Over the last few years, hackers have been actively stealing smaller amounts of cryptocurrency from individual users using malware available on the internet or darknet, Chainalysis reported.
For individual hacking users, hackers use malware strains available on the darknet mainly to take a “spray-and-pray” approach which allows them to spam millions of potential victims and steal smaller amounts. They do so by tricking individuals into downloading the malware.
“Many of these malware strains are available for purchase on the darknet, making it even easier for less sophisticated hackers to deploy them against victims,” the blockchain data platform said in its report.
In terms of cryptocurrency theft, the report added hackers’ attacks is mostly against organizations – namely hacks of cryptocurrency exchanges or ransomware attacks against critical infrastructure. However, hacks conducted by using malware to steal or extort cryptocurrency have been prevalent for many years.
Malware is any malicious software that can hijack a victim’s phone, usually without their knowledge and a related crime can be anything from stealing information to money or confidential data.
Info stealers, clippers, cryptojackers and trojans are among the most popular malware families used to steal cryptocurrency from individual victims and are easily available for purchase on cybercriminal forums, according to Chainalysis.
The large access to malware like Redline – an info stealer, allows even relatively low-skilled cybercriminals to use them to steal cryptocurrency.
Access to malware is also available on a monthly and lifetime basis. Per the report, Chainalysis said:
“Law enforcement and compliance teams must understand that the malware attacks they investigate aren’t necessarily carried out by the administrators of the malware family itself, but instead are often carried out by smaller groups renting access to the malware family, similar to ransomware affiliates,”
Following which malware operators are then found to have sent the majority of funds to addresses at centralized exchanges.
In an investigation conducted by Chainalysis, Cryptbot – an info stealer that takes victims’ cryptocurrency wallet and account credentials – was a prolific malware family within a sample of malware families in the info stealer and clipper categories. Cryptbot raked in almost half a million dollars in pilfered Bitcoin, the investigation reported.
While QuilClipper, a clipboard stealer or “clipper,” was another notable malware.
Hackers use clippers to insert new text into the “clipboard” that holds text a user has copied, usually with the intent to paste elsewhere.
According to Chainalysis, Clippers typically use this functionality to detect when a user has copied a cryptocurrency address to which they intend to send funds — the clipper malware effectively hijacks the transaction by then substituting an address controlled by the hacker for the one copied by the user, thereby tricking the user into sending cryptocurrency to the hacker.
While the HackBoss clipper stole over $80,000 worth of cryptocurrency throughout 2021, Chainalysis data showed.
Since 2012, HackBoss has taken over $560,000 from victims in assets like Bitcoin, Ethereum, Ripple, and more.
Cryptojackers is another notorious malware that obtains funds for hackers by utilizing the victim’s computing power to mine cryptocurrency. Monero, Zcash and Ethereum were among the top cryptocurrencies mined by hackers, Chainalysis reported.
Cryptojacking activities are considerably hard to trace since hackers move funds directly from the mempool to mining to unknown addresses, rather than from the victim’s wallet to a new wallet.
According to Chainalysis, Cisco’s cloud security division reported that cryptojacking malware affected 69% of its clients in 2020, which would translate to an incredible amount of stolen computer power and, therefore a significant amount of illicitly-mined cryptocurrency.
While in a 2018 report from Palo Alto Networks, an estimate of 5% of all Monero in circulation was mined by cryptojackers, which would equate to over $100 million in revenue.
Chainalysis said that a vast majority of malware operators or hackers receive initial victim payments at private wallet addresses, though a few use addresses hosted by larger services. Among that smaller group, most use addresses hosted by exchanges but mostly high-risk exchanges with low or no KYC (Know Your Customer) requirements.
Although data relating to hacks have been found, it is still challenging to investigate malware-based cryptocurrency theft partially due to the fact that a large number of less sophisticated cyber criminals rent access to these malware families.
“Studying how cybercriminals launder stolen cryptocurrency may be investigators’ best bet for finding those involved,” Chinalysis reported.
Image source: Shutterstock