Crypto Malware - An Increasing Threat?

by Ahmet Hrnjadovic

Keypoints

This is how Crypto Malware works

  • Crypto prices are currently steadily rising
  • Mining malware becomes more profitable
  • The security status and business value of a host is largely irrelevant for hackers spreading mining malware
  • Laundering tainted crypto poses new challenges compared to laundering fiat

With government money printers going brrr extra hard during the Covid-19 pandemic, people are newly reminded of the fraud that is fiat. The latest crypto bull run is creating fear of missing out among malware peddlers as well. Brace yourself for the next round of mining malware and crypto ransomware.

The last crypto bull run in 2017 saw an increase in the utility of crypto currency for malicious actors. Coins of popular crypto currencies come into existence through so-called mining. The mining process requires computational power. Mining allows a compromised machine to turn a profit regardless of who it belongs to and what its business function is. There is no specific need to target security-critical, well-protected hosts, and no further movement in the network of a compromised host is required, creating a low barrier to entry for hackers seeking to generate mining profits. Otherwise unattractive hosts running old, unpatched software and handling data that is “boring” from a hacker’s perspective can become worth compromising as crypto prices rise.

Another way to obtain coins is through extortion. Possible ways to gain leverage over a person or company are to obtain sensitive information which they need to keep confidential or to threaten business-critical infrastructure. Examples of suitable attack angles on infrastructure include wide-scale encryption of data or classical network-based denial of service.

How it Works

When a miner mines a valid block, they receive a block reward. The block prepared by a miner contains the miner’s address, to which the block reward will be sent. Small miners do not have the resources to reliably mine blocks on their own. That’s why they join mining pools, which distribute received block rewards to the participants based on their contribution.

In the case of extortion, the victim is given an address to which to send crypto funds. In the past, the acts of obtaining and sending crypto, with all their unknowns and difficulties, posed a significant obstacle to people and companies alike. As with purchases of any kind, the easier it is to pull the trigger and conclude a payment, the more likely a person is to make a purchase. This is purely a UX problem, and the UX is continuously improving. Nowadays it is fairly straightforward to obtain the crypto funds needed to pay a ransom.

Countermeasures

Assuming the attacker’s leverage is too great to not pay the ransom, or the illegal mining operation has already been ongoing for quite some time, what options present themselves to entities such as law enforcement after a transaction has taken place? One possibility is to follow the money. Bitcoin, for example, is very transparent when it comes to transaction flow. The sender, recipient and amount of all Bitcoin transactions are publicly available in the blockchain. Thus, any Bitcoin transaction can be traced if either the sender or recipient address is known. In the case of extortion, the address is of course known. If mining malware is used, it can be reverse engineered to find the address to which mined Bitcoin are sent. If the address belongs to a mining pool, the pool can be pressured to reveal the payout address of the people who registered the machines found to be running the mining malware. It may not be possible to link the address where the illegally obtained Bitcoin accumulated to the people controlling it. A Bitcoin address is essentially a public/private key pair. The public key does not inherently divulge any information about the holder of the private key, i.e. the person who controls the Bitcoin at that address.

At some point, actors will want to use their crypto coins in real-world purchases. If, for example, a car is purchased with the tainted Bitcoin, the Bitcoin transaction is visible on the blockchain. Whoever picks up the car, or whoever it is delivered to, will at the very least be placed under great suspicion by law enforcement.

Purchasing goods directly in crypto is not widely possible yet, so for the time being, a conversion to fiat needs to take place. Various challenges can arise after converting crypto to government-controlled money and these are outside of this article’s scope. The conversion can be done with anyone who wants to purchase crypto for fiat, but commonly takes place on centralized crypto exchanges. These provide a marketplace where buyers and sellers meet and support even fairly large volumes. The daily trade volume of a top 5 crypto exchange ranges between 1 and 3 billion USD. To trade on a centralized crypto exchange, the crypto needs to be transferred to an exchange-controlled address, i.e. the owner loses custody of his crypto. The exchange is a choke point on which law enforcement can exert pressure for funds to be seized. Furthermore, trading significant amounts requires prior user identification, also called KYC (Know Your Customer).
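The follow-the-money idea and the exchange choke point described above can be sketched in a few lines. This is an added example, not code from the original article: it runs over a constructed, address-level ledger (real Bitcoin transactions have multiple inputs and outputs) and uses the proportional ("haircut") taint heuristic, one of several an analyst might choose. All addresses, transaction IDs and function names are made up.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample ledger in chronological order: (txid, sender, recipient, satoshis).
# Address-level simplification of Bitcoin's input/output model; every name is made up.
LEDGER = [
    ("tx1", "victim_wallet", "ransom_addr", 50_000_000),
    ("tx2", "unrelated_user", "hop_a", 50_000_000),
    ("tx3", "ransom_addr", "hop_a", 50_000_000),
    ("tx4", "hop_a", "exchange_deposit_1", 60_000_000),
    ("tx5", "hop_a", "hop_b", 40_000_000),
    ("tx6", "hop_b", "exchange_deposit_2", 40_000_000),
]
EXCHANGE_ADDRS = {"exchange_deposit_1", "exchange_deposit_2"}  # hypothetical labels


def trace_taint(ledger, source_addr):
    """Return {address: tainted satoshis received}, tracing forward from source_addr.

    Everything paid to source_addr is tainted. A payment from any other address
    carries the same tainted share as the sender's balance at that moment.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    received = defaultdict(Fraction)
    for _txid, sender, recipient, amount in ledger:
        amount = Fraction(amount)
        # Senders with no tracked balance are funded from outside the ledger.
        share = tainted[sender] / balance[sender] if balance[sender] > 0 else Fraction(0)
        outgoing = min(amount * share, tainted[sender])
        balance[sender] = max(balance[sender] - amount, Fraction(0))
        tainted[sender] -= outgoing
        incoming = amount if recipient == source_addr else outgoing
        balance[recipient] += amount
        tainted[recipient] += incoming
        received[recipient] += incoming
    return received


def exchange_exposure(ledger, source_addr, exchange_addrs):
    """Tainted satoshis that reached each known exchange deposit address."""
    received = trace_taint(ledger, source_addr)
    return {a: int(received[a]) for a in sorted(exchange_addrs) if received[a] > 0}


if __name__ == "__main__":
    for addr, sats in exchange_exposure(LEDGER, "ransom_addr", EXCHANGE_ADDRS).items():
        print(f"{addr}: {sats / 1e8:.2f} BTC traceable to ransom_addr")
```

In the sample, the 0.5 BTC ransom is merged with unrelated funds at an intermediate address, yet the full amount is still accounted for across the two exchange deposits, which is where a seizure or KYC request would be directed.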

There are also decentralized exchanges, which essentially only do order book matching and where users do not lose custody of their assets and do not need to go through a KYC process. These work in a variety of ways. At the time of writing, they are slower and more expensive than centralized exchanges. The conversion to fiat is also not straightforward and requires purchasing USD-backed tokens called stable coins. The topic of decentralized exchanges goes beyond the scope of this article and is not further elaborated upon here.

Essentially, the problems with illegally obtained crypto are currently similar to those already faced by any entity handling substantial amounts of illicit funds in fiat.

Laundering the Crypto

A viable method to cover one’s tracks is to change to another crypto currency. Not all crypto currencies share Bitcoin’s transaction flow transparency. Monero, for example, is specifically designed with privacy in mind. Illegally obtained Bitcoin can be converted to Monero at various exchange services without any registration. A common workflow is to supply the desired currency and address, in our case Monero, and deposit the Bitcoin to an address designated by the exchange service. These often operate out of countries which do not pressure them to implement KYC. Liquidity can however be an issue with these. In any case, small amounts can be exchanged at a time to avoid larger losses, and conversions can be spread out across a number of such exchange sites to avoid liquidity problems. Once in the Monero world, the money is squeaky clean. The Monero blockchain obscures the sender, the amount, and the recipient of transactions. From here, Monero can be converted back to any other crypto currency or sold for fiat at a centralized exchange where the identity of the malicious actor is known.

Another way of obfuscating coin origins is through coin mixers, also called tumblers. Multiple participants typically inject the same amount of crypto into the tumbler, after which these inputs are mixed and redistributed to new addresses. This cuts the linkage between input and output addresses. With the Chaumian CoinJoin, this can be implemented in a zero-trust fashion, where no participant has to trust either the mixer or any other participant. Mixing with the Chaumian CoinJoin is conveniently implemented in the Wasabi wallet. Depending on the taint level of the coins to be mixed and one’s moral disposition, a drawback could be that less dirty coins, gained from mining malware for example, are mixed with coins associated with much dirtier activity such as human trafficking or child pornography. The practice of multiple consecutive coin mixes can alleviate the coin taint problem by further obscuring the origins of all mixed coins.

Conclusion

With the upcoming crypto bull run the profitability of the attacks described above is bound to increase. Security controls should be considered and/or be put in place to mitigate this threat.

About the Author

Ahmet Hrnjadovic

Ahmet Hrnjadovic has been working in cybersecurity since 2017. He focuses on topics like Linux, secure development and web application security testing. (ORCID 0000-0003-1320-8655)
