According to Binance’s chief security officer, a “well-established” ecosystem of hackers is active on the dark web and targets cryptocurrency users with poor “security hygiene.”
According to Jimmy Su, CSO of Binance, hackers have turned their attention in recent years to crypto end users.
Su added that the team witnessed numerous hacking attempts on Binance’s internal network when it originally launched in July 2017. The focus has changed, though, as cryptocurrency exchanges have worked to strengthen their security.
Hackers always set the lowest bar possible since, to them, it’s also a business. The ecosystem of the hacker community is well-established.
Su claims that this ecosystem is made up of four distinct levels, including money launderers, hackers, data refiners, and intelligence gatherers.
Data gatherers
Su referred to this layer as “threat intelligence,” which is the most upstream. Here, criminals gather and compile stolen information about cryptocurrency users, building full spreadsheets with information about various people.
This might include the user’s name, the email addresses they use, the crypto websites they frequently visit, and whether they use social media or Telegram.
Su stated in a May interview that there is a market for this on the dark web where this information that describes the user is sold.
Su pointed out that this information is frequently collected in bulk, such as via past customer information leaks or hacks that target other companies or platforms.
Cybercriminals were selling compromised cryptocurrency accounts for as little as $30 each, according to a study paper published in April by Privacy Affairs. The dark web also sells forged documents, which are frequently used by hackers to register accounts on cryptocurrency trading platforms.
Data refiners
Su claims that after being collected, the data is then sold to a different entity, typically one that consists of data engineers who are experts in data filtering.
Consider the data set for Twitter users from the previous year. They can further improve it using the data there to determine which tweets are genuinely related to cryptocurrency based on the tweets.
Following that, these data engineers will employ “scripts and bots” to determine which exchanges the crypto enthusiast might be registered with.
They attempt to create an account using the user’s email address to accomplish this. If they utilize the exchange, they will be aware if they receive a message stating that the address is already in use. Su said that this knowledge could be useful to more targeted schemes.
Hackers and phishers
Typically, headlines are generated by the third layer. Hackers or phishing con artists will use the previously refined data to produce “targeted” phishing assaults.
Now that they are aware that “Tommy” uses exchange “X,” they can simply send an SMS to him saying, “Hey Tommy, we noticed $5,000 was withdrawn from your account. If it wasn’t you, please click this link to contact customer service.
Trezor, a company that makes hardware wallets, alerted its customers to a phishing assault in March that required users to enter their wallet recovery phrase on a phoney Trezor website in order to steal investors’ money.
Attackers under the guise of Trezor would contact victims by phone, text, or email and tell them that their Trezor account had experienced a security breach or that there had been other suspicious behavior.
Getting away with it
The final phase is escaping with the heist after the money has been taken. Su noted that in order to do this, the money might need to sit dormant for years before being transferred to a cryptocurrency mixer like Tornado Cash.
Groups that we are aware of have been known to remain motionless for two to three years after receiving their stolen goods, Su continued.
Though there isn’t much that can be done to deter cryptocurrency hackers, Su advises consumers to improve their “security hygiene.”
Decentralized financial projects may need to have their rights revoked if they stop using them, or it may be necessary to ensure that two-factor authentication communication channels like email and SMS are kept private.
