Group-IB, one of the leading information security companies, has investigated and analyzed 720 account leaks (logins and passwords) from 19 cryptocurrency exchanges. The study was based on data gathered by the Group-IB Threat Intelligence system.
According to its report, the number of compromised login records is growing rapidly. Compared with 2016, the number of compromised accounts in 2017 surged by 369%, and in 2018, driven by the excessive excitement around cryptocurrencies, it increased by 689%. The report further said that every third user from the USA is a victim of a cryptocurrency cyberattack. The top three victim countries are the USA, Russia and China.
Group-IB said that
Increased fraudulent activity and attention of hacker groups to the cryptoindustry, additional functionality of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds signal that the industry is not ready to defend itself and protect its users. In 2018 we will see even more incidents.
The Group-IB researchers found that 5 of the 19 cryptocurrency exchanges faced targeted cyberattacks that caused $80 million in financial losses. They also found approximately 50 active botnets behind these leaks. The hackers' infrastructure is spread geographically, mostly across the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and the Russian Federation (3.2%). Hackers continuously use a variety of malicious programs and scripts, which is why the number of leaks keeps rising, and they modify their hacking tools regularly. Malware used to steal user accounts includes the AZORult stealer, Pony Formgrabber, Qbot and many others.
The report further said that
Criminals have adapted patterns of attack on banks and used the same tools to hack cryptocurrency exchanges and wallets and make attacks on users.
Group-IB researchers investigated 720 events in which hackers were able to obtain login data for cryptocurrency exchange websites. Accounts on the following cryptocurrency exchanges were compromised: Binance, Bit-z, Bitfinex, Bithumb, Bitstamp, Bittrex, BTCC, CEX.io, Coinone, Gate.io, GDAX, Gemini, HitBTC, Huobi, Kraken, KuCoin, OKEx, Poloniex, Wex.nz. Researchers also concluded that there was not a single cryptocurrency exchange that had not been compromised.
There were 174 compromised accounts on Poloniex, 111 on Bittrex, 95 on CEX.io, 83 on HitBTC and 61 on Kraken. The following figure shows the distribution by exchange.
Investigators further found that the first five events occurred in June 2014. By the end of 2016, there were 139 account leaks. The following figure shows monthly account leaks from January 2016 to January 2018.
After analyzing the distribution, researchers further found that hackers had used “bulletproof” hosting, a service offered by some web hosting companies that gives clients a free hand in the kinds of material they may upload and distribute. Every third cryptocurrency user from the USA and the Netherlands is a victim because infrastructure in both countries is cheap (on both the legal and the black market) and both are major infrastructure hubs. Hackers then deployed malware such as AZORult. With AZORult, attackers were able to steal passwords saved in browsers and the .dat files of crypto wallets. The malware also harvests credentials from email clients, FTP clients and IM clients, including Chrome, Mozilla Firefox, Opera, Yandex Browser, Comodo Dragon, Internet Explorer, Microsoft Edge, Outlook, Thunderbird, Amigo, Pidgin, PSI, PSI+ and many more. The main reason cyberattacks succeed is the absence of two-factor authentication; where 2FA is available, users generally do not enable it.
RECOMMENDATIONS FROM GROUP-IB
The study has also given some recommendations to both cryptocurrency users and cryptocurrency exchanges. These are as follows:
For Users: Researchers suggest choosing strong, complex passwords and using different emails and passwords on different exchanges. Users should turn on two-factor authentication wherever possible and avoid any exchange that does not offer 2FA. Users should never use public Wi-Fi and should keep their devices and gadgets clean and updated. They also advise against disclosing or advertising possession of cryptocurrencies on social media platforms.
For Exchanges: Cryptocurrency exchange platforms should enable 2FA and make it mandatory. Exchanges should perform regular audits of their IT infrastructure and related processes and patch their systems. They should also provide resources for training and awareness campaigns. Researchers further suggest that exchanges develop strong cybersecurity and incident response policies, implement anti-phishing systems and install anti-APT services such as the Group-IB Threat Detection system.
In this study, the sample consisted of 720 account leaks that occurred between 2014 and 2018, with data from 19 cryptocurrency exchanges. The researchers also contacted every exchange in their sample and informed them about the study.