Eastern European Hacker Group Stole $200m From Crypto Exchanges via Supply-Chain Attack


Israeli cybersecurity firm ClearSky has detected that the so-called hacker group CryptoCore has managed to steal over $200 million from cryptocurrency exchanges and companies in two years. For the most part, the threat actors—also named by ClearSky as Dangerous Password and Leery Turtle—have been targeting entities located in the United States and Japan.

ClearSky has been tracking CryptoCore’s activity since May 2018, concluding that the group is “not extremely technically advanced.” In the first half of 2020, the hackers’ activity notably declined, probably due to the COVID-19 outbreak. The company has also not been able to determine the origin of the hacker group, saying only with a medium level of certainty that the group has links to Eastern Europe, particularly Ukraine, Russia, or Romania.

Impersonating High-Ranking Employees

CryptoCore reportedly obtains access to crypto exchanges’ corporate wallets or those owned by the exchange’s employees through spear-phishing primarily targeting the executives’ personal email accounts. The threat actors then impersonate high-ranking employees either from the target company or from a related organization with connections to the targeted officer. The report further detailed:

“After gaining an initial foothold, the group’s primary objective is obtaining access to the victim’s password manager account. This is where the keys of crypto-wallets and other valuable assets—which will come in handy in lateral movement stages—are stored. The group will remain undetected and maintain persistence until the multi-factor authentication of the exchange wallets is removed, and then act immediately and responsively.”

ClearSky told forklog.media that it started digging deeper into this threat actor during an Incident Response investigation, which led it to a vast and evolving digital infrastructure of the attackers. The company said it would rather leave the attribution of the attacks to the community, as attribution is uncertain and, in such cases, less is more.

Commenting on how cryptocurrency companies, which might be current or future targets of the CryptoCore group, can protect themselves, ClearSky said:

“In general, in order to mitigate such threats, cryptocurrency exchanges must first be aware of these threats, as well as practice employee training. In particular, any exchange SOC team has to actively block and hunt CryptoCore digital infrastructure. Deploying heuristics for checking suspicious activity such as a link file (LNK) communicating to a bit.ly link might be a good start.”
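To make the LNK-to-bit.ly heuristic concrete, here is an added example written for this article (not ClearSky’s tooling): it walks the StringData section of a Windows shortcut as laid out in the MS-SHLLINK specification and flags any bit.ly URL found in the shortcut’s name, path or arguments. The shortcut samples are constructed inside the block and the bit.ly path is a placeholder, not a real indicator.

```python
import re
import struct

# LinkFlags bits and header size from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SHORTENER_RE = re.compile(r"https?://bit\.ly/\S+", re.IGNORECASE)

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (skips IDList and LinkInfo)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) + ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize (4 bytes) counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += width * count
    return fields

def find_shortener_urls(data: bytes) -> list:
    """Heuristic from the article: flag a .lnk whose strings reach out to bit.ly."""
    return [u for v in parse_lnk_strings(data).values() for u in SHORTENER_RE.findall(v)]

def build_lnk(arguments: str, name: str = "") -> bytes:
    """Construct a minimal Unicode .lnk carrying only StringData (constructed sample, not a capture)."""
    flags = IS_UNICODE | 0x20 | (0x04 if name else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))          # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in ([name] if name else []) + [arguments])
    return header + body

# Constructed samples: a "document" shortcut pointing at a placeholder bit.ly URL, and a benign one
SUSPICIOUS = build_lnk("/c start https://bit.ly/EXAMPLE-placeholder", name="Invoice")
BENIGN = build_lnk("/c notepad.exe")
```

Run `find_shortener_urls` over shortcut files pulled from mail attachments or user profiles; a non-empty result is a triage hit, while a `ValueError` means the file is not a valid shell link.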

ClearSky said that it cannot name the victims due to non-disclosure agreements.

Crypto-Related Losses Continue Rising

According to blockchain analytics and crypto intelligence firm CipherTrace, in the first five months of 2020, the total losses of cryptocurrencies to criminals and scammers amounted to $1.36 billion. Research suggests 2020 may bring the second-highest total crypto lost to crime ever observed, the current record being 2019’s $4.5 billion. 98% of the losses were attributed to investment fraud and misappropriation.

A recent study by the business software site Capterra revealed that remote workers have also become greatly exposed to phishing emails during the lockdown, with hackers aiming to steal users’ passwords. Capterra pointed out that “despite the majority of workers stating they are pleased with working from home, the adoption of security measures still has room for improvement.”

Article was edited to include additional comments by ClearSky.
