Lurking in the shadowiest corners of the dark web is an “established” ecosystem of hackers targeting cryptocurrency users with poor “security hygiene,” said Binance’s chief security officer.
Speaking to Cointelegraph, Binance CSO Jimmy Su said hackers have shifted their gaze to crypto end users in recent years.
Su noted that when Binance first opened in July 2017, the team saw a lot of hacking attempts on its internal network. However, as crypto exchanges have continued to improve their security, the focus has shifted.
“Hackers always choose the lowest bar to achieve their goals, because it is also a business for them. The hacker community is a well-established ecosystem.”
According to Su, this ecosystem consists of four different layers: intelligence collectors, data refiners, hackers and money launderers.
The most upstream layer is what Su described as “threat intelligence.” Here, bad actors collect and collect illegitimate information about crypto users, creating entire spreadsheets detailing various users.
This could include crypto websites that a user visits frequently, what emails they use, their name, and whether they are on Telegram or social media.
“There is a market for it on the dark web where this information is sold […] that describes the user,” Su explained in an interview in May.
Su noted that this information is usually collected in bulk, such as past customer information leaks or hacks targeting other vendors or platforms.
In April, a Privacy Affairs research paper revealed that cybercriminals have been selling hacked crypto accounts for as little as $30 each. Counterfeit documentation, often used by hackers to open accounts on crypto trading sites, can also be purchased on the dark web.
According to Su, the collected data is then sold downstream to another group — usually made up of data engineers who specialize in refining data.
“Last year, for example, there was a dataset for Twitter users. […] Based on the information there, they can further refine it to see which tweets are actually crypto-related.”
These data engineers will then use “scripts and bots” to find out which exchanges the crypto enthusiast may be registered with.
They do this by attempting to create an account using the user’s email address. If they get an error that the address is already in use, they’ll know if they’re using the exchange — this could be valuable information that could be used by more targeted scams, Su said.
Hackers and phishers
The third layer usually takes care of the headlines. Phishing scammers or hackers will use the previously refined data to perform “targeted” phishing attacks.
“Since they now know that ‘Tommy’ is a user of exchange ‘X’, they can just send a text saying, ‘Hey Tommy, we’ve detected that someone has deducted $5,000 from your account, click this link and contact customer service if it wasn’t you.’”
In March, hardware wallet provider Trezor warned its users about a phishing attack designed to steal investors’ funds by making them enter the wallet’s recovery phrase on a fake Trezor website.
In the phishing campaign, attackers impersonated Trezor and contacted victims via phone calls, texts, or emails claiming a security breach or suspicious activity on their Trezor account.
Get away with it
Once the money is stolen, the last step is to get away with the robbery. Su explained that this could mean leaving the funds dormant for years and then moving them to a crypto mixer like Tornado Cash.
Related: The Arbitrum-based Jimbos protocol was hacked and lost $7.5 million worth of Ether
“There are groups that we know can sit on their stolen profits for two, three years without any movement,” Su added.
While there isn’t much to stop crypto hackers, Su urges crypto users to practice better “security hygiene”.
This may include revoking permissions for decentralized finance projects if they no longer use them, or keeping communication channels such as email or SMS used for two-factor authentication private.
Magazine: Tornado Cash 2.0 — The race to build safe and legal coin mixers