The high-profile Twitter hack — which saw malicious actors take over 130 verified accounts including Bill Gates and Elon Musk — managed to be both technically brilliant and incomprehensibly stupid at the same time.
It was a multi-person attack, deep inside the company’s infrastructure, using sophisticated social engineering to defeat 2FA-protected accounts.
But while the hackers were smart enough to defeat Twitter’s security, trawling through the internal Slack messaging system to unlock ever greater levels of access, they ultimately failed. Miserably.
Instead of, say, using Musk’s account to send Tesla market FUD to tank the stock price (and make millions shorting it) the hackers instead sold access to various accounts on the darknet for a few magic beans to some vanity-handle clowns, and then spammed out a two-for-one Bitcoin giveaway scam, netting a paltry $117,000.
And then they got caught.
“It doesn’t make sense as far as the sophistication of the attack,” says Dave Jevans, CEO of CipherTrace. “The actual scam was ridiculous.”
Rather than an elite group of high-level professionals, the ringleaders were a bunch of teenagers and 20-somethings who’d stumbled upon Twitter’s God Mode but had no idea what to do with it. The FBI tracked them down thanks to a series of total noob mistakes, including using their home WiFi without a VPN, and trying to cash out stolen Bitcoin using Coinbase accounts verified with their real drivers licenses.
It turns out that just like ordinary criminals, some technically adept cyber criminals can act like bumbling goons too.
Cleverness not required
Alex Lazarenko, Group-IB’s Head of R&D says that being clever is not a prerequisite of hacking into many crypto exchanges, which can have worse cybersecurity than non-finance companies.
“From our experience with our clients they are pretty bad with security,” Lazarenko explains in his thick Russian accent.
“There are not so many sophisticated attacks because the industry is not very much secure in terms of cyber security. A lot of people are getting into trouble with cryptocurrency because of simple mistakes.”
Most cryptocurrency scams don’t involve a crack team of hackers pulling off some ingenious and unique multi-level con — instead they just dust off hoary old scams and dress them up with a thin veneer of technobabble about ‘high yield investments’ and ‘sophisticated trading algorithms’.
“There’s nothing much new under the sun,” says Michael Cohen, Vice President of Operations at MyChargeBack, an Israeli company that deals with retail crypto crimes. “You don’t have to be Dr Evil to scam someone via cryptocurrency. You can be a Mini Me.”
Scammers and thieves love crypto because there’s a perception that there’s no central authority to complain to, no way to reverse transactions, and the funds are difficult to trace. (In truth, most on-chain transactions are far from anonymous, and their traceability is often a boon to law enforcement.)
But cryptocurrency’s complexity means that even some of the smartest people can fall victim to their dumb tricks.
“The common denominator of all of them is a tremendous amount of inexperience on the side of the consumer,” says Cohen.
“You could have doctors, lawyers, investment CFOs, government officials. We see there’s no delineation between someone’s professionalism and education and the susceptibility to these types of scams.”
So how smart do you have to be to pull off various types of crypto crimes?
The Scam: Say Hello To My Little Friend
Criminal sophistication level: Grunts and goons.
Crypto extortion is a crude and unpleasant crime. At its most basic this involves a man with a shotgun bursting into your apartment demanding the passcode to your Bitcoin wallet.
Crude attacks can be defeated with similarly crude countermeasures however, and when this exact situation happened to a Norwegian crypto millionaire last year, he vaulted over the balcony of his second-floor apartment and escaped.
In a bizarre spin on the practice, The New York Times reported a group of men had ransacked the New York apartment of a man named Nicholas Truglia, and held his head underwater demanding his crypto logins. But it turned out that Truglia had made up the story, and in doing so he’d sparked an investigation by the police into his unexplained crypto wealth.
He was unmasked as The Bitcoin Bandit, the ringleader of a 25-person SIM swap gang, and ordered to pay $74.8 million in compensation to Michael Terpin, an investor in multiple ICOs and head of a blockchain marketing group.
The Scam: Show Me The Money
Criminal sophistication level: Dumb as a stump.
The oldest scam in the world is convincing people to hand over money now, with the promise of getting more money later.
