Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud, has analyzed the basic information security risks for the crypto industry and compiled a rating of the key threats to an ICO (initial coin offering). The key conclusions of the Group-IB analysis are: on average, over 100 attacks are conducted against a single ICO; the vector of attacks has ‘socialized’; and criminals are increasingly using modified Trojans that were previously used for theft from banks.
After analyzing about 450 attacks on ICO projects all over the world, Group-IB specialists concluded that most problems lie in the vulnerability of crypto services built on blockchain technology. According to Group-IB, each ICO is attacked about 100 times on average within a month. Such attacks include phishing, defacement and DDoS, as well as targeted attacks aimed at compromising private keys and taking control of accounts. Group-IB experts calculated that, over the year, the total volume of attacks on each ICO increased almost tenfold.
Most dangerous: ranking of threats to the crypto industry
While summing up a year of protecting projects with cryptocurrencies, Group-IB experts compiled a rating of the most dangerous threats to the industry.
I. Phishing. This type of fraud is still the most dangerous threat. It accounts for over 50% of all money stolen. According to Group-IB, a large phishing group steals from $30,000 to $1,500,000 per month. Criminals build complex multistep schemes involving every available channel of influence on the community. This market is now attractive to criminals who only yesterday monetized their illegal activities with banking Trojans and are now updating their tools to focus on cryptocurrencies. They threaten not only ICO projects, but also traders, crypto enthusiasts and other cryptocurrency owners.
II. Deface or targeted attacks. Misconfigured web application servers, compromised hosting passwords and vulnerable software are the most common causes of these compromises. Attackers replace the addresses of the wallets used for fundraising. In contrast to phishing, such attacks use the project's real web addresses with fake wallet addresses. For instance, the investment portfolio management platform CoinDash lost about $7,500,000 in the first 3 minutes of its ICO after its website was hacked.
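As an added example (not Group-IB's code or tooling), the check below detects the wallet-address swap described above by comparing every Ethereum-style address found on a snapshot of the fundraising page against an approved allowlist; the HTML and the addresses are constructed for illustration.

```python
"""Defacement check for an ICO fundraising page (added example, not Group-IB code).

Defacers swap the wallet address shown to investors while leaving the rest of
the page intact. This monitor extracts every Ethereum-style address from a
snapshot of the published page and compares it with an approved allowlist, so
any substitution surfaces as an alert. Sample HTML and addresses are constructed.
"""
import re
from dataclasses import dataclass, field

# Ethereum-style address: "0x" followed by exactly 40 hex digits.
ETH_ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


@dataclass
class CheckResult:
    unexpected: set = field(default_factory=set)  # addresses shown but not approved
    missing: set = field(default_factory=set)     # approved addresses no longer shown

    @property
    def ok(self) -> bool:
        return not self.unexpected and not self.missing


def find_wallet_addresses(html: str) -> set:
    """Return the set of Ethereum-style addresses found in a page body (lower-cased)."""
    return {m.group(0).lower() for m in ETH_ADDRESS_RE.finditer(html)}


def check_page(html: str, approved: set) -> CheckResult:
    """Compare the addresses on the page with the approved allowlist."""
    approved = {a.lower() for a in approved}
    found = find_wallet_addresses(html)
    return CheckResult(unexpected=found - approved, missing=approved - found)


# Constructed sample data: an approved fundraising address, a page that shows it,
# and a tampered copy of the page where the address has been swapped.
APPROVED = {"0x" + "ab" * 20}
CLEAN_PAGE = f'<p>Send ETH to <code>{"0x" + "AB" * 20}</code></p>'
DEFACED_PAGE = CLEAN_PAGE.replace("AB" * 20, "ef" * 20)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("defaced", DEFACED_PAGE)):
        result = check_page(page, APPROVED)
        status = "OK" if result.ok else f"ALERT unexpected={result.unexpected} missing={result.missing}"
        print(name, status)
```

Run it periodically against a fresh fetch of the live page; a non-empty `unexpected` set is the signal to take the page down before investors send funds.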
III. ‘Social-vector’ attacks. According to Group-IB, this category covers attacks on project team members and the theft of coins from community members via social networks, thematic forums and media resources. In the final months of 2017 and early 2018, Group-IB specialists recorded an outbreak of fraud on social media, where criminals use well-known social engineering techniques (messages from “security teams of cryptocurrency services,” notifications of prizes in coins, invitations to take part in important community activities, etc.). Group-IB experts note increased criminal interest in ICOs that have not been announced yet but have ‘hype potential’ (the most obvious example is the expected ICO of Telegram).
Group-IB experts have confirmed the forecasts they made at the industry conference CyberCrimeCon’2017: because of the hype around blockchain and cryptocurrencies, cybercriminals have started to pay increased attention to them. The last year saw dozens of successful major attacks on cryptocurrency services, which showed that criminals have adapted their patterns of attack on banks and used the same tools to hack cryptocurrency exchanges and wallets and to attack users. Some banking Trojans — TrickBot, Vawtrak, Qadars, Triba, Marcher — have been retargeted at users of cryptocurrency wallets. “Throughout the last year, we saw examples of adaptation of hacker tools to the crypto industry,” comments Ilya Obushenko, security expert at Group-IB. “The banking Trojan TrickBot obtained additional features for stealing money from accounts in Coinbase as early as August 2017. Features for attacks on cryptowallets have also been added to another banking Trojan, Tinba. CryptoShuffler replaces wallet addresses in the i/o buffer, the Quant Trojan provides attackers with information about access to cryptowallets found on user devices, and an Android bot called Red Alert replaces the authorization pages of exchange websites and cloud wallets in victims’ browsers.”
What should startups prepare for in 2018: 4 threat vectors for cryptocurrency projects
Group-IB experts come to discouraging conclusions: the number and frequency of attacks on cryptocurrency projects (exchanges, wallets, funds) will grow. Rising cryptocurrency exchange rates are attracting more and more criminals to the segment. Based on data from their own projects and a study of international practice, company specialists forecast the following directions in the development of threats to cryptocurrency projects:
- Phishing schemes using crypto brands will become more complex. The level of preparation for phishing attacks will also grow, and the automation of phishing and the use of ready-made phishing kits for attacks on ICOs will become more and more widespread.
- Social attack vectors will develop. Hackers will more and more often set their sights on the founders and members of project teams and communities.
- The number of coin thefts will increase. Market participants announcing cryptocurrency trading are already being shortlisted by criminals. Various forms of fraud on social media, aimed at cryptocurrency owners and allegedly carried out on behalf of platform developers, are gaining momentum.
- Android Trojans will attack cryptocurrency owners. The techniques used to identify cryptowallet owners and gain access to their wallets will be identical to those used for cyberattacks on bank accounts. Hackers will most likely adapt Android banking Trojans.
Group-IB in global EY research
In its December research report on initial coin offerings (ICOs), EY analysts identified the top 3 countries in the ICO field worldwide. The leader is the USA, where this instrument has been used to raise over $1 billion, followed by Russia and China with $452 million and $310 million, respectively. As part of the research, Group-IB specialists were involved in an analysis of the cyber threats connected with ICOs. The partners analyzed 372 ICOs all over the world. The analysis was based on data obtained from public sources, exchanges, data aggregators, ICO reports, ICO trackers, news websites, blockchain networks and platforms, as well as mass media. In the end, the analysts concluded that almost $400 million of the $3.7 billion raised was stolen or lost.
General conclusion: hackers consider ICO projects easy money, while this business model is raising billions of dollars. According to the report, some projects raised $300,000 per second during an ICO.
Group-IB’s 5 facts about ICO protection:
- Group-IB started to defend crypto industry companies in September 2017 and has protected one in every ten dollars raised in ICOs as part of the projects it has implemented.
- Blackmoon Crypto, a one‑stop solution for asset managers to create and manage tokenized funds, successfully secured $30,000,000 in its ICO with a comprehensive cyber risk management program and phishing protection from Group-IB.
- Group-IB protected the BANKEX ICO (which raised $77 million); BANKEX is one of the 50 leading fintech startups in the world, with technologies allowing the creation of smart assets for a new generation of decentralized capital markets.
- The Group-IB team protected ICOs totaling about $300 million in 4 months last year.
- At present, Group-IB is successfully protecting ICO projects in Russia and on the international market.