During the raid, investigators discovered digital currency in wallets connected to North Korean cybercriminals and Russian intelligence services.
US prosecutors have charged a Vietnamese man they say ran the service since its creation in August 2017. Mixers pool potentially tainted funds and pay them out at random to destination wallets.
Minh Quoc Nguyen, 49, of Hanoi has been charged with money laundering, operating an unlicensed money-transmitting business, and identity theft. The FBI has added him to its wanted list.
Criminals laundering more than $700 million in bitcoin from wallets identified as stolen funds, including money taken by North Korean hackers from Axie Infinity's Ronin Bridge and Harmony's Horizon Bridge, were among the service's customers.
It has also been reported that APT28, the Russian military intelligence group also known as Fancy Bear, used ChipMixer to buy infrastructure for the Kremlin's Drovorub malware. Moreover, according to Europol, the Russian RaaS group LockBit was also a patron.
ChipMixer joins a relatively small group of crypto mixers that have been shut down or sanctioned for enabling criminals to conceal the source of illegally obtained cryptocurrency. The list presently includes Blender.io, which was probably renamed and relaunched as Sinbad, and Tornado Cash, a favorite of cybercriminals that helped hackers launder more than $7 billion between 2019 and 2022.
The Federal Criminal Police Office of Germany seized two ChipMixer back-end servers and more than $46 million in cryptocurrencies, while American investigators seized two web domains that pointed to the service.
According to court documents, ChipMixer allowed users to deposit Bitcoin, which was then combined with Bitcoin from other users to anonymize the currency. But this mixer took things a step further by converting the deposited money into tiny tokens of equal value called "chips," which were then combined, further anonymizing the currencies and obscuring the blockchain trails of the funds. This feature of the platform is what attracted so many criminals.
The domain now displays a seizure notice, stating: “This domain has been seized by the FBI in accordance with a seizure warrant.”
“Together, with our international partners, we are firmly committed to identifying and investigating cybercriminals who pose a serious threat to our economic security by laundering billions of dollars’ worth of cryptocurrency under the misguided anonymity of the darknet,” adds Scott Brown, special agent in charge of Homeland Security Investigations (HSI) Arizona.
An unidentified federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server was compromised by a number of threat actors, including an advanced persistent threat (APT). The advisory, which includes in-depth technical information and indicators of compromise, was created by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Apparently, a critical .NET deserialization flaw in the Progress Telerik UI for ASP.NET AJAX component allowed hackers to compromise a Microsoft Internet Information Services (IIS) web server used by a U.S. government agency last year.
As per the advisory, the threat actors had access to the server between November 2022 and early January 2023, based on indicators of compromise (IOCs) found on the unidentified FCEB agency’s network. To achieve remote code execution, at least two threat actors (among them the Vietnamese XE Group) exploited the unpatched server.
According to CISA, the core vulnerability was linked to two further Telerik UI flaws on the IIS server, CVE-2017-11357 and CVE-2017-11317; however, the forensic investigation could not conclusively determine which of the two was used, or whether either was.
The agency's instance was version 2013.2.717; the advisory stated that builds prior to version 2020.1.114 are vulnerable to CVE-2019-18935. "Though the agency's vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan[…]This may be the case for many software installations, as file paths widely vary depending on the organization and installation method," the advisory noted.
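The advisory's point is that a scanner plugin only looks where it expects the DLL to be. As an added example (not from the advisory), the following PowerShell searches every local fixed drive for Telerik.Web.UI.dll and flags builds older than 2020.1.114, the first build the advisory names as unaffected by CVE-2019-18935; variable names and output layout are assumptions of my own.

```powershell
# Added example: inventory Telerik.Web.UI.dll across all local fixed drives,
# independent of where IIS or the installer happened to put it, and flag
# builds older than 2020.1.114 (per the advisory, earlier builds are
# vulnerable to CVE-2019-18935). Run with an account that can read every
# web root on the host.
$firstFixed = [version]'2020.1.114'

$results = foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
    # Only scan local roots such as C:\ ; skip mapped, network and temp drives.
    if ($drive.Root -notmatch '^[A-Za-z]:\\$') { continue }

    Get-ChildItem -Path $drive.Root -Filter 'Telerik.Web.UI.dll' -Recurse -File `
                  -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
        # Telerik uses a YYYY.Q.BUILD scheme (e.g. 2013.2.717), which the
        # [version] type orders correctly, so a plain comparison suffices.
        $parsed = $null
        $ok = [version]::TryParse($info.FileVersion, [ref]$parsed)
        if ($ok) {
            $shown = $parsed.ToString()
            $vuln  = $parsed -lt $firstFixed
        } else {
            # Unreadable version metadata: report it rather than silently pass.
            $shown = $info.FileVersion
            $vuln  = 'unknown'
        }
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $shown
            Vulnerable = $vuln
        }
    }
}

$results | Sort-Object Vulnerable, Path | Format-Table -AutoSize
```

Any row marked True (or unknown) is a candidate for patching and for a review of the IIS logs covering that application, regardless of what the scheduled scanner reported.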
The case resembles the 2017 Equifax breach, which was caused in part by a vulnerability scan for a severe Apache Struts flaw that overlooked an older system, one that was subsequently infiltrated by threat actors.
CISA, the FBI, and MS-ISAC advised companies to use central log collection and monitoring. Moreover, it has been recommended to implement process monitoring in order to gain "visibility into file system and application process activity." The advisory also included a CISA-developed YARA rule for CVE-2019-18935.
Progress CISO Richard Barretto wrote in an email to TechTarget Editorial that "the security of our customers is one of our highest priorities, and we continue to distribute periodic reminders on the importance of implementing patches and applying software upgrades." He also included a link to the article in Progress' knowledge base that covers the problem.
"As we do with all critical vulnerabilities found in our products, we issued notification and remediation guidance to our customers in 2019 when the vulnerability was discovered[…]Due to the severity of the vulnerability, we provided technical support as needed to all customers regardless of their license status," he added.
Although the practice has become more frequent and widespread since the US Supreme Court restricted the government’s ability to track Americans’ phones without a warrant around five years ago, the FBI had never previously acknowledged making such purchases.
The revelation came after Sen. Ron Wyden (D-Ore.) asked Wray, “Does the FBI purchase US phone-geolocation information?” The response alarmed privacy experts.
“To my knowledge, we do not currently purchase commercial database information that includes location data derived from Internet advertising[…]I understand that we previously—as in the past—purchased some such information for a specific national security pilot project. But that’s not been active for some time,” said Wray.
The response, while vague and skirting the question asked, gave a clear insight into the way the FBI has made use of location data to monitor US individuals with no court oversight.
It is not immediately clear whether Wray was referring to a warrant, a court order that states that a crime has been committed, or to another legal device. Wray also did not explain why the FBI decided to stop the practice.
The Supreme Court ruled in the landmark Carpenter v. United States decision that when government organizations accessed historical location data without a warrant, they were in violation of the Fourth Amendment's prohibition on unreasonable searches. But the decision was interpreted very narrowly. Privacy groups claim that the judgment left an obvious gap that enables the government to simply buy anything it is unable to legally obtain. The Military Intelligence Agency and US Customs and Border Protection (CBP) are two federal organizations that are known to have exploited this loophole.
When asked during the Senate hearing whether the FBI planned to buy location data again, Wray said, “We have no plans to change that, at the current time.”
According to Sean Vitka, a policy lawyer at Demand Progress, a nonprofit focused on national security and privacy reform, the FBI needs to be more forthcoming about the purchase; he called Wray’s revelation “horrifying” in its implications. “The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same,” says Vitka.
US lawmakers have historically failed to enact a comprehensive privacy law, and the majority of the proposed bills have purposely ignored the government's own acquisition of US citizens' private data. For example, all law enforcement organizations and any business "gathering, processing, or transferring" data on their behalf are excluded from the provisions of the American Data Privacy and Protection Act (ADPPA), which was presented last year. Wyden and other senators have attempted to tackle the problem head-on with a number of proposals. For instance, the Geolocation Privacy and Surveillance Act has been reintroduced multiple times in Congress since 2011, but it has never been put to a vote.
The contributions made by the Peel Regional Police are one of the reasons why the Canadian flag is among the icons displayed on what was the dark website of the Russian-linked ransomware group Hive, along with the logos of the U.S. Department of Justice, the FBI, and a variety of police forces around the globe.
According to Detective Const. Karim Hussain in an interview with CTV News Toronto, Peel's detectives got engaged early when a local firm contacted them in 2021 claiming that their systems were down and a text message on their desktops revealed a ransom note.
“We had one of the first cases in Canada of Hive ransomware[…]It was the first to market. At the time we started gathering evidence, Hive was a fairly new ransomware group. Everything we brought to the table was interesting because no one had seen it before,” he says.
The attributes of the Hive case were similar to numerous other high-profile incidents, like a hospital in Louisiana where threat actors accessed the data of around 270,000 patients, and an Ohio hospital that was attacked and left unable to accept new patients even during the massive surge of COVID-19.
Those were only a few of the more than 1,500 attacks throughout the globe that had the digital traces of Hive, an organization whose associates, according to authorities, have made $150 million since 2021 as they demand money from companies in exchange for access to their data or system.
The attacks are carried out via a "ransomware as a service" (RaaS) model, in which a small group of individuals create malicious software and then distribute it to numerous users, allowing them to quickly scale up their attacks before the security flaws they exploit are addressed.
“You have an overarching group that provides everything down to the infrastructure, to lesser-capable cyber criminals, and they provide them the tools to conduct the hack,” Hussain said.
The case brought the RCMP, the FBI, the police from France, Germany, Norway, and Lithuania together with Peel Police and other agencies dealing with Hive's impact.
In response, the agencies took over Hive's website earlier this year and replaced it with a landing page bearing the logos of numerous investigative agencies. “Simply put, using lawful means, we hacked the hackers,” said U.S. Deputy Attorney General Lisa Monaco in a press conference in January.
She added that the police had found and then openly distributed decryption keys that may help anyone who had been attacked to independently recover their data or free their systems.
According to Christopher Wray, director of the FBI, these actions have prevented around $130 million in ransom from being paid. “This cut off the gas that is fueling Hive’s fire,” Wray said.
According to Hussain, the inquiry is still ongoing as the prevalence of ransomware grows. Ransomware assaults made up 11% of all cyber security incidents in 2021, according to Statistics Canada.
“There’s no end in sight to cybercrime right now,” Hussain said.
According to the DOJ, the FBI gained deep access to the Hive ransomware group in late July 2022. The infiltration prevented the group from extorting $130 million in ransom payments from more than 300 organizations.
The files of victims are encrypted by ransomware gangs using malicious software, locking them up and rendering them unavailable unless a ransom is paid to obtain a decryption key.
It is estimated that Hive and its affiliates accumulated over $100 million from more than 1,500 victims, including hospitals, school districts, financial companies and critical infrastructure, in more than 80 countries across the globe.
The FBI revealed that it collaborated with local law enforcement agencies to help victims recover from the attacks, including the UK's National Crime Agency, which says it gave around 50 UK organizations decryption keys to overcome the breaches.
On Thursday, the US announced that it had put an end to the operation by disabling Hive's websites and communication systems with the aid of police forces in Germany and the Netherlands.
Attorney General Merrick Garland stated that "Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world."
While the Equity Division had not yet been used to capture any individual connected to Hive attacks, a senior official suggested that such releases might happen soon.
In regards to the infiltrations, Deputy Attorney General Lisa O Monaco said, "simply put, using lawful means, we hacked the hackers."
Moreover, the DOJ said it would pursue those behind Hive until they were brought to justice.
"A good covert operation can degrade confidence in operational security and inject suspicion among actors,” Mandiant Threat Intelligence head John Hultquist said. "Until the group is arrested, they will never truly be gone. They will have to reconstitute, which takes time, but I'll bet they reappear in time."
A national public alert has since been released by the FBI on Monday, in collaboration with the Justice Department and the National Center for Missing and Exploited Children, and several other agencies in response to what an FBI official called a “staggering increase” in cases – 7,000 reports last year alone, according to the agencies. According to a Justice Department official, such reports led to at least 3,000 victims and more than a dozen suicides that were apparently connected to them.
A majority of offenders are based in West Africa, mainly from Nigeria and the Ivory Coast. The victims are mostly male, as per the alert.
The offenders' modus operandi included engaging with their victims via social media platforms such as Instagram and Facebook, as well as luring them onto gaming platforms.
Notably, the agencies did not announce how the individuals connected with the reports will be prosecuted.
In regards to this, a Justice Department official stated, “when it comes to these types of prosecutions, they can be quite difficult, first and foremost with identification of offenders.” Online identities are challenging to validate; they can be easily fabricated, making it more difficult and time-consuming to link them back to the original owner, he added.
The advisory was carefully scheduled to coincide with students and families getting ready for Christmas break, since "a lot of youngsters are going to be out of school at home, spending a lot of time online," the Justice Department official added.