Cryptocurrencies Have Revolutionized the Economics of Cybercrime
Over the past year, Bitcoin and other Cryptocurrencies have increasingly gained publicity and media attention. The focus of the reporting has been primarily on cryptocurrencies as a financially speculative medium, with the value of Bitcoin rising over 2000% in 2017 alone. Although there has been some reporting on the importance of cryptocurrencies as the payment medium of choice on the Darknet, less attention has been given to the fact that they have revolutionized the economics of cybercrime, with a noticeable impact on threat actors’ Tactics, Techniques and Procedures (TTP’s).
The history of monetizing hacking
Historically it has been challenging for cyber criminals to monetize hacking. While for example it has always been relatively easy to obtain credit card numbers from ecommerce web sites, converting these into cash has required more than just computer skills and frequently exposed the hacker to real world risk. Going back to the 1st and 2nd generation of hackers, the currency of choice within the community were lists of password and shells, zero days and exploits. As hacking knowledge was more broadly disseminated and moved beyond a small circle of technology enthusiasts, and more and more commercial activity transitioned to computerized and networked systems, financially motivated cybercrime also increased.
In the early days of cybercrime, cybercriminals used a variety of approaches to generate profit from their activities:
Stealing sensitive data and finding a buyer for it has a long history in the hacking community and beyond. In 2006 for example, two criminals stole intellectual property from Coca-Cola and tried to sell it to Pepsi. Thankfully, Pepsi alerted the authorities and the perpetrators were caught and prosecuted. Although this example was committed primarily physically, the risk involved in this particular crime is similar to when it’s committed through hacking.
Even when the counter parties that the data is sold to do not alert the authorities, a concerted campaign of data theft can eventually be discovered, as in the case in 2008 of a Greek hacker who had stolen weapons data from France’s Dessault Group and sold them to several nation states
One of the oldest, but most famous examples is the story of Karl Koch and the KGB hackers, who broke into US defence contractor systems for the KGB in return for cash and drugs. Karl Koch died in a suspicious suicide in 1989 that many still suspect was a murder.
Another way to monetize hacked data is to blackmail the victim. Many companies and people have data that they wish to keep a secret, whether they are sensitive trade secrets, evidence of wrongdoing or unethical behaviour, or something to be ashamed of. The true scale of this can only be guessed at, but there are quite a few known cases. In 2007, Nokia allegedly paid millions of Euro’s to cybercriminals who had stolen a digital signing key for Nokia’s Symbian OS and Domino Pizzas’ customer database was stolen in a breach in 2014 with the attackers demanding a ransom of $30,000.
Extortion based on DDoS attacks is another tried and tested criminal way of monetizing hacking. The idea is simple – the victim has to pay the hacker or their cyber presence will be DDoS’ed, and is especially effective when targeting online retailers, gaming, gambling and media providers. Not paying could mean a higher financial impact in lost revenue and service outages.
The current variation of cyber extortion is of course ransomware.
The challenge for the hacker, as with most historic methods, is how to get his hands on the money without being exposed to risk. A wire transfer and even PayPal leave an audit trail, and a cash exchange requires physical interaction.
Identity Theft and Credit Card Fraud
The first attempts hackers made at credit card fraud were primitive, but so were credit card theft counter measures. One generally accepted Modus Operandi was to order a high value item such as a laptop to an address were the hacker knew no one was at home. They would then pretend to be the resident of the property, doing gardening work for example, to intercept the delivery, or a similar social engineering based ruse. This approach was inherently risky and difficult to execute, requiring knowledge of an empty property without suspicious neighbours and of the day and time of delivery.
As credit card data became increasingly available and hacking skills were disseminated to a broader audience, organized crime got into the game as well. The simplest way to convert credit card data into cash involved copying the stolen to card data to cloned cards and to use these to pick up cash from ATMs. This was still something that a hacker could accomplish alone, but daily ATM cash limits meant that each card only provided a percentage of the available funds and the window of opportunity for using them was small. The risk of getting caught was also not negligible. Alberto Gonzalez, one of the most famous early cyber criminals first came to the authority’s attention this way.
A more effective and scalable method involved cloning credit cards and going on a purchasing spree for high ticket items for resale. This requires a sophisticated crime ring. The capability to clone large amount of cards including the raw cards and copying technology, a group of willing accomplices who will physically go into stores to buy the merchandise and a way of selling it to turn it back into cash. At each step there is a loss of value – only a percentage of the credit limit can be used, resale means selling at discount. Lastly, there’s at least a partial audit trail that a fraud investigator could use to reconstruct the crime – receipts, serial numbers, the seller account and the mechanism with which payment is received.
With the advent of online retailers such as Amazon or eBay and payment services such as PayPal, this became easier, but a high level of risk was still involved, and businesses also put counter measures into place. For example, Amazon stopped sending orders to certain high risk countries such as Russia. But Russian cybercriminals just bypassed this restriction by placing job ads seeking individuals who would repost ordered items from their own address, essentially transferring the risk of getting caught to hapless victims who thought they were getting an easy side job.
Wire transfer fraud
Another classic is the theft of banking or other payment related credentials, for example PayPal, often via social engineering or a Trojan, to subsequently transfer funds out of the victims account. In its most simple form, this involves social engineering via email or phone to fool the victim into passing on the account credentials. More sophisticated cybercriminals automate this using drive-by infection or phishing emails as success can require a high volume of attempts before victims fall for the scam.
Direct attacks on the banking system have occurred, but are rarer and difficult to execute. They require a high degree of formality with how financial transactions and the banking system function, and frequently rely on insider knowledge or participation.
The inherent challenges of traditional Cybercrime Monetization – Complexity and Risk
Each one of these has four distinct weaknesses from the hackers point of view:
1. They force him to move beyond the virtual. To monetize each of these approaches requires interaction with the real world.
2. They make him rely on oftentimes dangerous and unpredictable 3rd parties, such as nation state intelligence services or hardened criminals.
3. They require a sophisticated and complex infrastructure or human organisation
4. The last step in the chain – obtaining the profit and converting it into cash anonymously – is difficult and requires multiple steps to launder the money.
The hacker is rarely autonomous and independent, and the risk of getting caught, especially when transferring the stolen profit into his own hands is considerable.
The role of Cryptocurrencies in the new Cybercrime Economy
Cryptocurrencies possess some characteristics that solve the complexity and risk challenges for monetizing hacking:
1. They are anonymous
2. They are unregulated
3. They represent a direct store of purchasing value, even if they need to be converted from one cryptocurrency into another
4. They can be stolen themselves, or resources can be stolen to mine them
It is these characteristics that make Cryptocurrencies so attractive and especially useful to cybercriminals.
The problem that cybercriminals have always had, was how to turn data into currency. Now data is currency.
We are already seeing this have effect on the threat landscape and threat actor’s TTP’s:
1. Cryptojacking, where system resources are hijacked to mine cryptocurrencies, is up by 725% over the past 4 months
2. Ransomware, that now generally demands payment in BitCoin, has increased by 90% in 2017
3. Bitcoin exchanges have been targeted in a number of high profile breaches
4. Bitcoin users have been specifically targeted to steal their wallets
Cryptocurrency was envisioned as a revolution in how money is created, used and controlled. This utopian goal seems to have been overly idealistic and never considered that it will in fact be co-opted and regulated by central powers and financial institutions. Where it has in fact caused a revolution is in Cybercrime. Cybercriminals are now truly autonomous. They can directly monetize hacking. They require no middlemen to do this, and can use less sophisticated TTP’s than has historically been required. The task of tracking and catching them however has become more difficult, and whenever the profit in a criminal endeavour increases, so does its proliferation.