Full Metal Cryptojacket

February 28, 2018

By: James Trusty

In retrospect, it all seems so predictable. International capitalism creates virtual currencies. Banks are avoided. Millennials hail a new world order of anonymous or nearly untraceable market transactions. Numerous parties and exchanges hold on to large quantities of virtual currencies. But then the bad guys show up. And I’m not talking about the regulators.

Last month, in what looks like the biggest cryptocurrency breach in history, hackers stole over $534 million in NEM coins from the Japan-based exchange Coincheck. In 2014, $430 million in Bitcoin disappeared, and just a couple of months before the NEM theft, $70 million in Bitcoin was taken during a mining operation. Yes, that’s right – mining. The scale and techniques involved in this form of virtual bank robbery are evolving by the minute. Mining operations involve large amounts of processing functionality and power usage to “drill down” and remove virtual currencies from host electronic devices. The latest incarnation of these efforts is truly out of a science fiction novel – cryptojacking.

Cryptojacking takes these mining operations to the next step – remote control robbery. The jackers send malware that takes over the tablet, phone, or computer being victimized, using the device’s CPU to host the mining. Different vulnerabilities can be exploited, and the malware scripts are apparently pretty good at finding that weak password or creating that plausible email link to use. In the case of a cryptojacked water utility company in Europe, the CPU usage was so profound that the normal functions of the utility – like switching on or off major water arteries – were sluggish in response. If your device starts draining energy like a broken hourglass leaking sand or becomes hot enough to fry an egg on its cover, you might be unwittingly hosting a cryptojacking. Shudder to think about a cryptojacking’s effect on a dam or nuclear power plant CPU.

There is a certain economy of scale in going after currency exchanges rather than the individual holders, so most of the protection to fight off these robbers will likely come from there. Those exchanges will have every incentive to develop countermeasures and make them available so we do not have more stories of hijacked water utilities. As to individuals, the best guidance appears to be the same old stuff we have heard (and yeah, ignored) for years – do not open emails from strangers, avoid unusual links, keep changing your password, and make it complex. Aside from that, keeping the assets in software or hardware wallets will help, although the best mining operations are drilling right into those wallets.[1]

Virtual currencies are basically like the marked bills at the bank. So, the bank robbers should have a hard time getting away with spending the proceeds. Virtual currency transactions are public, and Coincheck has located and published 11 online addresses where more than 90% of the stolen coins reside. But, not surprisingly, the addresses do not actually identify account holders. Not to be outdone, Coincheck tagged the accounts with notice that the account holders are hackers and they have even created a tracking tool to allow exchanges to automatically reject stolen funds.[2] But, in this endlessly complex Spy vs. Spy world of techno-battling, the bad guys may still end up succeeding in spending the stolen money by using either cryptocurrency trading platforms that do not require personal data or “tumbler” services that could anonymize at least some smaller cash-outs of stolen NEM currency. It’s the same money laundering dilemma that bank robbers and drug dealers face – possessing a whole bunch of currency while having a need to transform it into an apparently clean asset. The Pablo Escobar option of simply burying millions of dollars to buy time does not yet appear to have a computer-based equivalent, but… check back with me next week.

[1] How to Steal $500 Million in Cryptocurrency, Fortune (Jan. 31, 2018), http://fortune.com/2018/01/31/coincheck-hack-how.

[2] Inside the World’s Biggest Cryptocurrency Hack – and How the Scammers Pulled it Off, Time (Jan. 29, 2018), http://time.com/money/5123018/coinchec-nem-hack-how-the-hackers-pulled-it-off.

James Trusty

After 27 years as a prosecutor, James (“Jim”) Trusty brings to Ifrah Law extensive experience in complex, multi-district white collar litigation, especially in matters involving RICO, The Computer Fraud and Abuse Act, and The Money Laundering Control Act of 1986.
