Group-IB: each ICO faces over 100 attacks on average

Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud, has analyzed the basic information security risks for the cryptoindustry and compiled a rating of key threats to an ICO (initial coin offering). The key conclusions of the Group-IB analysis are: on average, over 100 attacks are conducted on each ICO; the vector of attacks has ‘socialized’; and criminals are increasingly using modified Trojans that were previously used for thefts from banks.

After analyzing about 450 attacks on ICO projects all over the world, Group-IB specialists came to the conclusion that most problems lie in the vulnerability of cryptoservices using blockchain technology. According to Group-IB, on average, each ICO is attacked about 100 times within a month. Such attacks include phishing, defacement, and DDoS, as well as targeted attacks aimed at compromising secret keys and seizing control of accounts. Group-IB experts calculated that, during the year, the total volume of attacks on each ICO increased almost tenfold.

In most cases, ICO projects face phishing, defacement of websites, compromise of administrators’ accounts (Slack, Telegram), as well as vulnerabilities in their own smart contracts. DDoS attacks, generally used in combination with phishing websites, also remain dangerous. Inaccessibility of the main project platform allows criminals to redirect investors to fake websites. Moreover, there have been cases in which hackers extorted money to stop their attacks. Most projects configure their anti-DDoS protection incorrectly. At the same time, almost every ICO project is subject to DDoS attacks. In spite of the fact that such attacks require quite a strong technological background, such services are available on the black market. As for phishing, in many cases criminals don’t even need deep technical skills to arrange such an attack. Most attacks use traditional and well-proven techniques, which are also very effective in stealing cryptocurrency from end users. Most projects underestimate cybersecurity risks, which results in the snowballing growth of threats and successful thefts.

Ruslan Yusufov

Director of private client services, Group-IB.

Most dangerous: ranking of threats to the crypto industry

While summing up a year of protecting projects with cryptocurrencies, Group-IB experts compiled a rating of the most dangerous threats to the industry.

I. Phishing. This type of fraud is still the most dangerous threat. It accounts for over 50% of all money stolen. According to Group-IB, a large phishing group steals from $30,000 to $1,500,000 per month. Criminals build complex multistep schemes involving all possible channels of influence on the community. This market is now interesting to criminals who only yesterday monetized their illegal activities with banking Trojans and are now updating their tools to focus on cryptocurrencies. They threaten not only ICO projects, but also traders, crypto enthusiasts and other cryptocurrency owners.

II. Defacement or targeted attacks. Errors in the configuration of web application servers, compromise of hosting passwords, or the use of vulnerable software are the most common reasons hacking occurs. Attackers replace the addresses of wallets used for fundraising. In contrast to phishing, such attacks use the project’s real website with fake wallet addresses. For instance, investment portfolio management platform CoinDash lost about $7,500,000 in the first 3 minutes of its ICO after its website was hacked.
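The defacement pattern described above (the project’s own page kept intact, only the fundraising wallet address swapped) can be caught by continuously comparing the addresses visible on the live page against the set the project actually controls. The following is an added example written for this article, not Group-IB’s code or tooling: it extracts Ethereum-style and legacy Bitcoin-style addresses from page HTML and reports any address that is not on the expected list (a substitution) or an expected address that has disappeared. The HTML samples, wallet addresses, and function names are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the fundraising page as the project published it.
BASELINE_HTML = """
<html><body>
<h1>Constructed ICO page (sample)</h1>
<p>Send ETH to: <code>0x1111111111111111111111111111111111111111</code></p>
<p>Send BTC to: <code>1ConstructedSampBTCaddrAAAAAAAAAA</code></p>
</body></html>
"""

# Constructed sample: the same page after a defacement that swaps the ETH address.
DEFACED_HTML = BASELINE_HTML.replace(
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
)

# Address patterns: Ethereum (0x + 40 hex digits) and legacy Bitcoin base58
# (prefix 1 or 3, base58 alphabet, 26-35 characters in total).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def normalize(address):
    # Ethereum addresses may be rendered in EIP-55 mixed case; compare them
    # case-insensitively so a checksum-cased copy is not flagged as a swap.
    return address.lower() if address.startswith("0x") else address


def extract_addresses(html):
    """Return the set of (normalized) wallet addresses found in the page."""
    found = set(ETH_RE.findall(html)) | set(BTC_RE.findall(html))
    return {normalize(a) for a in found}


@dataclass(frozen=True)
class Finding:
    unexpected: frozenset  # addresses on the page that the project does not own
    missing: frozenset     # project addresses that are no longer on the page

    def ok(self):
        return not self.unexpected and not self.missing


def check_page(html, expected_addresses):
    """Compare the addresses on a fetched page against the project's allowlist."""
    expected = {normalize(a) for a in expected_addresses}
    found = extract_addresses(html)
    return Finding(frozenset(found - expected), frozenset(expected - found))


if __name__ == "__main__":
    # In production the HTML would be fetched from the live site on a schedule
    # and the allowlist kept out-of-band, separate from the web host.
    allowlist = {
        "0x1111111111111111111111111111111111111111",
        "1ConstructedSampBTCaddrAAAAAAAAAA",
    }
    for label, html in (("baseline", BASELINE_HTML), ("defaced", DEFACED_HTML)):
        result = check_page(html, allowlist)
        print(label, "OK" if result.ok() else f"ALERT {result}")
```

Keeping the allowlist and the monitor on infrastructure separate from the web host matters: an attacker who has the hosting password (one of the causes named above) can change both the page and any check that runs on the same server.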

III. ‘Social-vector’ attacks. According to Group-IB, this category includes attacks on project members and stealing coins from community members via social networks, thematic forums and media resources. In the final months of 2017 and early 2018, Group-IB specialists recorded an outbreak of fraud on social media, where criminals use well-known social engineering techniques (messages from “security teams of cryptocurrency services,” notifications of prizes in coins, invitations to take part in important community activities, etc.). Group-IB experts note increased criminal interest in ICOs that have not been announced yet, but have ‘hype potential’ (the most obvious example is the expected ICO of Telegram).

Attack tools

Group-IB experts have confirmed the forecasts they made at the industry conference CyberCrimeCon’2017: due to the hype around blockchain and cryptocurrencies, cybercriminals have started to pay increased attention to them. The last year saw dozens of successful major attacks on cryptocurrency services, which showed that the criminals have adapted patterns of attack on banks and used the same tools to hack cryptocurrency exchanges and wallets and make attacks on users. Some banking Trojans — TrickBot, Vawtrak, Qadars, Triba, Marcher — have been retargeted at users of cryptocurrency wallets. “Throughout the last year, we saw examples of adaptation of hacker tools to the crypto industry,” comments Ilya Obushenko, security expert at Group-IB. “The banking Trojan TrickBot obtained additional features for stealing money from accounts in Coinbase as early as in August 2017. Features for attacks on cryptowallets have also been added to another banking Trojan – Tinba. CryptoShuffler replaces wallet addresses in the i/o buffer, Quant Trojan provides attackers with information about access to cryptowallets found in user devices, and an Android bot called Red Alert replaces authorization pages of exchange websites and cloud wallets in victims’ browsers.”

What should startups prepare for in 2018: 4 vectors of threats to cryptocurrency projects in 2018

The Group-IB experts come to discouraging conclusions: the number and frequency of attacks on cryptocurrency projects (exchanges, wallets, funds) will grow. The growth of cryptocurrency exchange rates is attracting more and more criminals to the segment. Based on data from their own projects and a study of international practices, company specialists forecast the following vectors in the development of threats to cryptocurrency projects:

  • Phishing schemes using cryptobrands will become more complex. The level of preparation for phishing attacks will also grow, and the automation of phishing and the use of ready-made phishing kits for attacks on ICOs will become more and more widespread.
  • Social vectors of attacks will develop. Hackers will more and more often set their sights on the founders and members of project teams and communities.
  • The number of coin thefts will increase. Market participants announcing cryptocurrency trading are already being shortlisted by criminals. Various forms of fraud on social media, focused on cryptocurrency owners and allegedly implemented on behalf of platform developers, are gaining momentum.
  • Android Trojans will attack cryptocurrency owners. The techniques used to identify and gain access to cryptowallet owners will be identical to those used for cyberattacks on bank accounts. Hackers will most likely adapt Android banking Trojans.

Group-IB in global EY research

In EY’s December research, Initial coin offerings (ICOs), EY analysts specified the top 3 countries in the field of ICO in the world. The champion in this area is the USA, where this tool has been used to raise over $1 billion, while Russia and China follow, with $452 million and $310 million, respectively. As part of the research, Group-IB specialists were involved in an analysis of cyber threats connected with ICOs. Partners analyzed 372 ICOs all over the world. The analysis was based on data obtained from public sources, exchanges, data aggregators, ICO reports, ICO trackers, news websites, blockchain networks and platforms, as well as mass media. In the end, the analysts came to the conclusion that almost $400 million of the $3.7 billion raised was stolen or lost.

General conclusion: hackers consider ICO projects easy money, while this business model is raising billions of dollars. According to the report, some projects raised $300,000 per second in an ICO.

Group-IB’s 5 facts about ICO protection:

  1. Group-IB started to defend crypto industry companies in September 2017 and has protected one in every ten dollars raised for ICOs as part of the projects it has implemented.
  2. Blackmoon Crypto, a one‑stop solution for asset managers to create and manage tokenized funds, successfully secured $30,000,000 in ICO with a comprehensive cyber risk management program and phishing protection from Group-IB.
  3. Group-IB protected the BANKEX ICO (which raised $77 million); BANKEX is one of the 50 leading fintech startups in the world, with technologies allowing the creation of smart assets for a new generation of decentralized capital markets.
  4. The Group-IB team protected ICOs totaling about $300 million in 4 months last year.
  5. At present, Group-IB is successfully protecting ICO projects in Russia and on the international market.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.