What’s the connection between cybercrime and cryptocurrencies? Perhaps it would suffice to say that the reasons for criminals adopting the cryptocoin are quite obvious. But when did this all start, and what fuels it and gets fueled in return? This blog will go over some of the historical reasons that connect cybercrime and cryptocurrency as well as examine the possible consequences of that connection.

Cybercrime’s Favorites Before Crypto

Cybercriminals and anonymized payment methods always kept a close relationship for obvious reasons. One of the most lucrative aspects of online crime is the ability to conceal one’s identity, and using cryptographic currencies is part of that overall scheme.

Historically, the connection between cybercrime and cryptocoins was not always the default. In the years before the Dark Web emerged, when fraudsters mostly congregated on IRC channels and in underground forums, that relationship was backed up by other means. From prepaid payment cards to alternative goods, such as stored value cards or even loyalty points and air miles, fraudsters flocked to platforms that allowed users to identify themselves only by digital means, without demanding any solid proof of identity or verifying it, for that matter.

Over the years, these platforms gradually became less lucrative to the cybercrime crowd for two major reasons.

1. They Received Scrutiny From Law Enforcement and Were Forced to Change Their Ways or Suffer the Consequences.

One such case was WebMoney, which was a payment platform established in Moscow in 1998. Unlike competing platforms at the time, WebMoney (WMZ) did not require connection to a bank account or credit card. Although it was an inherently legitimate business, it attracted cybercriminals who used it as their top cash and credit exchange platform. In 2013, the Ukrainian government accused WebMoney of illicit activity and seized $7.5 million in WebMoney-linked companies’ bank accounts, as well as computer systems used for the operation of the platform.

WebMoney had to clean up its platform, which it did. It rose above its past issues to become a banking partner and active global exchange platform to this very day.

2. Popular Platforms Were Shut Down by Law Enforcement.

One of the most publicized cases of a platform shutdown was that of Liberty Reserve, the exchange platform that became the de facto standard in cybercrime forums until it was investigated by law enforcement, found to have laundered $6 billion, and shut down indefinitely in 2013. Preet Bharara, the then U.S. attorney for the Southern District of New York who charged the case, said that the organization became the “bank of choice for the criminal underworld.”

The same fate befell other players such as e-Gold, which was another very popular exchange platform cybercriminals favored.

The reaction in the underground world was to quickly turn to another, similar platform called PerfectMoney. But that did not last, possibly because of its similarity to the previously failed Liberty Reserve.

It was around that time that the cryptocurrency connection, especially with bitcoin, gained a foothold in the cybercrime arena — not because it had any connection to illicit activity, but because of its inherent ability to keep users anonymous while providing monetary value.

Together at Last?

Although some cybercriminals started adopting bitcoin as their preferred payment method earlier on, it was the 2013 shutdown of Liberty Reserve that marked the end of an era and saw practically every illicit service and commodity peddler move to exchange money via a bitcoin wallet.

Seeing the rising value of cryptocurrency in the underground, banking Trojans that used to solely focus on bank websites then started to either covertly mine bitcoin, steal wallets or both on the infected endpoints they managed to control.

As the value of the currency continued rising in the legitimate world, it also increased the affinity of cybercriminals for the cryptocoin and for other coins that came after it. At the time of this writing, the bitcoin exchange rate to U.S. dollars is at $3,961 per coin. This number is only one point in the historical rise for bitcoin, which has kept a steady upward movement in the past three years, even after facing many trials and tribulations, such as hacks, theft, internal divergence and a ton of new competition.

This bitcoin price history chart illustrates the continued rise, and shows that the liftoff began in 2013.


Figure 1: Bitcoin price history chart from August 2010 to September 2017 (Source: Buy Bitcoin Worldwide)

What Other Phenomenon Has Taken Off Since 2013?

While these changes started taking shape starting 2013, another phenomenon was about to explode, linking the world of cybercrime and cryptocurrency even more tightly together: cryptoransomware!

Ransomware itself is a very old threat. Its first in-the-wild occurrence dates back to 1989, when a malicious locker was distributed to people on a floppy disk. But the phenomenon took time to gain speed, mainly because criminals had a hard time collecting money for their misdoings in a way that would not expose their true identity. For many years, fake applications and fake screen lockers demanded payment in prepaid vouchers. While that endeavor was somewhat profitable, it never reached notable magnitude.

It might have taken some time for cybercriminals to catch on to the bitcoin hype, but only because it was not worth enough just yet. In 2010, bitcoin never crossed $1 per coin, and its status was still too unclear, as were the exchange options.

All that changed when cryptoransomware entered the playing field in 2013 with the ability to encrypt data with strong ciphers using symmetric or asymmetric encryption, and sometimes using both. From the get-go, cryptoransomware fittingly relied on cryptocurrency to fuel its development, distribution and deployment across the globe, gaining unprecedented momentum in no time.

By 2015, a single cryptoransomware gang, CryptoWall 3.0, had been tied to more than $325 million in losses from infected victims who ended up buying bitcoin and paying the criminals to get their data back. By 2016, ransomware was the malicious deliverable in up to 63 percent of spam emails sent worldwide. The FBI estimated ransomware losses to reach $1 billion by the end of 2016.

With the advancement of bitcoin, the rise of cryptoransomware became no less than a gold rush in its own right. Nowadays, ransomware codes are available as open source, can be bought in Dark Web markets for under $100, and some are even operated by organized cybergangs.

By 2017, the world saw ransomware debilitate organizations, critical infrastructure and health care systems across the globe with new capabilities and flash distribution that leveraged nation-state-level tools.

Throughout all these attacks, the demands had one thing in common: Attackers wanted the ransom in bitcoin or another cryptocurrency, yet again tightening the link between cryptocurrency and illicit business.

Cybergangs’ Appetite for Cryptocoins Keeps Growing

Cryptocurrency does not only attract ransomware operators, of course. The major financial fraud players in the cybercrime arena are happy to steal coins. To do that, various malware operators have incorporated the URLs of cryptocurrency exchange platforms into their malware’s target lists.

That way, when an infected victim browses to an exchange platform, the malware goes into the same type of action it would perform when the target accesses a bank account: Redirect the user to a phishing page, manipulate what he or she sees on the screen, steal the access credentials, and take over the cryptowallet to empty it. Some names that come to mind from that grade of banking Trojans are Dridex, TrickBot and Zeus Sphinx, all of which target popular coin exchange platforms.

That being said, a ton of other, less sophisticated malware, both past and present, goes after cryptocurrency, mostly by making infected endpoints mine coins. That endeavor is quite resource-heavy on any normal endpoint and is bound to cause the user to eventually clean their PC due to slow performance. One recent occurrence even had a browser extension forcing website visitors to mine Monero coins for Pirate Bay without users knowing about it or opting in.

On the enterprise front, IBM X-Force has recently noted a major hike in coin-mining malware hitting corporate networks, designed to enslave endpoints into benefiting the criminals who operate these codes.
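The mining behavior described in the two paragraphs above leaves a footprint that defenders can look for: a process that pins the CPU for a long stretch, sometimes a browser process (as in the in-browser Monero case), and sometimes outbound traffic to a mining pool. The following is an added example, not code from IBM X-Force or from this post, of a small detection pass over constructed endpoint telemetry. The log format, the host and process names, the `MINING_POOL_HOSTS` placeholder list and the thresholds are all assumptions made for the example; in practice the pool list would come from your own threat-intelligence feed.

```python
import re
from collections import defaultdict

# Constructed per-process CPU samples (not real logs), one minute apart.
CPU_SAMPLES = """\
2017-09-21T10:00:00Z host=ws-17 pid=4120 proc=chrome.exe cpu=96
2017-09-21T10:00:00Z host=ws-17 pid=2210 proc=outlook.exe cpu=12
2017-09-21T10:01:00Z host=ws-17 pid=4120 proc=chrome.exe cpu=98
2017-09-21T10:01:00Z host=ws-17 pid=2210 proc=outlook.exe cpu=91
2017-09-21T10:02:00Z host=ws-17 pid=4120 proc=chrome.exe cpu=97
2017-09-21T10:02:00Z host=ws-17 pid=2210 proc=outlook.exe cpu=8
2017-09-21T10:03:00Z host=ws-17 pid=4120 proc=chrome.exe cpu=99
2017-09-21T10:04:00Z host=ws-17 pid=4120 proc=chrome.exe cpu=95
2017-09-21T10:00:00Z host=ws-22 pid=3301 proc=updater.exe cpu=94
2017-09-21T10:01:00Z host=ws-22 pid=3301 proc=updater.exe cpu=93
2017-09-21T10:02:00Z host=ws-22 pid=3301 proc=updater.exe cpu=92
2017-09-21T10:03:00Z host=ws-22 pid=3301 proc=updater.exe cpu=96
2017-09-21T10:04:00Z host=ws-22 pid=3301 proc=updater.exe cpu=97
"""

# Constructed outbound-connection records from the same endpoints.
CONNECTIONS = """\
2017-09-21T10:00:30Z host=ws-17 pid=4120 dst=cdn.example.net:443
2017-09-21T10:00:40Z host=ws-22 pid=3301 dst=pool.placeholder.example:3333
"""

# Placeholder standing in for an organisation's threat-intel list of pool hosts.
MINING_POOL_HOSTS = {"pool.placeholder.example"}
# Browser processes: sustained CPU here suggests an in-browser miner.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(lines):
    """Turn 'timestamp key=value ...' lines into dicts (timestamp under 'ts')."""
    records = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = dict(KV_RE.findall(rest))
        rec["ts"] = ts
        records.append(rec)
    return records


def sustained_cpu(samples, threshold=90, min_consecutive=4):
    """Return {(host, pid): proc} for processes whose CPU stayed at or above
    `threshold` for at least `min_consecutive` consecutive samples."""
    by_proc = defaultdict(list)
    for r in samples:
        by_proc[(r["host"], r["pid"], r["proc"])].append((r["ts"], int(r["cpu"])))
    hits = {}
    for (host, pid, proc), seq in by_proc.items():
        seq.sort()  # time order; a dip resets the run
        run = best = 0
        for _, cpu in seq:
            run = run + 1 if cpu >= threshold else 0
            best = max(best, run)
        if best >= min_consecutive:
            hits[(host, pid)] = proc
    return hits


def classify(cpu_lines, conn_lines):
    """Combine the CPU signal with pool contacts into graded findings."""
    hits = sustained_cpu(parse(cpu_lines))
    pool_contacts = {
        (r["host"], r["pid"]) for r in parse(conn_lines)
        if r["dst"].rsplit(":", 1)[0] in MINING_POOL_HOSTS
    }
    findings = {}
    for key, proc in hits.items():
        if key in pool_contacts:
            findings[key] = ("high", f"{proc}: sustained CPU plus mining-pool contact")
        elif proc in BROWSERS:
            findings[key] = ("medium", f"{proc}: sustained CPU in a browser, possible in-browser miner")
        else:
            findings[key] = ("low", f"{proc}: sustained CPU, review process origin")
    return findings


if __name__ == "__main__":
    for (host, pid), (severity, why) in sorted(classify(CPU_SAMPLES, CONNECTIONS).items()):
        print(f"[{severity}] {host} pid {pid}: {why}")
```

Running it flags the browser on ws-17 as a medium-confidence in-browser miner (no pool contact seen) and the updater on ws-22 as high confidence, while the mail client's single CPU spike is ignored because the run resets. The consecutive-sample rule is what keeps ordinary bursty workloads out of the alert queue.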

After stealing or illicitly mining coins, attackers aim to anonymize them even more. Stolen coins are moved to coin mixers, which are services that will pass them in bits and pieces through many other wallets, making the trace much harder or virtually impossible.

What’s Next for the Cybercrime-Cryptocurrency Connection?

With immense development and adoption of cryptocurrency and its decentralized nature, the cryptocoin is here to stay.

The more the value of different coins rises, the more lucrative they become to both everyday people and those who value their anonymity. Unfortunately, the top anonymity seekers are people with dubious business and intent, which can tie a perpetual bond between cybercrime and cryptocurrency.

Can that bond be severed? Can cryptocurrencies be adapted to the everyday user, affording them relative anonymity all while removing that mask in cases of suspected crime? Would we be delving into the same old pool of privacy and surveillance by going that route?

Perhaps. The way things stand at this time, cryptocurrency users are not entirely untraceable due to the nature of the blockchain concept that makes every movement trackable to an extent. As FBI Assistant General Counsel Brett Nigh said in September 2015, “investigators can follow the money” in the world of bitcoin.
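The two points made above, that mixers pass stolen coins "in bits and pieces through many other wallets" and that investigators can nonetheless "follow the money", can be seen on a small ledger. The following is an added example, not code from this post or from any chain-analysis product, written over a constructed transaction list rather than real blockchain data. It applies two standard tracing ideas: haircut tainting, which tracks what fraction of the coins at each address originated from the victim, and the common-input-ownership heuristic, which assumes addresses spent together in one transaction are controlled by the same party. Address names, amounts and the address-level (rather than per-output) bookkeeping are simplifications made for the example.

```python
from collections import defaultdict, deque

# Constructed sample ledger, not real blockchain data. Each entry is
# (txid, inputs, outputs) where inputs/outputs are lists of (address, amount).
LEDGER = [
    ("tx1", [("victim", 10.0)], [("thief", 10.0)]),
    # a mixer-style split of the stolen 10 coins across several wallets
    ("tx2", [("thief", 10.0)], [("mix_a", 4.0), ("mix_b", 3.5), ("mix_c", 2.5)]),
    # one branch is co-spent with clean coins to dilute the trail
    ("tx3", [("mix_a", 4.0), ("clean_1", 1.0)], [("hop_1", 5.0)]),
    ("tx4", [("mix_b", 3.5)], [("hop_2", 3.5)]),
    ("tx5", [("mix_c", 2.5)], [("hop_3", 2.5)]),
    # the branches re-converge at a cash-out address
    ("tx6", [("hop_1", 5.0), ("hop_2", 3.5)], [("cashout", 8.5)]),
    ("tx7", [("hop_3", 2.5)], [("cashout", 2.5)]),
    # unrelated activity that must never be linked to the theft
    ("tx8", [("clean_2", 7.0)], [("other", 7.0)]),
]


def forward_reachable(ledger, source):
    """Addresses that received funds traceable by any path from `source`."""
    edges = defaultdict(set)
    for _txid, inputs, outputs in ledger:
        for in_addr, _ in inputs:
            for out_addr, _ in outputs:
                edges[in_addr].add(out_addr)
    seen, queue = set(), deque([source])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def haircut_taint(ledger, source):
    """Haircut tainting: for every receiving address, (tainted coins, fraction of
    received coins that originated at `source`). Transactions are processed in
    ledger order; mixing with clean coins dilutes the fraction but never zeroes it.
    Simplification: taint is averaged per address rather than tracked per output."""
    received = defaultdict(float)
    tainted = defaultdict(float)

    def taint_of(addr):
        if addr == source:
            return 1.0
        return tainted[addr] / received[addr] if received[addr] else 0.0

    for _txid, inputs, outputs in ledger:
        total_in = sum(amt for _, amt in inputs)
        tainted_in = sum(amt * taint_of(addr) for addr, amt in inputs)
        frac = tainted_in / total_in if total_in else 0.0
        for addr, amt in outputs:
            received[addr] += amt
            tainted[addr] += amt * frac
    return {addr: (tainted[addr], taint_of(addr)) for addr in received}


def common_input_clusters(ledger):
    """Common-input-ownership heuristic via union-find: addresses spent together
    in one transaction are grouped. Returns address -> cluster representative."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for _txid, inputs, outputs in ledger:
        for addr, _ in outputs:
            find(addr)  # register receive-only addresses as singletons
        root = find(inputs[0][0])
        for addr, _ in inputs[1:]:
            parent[find(addr)] = root
    return {a: find(a) for a in list(parent)}


if __name__ == "__main__":
    print("reachable from victim:", sorted(forward_reachable(LEDGER, "victim")))
    for addr, (amount, frac) in haircut_taint(LEDGER, "victim").items():
        print(f"{addr:>8}: {amount:5.2f} tainted coins ({frac:.0%} of received)")
    clusters = defaultdict(set)
    for addr, rep in common_input_clusters(LEDGER).items():
        clusters[rep].add(addr)
    print("co-spend clusters:", [sorted(c) for c in clusters.values() if len(c) > 1])
```

On this ledger all ten stolen coins still arrive at the cash-out address, diluted only to 10/11 of what it received, and the co-spend heuristic ties the mixer branch to the clean coins it was blended with (mix_a with clean_1) and the two re-converging hops to each other. That is the sense in which the trail gets harder but not impossible to follow; real analysis additionally has to cope with exchange hot wallets and change outputs, which this example leaves out.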

One thing that’s absolutely sure about crypto is that nothing is sure about crypto.

No one can really tell now how it will evolve and how eventual associations to the everyday banking systems will end up tying it to regulations and reporting obligations. Meanwhile, these currencies continue to generate interest among consumers, startup entrepreneurs and businesses from all walks of life. Not only do they give rise to the creation of new coins, new options and new rising exchange platforms to accommodate the traffic of cash to and from those crypto systems, but they are also changing the face of fintech as we know it.

Just as cybercrime’s roots are in the same social phenomena that have been plaguing humanity since the dawn of days, the same trends are applicable to the underworld of online crimes, where different currencies are the top choice for ill-doers of the web. That is likely to remain the same.

One thing that can be done to limit the effect of cybercrime taking place on legitimate infrastructure is to develop the blockchain to provide additional details on each transaction, which would keep users anonymous to one another but not necessarily completely masked. That’s bound to make cryptocurrencies lose most of their luster for cybercriminals and drive many out of that realm.
