June 6, 2023

Why hackers are able to steal billions of dollars worth of cryptocurrency

Welcome to The Cybersecurity 202! If you’re a regular reader you might have noticed we’ve been on a bit of an abbreviated schedule of late, but the noob whose name is atop this newsletter now (ahem, this Starks guy) has been lax about informing you of this. I’m making it up to you now: we’ll be back at you Tuesday.

Below: European lawmakers find out how many E.U. countries use NSO spyware, and the FTC is investigating a crypto hack.

What’s behind a wild stretch of cryptocurrency theft

In two incidents over the past week, hackers pilfered a total of nearly $200 million in cryptocurrency, piling on to a record year of $2 billion in industry losses to internet thieves and scammers.

The Treasury Department also sanctioned an anonymization service this week for its alleged role in laundering billions in cryptocurrency. The agency cited hackers’ use of Tornado Cash to disguise proceeds from the largest known crypto hack to date, March’s heist of $620 million.

So why are these big-ticket crypto hacks happening? There’s no one answer, and there’s plenty of reason to think they’ll keep occurring.

Answer No. 1: It’s where the money is

The first and shortest major answer might sound snarky. It’s Willie Sutton’s answer to why he robbed banks: “It’s where the money is.”

The covid-19 pandemic saw a rise in cyberattacks as well as the proliferation of cryptocurrency wallets, observed Brenda Sharton, global chair of the privacy and security practice at the Dechert law firm. Those two phenomena go hand-in-hand, she told me.

One specific variety of cryptocurrency tech has proven a particularly ripe target — and increasingly so: cross-chain bridges. 

  • My colleague Steven Zeitchik explains: “A blockchain bridge allows consumers to swap crypto from one blockchain to another — say, from bitcoin to ethereum — making it vulnerable on what security experts call ‘both sides,’ weaknesses on either blockchain.”
  • Blockchain analytics company Chainalysis estimated last week that such attacks account for 69 percent of funds hackers have stolen this year.

Answer No. 2: It’s an industry maturity and demeanor thing

“Fintech is very fast-moving,” Adam Meyer, the senior vice president of intelligence at cybersecurity firm CrowdStrike, told me. “It’s a lot of start-ups that are what they say about start-ups: ‘Move quickly and break things.’ … Some of the things that are out there are really, really new, and so they haven’t really thought through the attack vectors.”

Crypto start-ups’ more established financial industry siblings, banks, invest deeply in cybersecurity. Bank of America spends more than $1 billion annually on cyberdefense, the company’s chief executive said last year. Over the course of hundreds of years, banks have learned to prioritize security of all kinds, Scott Carlson, head of blockchain and digital asset security at Kudelski Security, told me.

What’s more, some cybersecurity companies are loath to get involved in the cryptocurrency sector, said Ryan Spanier, Carlson’s Kudelski Security teammate. They might consider crypto firms to be a fad, a sector that’s difficult to adapt existing protections for, or an area of the economy that is bad for the environment.

It’s not 100 percent negative news. Several crypto exchanges that have suffered major hacks declined interviews or didn’t answer requests for comment, but some directed me to lengthy lists of security improvements they’ve made in the aftermath.

In addition, some technology is springing up to protect cryptocurrency from theft, like hardware wallets, and some older cybersecurity practices have caught on in the community, like bug bounty programs where ethical hackers help organizations find their weaknesses.

Answer No. 3: Crypto is the regulatory Wild West

Those traditional financial services firms? They have federal agency overlords — be they the Securities and Exchange Commission (SEC) or Financial Industry Regulatory Authority (FINRA) — that have made the sector one of the most strictly regulated when it comes to cybersecurity. Crypto organizations don’t fall neatly into any existing regulatory turf, and some maintain that’s why they’re getting hacked.

“The reason first and foremost is that crypto exchanges, unlike U.S. financial firms, don’t have to meet any of the rigorous cybersecurity standards and requirements that the SEC and FINRA and the banking regulations have in place,” independent consultant John Reed Stark told me. “So you have no idea what sort of cybersecurity protections go on in these entities.”

By their nature, the blockchain community prefers to be “lightly regulated because they want to free themselves from what they perceive as problems in the existing system,” Carlson said.