‘Bitcoin giveaways’ on Twitter trade on this principle and have been at plague proportions for years. For a slightly more sophisticated example, head on over to YouTube on any given day and you’ll find tens of thousands of people watching a ‘live broadcast’ from someone posing as Ripple or SpaceX to promote the scam.
It’s lent credibility by screening on what appears to be a verified channel with hundreds of thousands of followers. Scammers typically use phishing emails to get a password to take over a gaming nerd’s verified channel. They then change the name from ‘Bob’s Gaming Channel’ to ‘Ripple’, and start screening old footage as ‘live’ to attract viewers. Both Ripple and Steve Wozniak have launched lawsuits against YouTube over the practice.
The Scam: We’re Not In Kansas Anymore
Criminal sophistication level: basic comprehension of Rock, Paper, Scissors
Moving up the scale, we begin to find crimes that require a modicum of technical ability. One method scammers use to steal passwords is to clone exchange websites to fool victims into entering their details.
The trick here is to use a domain name that looks identical to the real one, but isn’t, thanks to a ‘homograph attack’. This takes advantage of the fact that various letters in alphabets like Cyrillic and Greek look virtually identical to English.
In 2018, scammers set up a fake Binance site, complete with a reassuring looking padlock next to the address denoting an SSL certificate. But the letter ‘n’ had been replaced with a version that included an underdot (?). Scammers pulled a similar trick by replacing the ‘r’ in Bittrex with one that included a cedilla (?) which looks like a comma.
Once every couple of months Ledger is forced to put out another warning of a malicious browser extension pretending to be Ledger, seeking to trick users into entering their seed phrase. At one crypto conference in 2017 scammers went so far as to distribute fake Trezor and Ledger hardware wallets so they could later steal funds users deposited.
There are also simple malware programs devoted to diverting your funds to scammers — one Trojan called CryptoShuffler affects the cut and paste function, so that each time you ‘cut’ a wallet address, it pastes in the scammer’s destination address instead.
The Scam: I Know What You Did Last Summer
Criminal sophistication level: knows not to iron a shirt while wearing it.
Sextortion is where victims receive a personally addressed email from attackers who claim to have hacked their webcam and recorded them masturbating, demanding payment not to release the footage.
“They’re not spamming,” says Jevans. “They actually do have your name and they do have your email address. That’s why they’re convincing.”
SIM swapping involves a social engineering attack, whereby criminals contact a victim’s telecom provider purporting to be them in order to trick support staff to forward the victim’s number to a phone the hacker controls. This allows attackers to intercept two factor authentication text messages to steal crypto.
While phone providers have protocols to stop this happening, these are often easily circumvented, as hacker ‘Daniel’ told the online publication Trijo last year: “There are always ways to convince. For example, that you call and pretend to work at Tele2 (a Swedish telecom company) and ask them to help you forward a number. It does not take many calls before you have learned to pretend.”
The Scam: You Had Me At Hello
Criminal sophistication level: smarter than the average bear.
Tricking people into handing over money can be as easy as sending a few emails. In 2014, a hacker gained access to the email of an executive at BTC Media, which was in business negotiations at the time with Bitpay Exchange, and tricked Bitpay’s CFO Bryan Krohn into filling out his corporate email information on a Google doc.
This gave the attacker access to Bitpay’s internal systems, where they discovered that the exchange would provide Bitcoin upfront to SecondMarket with an agreement to pay later. The attacker then emailed Bitpay’s CEO from Krohn’s account, instructing him to send 5000 Bitcoin to ‘SecondMarket’… which was of course just the hacker’s wallet.
Bitpay lost $1.8 million and their insurance wouldn’t cover the loss as there technically was never a ‘hack’.
“The simplest attack is the best one you can do,” says Jevans. “There are still very simple attacks that can make you hundreds of millions of dollars a year by sending the right email to the right person at the right time.”
Cohen has noticed a big uptick this year in crypto scammers contacting victims via Tinder on dating sites.
“They enter into a quasi-relationship and show a screenshot ‘oh, this is my account, I do day trading,’ he says. “It’s kind of a honeypot, they bring them in that way. They log into their trading account and see $100,000.”
