We may not know the names of those who steal cryptocurrency from online exchanges, but we now know that most of the thefts are down to just two groups – and one of them isn’t even in it for the money alone.
A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.
Cryptocurrency exchanges are prime targets for cybercriminals. People trading Bitcoin and other virtual currencies do so using exchanges, and many tend to leave their funds in their accounts on those exchanges rather than withdrawing them to a secure account under their control. This makes it more convenient for them to to make trades quickly without having to keep redepositing funds.
Large amounts of these funds often reside in an exchange’s hot wallet, which is connected to the blockchain and therefore online. It makes exchanges prime targets for online attacks. Chainalysis, which uses forensic techniques to find connections between cryptocurrency addresses, analysed some of those thefts to find out where the funds ended up. They may not know who owns the addresses, but using its forensic techniques it can determine whether the addresses are owned by the same people.
In its Crypto Crime Report, released last week, Chainalysis found that two groups, which it calls Alpha and Beta, were responsible for stealing around $1 billion in funds from exchanges.
Each group had different endgames, the company said. Alpha is quick to route its stolen funds through a large number of addresses – up to 15,000 in some cases – to cover its tracks. On average, the group sold three quarters of its ill-gotten gains via other exchanges within a month.
The Chainalysis report describes Alpha as “a giant, tightly controlled organization partly driven by non-monetary goals.” A spokesperson told Naked Security:
There’s one key indicator that Alpha wasn’t driven entirely by monetary goals: they had an extremely high average number of transfers, and for each transfer they had to pay a fee. And when that number of transfers is in the range of 15,000 for one hack, it adds up.
Alpha’s motive seemed to have been causing chaos and confusion, according to Chainalysis, whereas Beta was all about the money. The latter group would leave coins dormant for up to 18 months before selling them, using fewer transactions to cloak its activities.
Stolen cryptocurrencies flow to other exchanges, where criminals sell them for other currencies. With exchange hacks from Blackwallet through to CoinRail plaguing the cryptocurrency space, many investors must understandably be nervous about having anything to do with cryptotrading.
One of the reasons hackers and bad actors use cryptocurrency for criminal activity is because it’s a relatively nascent technology in financial services with a reputation for anonymity.
The company hopes to work with exchanges to warn them about incoming funds from illicit addresses. It told us:
These insights, we hope, will help the industry work together to protect themselves against bad actors and ultimately build trust in cryptocurrency and help it become a more mainstream way of transferring value.
Exchange theft isn’t the only source of stolen coins. Ether, the token that operates on the smart contract-capable Ethereum blockchain, is a popular target for scammers. They tend to steal it through Ponzi schemes, fraudulent initial coin offerings (ICOs) and phishing scams. The value of stolen Ether is relatively low compared to the value of other stolen cryptocurrencies, but is still growing. It grew to $36m in 2018 from $17m in 2017, the report said.
Ethereum thefts are coming to resemble cryptocurrency exchange thefts in one key way: A small number of perpetrators seem to be responsible for some high-value heists. According to the Chainalysis report:
…the number of scams declined through 2018, although those that remained were bigger, more sophisticated, and vastly more lucrative.
Apparently in the world of cryptocurrency crime, the laws of power distribution are alive and well.
By Sophos Naked Security News