ransomware

Europol seizes $46M from crypto mixer after $2.88B allegedly laundered

Law enforcement officials allege that ChipMixer laundered 152,000 BTC ($2.88 billion) over the past five years.

According to the European Union Agency for Law Enforcement Cooperation, commonly known as Europol, on March 15 the agency seized assets of cryptocurrency mixer ChipMixer for its alleged involvement in money laundering activities. Total assets seized include 1,909.4 Bitcoin (BTC) in 55 transactions, amounting to 44.2 million euros ($46 million). Decentralized finance analyst ZachXBT previously alleged on Nov. 25, 2022, that the hacker(s) of defunct cryptocurrency exchange FTX laundered 360 BTC ($5.9 million) using ChipMixer after a $372 million exploit.

ChipMixer website after law enforcement seizure. Source: Europol

In addition, the ChipMixer website has been shut down after authorities seized four servers hosting the application. Europol claims that the application laundered over 2.73 billion euros since its inception in 2017. According to law enforcement officials:

“ChipMixer, an unlicensed cryptocurrency mixer set up in mid-2017, was specialised in mixing or cutting trails related to virtual currency assets. The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities.”

The investigation and subsequent enforcement were coordinated by the Belgian Federal Police, the Federal Criminal Police Office of Germany, the Central Cybercrime Bureau of Poland, the Cantonal Police of Zurich, Switzerland, the U.S. Federal Bureau of Investigation, the U.S. Department of Homeland Security and the U.S. Department of Justice. Law enforcement stated that “a large share of this is connected to darkweb markets, ransomware groups, illicit goods trafficking, procurement of child sexual exploitation material, and stolen crypto assets.” Funds deposited in ChipMixer were turned into “chips,” small tokens of equivalent value, which were then mixed together to obscure the original trail of the funds.

“Ransomware actors such as Zeppelin, SunCrypt, Mamba, Dharma or Lockbit have also used this service to launder ransom payments they have received. Authorities are also investigating the possibility that some of the crypto assets stolen after the bankruptcy of a large crypto exchange in 2022 were laundered via ChipMixer.”

Europol facilitated the information exchange between national authorities for the operation. The entity said it “also provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through operational analysis, crypto tracing, and forensic analysis.”

Russia-Ukraine war: How both sides of the conflict have used crypto to win

While tens of millions worth of crypto were donated to Ukraine in the last year, pro-Kremlin groups have also leveraged digital currencies to buy military supplies and spread propaganda.

In the Russia-Ukraine war, both sides of the conflict have been leveraging cryptocurrencies to achieve the upper hand. 

Pro-Ukraine causes have collected around $200 million from crypto donations, showing how borderless and uncensorable money could be useful in time of emergency. 

But the Russian side has taken advantage of crypto too: a total of about $5 million was raised by pro-Kremlin groups and propaganda outlets in the course of the invasion, as revealed by a recent Chainalysis report. These entities are small grassroots organizations that have used crypto to bypass Western financial sanctions. 

“We’re really looking at individual actors. So somebody who’s on the front, somebody who’s trying to help provide more military resources to the front […] things like bulletproof vests or drones,” explained Andrew Fierman, head of Sanctions Strategy at Chainalysis and one of the authors of the report.

But those numbers don’t take into account ransomware attacks: As shown in Chainalysis data, over $450 million were paid to these entities last year, the majority of which were believed to be based in Russia. Some of them, like the cybercriminal group Conti, have openly supported the Russian government in its war effort.

“When it comes to ransomware payments, a lot of the time bad actors have some sort of political agendas behind what they’re doing,” Fierman pointed out.

To find out more about the impact of crypto in the Ukrainian conflict and how Russia leveraged it to promote its cause, check out the full interview on our YouTube channel and don’t forget to subscribe!

Crypto investors under attack by new malware, reveals Cisco Talos

Since December 2022, the two malicious files — MortalKombat ransomware and Laplas Clipper malware — have been actively scouting the internet and stealing cryptocurrencies from unwary investors.

Anti-malware vendor Malwarebytes highlighted two new malicious programs, propagated by unknown sources, that are actively targeting crypto investors on desktop systems.

Since December 2022, the two malicious files in question — MortalKombat ransomware and Laplas Clipper malware — have been actively scouting the internet and stealing cryptocurrencies from unwary investors, revealed the threat intelligence research team, Cisco Talos. The campaign’s victims are predominantly located in the United States, with a smaller percentage of victims in the United Kingdom, Turkey and the Philippines, as shown below.

Victimology of the malicious campaign. Source: Cisco Talos

The two pieces of malware work in tandem to scoop up information stored in the user’s clipboard, which is usually a string of letters and numbers copied by the user. The infection detects wallet addresses copied onto the clipboard and replaces them with a different address.

The attack relies on the user not noticing the substituted wallet address, which routes the cryptocurrency to the unidentified attacker. With no obvious target, the attack spans individuals and small and large organizations.
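The clipboard-substitution behaviour described above can be checked for from the defender’s side by comparing what was copied with what is later pasted. The following is an added example written for this article; it is not code from the Cisco Talos or Malwarebytes reports. It assumes only legacy base58check (P2PKH/P2SH) Bitcoin addresses, builds two demo addresses from arbitrary hash values, and runs over a constructed list of copy/paste events rather than a real clipboard.

```python
"""Clipboard-swap (clipper) check from the defender's side.

Added example, not code from the Cisco Talos or Malwarebytes reports.
A clipper replaces a wallet address the user copied with one the attacker
controls, so what gets pasted is a syntactically valid address that simply
differs from the one copied.  Each event below pairs what was copied with
what was later pasted; a pair is flagged only when both parse as Bitcoin
addresses and differ.  Assumptions: only legacy base58check (P2PKH/P2SH)
addresses are recognised, and the event list is constructed for the demo.
"""
import hashlib

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    """Base58 encode; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str):
    """Base58 decode; returns None if a character is outside the alphabet."""
    n = 0
    for ch in text:
        digit = _B58.find(ch)
        if digit < 0:
            return None
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def make_address(version: int, hash160: bytes) -> str:
    """Build a legacy address from a version byte and a 20-byte hash (demo only)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + _sha256d(payload)[:4])


def is_valid_btc_address(text: str) -> bool:
    """Well-formed legacy address: 25 bytes, known version byte, checksum matches."""
    raw = b58decode(text)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return _sha256d(raw[:21])[:4] == raw[21:]


def detect_swaps(events):
    """events: iterable of (copied, pasted). Returns the pairs that look swapped."""
    alerts = []
    for copied, pasted in events:
        if copied != pasted and is_valid_btc_address(copied) and is_valid_btc_address(pasted):
            alerts.append({"expected": copied, "pasted": pasted,
                           "reason": "copied address replaced by a different valid address"})
    return alerts


# Constructed demo addresses: the hash160 values are arbitrary, not real wallets.
USER_ADDRESS = make_address(0x00, bytes(range(20)))
ATTACKER_ADDRESS = make_address(0x00, bytes([0x11] * 20))

# Constructed clipboard events: benign paste, a swap, a typo that fails the checksum, plain text.
SAMPLE_EVENTS = [
    (USER_ADDRESS, USER_ADDRESS),
    (USER_ADDRESS, ATTACKER_ADDRESS),
    (USER_ADDRESS, USER_ADDRESS[:-1] + ("2" if USER_ADDRESS[-1] != "2" else "3")),
    ("meeting notes", "meeting notes"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

Only the second event is reported: the typo in the third event fails the base58check checksum, so it is a mistake rather than a substitution, and the last event is not an address at all. A real deployment would hook the clipboard and also recognise bech32 addresses, which this demo deliberately leaves out.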

Ransom notes shared by MortalKombat ransomware. Source: Cisco Talos

Once infected, the MortalKombat ransomware encrypts the user’s files and drops a ransom note with payment instructions, as shown above. Revealing the download links (URLs) associated with the attack campaign, Talos’ report stated:

“One of them reaches an attacker-controlled server via IP address 193[.]169[.]255[.]78, based in Poland, to download the MortalKombat ransomware. According to Talos’ analysis, 193[.]169[.]255[.]78 is running an RDP crawler, scanning the internet for exposed RDP port 3389.”

As explained by Malwarebytes, the “tag-team campaign” starts with a cryptocurrency-themed email containing a malicious attachment. When opened, the attachment runs a BAT file that downloads and executes the ransomware.
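The Talos quote above publishes its indicator in defanged form (193[.]169[.]255[.]78) and notes that the host scans for exposed RDP on port 3389. The following added example, not code from the Talos report or this article, shows how a defender turns that into a log check: it refangs the indicator and then flags any contact with the listed host in firewall-style log lines, labelling inbound hits on TCP 3389 separately. The log line format and every sample line are constructed for the example; the only indicator used is the one quoted above.

```python
"""Match the defanged indicator quoted from the Talos report against logs.

Added example, not code from the Talos report or this article.  Reports
defang addresses (193[.]169[.]255[.]78) so they cannot be clicked; a
detection rule needs the real form.  refang() restores it and scan_log()
flags any contact with a listed host over firewall-style log lines,
labelling inbound hits on TCP 3389 separately because the report says the
host scans for exposed RDP.  The log format and every log line below are
constructed for this example; the single IoC is the one quoted above.
"""
import re

DEFANGED_IOCS = ["193[.]169[.]255[.]78"]  # as quoted in the report


def refang(indicator: str) -> str:
    """Undo the usual defanging: '[.]' and '(.)' become '.', hxxp becomes http."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


# Constructed line format: <timestamp> <IN|OUT> proto=<p> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<dir>IN|OUT) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def scan_log(lines, iocs, rdp_port=3389):
    """Return [(line_no, reason)] for every line touching a listed host.

    Lines that do not match the format are skipped rather than reported,
    so a malformed line never silently counts as a hit or as clean data.
    """
    watch = {refang(i) for i in iocs}
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        f = match.groupdict()
        if f["dir"] == "OUT" and f["dst"] in watch:
            hits.append((number, f"outbound connection to listed host {f['dst']}:{f['dport']}"))
        elif f["dir"] == "IN" and f["src"] in watch:
            what = "RDP probe" if int(f["dport"]) == rdp_port else "connection"
            hits.append((number, f"inbound {what} from listed host {f['src']} to port {f['dport']}"))
    return hits


# Constructed sample log: 10.0.0.0/8 is the internal network, 203.0.113.7 a documentation address.
SAMPLE_LOG = [
    "2023-02-14T10:01:02Z OUT proto=tcp src=10.0.0.12:51344 dst=203.0.113.7:443",
    "2023-02-14T10:02:15Z OUT proto=tcp src=10.0.0.12:51390 dst=193.169.255.78:80",
    "2023-02-14T10:05:40Z IN proto=tcp src=193.169.255.78:44120 dst=10.0.0.5:3389",
    "2023-02-14T10:06:00Z IN proto=tcp src=193.169.255.78:44121 dst=10.0.0.5:443",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for number, reason in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {number}: {reason}")
```

Lines 2, 3 and 4 are reported; the outbound hit on line 2 is the download stage the report describes, and the inbound hit on line 3 is singled out as an RDP probe. The malformed last line is skipped rather than treated as clean, which is the behaviour to want when a log source changes format under you.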

Thanks to the early detection of malicious software with high potential, investors can proactively prevent this attack from impacting their financial well-being. As always, Cointelegraph advises investors to perform extensive due diligence before investing, while ensuring the official source of communications. Check out this Cointelegraph Magazine article to learn how to keep crypto assets safe.

Related: US Justice Department seizes website of prolific ransomware gang Hive

On the flip side, as ransomware victims continue to refuse extortion demands, ransomware revenues for attackers plummeted 40% to $456.8 million in 2022.

Total value extorted by ransomware attackers between 2017 and 2022. Source: Chainalysis

While revealing the information, Chainalysis noted that the figures don’t necessarily mean the number of attacks is down from the previous year.

US Justice Department seizes website of prolific ransomware gang Hive

The group is known to have targeted critical infrastructure, healthcare providers and more over the past two years.

According to United States Federal Bureau of Investigation Director Christopher Wray on Jan. 26, international law enforcement groups have dismantled the infamous Hive cryptocurrency ransomware gang. He claimed that the operation has recovered over 1,300 decryption keys for victims since July 2022 and prevented $130 million in ransomware payments. Officials raised the example of one incident where a Hive ransomware attack on a Louisiana hospital was thwarted by law enforcement, saving the victim from a $3-million ransom payment.

Hive’s servers were reportedly seized Wednesday night in an international law enforcement effort between U.S. authorities, the German Reutlingen Police Headquarters, the German Federal Criminal Police, the Netherlands National High Tech Crime Unit and Europol to track ransom payments, return them to victims and dismantle the network’s infrastructure.

Hive network dark web address has been taken down by law enforcement. Source: Twitter

The organization had been infiltrated by undercover agents since July 2022. As told by Wray, law enforcement gained “clandestine, persistent” access to Hive’s control panels since that time and had been secretly helping victims recover their assets and locked devices unbeknownst to Hive. 

Hive was behind a series of notorious ransomware incidents, such as the April-to-May 2022 Costa Rica public health service and social security fund cyberattack. The group locked key digital infrastructure and demanded $5 million in Bitcoin (BTC) ransom payments for the restoration of services. Over 4,800 individuals reportedly missed their medical appointments in the first few days following the attack. Despite the successful enforcement action, Wray also warned:

“Unfortunately, during these past seven months, we found that only about 20% of Hive’s victims reported potential issues to law enforcement. Here, fortunately, we were still able to identify and help many victims who didn’t report in. But that is not always the case. When victims report attacks to us, we can help them — and others, too.”

Enforcement goes on with Bitzlato action: Law Decoded, Jan. 16–23

Anatoly Legkodymov, founder of China-based crypto firm Bitzlato, was arrested under suspicion of money laundering related to illicit Russian finance.

The good news of the last week is that Bitcoin (BTC) has continued to rebound, making around 10% up from Jan. 16 to Jan. 23. But the worrying trend of crypto companies making headlines due to their troubles with the law has yet to change.

The United States Department of Justice launched a “major international cryptocurrency enforcement action” against China-based crypto firm Bitzlato and arrested its founder, Anatoly Legkodymov. The department considers Bitzlato to be a “primary money laundering concern” connected to Russian illicit finance. While the exchange attracted little attention until the DOJ action, it had reportedly received $206 million from darknet markets, $224.5 million from scams and $9 million from ransomware attackers.

The United States Financial Crimes Enforcement Network stated that crypto exchange Binance was among the “top three receiving counterparties” of Bitzlato in terms of Bitcoin transactions. However, it didn’t mention Binance as being among the top sending counterparties.

The United States Securities and Exchange Commission has followed the Commodity Futures Trading Commission in filing parallel charges against the crypto user allegedly behind the multimillion-dollar exploit of decentralized exchange Mango Markets. Avraham Eisenberg is accused of manipulating Mango Markets’ MNGO governance token to steal roughly $116 million worth of cryptocurrency from the platform.

Iran and Russia want to issue new stablecoin backed by gold

The Central Bank of Iran is reportedly cooperating with the Russian government to jointly issue a new cryptocurrency backed by gold. The “token of the Persian Gulf region” would serve as a payment method in foreign trade. The stablecoin aims to enable cross-border transactions instead of fiat currencies like the United States dollar, the Russian ruble or the Iranian rial. Reportedly, the potential cryptocurrency would operate in a special economic zone in Astrakhan, where Russia started to accept Iranian cargo shipments.


EU postpones final vote on MiCA for the second time

The final vote on the European Union’s much-awaited set of crypto rules, the Markets in Crypto Assets (MiCA) regulation, was deferred to April 2023. It marks the second delay in the final vote, which was previously postponed from November 2022 to February 2023. The latest delay is due to a technical issue where the official 400-page document couldn’t be translated into the 24 official languages of the EU. Legal documents like the MiCA, which are drafted in English, must comply with EU regulations and be published in all 24 official languages of the union.


Japanese regulators want crypto treated like traditional banks

“If you like to implement effective regulation, you have to do the same as you regulate and supervise traditional institutions,” said the deputy director-general of Japan’s Financial Services Agency’s Strategy Development and Management Bureau, Mamoru Yanase. The official added that countries “need to firmly demand” consumer protection measures from crypto exchanges, also asking for money laundering prevention, strong governance, internal controls, auditing and disclosure for crypto brokerages.


Further reads

Going cashless: Norway’s digital currency project raises privacy questions

FTX fallout: SBF trial could set precedent for the crypto industry

Crypto to play “major role” in UAE trade, according to its foreign trade minister

Central African Republic eyes legal framework for crypto adoption

Cybercrooks to ditch BTC as regulation and tracking improves: Kaspersky

The cybersecurity firm predicted that crypto-related cybercrime won’t slow down in 2023, but it will move on from Bitcoin as a source of payment.

Bitcoin (BTC) is forecast to become a less enticing payment choice for cybercriminals as regulations and tracking technologies improve, thwarting their ability to move funds safely.

Cybersecurity firm Kaspersky in a Nov. 22 report noted that ransomware negotiations and payments would rely less on Bitcoin as a transfer of value as an increase in digital asset regulations and tracking technologies will force cybercriminals to rotate away from Bitcoin and into other methods.

As reported by Cointelegraph, ransomware payments using crypto topped $600 million in 2021, and some of the biggest heists, such as the Colonial Pipeline attack, demanded BTC as a ransom.

Kaspersky also noted that crypto scams have increased along with the greater adoption of digital assets. However, it said that people have become more aware of crypto and are less likely to fall for primitive scams such as Elon Musk-deepfake videos promising huge crypto returns.

It predicted malicious actors will continue trying to steal funds through fake initial token offerings and nonfungible tokens (NFTs), and crypto-based theft such as smart contract exploits will become more advanced and widespread.

2022 has largely been a year of bridge exploits with more than $2.5 billion already pilfered from them as reported by Cointelegraph.

The report also noted that malware loaders will become hot property on hacker forums as they are harder to detect. Kaspersky predicted that ransomware attackers may shift from destructive financial activity to more politically-based demands.

Related: Hackers keeping stolen crypto: What is the long-term solution?

Back to the present, the report noted an exponential rise in 2021 and 2022 of “infostealers” — malicious programs that gather information such as logins.

Cryptojacking and phishing attacks have also increased in 2022 as cybercriminals employ social engineering to lure their victims.

Cryptojacking involves injecting malware into a system to steal or mine digital assets. Phishing is a technique using targeted emails or messages to lure a victim into revealing personal information or clicking a malicious link.

US Treasury sanctions Iran-based ransomware group and associated Bitcoin addresses

The Office of Foreign Asset Control sanctioned 7 Bitcoin addresses allegedly connected to Iranian nationals Ahmad Khatibi Aghada and Amir Hossein Nikaeed Ravar.

The United States Treasury Department’s Office of Foreign Asset Control has added 10 individuals, 2 entities, and several crypto addresses allegedly tied to an Iranian ransomware group to its list of Specially Designated Nationals, effectively making it illegal for U.S. persons and companies to engage with them.

In a Wednesday announcement, the U.S. Treasury said the individuals and companies in the ransomware group were affiliated with Iran’s Islamic Revolutionary Guard Corps, a branch of the country’s military. The group allegedly “conducted a varied range of malicious cyber-enabled activities,” including compromising the systems of a U.S.-based children’s hospital in June 2021 and targeting “U.S. and Middle Eastern defense, diplomatic, and government personnel.”

OFAC listed 7 Bitcoin (BTC) addresses allegedly connected to 2 of the Iranian nationals — Ahmad Khatibi Aghada and Amir Hossein Nikaeed Ravar — as part of its secondary sanctions. According to the Treasury Department, Khatibi has been associated with technology and computer services firm Afkar System — one of two entities sanctioned in the same announcement — since 2007. The department alleged Nikaeed “leased and registered network infrastructure” to assist the ransomware group.

“Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board — directly threatening the physical security and economy of the United States and other nations,” said Brian Nelson, undersecretary of the Treasury for Terrorism and Financial Intelligence. “We will continue to take coordination action with our global partners to combat and deter ransomware threats.”

The notice came as the Justice Department announced an indictment against Khatibi, Nikaeed and Mansour Ahmadi — also one of the individuals listed in OFAC’s sanctions — for allegedly “orchestrating a scheme to hack into the computer networks” of entities and individuals in the United States, including the attacks cited by the Treasury. According to the Justice Department, the Iranian ransomware group targeted a New Jersey-based accounting firm in February 2022, having Khatibi demand $50,000 in cryptocurrency in exchange for not selling the company’s data on the black market.

Related: Monero’s crypto of choice as ransomware ‘double extortion’ attacks increase 500%

On Aug. 8, OFAC added more than 40 cryptocurrency addresses connected to controversial mixer Tornado Cash to its list of Specially Designated Nationals, prompting criticism from many figures in and out of the space. Treasury clarified on Tuesday that U.S. persons and entities were not prohibited from sharing Tornado Cash’s code, but also required a special license to complete transactions initiated before the sanctions were imposed or make withdrawals.

FBI seeks Bitcoin wallet information of ransomware attackers

The FBI, along with two other federal agencies, CISA and MS-ISAC, asked U.S. citizens to report information that helps track the whereabouts of the hackers.

Three federal agencies in the United States — the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center — jointly issued an advisory seeking information to curb ransomware attacks. 

As part of the #StopRansomware campaign, the joint cybersecurity advisory alerted citizens of Vice Society, a ransomware-type program that encrypts data and demands ransom for decryption.

The trio anticipates a spike in ransomware attacks, primarily aimed at educational institutions, adding that “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.”

While proactive measures remain vital to counter ransomware, the FBI asked US citizens to report information that helps track the whereabouts of the hackers. Some key information the FBI seeks includes Bitcoin (BTC) wallet information, ransom notes and IP addresses linked to the attacker.

Using wallet addresses, authorities can trace illicit transactions on Bitcoin’s immutable blockchain without worrying about the trail going cold.

While Bitcoin enables frictionless cross-border transactions, most attackers prefer using fiat currencies to fund their illicit activities. It was also found that only 0.15% of activity on blockchains in 2021 was crime-related, which has been going down consistently year over year.

Moreover, the three federal agencies strongly discourage Americans from paying ransom “as payment does not guarantee victim files will be recovered.” Individuals affected by ransomware attacks can report the details by visiting a local FBI office or through official communication channels.

Related: Crypto app targeting SharkBot malware resurfaces on Google app store

The Dutch Public Prosecution Service recently tracked down crypto wallets associated with a ransomware attack on Netherlands-based Maastricht University (UM).

In 2019, a ransomware hack froze all assets of UM, such as research data, emails and library resources. UM later agreed to pay the hacker’s demand of €200,000 (or $198,760) in BTC, which is currently valued at roughly €500,000 (or $496,900).

‘Cryptojacking’ rises 30% to record highs despite crypto slump: Report

Cryptojacking has become a lucrative choice for cybercriminals as many victims are unaware they have been compromised.

New research shows that despite falling digital asset prices, cryptojacking has reached record levels in the first half of 2022.

According to a mid-year update on cyber threats by American cybersecurity company SonicWall, global cryptojacking volumes rose by $66.7 million, or 30%, in the first half of 2022 compared with the same period last year.

Cryptojacking is a cybercrime whereby malicious actors commandeer a victim’s computer resources by infecting the machine with malware designed to mine cryptocurrencies. It is often executed through vulnerabilities in web browsers and extensions.

Source: SonicWall

The report stated that the overall rise in cryptojacking can be attributed to a couple of factors.

Firstly, cybercriminals are leveraging the Log4j vulnerability to deploy attacks in the cloud. In December 2021, a critical vulnerability was discovered in Log4j, a Java-based logging utility in an open-source library maintained by Apache. Hackers can exploit it to gain remote access to a system.

Secondly, cryptojacking is a lower-risk attack than ransomware, which must announce itself to the victim to succeed. Cryptojacking victims are often unaware that their computers or networks have been compromised.

Finance sector beware

Attackers also appeared to have changed their preferred targets during the period, moving from the government, healthcare and education sectors to the retail and financial sectors.

Cryptojacking attacks targeting the finance sector skyrocketed 269% in the period, more than five times greater than the second highest industry, retail, which saw attacks increase by 63%.

“The number of attacks on the finance industry is five times greater than the second highest industry — retail, which used to be at the very bottom of the list,” the researchers noted.

Related: Monero’s crypto of choice as ransomware ‘double extortion’ attacks increase 500%

The researchers, however, noted that the volume of cryptojacking attacks began to fall alongside the crypto markets in the first half of the year, as attacks were becoming less lucrative.

They observed a pattern of significantly higher volumes in the first quarter, followed by a “cryptojacking summer slump” in Q2. The firm said that, based on past trends, Q3 volumes will likely also be low, with attacks likely to pick up again in Q4.

This year’s summer decline has also been attributed to a fall in crypto asset prices, as markets have shrunk by 57% since the beginning of the year.

Dutch University set to recover more than twice the paid BTC ransom in 2019

The university reluctantly paid €200,000 in Bitcoin in December 2019 to avoid losing critical research data and resources.

Netherlands-based Maastricht University (UM) is set to recover nearly €500,000 ($512,150) worth of Bitcoin (BTC) after police authorities managed to solve the infamous ransomware attack of December 2019.

In 2019, a ransomware hack targeted the university and froze all its research data, emails and library resources. The hackers demanded €200,000 in BTC and the university, fearing the loss of critical research data, decided to pay that amount.

The Dutch Public Prosecution Service (DPPS) managed to track down one of the crypto wallets associated with the hack in 2020 to Ukraine and froze funds in the account valued at only €40,000 at the time. In the next two years, the DPPS managed to secure the contents of the account, including nearly one-fifth of the stolen BTC.

The value of the partial ransom recovered by the authorities has reached €500,000, more than double the amount the university paid two and a half years ago, thanks to the price surge of the top cryptocurrency during the bull run in 2021.

Related: Chainalysis launches reporting service for businesses targeted in crypto-related cyberattacks

The university in its official statement said that even though the monetary value of the recovered ransom is higher, it cannot undo the damages done by hackers. The university in an official blog post said:

“The Netherlands Public Prosecution Service was able to seize cryptocurrencies worth approximately €500,000, which may be made available to UM. This is still less than the damages incurred by the university, but it is a nice sum to be used to support students in need.”

The seized funds are currently with the DPPS and a legal proceeding has been initiated to transfer the funds to the university. The executive board of the university has decided to utilize the recovered funds to help students in financial need.

The seizure of crypto funds by authorities highlights the importance of the decentralized and transparent public ledger system used by BTC and crypto in general. While critics often portray crypto as an opaque and anonymous system preferred by criminals, research data indicate that less than 1% of current crypto in circulation is associated with illicit activities.

Even stolen and ransom crypto funds are often tracked down and recovered. For example, the United States authorities managed to recover $2.3 million in crypto from the Colonial Pipeline ransom.