“Suddenly the person has forked over $50,000 via cryptocurrency after being baited into this online ‘trading’ enterprise.”
The Scam: Always Be Closing
Criminal sophistication level: Ties own laces, buttons own shirt… but thinks Fibonacci is one of the Three Tenors
Many crypto investment schemes turn out to be dressed up Ponzi schemes – named after Charles Ponzi, who came up with a legitimate arbitrage scheme initially, but then started to use the funds from new investors to pay ‘returns’ to existing investors and himself.
Cryptocurrency is the perfect disguise for Ponzis because a) it’s complicated and b) people really do get rich from crypto. Right now three of the top five biggest gas guzzlers on Ethereum are suspected Ponzi schemes.
“Back in the day before Bitcoin and other things were big, these scams were making a few hundred or thousand million dollars,” explains Jevans. “Now you look at things like Plus Token. These things have escalated with the ability to transfer money globally.
The PlusToken scammers made off with $3 billion by offering high returns to investors who thought they were funding the ‘development’ of an exchange and wallet. OneCoin brought in $4 billion with crypto mining and selling trader training material. Bitconnect was a ‘lending platform’ offering 1% interest per day for Bitcoin that hit a $2.6 billion market cap.
Even QuadrigaCX – whose founder famously died* suddenly with the only passcode to the exchange’s crypto wallet – turned out to be a collapsed Ponzi.
Off the shelf Ponzis
Despite the vast sums involved, Ponzis aren’t hard to set up. You can buy software to run a professional looking Ponzi scheme for a couple of thousand dollars on the web, hire a handful of people to do marketing, social media and answer the odd customer enquiries, and you’re up and running.
“(For) a billion-dollar scam, you don’t need that many people,” says Jevans. “You could probably do the whole thing with 10 people and a million dollars. Laundering the money however requires the services of professionals. “Behind the scenes they are very intelligent, you have to be very savvy, there’s no question about that,” he says.
“Here’s the thing I was once told,” says Jevans. “There’s no point stealing $10,000 and there’s no point stealing $10 million dollars.”
“Steal $100 million dollars because then you can afford the best lawyers and you’ll only do five years in jail and you walk out with $90 million. You only have to do it once and then you’re done.”
Ransomware is another game that anyone can play using software bought on the darknet.
“Ransomware isn’t a highly innovative field,” explains Fabian Wosar, the Chief Technology Officer for Emsisoft, which provides anti-ransomware tools. “The vast majority, if not all, of the attacks, use off-the-shelf attack toolkits.”
The Scam: I’m Gonna Make Him An Offer He Can’t Refuse
Criminal sophistication level: solves Rubik’s Cube with their eyes closed.
But while ransomware attacks can be carried out by bored high school kids, most of the real money is made by sophisticated, well-funded ransomware gangs. A gang called REvil came to mainstream attention this year after crippling Travelex for weeks with an attack on New Year’s Eve. The company eventually paid 285 Bitcoin.
The latest twist involves stealing confidential files during the attack and threatening to release them in order to ramp up the pressure to pay the ransom. When REvil stole the private legal secrets of celebs including Elton John, Robert DeNiro, Madonna from a New York law firm, they released 2GB of Lady Gaga’s file The firm still refused to pay, so REvil made their money auctioning off 756 GB of celebrities’ data on the darknet for Monero.
“They are technically sophisticated and where you can see just looking at the code that the people behind them have a great deal of software engineering experience and attention to detail,” says Wosar.
Sitting near the top of the tree are North Korea’s hacking gangs. Crypto is the perfect way to evade crippling financial sanctions, and these hackers are state-backed professionals who face significant penalties for failure. There are tertiary-education training courses for DPRK hackers at Kim Chaek University of Technology and Kim Il-sung University. In 2018, it was estimated that North Korean hackers are responsible for more than 65% of all stolen crypto: They’re believed to have stolen at least $2 billion of cryptocurrency.
“Guys like the North Koreans — state sponsored cybercriminal gangs — they are the most well-resourced and sophisticated,” says Lazarenko. “Regular cyber-criminal gangs are just stealing money but those guys have other things to do than just stealing money.”
Jevans says North Korean gangs are the most sophisticated in terms of target choice, techniques and surveillance.
