Bitcoin in the Darknet Ecosystem

Friday, January 05, 2018

Guy Caspi


2017 was without a doubt the year of Bitcoin. The first decentralized cryptocurrency skyrocketed from a value of around $1,000 USD per Bitcoin in January 2017 to a peak of roughly $20,000 USD in December. The worldwide awareness of Bitcoin and the cryptocurrency phenomenon is affecting and challenging traditional financial institutions, investors and even governments in a variety of ways.

The underlying factors: what makes Bitcoin (et al.) different from other currencies and payment forms?

Bitcoin’s attributes make it profoundly different from traditional currencies and financial assets, and these attributes attract cybercriminals and legitimate users alike:

  • Decentralization and deregulation: One of Bitcoin’s most valuable features is its decentralization: the currency is not controlled by any country or governing body. Additionally, most countries and central banks have yet to regulate it in any meaningful way. This combination makes it attractive to cybercriminals (and others) looking for an easy way to launder money, but also to investors looking to diversify into a high-risk, potentially very profitable and, in practice, often untaxed investment.
  • Privacy: Bitcoin transactions are perceived as anonymous. This is not entirely accurate: every transaction is tied to an address (derived from a public key), which acts as a persistent alias for its owner.
  • Ambiguity: It is becoming harder and harder to decide whether Bitcoin is really a currency or essentially a commodity. In the past, the cyber community used it as a means to buy online products and services in numerous fields, dark web markets among them. However, it seems that most Bitcoin purchasers in the 2017 bull run were buying it as an investment, as if it were a financial asset.

These attributes, and the way they are perceived (and in some cases misperceived), lead to the current changes and trends we are seeing in how threat actors and hackers approach Bitcoin.

The go-to currency for hackers

Bitcoin has long been the go-to currency for hackers, scammers and fraudsters, due to its relative anonymity and high tradability on the black market, especially in the last couple of years, as Bitcoin has become far more accessible to the public. This tendency was and still is reflected in the rise of ransomware. A way of collecting Bitcoin with even less effort is cyber-extortion, known as doxware.

Doxware is similar to a ransomware attack, but instead of, or in addition to, encrypting the victim’s files, the attackers inform the corporation or individual that they have penetrated its systems and threaten to leak confidential information unless a ransom is paid (in Bitcoin, of course).

A similar type of cyber extortion seen in 2017 is the threat to perform a distributed denial of service (DDoS) attack unless the victim pays a ransom in Bitcoin. Such a threat typically follows a small-scale demonstration attack, or some other proof that the attacker is capable of carrying it out.

Another threat on the rise is cryptocurrency-mining malware. Attackers infect websites, servers and end-user machines with mining code (sometimes implemented in a distributed manner) while the victims are unaware that their resources are being used. A known example is the recent Adylkuzz malware, which spread using the EternalBlue exploit also used by the infamous WannaCry ransomware. Once installed, Adylkuzz mines the cryptocurrency Monero.

How Hackers try and steal your Bitcoin

Due to Bitcoin’s relative anonymity and the mass of new investors eager to jump on the cryptocurrency bandwagon, it is no surprise that scammers, hackers and fraudsters are taking advantage of inexperienced users.

An infamous way of fooling both experienced and inexperienced Bitcoin owners is the fake Initial Coin Offering (ICO). New companies in the field of cryptocurrency and blockchain offer cryptocurrency tokens at a low price in order to raise funds.

Investors participate in ICOs hoping one will turn out to be the next crypto bonanza, and the tokens issued are bought and sold on trading platforms. Their prices peak and drop before even one line of code is written or a single coin issued.

Apart from the fact that many of these companies fold along with their tokens, many ICOs are not actually intended to develop a crypto platform at all. The organisers instead pull an exit scam by disappearing with the funds raised, or sell their own tokens at inflated prices in a classic “pump and dump” move.

There are several red flags that can indicate a fake ICO:

  1. No decentralization: If the company’s project does not actually require a blockchain or another distributed platform, there is a good chance the ICO is a scam.
  2. Promised returns: As cryptocurrencies are by definition a high-risk investment, an ICO that promises high returns at minimal risk is almost certainly an attempt to take your money.
  3. Vague data: If you cannot establish the expected net value of the ICO, who is behind it, or what the project roadmap is, there is a good chance none of these exist. Read the ICO’s whitepaper and research the project, its founders, and its token distribution and mining structure thoroughly before you put money in.
  4. Be careful who you trust: YouTube investment gurus and other internet experts are often paid to promote an ICO. Even if these experts have a solid reputation, do not trust them blindly.

Another known scam is the proliferation of fake wallets. In two known scam campaigns, attackers used Google ads to promote phishing websites that mimic well-known wallets, luring inexperienced users to download them or to log in to their wallets online. The victims end up entering their private key or login credentials into the fake wallet, and lose all their Bitcoins.

How anonymous is Bitcoin?

Bitcoin is thought to be anonymous because the identity of an address’s owner is not recorded anywhere on the chain. Nevertheless, every Bitcoin transaction is recorded on the public blockchain and can be inspected by anyone. Transactions are linked to addresses (derived from the user’s public key), and if an address is ever tied to a real identity, the user can be uncovered. Users of cryptocurrency exchanges are even more exposed, since they go through an identity verification process that reveals their true identity to the exchange operator. Bitcoin is therefore better described as pseudonymous: the address is the alias.

Another possible breach of anonymity is following transactions from Bitcoin ATMs to wallets, which usually indicates the geographic location of the wallet owner. Cross-referencing that location with other transactions, the time of purchase, or even street cameras can allow law enforcement or intelligence organizations to identify the user behind the wallet.

In pursuit of better anonymity, cybercriminals turn to services that obscure the real user behind a transaction. Some use “mixing services”, which either swap the user’s coins for others with a completely different history, or combine the user’s coins with many other users’ in dozens of small joint transactions, so that the sender’s real address cannot be established.

WannaCry, the ransomware that hit the world in May 2017, used only three Bitcoin addresses. An analysis tracing these three addresses[1], by the author of the blog Le Comptoir Sécu, shows how the three were emptied into nine new addresses, which were later emptied as well, producing hundreds of micro-transactions. In a high-profile attack like WannaCry, it is only natural that the attackers would want to avoid any possibility of exposure, and make tracing as hard as possible for law enforcement and the cyber-security community.
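The three points above (transactions are public and tied to addresses, a single exchange-verified address can expose a user, and mixing is meant to defeat exactly that) are what blockchain forensics tooling automates. The following is an added worked example, not code from the original post or from the Le Comptoir Sécu analysis. It builds a small constructed transaction set (made-up addresses and amounts, loosely following the "sweep, then fan out" pattern described for WannaCry), clusters addresses with the common-input-ownership heuristic, follows funds downstream hop by hop from the ransom addresses, and propagates one assumed off-chain identity (an exchange's record tying an address to a verified customer) to every address in its cluster. It also shows why a CoinJoin-style mixing transaction must be excluded from clustering: its inputs belong to different people, so treating them as one owner would merge strangers.

```python
"""Address clustering and fund tracing over a constructed Bitcoin transaction set.

Added illustration, not from the original article. All transactions, addresses,
amounts and the KYC record below are constructed for the example.
"""
from collections import deque

# Constructed transactions: "inputs" are the addresses being spent, "outputs"
# map receiving address -> amount in BTC. None of these are real chain data.
TXS = [
    # Three ransom addresses swept together into two fresh addresses.
    {"txid": "tx1", "inputs": ["ransomA", "ransomB", "ransomC"],
     "outputs": {"hopA": 30.0, "hopB": 21.5}},
    # hopA fanned out into several smaller outputs.
    {"txid": "tx2", "inputs": ["hopA"],
     "outputs": {"small1": 10.0, "small2": 10.0, "small3": 9.9}},
    {"txid": "tx3", "inputs": ["hopB"],
     "outputs": {"small4": 21.4}},
    # small1 is later co-spent with userX, an address an exchange (assumed)
    # tied to a verified customer when it paid out a withdrawal to it.
    {"txid": "tx4", "inputs": ["small1", "userX"],
     "outputs": {"merchant": 12.0, "change1": 7.9}},
    # Unrelated traffic that must not be linked to anything above.
    {"txid": "tx5", "inputs": ["alice1"], "outputs": {"bob1": 1.0}},
    # A CoinJoin-style mix: several parties' inputs, equal-sized outputs.
    {"txid": "tx6", "inputs": ["mixU1", "mixU2", "mixU3"],
     "outputs": {"mixOut1": 1.0, "mixOut2": 1.0, "mixOut3": 1.0, "mixChg": 0.2}},
]

# Assumed off-chain knowledge: an exchange's KYC record for a withdrawal address.
KNOWN_IDENTITIES = {"userX": "exchange customer #1234"}


def is_coinjoin_like(tx, min_equal_outputs=3):
    """Heuristic: three or more inputs plus several outputs of identical value
    look like a CoinJoin, where the inputs belong to different people. Such a
    transaction must be skipped by input-ownership clustering."""
    amounts = list(tx["outputs"].values())
    if len(tx["inputs"]) < 3 or not amounts:
        return False
    return max(amounts.count(a) for a in amounts) >= min_equal_outputs


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: all inputs of one ordinary transaction
    are assumed to be controlled by the same entity (you need every input's key
    to sign). Returns address -> frozenset of addresses in its cluster."""
    uf = UnionFind()
    for tx in txs:
        if not tx["inputs"] or is_coinjoin_like(tx):  # coinbase or mix: no link
            continue
        first = tx["inputs"][0]
        uf.find(first)  # register single-input spenders as their own cluster
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return {a: frozenset(members) for members in groups.values() for a in members}


def trace_forward(txs, seeds, max_hops):
    """Follow funds downstream: breadth-first search from the seed addresses
    over the spend graph. Returns address -> hops from the nearest seed."""
    spends = {}  # address -> transactions that spend it
    for tx in txs:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for tx in spends.get(addr, []):
            for out in tx["outputs"]:
                if out not in hops:
                    hops[out] = hops[addr] + 1
                    queue.append(out)
    return hops


def attribute(txs, known):
    """Propagate each known identity to every address in the same cluster."""
    clusters = cluster_addresses(txs)
    owners = {}
    for addr, identity in known.items():
        for member in clusters.get(addr, frozenset({addr})):
            owners[member] = identity
    return owners


if __name__ == "__main__":
    seeds = ["ransomA", "ransomB", "ransomC"]
    reach = trace_forward(TXS, seeds, max_hops=3)
    owners = attribute(TXS, KNOWN_IDENTITIES)
    for addr, h in sorted(reach.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{addr:10s} hop {h}  owner: {owners.get(addr, 'unknown')}")
```

Run stand-alone, the script lists every address reachable within three hops of the ransom addresses and marks `small1` (two hops out) as belonging to the verified exchange customer, because it was spent together with `userX`. The mix transaction `tx6` contributes nothing to any cluster, which is precisely the effect a mixing service is trying to achieve; real tools add further heuristics (change-address detection, timing, amounts) and are far less forgiving of sloppy mixing than this sketch.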

Bitcoin makes the underworld go round, or does it?

Bitcoin is still perceived by many as underground money, used by criminals, drug dealers and hackers. However, the recent hype around Bitcoin has caused high volatility, heavy load on the network, and costly transaction fees. This hype has actually driven darknet users away from Bitcoin, as many black markets are now switching to other, newer cryptocurrencies (known as “alts”) such as Ethereum, Bitcoin Cash, Litecoin, and the recent favorite Monero, a currency that currently offers the strongest anonymity among widely traded cryptocurrencies. Libertas Market, one of the best-known black markets on the dark web, has gone as far as dropping Bitcoin altogether and accepting only Monero.

It seems that the acceptance of Bitcoin by the public has brought it from the margins of internet society to center stage, and sent cybercriminals searching for other solutions more compatible with their need for anonymity.

Conclusions

To sum it up, Bitcoin is a rollercoaster for both investors and cybercriminals, and as it becomes more and more accepted in the public and financial ecosystem, cybercriminals are more interested in stealing Bitcoins than in using them as a currency. This trend will probably continue as long as the Bitcoin bull run lasts, turning Bitcoin from a means of payment into an end in itself. Alternatives are getting better by the day, threatening to take over Bitcoin’s role as the main currency of the cybercrime community.

[1] Addresses traced: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

About the author: Guy Caspi is a seasoned CEO and leading global expert in cybersecurity, big data analytics and data science, named a pioneer technologist by the World Economic Forum in Davos.
