All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he robbed banks. His reply was “Because that’s where the money is.” The simplicity rings true. That same age-old principle still applies today in the digital world.
Cryptocurrencies have been targeted since the early days of Bitcoin. Popularity fuels growth and increased valuation. Since the introduction of Bitcoin, hundreds of cryptocurrencies have emerged. According to coinmarketcap.com, the total market cap of cryptocurrencies exceeds $11 billion, with Bitcoin holding a majority stake of about $9 billion dollars. This amount of money is a strong lure for all kinds of malicious activity.
Attacks on cryptocurrency
Although cryptocurrency architecture is designed to be secure, it is not infallible. Once stolen, digital funds can be electronically laundered, obscured from authorities, and disappear into the electronic ecosystem with their new owners.
There have been many hacks and frauds during the past few years targeting cryptocurrencies, causing significant losses. Mt. Gox lost a staggering $350 million in 2014, Bitcoinica lost $28 million in 2012, and in 2016 a string of incidents has already occurred, starting with Cryptsy losing $10 million, the DAO $50 million, and Bitfinex $65 million.
Most of the big attacks have focused on the technical aspects of account control and the ability to transfer funds without the owner’s consent. Some of the attacks were perpetrated by external threats, while others were inside jobs by trusted personnel.
Many people unfamiliar with cryptocurrencies ask “Why don’t governments put a stop to this?” These systems are new, and even basic legal structures have not caught up. Separation from government oversight is largely viewed as a good thing by the community, but there are drawbacks. Cryptocurrencies suffer from a lack of regulation to establish consistent controls, legal responsibility, and accepted business practices. In the corporate world, laws and regulations establish clear boundaries to define legal responsibility, forbid situations in which conflicts of interest may arise, and establish accountability to support informed decisions by investors. Most of the cryptocurrency enterprises operate only on a level of trust in the proprietors or the code. Sadly, technology is fallible to exploitation, users can be rash, gullible, and manipulated by attackers, and many times owners of the systems are the very culprits behind the losses. The right balance has yet to be struck. Until then, criminals have the opportunity to run rampant, with much less risk compared with highly regulated monetary services.
Threats targeting cryptocurrencies
Most cryptocurrencies are used for decentralized asset exchange. That is just a fancy way of saying they act as a form of money. One that is purely digital, can easily cross borders, be concealed, and transferred seamlessly between parties. Bitcoin and many like it are largely anonymous. The transactions are public, contained in the open blockchain ledger, but in most cases the sender and receiver cannot be easily identified.
Attacks tend to target the control of assets via transactions. The security of these systems is based upon private keys, which are an identity verification system. If an attacker compromises a victim’s private key, he or she can control the funds of the account without recourse from the victim. Many attacks gain access to accounts or tamper with transactions to siphon off assets from the victim’s to the attacker’s accounts.
Cryptocurrencies are also widely used in criminal activities. Ransomware extortions are largely paid in Bitcoin, as the attackers demand. Due to the nature of these transactions, once money is transferred, it cannot be recovered. The tracking of money to people is near impossible due to the anonymity of these systems.
Cryptocurrencies and blockchains are used for more than just money. Technologists and entrepreneurs are creating innovative foundational structures for use in digital services. The decentralized nature can make the capability extremely robust. The open transparency of the transactions builds trust in the system and, coupled with a monetary element, such services can play a powerful role in business, communication, and nontransmutable record keeping. These are powerful tools, but they also present new opportunities for theft, fraud, and misuse.
Ethereum is a currency and public blockchain that features “smart contract” technology which runs programs across the widely distributed user base without central control. Basically, code is created and then run by the users, with no administrative oversight. People trust the code. All operations and transactions are transparent. As long as actions do not violate the code, they are allowed and thus correct. But there have been problems. After all, the people come up with the rules that the code enforces.
Recently the DAO—an Ethereum Decentralized Autonomous Organization investment fund that allows contributors to vote on which companies to back—got into trouble. Money was transferred from many accounts into an “attacker’s” account. But this was done based upon the functions allowed by the code. Many screamed theft, but others simply stated the rules were followed and thus the transfers must stand. It remains a mess, but $50 million was siphoned from users, against their desires.
Stay tuned for Part 2, a discussion of the risks of cryptocurrencies merging with social media platforms and how attackers could gain new advantages.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.