfake videos of Tom Cruise on TikTok in 2021 captured public attention; the earliest celebrity deepfakes were made by face-swapping publicly available photographs of celebrities.

Cyber influence operations run in three stages. Prepositioning introduces false narratives to the public; the launch phase is a coordinated campaign to spread the narrative through media and social channels; and in the amplification phase, media outlets and proxies push the false narrative to targeted audiences. The consequences include market manipulation, payment fraud, and impersonation. The most significant threat, however, is to trust and authenticity: as synthetic media becomes commonplace, legitimate information can be dismissed as fake.

Business Can Defend Against Synthetic Media:

Deepfakes and synthetic media have become an increasing concern for organizations, as they can be used to manipulate information and damage reputations. To protect themselves, organizations should take a multi-layered approach.
  • Firstly, they should establish clear policies and guidelines for employees on how to handle sensitive information and how to verify the authenticity of media. This includes implementing strict password policies and data access controls to prevent unauthorized access.
  • Secondly, organizations should invest in advanced technology solutions such as deepfake detection software and artificial intelligence tools to detect and mitigate any threats. They should also ensure that all systems are up-to-date with the latest security patches and software updates.
  • Thirdly, organizations should provide regular training and awareness programs for employees to help them identify and respond to deepfake threats. This includes educating them on the latest deepfake trends and techniques, as well as providing guidelines on how to report suspicious activity.
Furthermore, organizations should have a crisis management plan in place in case of a deepfake attack. This should include clear communication channels and protocols for responding to media inquiries, as well as an incident response team with the necessary expertise to handle the situation. By adopting a multi-layered approach to deepfake protection, organizations can reduce the risks of synthetic media attacks and protect their reputation and sensitive information.


Psychological Tactics Used by Cybercriminals to Conduct Malicious Activities


Finance- and accounting-related cyberattacks, delivered through phishing campaigns and Business Email Compromise (BEC), have recently become a hot topic for South African companies with gaps in their payment systems.

A BEC attack is a type of cybercrime in which the threat actor poses as a trusted figure in order to dupe victims into handing over money or disclosing confidential company information.

However, according to Ryan Mer, CEO of eftsure Africa, a KYP platform provider, "robust financial controls together with strong server, IT, and email monitoring processes aren't enough if staff aren't savvy to the psychological tricks scammers use to manipulate people, making them more vulnerable to trickery and deception."

Mer rejects the idea that attackers target only credulous, unskilled professionals. "The misconception that only foolish individuals fall victim to cybercrime and payment fraud is dangerous because it leads to complacency in the highly educated who occupy senior positions within organizations. Criminals engaging in payment fraud are often well-skilled, well-resourced and armed with enough industry knowledge to appear legitimate."

Manipulating Trust and Competence 

Threat actors exploit the human tendencies to be cooperative, to avoid conflict, and to look for quick, efficient solutions in order to extract information or persuade victims to take certain actions.

A popular tactic is to impersonate someone the potential victim knows or trusts. Examples include an employee receiving a message from the company's financial director instructing them to make a quick payment to a vendor, or an HR manager receiving a polite email from a worker asking that their bank details be changed for payroll purposes.

Banking on Urgency 

While scammers are becoming more creative, a tried-and-true strategy is to make victims feel they must act quickly. According to Mer, phishing emails and business email compromise scams are designed to make employees more likely to comply with requests that they should instead be reporting as potential threats.

“Scammers lure victims into acting quickly before they have time to think rationally about the activities they’re undertaking. Implementing processes that require staff to slow down and double-check any actions that involve payments is vital,” he says. 

Abrupt changes in a customer's or supplier's business procedures, such as a new point of contact, a change of email address, or new banking details, should, he continues, be treated with care and thoroughly verified before anyone acts on an urgent request.
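As an added example, not part of the original article and not eftsure's product, the following Python script applies the checks Mer describes to a raw inbound email: it compares the sender domain with a list of previously verified supplier domains (a constructed list here), flags lookalike domains that differ by only an edit or two, flags a Reply-To header that points somewhere other than the visible sender, and flags a request to change banking details, especially when it is paired with time pressure. The two sample messages are constructed for this example.

```python
import email
from email.utils import parseaddr

# Constructed sample data for this example: supplier domains a finance team has already
# verified by phone. In practice this list comes from the vendor master file.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.co.za"}

URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "before close of business")
BANK_CHANGE_TERMS = ("new bank", "updated bank", "banking details", "account number", "change of bank")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one or two edits is the usual lookalike-domain gap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(header_value: str) -> str:
    """Domain part of an address header such as 'Accounts <accounts@example.com>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def assess_payment_request(raw_message: str) -> list[str]:
    """Return the red flags found in an inbound email that touches how a supplier is paid.

    An empty list means the automated checks found nothing; any flag means the request must
    be confirmed by calling the supplier on a number already on file, never one in the email.
    """
    msg = email.message_from_string(raw_message)
    flags: list[str] = []

    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg["Reply-To"]) if msg.get("Reply-To") else from_domain

    if from_domain not in KNOWN_SUPPLIER_DOMAINS:
        nearest = min(KNOWN_SUPPLIER_DOMAINS, key=lambda d: _levenshtein(d, from_domain))
        if _levenshtein(nearest, from_domain) <= 2:
            flags.append(f"sender domain {from_domain!r} looks like verified domain {nearest!r}")
        else:
            flags.append(f"sender domain {from_domain!r} is not a verified supplier domain")

    if reply_domain != from_domain:
        # Classic BEC: the visible From looks right but replies go to a mailbox the attacker controls.
        flags.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        body = b"\n".join(parts).decode("utf-8", "replace")
    else:
        body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()

    if any(term in text for term in BANK_CHANGE_TERMS):
        flags.append("asks for a change of banking details")
        if any(term in text for term in URGENCY_TERMS):
            flags.append("bank-detail change is paired with time pressure")
    return flags


# Constructed sample messages. The first uses a capital I in place of the l in "supplies".
SUSPICIOUS_EMAIL = """\
From: Accounts <accounts@acme-suppIies.co.za>
Reply-To: accounts@acme-supplies-billing.com
To: payments@customer.example
Subject: URGENT - updated banking details for invoice 4471

Hi, please pay invoice 4471 to our new bank account number 62001234567 today.
"""

CLEAN_EMAIL = """\
From: Accounts <accounts@acme-supplies.co.za>
To: payments@customer.example
Subject: Invoice 4471

Hi, please find attached invoice 4471, payable within 30 days as usual.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, assess_payment_request(sample) or ["no flags"])
```

The script is a filter, not a decision-maker: its job is to force the slow-down Mer recommends by routing any flagged message to a person who calls the supplier back on a previously verified number. Keyword lists are deliberately short and should be tuned to the language the organisation's suppliers actually use.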

Additional Automated Protection 

Cybercrime evolves continuously, making it a moving target. According to Interpol's most recent African Cyberthreat Assessment Report, published in 2021, South Africa ranked third globally in the number of cybercrime victims, and cybercrime costs the country a staggering 2.2 billion rand a year.

“Ongoing education on the latest scams and the tactics used to execute them is crucial for South African companies. In addition, independent third-party verification systems like eftsure can offer a much-needed extra layer of protection by automating payment checking and supplier verification, saving time on manual processes and reducing human error,” notes Mer.

Fake ChatGPT Chrome Extension Targets Facebook Accounts

 

As ChatGPT becomes increasingly well known, more and more people want to use the cutting-edge chatbot. In turn, this makes them a desirable target for cybercriminals.

This time, according to a recent blog post from the online privacy company Guardio, attackers are using a browser extension called "Quick access to Chat GPT" as a lure to trick unwary users. Fake ChatGPT apps have been used before to spread malware and steal passwords. Unlike those, this extension, which has since been removed from the Chrome Web Store, genuinely does give users access to the chatbot.

It does so while also stealing every cookie saved in the browser, including security and session tokens for sites such as YouTube, Twitter and even the user's Google account. With this information the attackers behind the extension can take over online accounts, though the primary target of the extension is Facebook accounts.

Targeting prominent Facebook business accounts 

The hackers who created the extension, according to CyberNews, are closely monitoring people who have prominent Facebook business accounts. This makes sense considering how lucrative LinkedIn and Facebook Business accounts may be, and how frequently attackers target them. 

Those who install the extension will not only have their Facebook accounts compromised but also have bots use those accounts to promote "Quick access to Chat GPT" even further.

Worse, the attackers behind this campaign have found a way around Facebook's safeguards by altering the requests they make to Meta's Graph API, which, according to Guardio's analysts, also lets them take control of a victim's linked WhatsApp and Instagram accounts.

Because so much daily activity now takes place in the browser, you must exercise extreme caution when installing new browser extensions. Malicious extensions can evade detection just as malicious programs do. Before installing an extension, check its rating and reviews on the Chrome Web Store, and before you click "Add to Chrome," look for independent reviews on other websites or videos that show the extension in use.
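The permissions an extension asks for are the one thing you can inspect before installing, and Chrome declares them in the extension's manifest.json. As an added example that is not part of Guardio's analysis or of the original article, the following Python script audits a manifest for the combination that makes the cookie theft described above possible: the cookies permission together with host access to every site. The two manifests are constructed for this example and are not the real extension's files; the list of sensitive permissions and the descriptions attached to them are this example's own.

```python
import json

# Host patterns that grant access to every site. Assumption for this example: any of these,
# combined with the permissions below, deserves a manual review before the extension is installed.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that read or alter other sites' data; the descriptions are this example's own.
SENSITIVE_PERMISSIONS = {
    "cookies": "can read every cookie (including session tokens) for hosts it has access to",
    "webRequest": "can observe requests made to other sites",
    "scripting": "can inject scripts into pages it has host access to",
    "tabs": "can see the URLs of all open tabs",
}


def audit_manifest(manifest_json: str) -> list[str]:
    """Flag risky permission combinations in a Chrome extension manifest (Manifest V2 or V3)."""
    manifest = json.loads(manifest_json)
    permissions = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host patterns inside "permissions" rather than "host_permissions".
    hosts |= {p for p in permissions if p == "<all_urls>" or "://" in p}
    # Content-script match patterns also grant page access.
    hosts |= {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}

    findings: list[str] = []
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"host access to every site: {broad}")
    for perm in sorted(permissions & set(SENSITIVE_PERMISSIONS)):
        findings.append(f"permission {perm!r}: {SENSITIVE_PERMISSIONS[perm]}")
    if "cookies" in permissions and broad:
        # This is the combination that lets an extension lift the session cookies for every
        # account the user is logged in to and send them to a server the attacker controls.
        findings.append("'cookies' plus all-site host access: every session cookie is exposed")
    return findings


# Constructed manifests for this example, not the real extension's files.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Quick chat access (constructed sample)",
    "version": "1.0",
    "permissions": ["cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["fb.js"]}],
})

EXPECTED_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Chat shortcut (constructed sample)",
    "version": "1.0",
    "permissions": [],
    "host_permissions": ["https://chat.openai.com/*"],
    "action": {"default_popup": "popup.html"},
})

if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("expected", EXPECTED_MANIFEST)):
        print(name, audit_manifest(manifest) or ["nothing flagged"])
```

An extension whose only job is to open a chat page needs host access to that one site and nothing else; the second manifest shows what that looks like. The script can be pointed at the manifest.json of any extension already unpacked on disk.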

How to use ChatGPT securely and safely

Attackers keep up with the latest trends and exploit them to build fresh phishing schemes and other intrusions. Normally they have to manufacture a sense of urgency to make you click or download something; in this case ChatGPT's popularity and waitlist have already done that work for them.

The only option to skip the line and gain early access to ChatGPT is to pay $20 per month for ChatGPT Plus or to fulfil all conditions to gain early access to Microsoft's Bing with ChatGPT. 

There isn't an official browser plugin for ChatGPT yet. Indeed, "chat.openai.com" is the only place where you may now access OpenAI's chatbot online. It's possible that this will change in the future, and if it does, there will be several announcements and news stories regarding the new ChatGPT access method. 

You should probably make sure that the best antivirus software is loaded on your PC or the best Mac antivirus software is installed on your Apple computer if you're the impatient type who searches for quick ways to access ChatGPT. This will protect you from malware and other viruses if you encounter fraud similar to the one described above.

Hackers will probably continue to develop new strategies to utilise the well-known chatbot as bait until ChatGPT can be accessible by anybody without needing to join a waitlist or wait in a queue.

Netherlands Restricts Key Tech Exports in US-China Chip Battle

The Netherlands government will impose export controls on the country's most advanced semiconductor manufacturing technology in order to safeguard national security, according to sources.

Products manufactured by ASML, a key company in the worldwide semiconductor supply chain, will be subject to the restrictions. China has filed a formal complaint in response.

The administration of US President Joe Biden has put restrictions on semiconductor exports to its chief superpower rival in an effort to halt the development of cutting-edge technology that might be employed in military modernization and human rights abuses as geopolitical tensions between the US and China increase. The US has also pressed its international allies to follow suit.

The Dutch trade minister, Liesje Schreinemacher, said the government had taken into account technological developments and the geopolitical environment, but did not specifically mention China or ASML. Companies will now need to apply for licences to export certain technology, including the most advanced deep ultraviolet (DUV) immersion lithography and deposition equipment.

ASML stated that it "does not expect these steps to have a major impact on our financial projection that we have released for 2023 or for our longer-term scenarios as indicated during our Investor Day in November last year."

In October, Washington said it would require licences from businesses exporting chips made with US equipment or software to China, no matter where in the world the chips were produced.

The US position on semiconductors also drew criticism from South Korea's trade ministry this week, which said it would make clear that the terms of the US CHIPS Act could increase economic uncertainty, undermine companies' management and intellectual property rights, and reduce the appeal of investing in the United States.


Demanding Data Privacy Measures, FBI Cyber Agent Urges Users

 

The FBI maintains a close eye on cyber security risks, but officials emphasized that in order to be more proactive with the prevention, they need the assistance of both people and businesses.

Algorithms help each of us navigate that vast and somewhat disorganised ecosystem. At their best these algorithms are genuinely useful. At their worst they are tools of mass manipulation that can seriously harm us, our loved ones, and our society.

These algorithms don't produce immediate or obvious changes. Instead, they drive persistent micro-manipulations that, over time, significantly alter our culture, politics and attitudes. It makes little difference whether you personally can resist the manipulation or choose not to use the apps that rely on these algorithms: once enough of your neighbours and friends make these barely perceptible adjustments in attitude and behaviour, your environment changes, and not in ways that benefit you, but in ways that benefit the people who own and run the platforms.

Over the years, numerous government officials have voiced similar warnings, and two presidential administrations have made various attempts to address these security concerns. TikTok has long maintained that it does not follow Chinese government content-filtering rules and that it keeps data on American users in the United States. But the company has come under growing criticism, and in July it admitted that non-US staff did in fact have access to data on American users.

Data privacy advocates have long raised concerns about these algorithms but have had little success in bringing about significant change. The American Data Privacy and Protection Act (ADPPA) would, for the first time, begin to hold the developers of these algorithms accountable and require them to show that their engagement formulas are not harming the public. Because of these concerns, the U.S. Senate overwhelmingly passed a bill barring TikTok from all federally issued devices, and at least 11 states have already ordered similar bans on state-owned devices.

Consumers currently have little control over how, and by whom, their personal data is used for the benefit of others. A law along the lines of the ADPPA would provide a process for beginning to understand how these algorithms work, allowing users to influence how they operate and are used.



Freenom Suspends Domain Registrations After Being Sued by Meta

 

Freenom, a domain name registrar that has attracted spammers and phishers with its free domain names, no longer accepts new domain name registrations. The action was taken just days after Meta filed a lawsuit against the Netherlands registrar, alleging that the latter ignored abuse reports concerning phishing websites while generating revenue from visitors to such abusive domains, according to Brian Krebs.

Freenom manages five country code top-level domains (ccTLDs): .cf for the Central African Republic, .ga for Gabon, .gq for Equatorial Guinea, .ml for Mali, and .tk for Tokelau.

Freenom has never charged for the registration of domains in these country-code extensions, most likely to entice consumers to pay for related services, such as registering a .com or .net domain, for which Freenom does charge.

Meta filed the lawsuit against Freenom in Northern California on March 3, 2023, citing trademark infringement and cybersquatting. The lawsuit also seeks the identities of 20 "John Does", Freenom customers that Meta says have been particularly active in phishing attacks against Facebook, Instagram, and WhatsApp users.

The lawsuit cites a 2021 study on domain abuse prepared for the European Commission, which found that the ccTLDs run by Freenom accounted for five of the top ten TLDs most frequently used by phishers.

As Krebs reports, the complaint asserts that the five ccTLDs Freenom services are the TLDs of choice for cybercriminals because Freenom offers free domain registration and hides the identities of its customers even after being shown proof that the domain names are being used for unlawful purposes. Freenom keeps granting those same clients additional infringing domain names even after receiving complaints about infringement or phishing.

Meta further claims that "Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse," and that it monetizes traffic from infringing domains by reselling them and by including "parking pages" that direct visitors to other commercial websites, pornographic websites, and websites used for malicious activities like phishing. 

Freenom had not responded to requests for comment. As of the time of writing, attempts to register a domain through the company's website produced the following error message:

“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.” 

Freenom has its headquarters in The Netherlands, but the case also names a few of its other sister firms as defendants, some of which are established in the US. When Meta first filed this action in December 2022, it requested that the case be sealed in order to limit the public's access to court records related to the case. Following the denial of that request, Meta modified and re-filed the case last week. 

According to Meta, this isn't just an instance of another domain name registrar ignoring abuse concerns because it's bad for business. According to the lawsuit, Freenom's proprietors "are a part of a web of businesses established to promote cybersquatting, all for the advantage of Freenom." 

“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta claimed. 

Krebs further explained that although the reason for Freenom's decision to stop accepting registrations is still unknown, the company may recently have been the target of disciplinary action by the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit that oversees domain registrars.

In June 2015, ICANN put a 90-day hold on Freenom's ability to register new domain names or accept inbound transfers of existing ones. According to Meta, the suspension was based on ICANN's finding that Freenom "has engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest."


GoAnywhere MFT Hack Exposes Hatch Bank Customer Data


 

Hackers exploited a zero-day vulnerability in Hatch Bank's file transfer software, gaining access to thousands of customers' Social Security numbers, according to Hatch Bank, a digital-first bank that provides the banking infrastructure behind fintech companies' branded credit cards.

According to Hatch Bank, almost 140,000 customers were affected after hackers accessed sensitive customer information held on the bank's Fortra GoAnywhere MFT secure file-transfer platform.

In addition to providing small businesses with access to a variety of banking services, Hatch Bank is also a financial technology company. 

TechCrunch reported today that, according to a breach notification submitted to the Attorney General's office, the data of 139,493 customers was stolen by hackers who exploited a vulnerability in the GoAnywhere MFT software. 

According to the notification Hatch Bank sent out, Fortra discovered a vulnerability in its software and experienced a cyber incident on January 29, 2023. 

Fortra notified Hatch Bank of the incident on February 3, 2023, informing it that files stored on Fortra's GoAnywhere site had been compromised. Hatch says it obtained a copy of the stolen data, reviewed it, and found that the attackers had taken customer names and Social Security numbers. 

Affected customers of the bank are entitled to a free twelve-month credit monitoring service from the bank as part of their compensation package. 

Earlier this month, Community Health Systems (CHS) revealed it had suffered a data breach caused by the GoAnywhere MFT attack, making this the second confirmed breach in the past month. 

GoAnywhere Breaches Linked to Clop Ransomware

Although Hatch Bank did not disclose which threat actor was responsible for the attack, BleepingComputer was told that the Clop ransomware gang conducted these attacks. 

Approximately 130 organizations were breached and had their data stolen. The ransomware group is said to have exploited the zero-day vulnerability in Fortra's GoAnywhere MFT platform to steal data over a period of more than ten days. 

The vulnerability is now tracked as CVE-2023-0669 and allows remote threat actors to gain remote code execution on affected servers. After learning that it was being actively exploited in attacks, Fortra disclosed the GoAnywhere vulnerability to its customers in early February. 

An exploit for the flaw was publicly revealed on February 7th, only a day before it was patched. 

Fortra did not respond to our emails requesting more information about the attacks, and BleepingComputer was unable to independently confirm Clop's assertions that the attackers were behind them. 

According to Huntress Threat Intelligence Manager Joe Slowik, the GoAnywhere MFT attacks have also been linked to TA505, the hacking group well known for deploying Clop ransomware. 

Clop used a similar tactic in December 2020, exploiting a zero-day vulnerability in Accellion's File Transfer Appliance (FTA) to steal data from companies worldwide. 

With Accellion FTA, organizations have a secure way of sharing files with their clients, much like they would with GoAnywhere MFT. 

The Clop ransomware gang gave the victims of those attacks an ultimatum, demanding a $10 million ransom in return for not publishing the stolen data. 

Numerous organizations disclosed related breaches; Morgan Stanley, Qualys, Shell, and Kroger are among the most notable companies that reported being affected by the Accellion FTA attacks. Several universities, including Stanford Medicine, the University of Colorado, UCLA, and the University of Colorado-Boulder, were also affected. 

Clop may well demand a similar ransom from the victims of the GoAnywhere MFT attacks. If the gang follows its past tactics, the stolen data will soon appear on its data leak site.

Australia's OAIC Confirms Substantial Increase in Data Breaches

According to the Office of the Australian Information Commissioner's (OAIC) most recent report on notifiable data breaches, there was a 26% rise in breaches in the second half of 2022, including many significant breaches that affected millions of Australians.

The OAIC reports that cyber security incidents led to 33 out of the 40 breaches affecting more than 5,000 Australians. In the first half of 2022, there were just 24 significant breaches.

Massive data breaches at Optus and Medibank in the second half of 2022 exposed the personal data of about 9.8 million and 9.7 million people, respectively.

Large-scale breaches naturally garnered a lot of attention, although only 62% of reported breaches had an impact on more than 100 persons.

In total, malicious or criminal attacks accounted for 70% of data breaches. Human error accounted for another 25%; its most frequent form was sending emails to the wrong recipient, followed by unintended release or publication, with failing to use BCC when sending emails in third place.

In the December quarter of 2022, Australia's gross domestic product increased by just 0.5%, a dramatic fall from the December quarter of 2021 when lockdowns in Sydney and Melbourne were lifted. Despite migrant arrivals increasing by 171% to 395,000 from 146,000 in 2021–22, the GDP per capita—or the economic output for each individual—remained unchanged.

The Commonwealth government responded, in part, by toughening the penalties under the Privacy Act and giving the Australian Information Commissioner more authority to enforce it. It also started a review of the Act. One of the suggestions is to eliminate the Privacy Act's small business exemption, which presently excludes the majority of companies with annual sales of up to A$3 million, but only after an impact review and other criteria have been completed.

CrowdStrike: Cybercriminals Are Choosing Data Extortion Over Ransomware Attacks

CrowdStrike’s threat intelligence recently reported that cybercriminals have been learning how data extortion attacks are more profitable than ransomware attacks, leading to a drastic shift in the behavior of cyber activities throughout 2022. 

The cybersecurity vendor's "2023 Global Threat Report," which summarizes CrowdStrike's research on cybercrime (or "e-Crime") from the previous year, was released this week. The report's major sections address ongoing geopolitical disputes, cloud-related attacks, and extortion attacks carried out without ransomware. 

One of the major findings from the CrowdStrike research is that the number of malicious actors who conducted data theft and extortion attacks without the use of ransomware increased by 20% in 2022 compared to the previous year. Data extortion is the practice of obtaining confidential information from target companies and then threatening to post the information online if the victim does not provide the ransom demanded by the attacker. 

Data extortion has frequently been a part of ransomware operations, with the fear of data exposure intended to give the victim an additional incentive to pay the demanded ransom. However, according to the CrowdStrike findings, more attackers are now leaning toward data extortion while abandoning the ransomware element altogether. 

Adam Meyers, head of intelligence at CrowdStrike, says: “We’re seeing more and more threat actors moving away from ransomware[…]Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.” 

According to Meyers, the rise in extortion addresses the adaptability of cyber adversaries. He further adds that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) have witnessed a significant boost. 

CrowdStrike also noted a waning interest in malware overall: the firm reported that malware-free activity accounted for 71% of its threat detections in 2022, up from 62% in 2021. 

"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments[…]Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits," the report said. 

While also noting the improved resilience of the RaaS network, CrowdStrike stated that affiliated hackers will continue to be a major concern as they move from one network to another despite the move away from conventional ransomware deployment.  

The Ukraine Invasion Blew up Russian Cybercrime Alliances

Over the years, Russia has built up one of the world’s most formidable cybercriminal ecosystems. Russian hacker groups have been linked to disruptive cyberattacks, including those on one of the United States’ most critical oil pipelines and on the world’s largest meat producers.  

A recently released study suggests that, a year after the illegal invasion, Russia's war on Ukraine has disrupted the criminal ecosystem in Russia and its former Soviet satellite states. Alexander Leslie, associate threat intelligence analyst at Recorded Future's Insikt Group, believes this is one of the most significant developments in the history of cybercrime, with broad implications for nearly every aspect of the cybercrime world.

In a recent interview with The Register, Leslie told them that these fractures can be felt in all facets of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs, and hacktivists, all of whom derive their revenue from Russian-speaking underground activities. 

"Russia's military intervention in Ukraine has ushered in the era of volatility and unpredictability in the world of international cybercrime, which carries a multitude of implications for the defense community," Leslie said in a statement. 

As per the report, Russian cybercrime covers a wide range of crimes committed by Russian-speaking criminals across Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia. According to Leslie, before the war all of these criminal elements shared one rule: they refused to target entities located in the Commonwealth of Independent States, so as not to draw attention from law enforcement. The day after the Russian government began attacking critical infrastructure on February 24, 2022, the Conti ransomware gang declared its "full support" for the Russian government and pledged to use all the resources at its disposal against critical infrastructure in response. The gang later claimed that it condemned the war, but the damage had already been done. 

On February 27, 2022, a Ukrainian security researcher leaked hundreds of internal documents from Conti's internal domains. These so-called Conti leaks led to the Trickbot leaks, which used information from the Conti data dump to reveal Trickbot's senior leadership. According to reports, Conti shut down its operations in the weeks that followed. 

Moreover, Conti's rivals such as ALPHV (BlackCat) and LockBit did not declare their loyalty to the Kremlin to any significant extent, although some other gangs did. 

The number of ransomware attacks has also decreased in the context of the war, which may be attributable to fewer Russian cyberattacks as well. A year into the war, fears of large-scale disruption of Ukrainian and Western infrastructure have not been realized. Russia has not given up, though: Google reported that the targeting of Ukrainian users increased by 250 percent in 2022 compared with 2020, and the targeting of NATO users increased by 300 percent.  

As experts point out, this is not necessarily an indictment of Russia's cyber capabilities. Instead, it is an indication of the effectiveness of Ukrainian cyber defense backed up by its Western allies and companies such as Google, Microsoft, and Amazon on the ground. This is a largely successful strategy.  

The Georgia Institute of Technology's Nadiya Kostyuk, who specializes in modern warfare and cyber conflict, has said that this support was "crucial" to Ukraine's cyberspace remaining relatively unscathed, despite the geopolitical turmoil around the world. 

It is currently apparent that Ukraine's cyber capabilities haven't kept up with those of Russia even though it has been developing them since 2014. According to her, Microsoft, along with other companies, had played a huge part in building more resilient networks and systems as well as defending Ukraine's cyberspace. 

Forum Rules for the Russian Dark Web

The war did not only expose the fault lines among ransomware gangs, but also among other criminals associated with them. The invasion of Ukraine also appears to have broken an unwritten rule on Russian-language dark web forums, which held that criminals would not target organizations in former Soviet states unless they were inside the country. 

Despite the increased geographical decentralization of cybercriminal groups, Leslie predicts that the industry will become more centralized in the future.

During the kinetic war and in the immediate aftermath of it, there was also an increase in pro-Russian hacktivist groups. The 'second wave' of hacktivism took place around March 22, 2022, when Killnet's campaign against the Latvian government was initiated, following the initial wave of hacktivism, which included pre-existing groups such as the Stormous ransomware gang as well as new crews that were created to support the Russian war effort. 

An Increase in the Number of Killnets

Despite that, Recorded Future says that Killnet dominated this second wave of hacktivism. 

Since then, the gang and its subgroups have expanded their targets beyond Europe to the Americas, Asia, and other parts of the world. 

Recorded Future says that most of the pro-Russian hacktivist groups that have appeared since the start of the war are no longer active, despite estimates by security researchers such as @Cyberknow20 that 70 or more such groups were active at the beginning of the war. 

As the authors point out, although they identified about 100 such groups between February 24, 2022, and February 10, 2023, only a few remain active today. 

Even the few that remain are not very effective. A new FBI report describes Killnet's distributed denial of service attacks as having had "limited success," and the researchers point out that the groups' impact on the overall war effort has been "minimal" at best. 

Is 2023 Going to be a Year of Change?

Security researchers expect a second year of the war to bring more of the same: insider leaks from criminal gangs, hacktivist attacks making headlines, and database dumps sold on dark-web forums, possibly with a rise in leaked Russian and Belarusian databases and in credential leaks targeting .ru and .by domains. Because of the malware-as-a-service threat landscape and the continuing churn of criminal forums on the dark web, "volatility and instability" are predicted to persist across the Russian-speaking dark web market through 2023. 

In the short term, Leslie predicts that the cyber efforts of Ukraine are likely to be stepped up in 2023. The public-private partnership has helped foster increased collaboration between intelligence agencies and the provision of active defensive support, and we anticipate that this will only increase in the years to come, Leslie added. 

The majority of offensive operations are likely to be undertaken by the IT Army of Ukraine, which is expected to keep the support needed to sustain its crowdsourced model of hacktivism and to continue dominating offensive operations. 

He says he expects more hack-and-leak attacks from the Ukrainian IT Army in the future, but the most dominant methods of attack will likely remain DDoS attacks and website defacement.

Preventing a USB Killer Threat

A USB Killer is a USB drive that was altered to emit an electrical surge that can break or destroy hardware when a modified flash drive is plugged into a computer's USB port.

The concept for USB Killers was created by a Russian researcher known as Dark Purple with the stated objective of destroying delicate computer parts. When a USB Killer device is inserted into a USB port, it draws power from the device's USB power supply and stores it in its own capacitors, repeating this until a high voltage is reached. It then discharges the accumulated negative 220 volts onto the USB data pins. The USB Killers now on the market can produce an estimated 215–220 volts. The host device's circuitry is damaged or destroyed as a result.

Its capacitors rapidly accumulate this enormous voltage. As long as the gadget is connected and hasn't been damaged to the point that it can no longer charge itself, the charge/discharge cycle also continues numerous times per second.

This approach makes nearly any unprotected equipment susceptible to high voltage attack. For years, malicious software has been spread via USB sticks, including viruses that can infect computers. This is probably because they are easy and affordable to design and buy. Unaware users frequently utilize them to store and transport data.

A USB Killer Attack: How to Prevent It

1. Keep Unknown Drives Out of the Plug

Social engineering, or using deceptive techniques to persuade people to connect a malicious device, is at the heart of many USB risks.

2. When possible, turn off USB ports

If it is possible, disabling USB ports is a great way to stop USB attacks, including USB Killer attacks.

3. Open unknown drives in a virtual environment

A virtual machine is a software environment that hosts a mockup of your computer inside your computer. If you connect an unknown drive and open it inside the virtual environment, any malware on it cannot reach your data or network. Note that this only contains software threats: a USB Killer's surge hits the electronics of the physical port, so a virtual machine offers no protection against it.

A USB Killer ruins a PC within moments of being plugged into a USB port, so refraining from using unknown USB devices on your computers is the best way to stop USB Killers from causing damage. The majority of USB-related attacks can be effectively prevented by following standard cybersecurity practices. For complete protection, you can physically cap and disable the USB ports in your business.

Even measures implemented to guard against USB attacks are not 100% secure. Never trust unknown drives, periodically examine those you do use, and use security features such as passwords, PIN codes, and data encryption. Ideally, being aware of the strategies that attackers employ, together with strong hardware and software security, will keep you safe from unpleasant digital infections.
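Between leaving every port open and disabling USB entirely sits a middle ground: allowlisting the devices you have approved and alerting on everything else. The following is an added example, not code from the original post. It parses lines in the style of Linux kernel USB attach messages (the sample lines below are constructed; 0781:5583 and 046d:c52b are real SanDisk and Logitech IDs used as allowlisted examples, and 1a2b:3c4d is a placeholder for an unknown device) and reports any device whose vendor/product ID pair is not on the allowlist.

```python
"""Audit USB device attachments against an allowlist.

Added example (not from the original post). Parses kernel-style USB attach
messages and reports devices whose (idVendor, idProduct) pair is not approved.
"""
import re

# Constructed sample log in the style of Linux kernel USB messages.
SAMPLE_LOG = """\
[  120.431] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  120.589] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  120.589] usb 1-1: Product: Ultra Fit
[  120.589] usb 1-1: Manufacturer: SanDisk
[  301.112] usb 2-3: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 0.01
[  301.113] usb 2-3: Product: Disk
[  540.007] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[  540.007] usb 1-2: Product: USB Receiver
[  540.008] usb 1-2: Manufacturer: Logitech
"""

# Devices the organisation has approved: (vendor ID, product ID), lower-case hex.
ALLOWLIST = {("0781", "5583"), ("046d", "c52b")}

ATTACH = re.compile(
    r"\[\s*(?P<ts>[\d.]+)\] usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
DESCRIPTOR = re.compile(
    r"\[\s*[\d.]+\] usb (?P<port>\S+): (?P<field>Product|Manufacturer): (?P<value>.*)"
)


def parse_attachments(log_text):
    """Return one dict per attached device, in log order, with the Product
    and Manufacturer strings that follow the attach line on the same port."""
    devices = []
    latest_on_port = {}          # port -> index of the most recent device seen there
    for line in log_text.splitlines():
        m = ATTACH.match(line)
        if m:
            devices.append({
                "ts": float(m["ts"]), "port": m["port"],
                "vid": m["vid"].lower(), "pid": m["pid"].lower(),
                "Product": "", "Manufacturer": "",
            })
            latest_on_port[m["port"]] = len(devices) - 1
            continue
        m = DESCRIPTOR.match(line)
        if m and m["port"] in latest_on_port:
            devices[latest_on_port[m["port"]]][m["field"]] = m["value"].strip()
    return devices


def audit_usb_attachments(log_text, allowlist):
    """Return the attached devices whose (vid, pid) pair is not allowlisted."""
    return [d for d in parse_attachments(log_text)
            if (d["vid"], d["pid"]) not in allowlist]


if __name__ == "__main__":
    for d in audit_usb_attachments(SAMPLE_LOG, ALLOWLIST):
        print(f"ALERT port {d['port']}: unknown device {d['vid']}:{d['pid']} "
              f"({d['Manufacturer'] or '?'} {d['Product'] or '?'}) at t={d['ts']}")
```

This catches policy violations and unknown storage devices that may carry malware, but it does not stop a USB Killer: the surge is delivered at the electrical level, regardless of whether the device ever enumerates, which is why physical port blockers and disabled ports remain the control for that threat.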

Challenges With Software Supply Chain & CNAPP

In 2021, sales of CNAPP exceeded $1.7 billion, an increase of roughly 49% over 2020, according to a recent Frost & Sullivan analysis. According to Frost & Sullivan, CNAPP revenue growth will average over 26% annually between 2021 and 2026.

Anh Tien Vu, industry principal for international cybersecurity and the author of the report, projects that by 2026, revenues will surpass $5.4 billion "due to the increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle."

How Do CNAPPs Function?

CNAPP platforms combine many security technologies and features to cut down on complexity and expense, offering:
  • The capabilities of CSPM, CIEM, and CWPP tools combined across the development life cycle, with correlation of vulnerabilities, context, and linkages.
  • Identifying high-risk situations with detailed context.
  • Automatic and guided cleanup to address flaws and configuration errors.
  • Guardrails that block unauthorized alterations to the architecture.
  • Simple interaction with SecOps ecosystems to quickly deliver notifications.
Security teams must transition from guarding infrastructure to guarding workload-running applications in order to maximize cloud security and compliance, enable DevOps, and reduce friction. That entails, at the very least, protecting the security of the production environment and cloud service configurations, with runtime protection serving as an important extra layer of security.

Attackers are focusing more and more on cloud-native targets in an effort to find vulnerabilities that can be used to compromise the software supply chain. The widespread effect that such a vulnerability can have on the application environment was demonstrated last year by the Log4Shell flaw in the widely used Log4j Java logging library.

Melinda Marks, a senior analyst at Enterprise Strategy Group, says that CNAPP helps businesses set up DevSecOps processes in which software engineers take the initiative to find potential bugs in code before application runtimes are delivered into production, but it also goes beyond that. Catching these issues before you release your applications to the cloud is crucial, since once you do, attackers can reach them.

CNAPPs combine a number of previously siloed capabilities: scanning of development artifacts such as containers and infrastructure as code (IaC), cloud infrastructure entitlement management (CIEM), runtime cloud workload protection platforms (CWPP), and cloud security posture management (CSPM). Together with a more uniform approach and improved awareness of the risk in cloud-native computing environments, CNAPP offers standard controls to reduce vulnerabilities.
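To make the artifact-scanning part concrete, here is an added example (not a vendor's rule set and not code from the original post) of the kind of check a build pipeline runs over a Dockerfile before the image reaches production. It flags a handful of common container-build weaknesses and is shown against two constructed Dockerfiles: a weak one and the same build hardened.

```python
"""Minimal Dockerfile misconfiguration checker (added example).

The rules and both sample Dockerfiles are constructed for illustration.
"""
import re

# Constructed sample: a build with several common weaknesses.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN curl -sSL https://example.invalid/install.sh | sh
COPY . /app
EXPOSE 22
CMD ["python", "/app/main.py"]
"""

# Constructed sample: the same build with the weaknesses removed.
HARDENED_DOCKERFILE = """\
FROM python:3.11-slim
COPY requirements.txt /app/requirements.txt
RUN pip install --no-cache-dir -r /app/requirements.txt
COPY . /app
RUN useradd --create-home appuser
USER appuser
CMD ["python", "/app/main.py"]
"""

# curl/wget output piped straight into a shell, with or without sudo.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash)\b")


def _instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations
    and skipping blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def _image_tag(image):
    """Return the tag of an image reference, None if it has none, or
    "digest" when it is pinned by digest. Only the last path component is
    inspected so a registry port (registry.local:5000/app) is not read as a tag."""
    last = image.split("/")[-1]
    if "@sha256:" in last:
        return "digest"
    return last.split(":", 1)[1] if ":" in last else None


def check_dockerfile(text):
    """Return a list of human-readable findings for one Dockerfile."""
    findings = []
    last_user = None
    for instr, arg in _instructions(text):
        tokens = arg.split()
        if instr == "FROM" and tokens:
            if _image_tag(tokens[0]) in (None, "latest"):
                findings.append(f"FROM: base image tag is unpinned ({tokens[0]})")
        elif instr == "ADD" and any(t.startswith(("http://", "https://")) for t in tokens):
            findings.append("ADD: fetches content from a remote URL at build time")
        elif instr == "RUN" and PIPE_TO_SHELL.search(arg):
            findings.append("RUN: pipes a downloaded script straight into a shell")
        elif instr == "EXPOSE" and any(t.split("/")[0] == "22" for t in tokens):
            findings.append("EXPOSE: SSH port 22 exposed from the container")
        elif instr == "USER" and tokens:
            last_user = tokens[0].split(":")[0]
    # No USER instruction, or the last one is root, means the app runs as root.
    if last_user is None or last_user in ("root", "0"):
        findings.append("USER: container runs as root (no non-root USER instruction)")
    return findings


if __name__ == "__main__":
    for name, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{name}: {check_dockerfile(df) or ['no findings']}")
```

Each finding maps to a supply-chain concern the paragraph above mentions: an unpinned base image or a script fetched at build time means the artifact that ships is not the one that was reviewed, and a root process widens the blast radius of any runtime compromise.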

Significantly, CNAPP also promotes communication between teams working on application development, cybersecurity, and IT infrastructure, opening the door to finding and fixing flaws before apps are put into use. CNAPP features are being added to security platforms by security manufacturers like Check Point and Palo Alto Networks. Marks cautions against the common misunderstanding that shifting security left is all about putting security first during the software development and build process.

DDoS Attacks: Becoming More Powerful & Shorter in Duration

Microsoft says that it witnessed distributed denial-of-service attacks turn shorter in duration in 2022 while also becoming more effective and capable of greater impact. As per Microsoft's DDoS trends report for 2022, the United States, India, and East Asia topped the targeted regions for DDoS attacks, among others, and internet of things devices remained the preferred choice for launching these attacks. DDoS attacks in 2022 lasted less than an hour on average, and attacks lasting 1 or 2 minutes accounted for one-fourth of total attacks last year.

According to the tech giant, the attacks were shorter because bad actors required fewer resources to carry them out, and security teams are finding it difficult to defend against them using legacy DDoS controls. "Attackers frequently use multiple short attacks over the course of several hours to make the most impact while using the fewest resources," Microsoft says.

The daily average was 1,435 DDoS attacks, with the highest number being 2,215 on September 22. During the holiday season, the volume of DDoS attacks increased significantly until the last week of December.

In the Azure cloud, Microsoft documented a 3.25 terabyte-per-second attack as the "largest attack" of 2022. This is less than the previous largest known DDoS attack, which peaked at 3.47 TB per second.

TCP reflected amplification attacks are becoming more common and powerful, according to Microsoft, and more diverse types of reflectors and attack vectors are typically exploiting "improper TCP stack implementation in middleboxes, such as firewalls and deep packet inspection devices." The attacker spoofs the target's IP address and sends a request to a reflector, such as an open server or middlebox, which then responds to the target, such as a virtual machine.

TCP reflected amplification attacks can now reach "infinite amplification" in some cases. A reflected amplified SYN+ACK attack on an Azure resource in Asia in April 2022 reached 30 million packets per second and lasted 15 seconds.

"The attack throughput was not particularly high, but there were 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure," according to the report.
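The tell-tale sign of the reflected SYN+ACK attack described above is that the victim receives SYN+ACKs from many hosts it never sent a SYN to, each retransmitted as a normal TCP stack would. The following added example (not Microsoft's code) shows a small stateful check over packet metadata that flags exactly that pattern. The packet records are constructed, the addresses are documentation ranges, and the 20-reflector threshold is an assumed tuning value.

```python
"""Detect a reflected SYN+ACK burst in packet metadata (added example).

Flags a destination that, within one time window, receives SYN+ACKs from many
sources it never sent a SYN to. Packet records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    flags: str     # TCP flags as letters: "S" = SYN, "SA" = SYN+ACK, "A" = ACK


def sample_traffic(n_reflectors=40, victim="203.0.113.10"):
    """Constructed capture: one legitimate handshake started by the victim,
    then a burst of SYN+ACKs from reflectors answering SYNs the victim never
    sent (the attacker spoofed the victim's address). Each reflector
    retransmits its SYN+ACK twice, as a real TCP stack would."""
    pkts = [
        Packet(0.00, victim, "198.51.100.5", "S"),
        Packet(0.01, "198.51.100.5", victim, "SA"),
        Packet(0.02, victim, "198.51.100.5", "A"),
    ]
    for i in range(n_reflectors):
        reflector = f"192.0.2.{i + 1}"
        for retry in range(3):
            pkts.append(Packet(0.50 + 0.10 * retry, reflector, victim, "SA"))
    return pkts


def detect_reflected_synack(packets, window=1.0, min_reflectors=20):
    """Return {dst: details} for every destination that, within one window,
    received SYN+ACKs from at least `min_reflectors` distinct sources without
    having sent them a SYN first."""
    # Every (initiator, responder) pair for which the initiator's SYN was seen.
    syn_sent = {(p.src, p.dst) for p in packets if p.flags == "S"}

    buckets = defaultdict(lambda: {"reflectors": set(), "packets": 0})
    for p in packets:
        if p.flags != "SA":
            continue
        if (p.dst, p.src) in syn_sent:
            continue                      # solicited reply to a real SYN
        key = (p.dst, int(p.ts // window))
        buckets[key]["reflectors"].add(p.src)
        buckets[key]["packets"] += 1

    alerts = {}
    for (dst, slot), b in buckets.items():
        if len(b["reflectors"]) >= min_reflectors:
            alerts[dst] = {
                "window_start": slot * window,
                "reflectors": len(b["reflectors"]),
                "packets": b["packets"],
                "pps": b["packets"] / window,
            }
    return alerts


if __name__ == "__main__":
    print(detect_reflected_synack(sample_traffic()))
```

The check depends on the sensor seeing the victim's outbound SYNs; at a vantage point that sees only inbound traffic, every SYN+ACK looks unsolicited, so the threshold on distinct sources per window does the real work there. Packet rate matters more than bytes for this attack class, which is why the alert carries pps rather than throughput.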

IoT Devices: the Preferred Platform for Attacks

According to Microsoft, adversaries preferred IoT devices to launch DDoS attacks, a trend that has been growing in recent years. During the Russia-Ukraine war in 2022, the use of IoT devices increased.

Botnets used by nation-state actors and criminal enterprises, such as Mirai, have been adapted to infect a wide range of IoT devices and support new attack vectors. "While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash," Microsoft said.

TCP attacks were the most common type of DDoS attack in 2022, accounting for 63% of all DDoS attacks recorded, followed by UDP attacks at 22%.
 
Politically motivated DDoS attacks have risen to prominence, particularly in the year since Russia's invasion of Ukraine. KillNet, a Russian hacktivist group loyal to Moscow, actively recruited volunteers to launch DDoS attacks against Western nations.

KillNet has launched 86 attacks against pro-Ukraine countries since the war began in February, according to the CyberPeace Institute, which tracks publicly disclosed attacks related to the Russia-Ukraine war.

Remember to Clear the Cache on Your iPhone

Websites and apps can load more quickly by taking advantage of the cache, a designated area on your iPhone that stores temporary data. Because cached data uses up space on your phone, it's a good idea to wipe it frequently to improve browsing speed. When you free up space on your iPhone by clearing the browser or app cache, you may notice a speed and performance improvement, especially if you're experiencing performance problems.

Clearing the cache on iPhone

For iPhones, Safari is the default browser, which lets you clear the cache in just a few simple steps. This method has a major impact on all devices logged into your iCloud account starting with iOS 11. As a result, the caches on all of your devices will be emptied, and the next time you use them, you'll have to sign in to each one separately. Here is what to do.

1. Launch the iPhone's Settings app.
2. From the list of programs, choose Safari.
3. Choose Clear Website Data and History.
4. The pop-up box will allow you to select Clear History and Data.

Even though clearing your browsing history in Chrome logs you out of websites, it doesn't appear to dismiss all open tabs. You will need to log back into any websites you were visiting.

With Chrome, remove the iPhone cache

1. Start the Chrome application.
2. To access more options, click the three dots in the lower right corner.
3. Choose Settings by swiping up from the top.
4. On the following menu, choose Privacy and Security.
5. After that, choose Clear Browsing Data to bring up one final selection.
6. At the top-left corner of the menu, choose the desired time frame.
7. Check to see if Cached Images and Files, Cookies, and Site Data are all selected. At the very bottom of the screen, select Clear Browsing Data.

Caches and cookies 

Cookies are little files that carry passwords and personalization data and store data about your online behavior. Many cookies, including those that keep you logged in to regularly visited websites, are helpful; nevertheless, some third-party cookies track your behavior on many websites. This could contain potentially sensitive data, such as your search history and your clicked links.

A cache, by contrast, stores data files that your browser or application is likely to use frequently. By avoiding the need to download the same data repeatedly, it can improve the performance of your phone.

Caches typically only need to be cleared once every two to three months; by then your browser will usually have accumulated a cache big enough to start slowing things down. If you visit many websites, you may need to clear your cache more frequently.

Video Calling Apps Target Children


Eden Kamar, a Ph.D. student in cybersecurity at the Hebrew University of Jerusalem, and Dr. C. Jordan Howell, a cybercrime specialist at the University of South Florida, collaborated to highlight the various methods that pedophiles prey on young children in the US. 

Howell explained that the team intended to understand how sexual predators first approach kids in chatrooms to start a dialogue before using devious means to gain their trust and record child porn. The study was conducted between October 2021 and May 2022.

The research started by developing a number of automated chatbots which never initiated a conversation and were set to only respond to users that identified as being at least 18 years old.

In 30 randomly chosen chatrooms for teenagers, the chatbots had roughly 1,000 conversations with potential pedophiles; 38 percent of the online predators then sent unsolicited links, according to Howell. In text chats on public platforms, the bots asked the predators for their "a/s/l" (age, sex, location), and once the bot identified herself as a 13- or 14-year-old female, the predators returned with a video link.

A surprising 41% of links went to Whereby, a competitor of Zoom that offers video and audio conferencing. According to the company's website, it was founded in Norway ten years ago and has worked with organizations like Spotify and Netflix.

Howell added that after exploring the company's website, the researchers discovered that Whereby permits users to manage other participants' webcams without their knowledge.

19% of the links led to malware, and another 5% sent users to well-known phishing websites. Phishing sites are intended to obtain personal information, including home addresses, while malware sites can be used to remotely access a child's computer. Phishing attempts can also give a predator a child's computer password, which can be used to log in and control a camera remotely.

Evaluation by Chainalysis Declare 2022 to be "The Year of Crypto Thefts"


A recent Chainalysis analysis stated that ransomware and fraud increased cryptocurrency theft last year. "The 2023 Crypto Crime Report" was published by Chainalysis. The paper also discussed the reasons why 2022 established records for cryptocurrency hacking and the effects of sanctions against Hydra, Tornado Cash, and other companies on cryptocurrency crime. In addition, case studies on the greatest hacks, darknet markets, and ransomware variants of the year were included in the paper. 

Rise in crypto crime

Chainalysis is a well-known blockchain data platform that serves more than 70 nations' worth of exchanges, financial institutions, insurance organisations, and cybersecurity firms with data, software, services, and research.

The 2022 instability on the cryptocurrency markets was addressed in the 2023 crypto crime report. The paper also highlighted the most recent methods used by fraudsters for laundering money using cryptocurrencies. 

Last year was a good year for cryptocurrency criminals. Over $3.8 billion, more than in any other year, was stolen from various services and protocols, with $775.7 million of that total stolen in a single month, according to Chainalysis. The report also says that the overall revenue of scammers and ransomware attackers decreased.

As stated in the report, DeFi protocols accounted for 82.1% of the stolen funds, "in particular, cross-chain bridges, which are protocols that let users exchange assets between two separate blockchains."

"Bridges are an enticing target for hackers as the smart contracts in effect become massive, centralised warehouses of monies backing the assets that have been crossed to the new chain – a more desirable honeypot could barely be imagined," the paper states. 

Oracle manipulation, according to Chainalysis, is a growing trend in DeFi hacks. This is when an attacker subverts the mechanisms used by a decentralised protocol to determine the price of traded assets and establishes favourable conditions for quick and extremely profitable trades.

DeFi protocols lost $386.2 million in 2022 as a result of 41 different oracle manipulation attacks. A case in point is the Mango Markets exploit, which led to the arrest of the suspected attacker, Avraham Eisenberg, who is now accused of manipulating commodities in a US court. 
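The oracle manipulation described above works because a protocol reads an asset's price from a single point in time, such as the reserves of one liquidity pool in the current block. The following added example (not Chainalysis's code or any real protocol's; all amounts are constructed) uses a toy constant-product pool to show the defensive side: one large trade moves the spot price sharply, while a time-weighted average price (TWAP) over several blocks barely moves.

```python
"""Spot-price oracle versus time-weighted average price (added example).

A toy x*y=k pool demonstrates why reading the price from one block is
manipulable and how a TWAP dampens a single-block price push.
"""


class ConstantProductPool:
    """Toy x*y=k automated market maker holding tokens A and B."""

    def __init__(self, reserve_a, reserve_b):
        self.a = float(reserve_a)
        self.b = float(reserve_b)

    def spot_price(self):
        """Price of one A, in units of B, implied by the current reserves."""
        return self.b / self.a

    def swap_b_for_a(self, amount_b):
        """Sell amount_b of B into the pool and receive A; this raises A's price."""
        k = self.a * self.b
        new_b = self.b + amount_b
        new_a = k / new_b
        received = self.a - new_a
        self.a, self.b = new_a, new_b
        return received


class TwapOracle:
    """Averages the price observed over the last `window` blocks."""

    def __init__(self, window):
        self.window = window
        self.observations = []          # (block, price)

    def record(self, block, price):
        self.observations.append((block, price))

    def price(self, current_block):
        recent = [p for b, p in self.observations if b > current_block - self.window]
        return sum(recent) / len(recent)


def compare_oracles(window=10, manipulation_b=3_000):
    """Quiet market for `window` blocks, then one large trade in block
    window+1. Returns (spot price after the trade, TWAP at that block)."""
    pool = ConstantProductPool(1_000, 1_000)        # starts at 1 B per A
    twap = TwapOracle(window)
    for block in range(1, window + 1):
        twap.record(block, pool.spot_price())       # quiet blocks at price 1.0
    manipulated_block = window + 1
    pool.swap_b_for_a(manipulation_b)               # single-block price push
    spot = pool.spot_price()
    twap.record(manipulated_block, spot)
    return spot, twap.price(manipulated_block)


if __name__ == "__main__":
    spot, avg = compare_oracles()
    print(f"spot price after the trade: {spot:.2f} B/A, TWAP: {avg:.2f} B/A")
```

With the constructed numbers the spot price jumps from 1.0 to 16.0 while the 10-block TWAP reads 2.5, so a lending protocol valuing collateral by TWAP would overvalue it far less than one reading the spot price. Sustaining the skew across many blocks is costly for a manipulator because arbitrageurs restore the price between blocks, though a TWAP is not a complete fix for thinly traded pools, which is why protocols also combine it with external multi-source price feeds.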

The Lazarus Group of North Korean hackers surpassed its previous record in 2022, stealing $1.7 billion from numerous victims. The majority of that money was sent to decentralised exchanges and a number of mixers, including Tornado Cash, Blender(dot)io, and, after Blender was shut down, Sinbad.

The Russian darknet marketplace Hydra, the exchange Garantex, the cryptocurrency mixers Blender(dot)io, and Tornado Cash were all sanctioned by the United States last year. However, not all of the money processed by these sanctioned services had criminal origins; according to the Chainalysis analysis, just 6.1% of the money Garantex received and 34% of the money received by Tornado Cash came from illegal sources. 

Sanctions, as stated by Chainalysis, significantly reduced the amount of money flowing into Tornado Cash, while Garantex continued to operate as usual and saw an increase in funds received from known darknet and fraud sites.