It’s a hot subject on Capitol Hill, where bipartisan legislation would define who is responsible for overseeing the crypto industry and direct agencies to develop cybersecurity rules for digital assets like cryptocurrency. The bipartisan bill from Sens. Kirsten Gillibrand (D-N.Y.) and Cynthia M. Lummis (R-Wyo.) would grant oversight to the Commodity Futures Trading Commission, as opposed to the SEC, which has taken a hard stance against crypto abuses.

But the focus on regulation is misplaced, Sharton said. The government can best help by putting crypto thieves in prison, she said. (In one peculiar case, a $500 Walmart gift card led law enforcement to the alleged culprits behind a considerable 2016 hack.)

There is an assortment of other possible explanations, too.

For years, analysts have been trying to get to the bottom of what’s behind the spiral of crypto hacks. Other avenues: 

  • It’s easier than other kinds of hacks.
  • Targets have smaller cybersecurity staffs.
  • Stealing passwords and other key information is possible on a wider scale.
  • Sometimes the causes of a theft vary from case-to-case, like a fake job offer, of all things.

What’s certain is that crypto hacks are costing a lot of money. Only last month, creditors of defunct cryptocurrency exchange Mt. Gox said they were close to being repaid — from the fallout of a hack in 2014.

Many E.U. countries have used spyware firm NSO Group’s technologies, lawmakers find

Law enforcement agencies in 12 of the European Union’s 27 member states use NSO spyware, and ties with two other European countries have been cut, Haaretz’s Omer Benjakob reports. All told, NSO has 22 European clients, some of which hail from the same country, Benjakob reports. 

The discovery of those figures by a European Parliament committee investigating use of NSO and other spyware sheds light on how widespread use of such tools is on the continent. NSO’s Pegasus spyware has been used to hack journalists, activists and executives, an investigation by The Post and 16 media partners found.

“If just one company has 14 member states for customers, you can imagine how big the sector is overall,” committee member Sophie in ‘t Veld told Haaretz. “There seems to be a huge market for commercial spyware, and E.U. governments are very eager buyers. But they are very quiet about it, keeping it from the public eye.”

The FTC is investigating a hack of a cryptocurrency exchange

The Federal Trade Commission probe into a December 2021 hack of the BitMart cryptocurrency exchange represents the first known investigation into cryptocurrency markets by the regulator, Bloomberg News’s Leah Nylen reports. The FTC disclosed the investigation in an order denying an attempt by BitMart’s operators to block an FTC demand for information, which operators Bachi.Tech and Spread Technologies said was too broad and involved information that is located overseas.

“The FTC had sent civil subpoenas in May to the BitMart operators, seeking details on what the companies told consumers about the security of their crypto assets and how they have handled customer complaints. The consumer-protection agency — which has penalized dozens of companies from Wyndham Hotels & Resorts Inc. to Uber Technologies Inc. over lax cyber practices — expects these details to help it determine whether the firms engaged in unfair or deceptive business practices.” The FTC is also investigating compliance with the Gramm-Leach-Bliley Act, which requires financial institutions to secure important data.

The FTC declined to comment to Bloomberg News. Lawyers representing BitMart’s operators didn’t respond to the outlet’s requests for comment.

CISA releases guide for election workers to deal with digital threats ahead of midterm elections

The Cybersecurity and Infrastructure Security Agency’s new tool kit warns election workers about threats like phishing and ransomware, StateScoop’s Benjamin Freed reports. It comes from the agency’s Joint Cyber Defense Collaborative, an initiative that aims to boost the agency’s private-sector collaboration.

“Much of the recent national discussion on election security has focused on harassment of election workers, disinformation and misinformation and insider threats at local election offices — all largely fueled by ongoing falsehoods about the 2020 presidential election,” Freed writes. “The cyber tool kit, CISA said, is meant to help address technological resiliency.”

Finland’s parliament hit with cyberattack following US move to admit the country to NATO (The Hill)

Security firm finds flaws in Indian online insurance broker (Associated Press)

7-Eleven Denmark confirms ransomware attack behind store closures (Bleeping Computer)

‘Hack DHS’ bug bounty program to begin second phase with new contract request (NextGov)

Former CISA chief wants a new, cross-cutting new agency to lead federal cyber (FCW)

  • National Cyber Director Chris Inglis and CISA Director Jen Easterly speak at the annual DEF CON hacking conference on Friday.

Thanks for reading. See you next week.