“We’ve seen them steal $250 million from one exchange in a swoop,” he says. “They’re attacking inside, targeting the employees and IT systems, breaking in, looking for vulnerabilities, figuring how the hot wallets work, the cold wallets, and then using those private keys to move large amounts out. We have evidence they’re doing infiltration into exchanges and sitting there waiting to do surveillance.”
Building a bot
The Lazarus Group’s March 2019 attack on the DragonEx exchange that netted $7 million is a good example of the lengths they’ll go to. The hackers set up a fake LinkedIn profile for ‘Gabe Frank’, the supposed CTO of a wallet company called WFC Proof and used the account to connect with DragonEx executives.
To lend the ruse legitimacy, they created a slick website for WFC and a social media presence for the company’s non-existent employees. They even built a working crypto trading bot for the DragonEx executives to play with. Of course, the bot was really just the delivery vector for malware to steal the private keys from users and the exchange’s cold wallet.
The Scam: And Like That… He’s Gone.
Criminal sophistication level: the greatest trick the Devil ever pulled…
But the cleverest and most ingenious crypto crimes are so technical and complex they sail over the heads of many people.
Even the experts are scratching their heads over an incident in June when two small value Ethereum transactions were sent with a combined gas fee of $5.2 million. Various people including Ethereum co-founder Vitalik Buterin have suggested that hackers had gained partial control of an exchange’s funds, and were wasting millions on gas fees as leverage to force the exchange to pay a ransom. But Jevans isn’t so sure about that. “A technical attack is finding, for example, a smart contract that has vulnerabilities and exploiting them,” he says. “So that to me looked like the fallout of a technical attack.”
Lazarenko divides this category of crime into smart contract vulnerabilities, and source code vulnerabilities — where a flaw is exploited in software that runs the front end, or the server. An example of the latter saw Poloniex lose more than 12.3% of its Bitcoin in 2014. Owner Tristan D’Agosta explained at the time:
“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”
But even source code exploits are old hat to Lazarneko, who reserves his admiration for blockchain specific smart contract exploits.
“A lot of old-fashioned ways of hacking into something works pretty well with cryptocurrency exchanges, like phishing, social engineering attacks. Nothing really new,” Lazerenko explains. “But with smart contracts vulnerabilities we can see a lot of new things going on because you have to use specific features of blockchains.”
DAO to DeFi
The most famous example of a smart contract exploit was the 2016 DAO hack. One of the creators of the DAO Stephan Tual actually identified the ‘recursive call bug’ a few days before it was used to drain 3.6 million Ether.
There have been a wave of attacks this year on DeFi projects including dForce/LendF.me, Uniswap, Maker and Opyn — which exploited a similar bug to The DAO attack. With some of the incidents it’s debatable whether these are even thefts or hacks, because the attacker is still playing by the (albeit badly drafted) rules. For example, in the bZx exploit in February, a very clever person was able to leverage the complexities in the ways DeFi protocols interact to make $318,000 in ETH. The person:
- Took out a loan for 10,000 ETH from dYdX.
- Used 5,500 ETH to collateralize a 112 wrapped Bitcoin loan on Compound.
- Used 1,300 ETH to open a 5x leveraged position on the ETH/BTC pair on bZx’s Fulcrum trading platform.
- Borrowed 5,637 ETH through Kyber’s Uniswap and swapped them for 51 WBTC, causing large slippage.
- Swapped the 112 WBTC from Compound to 6,671 ETH, resulting in a profit of 1,193 ETH.
- Repaid the 10,000 ETH loan on dYdX.
“It’s also a philosophical question: is that a vulnerability or not,” asks Lazarenko, “because … source code is the law and if the source code allows you to do something then you can do that.”
The biggest hack that will ever happen
Lazarenko says the example of the DAO – where even Buterin missed the bug when auditing the code — means that it’s conceivable that in future hackers could take down the ultimate target: an entire blockchain platform. While blockchain itself can’t be hacked he explains, “You have source code which is managing this, which manages the operations of miners which manages the operation of the peer to peer network,” he says.
“The biggest hack that will happen is when somebody can bring down a blockchain platform like Ethereum.”