Crypto Hacker Groups Get More Sophisticated, Exchanges and Authorities Fight Back


The crypto world has an unflattering history of security breaches, and today hacker groups are relentless in targeting investors and exchanges. So far this year, tens of millions of dollars in digital coins have been stolen from retail investors and holders.

Although the situation looks bleak, the authorities and cryptocurrency trading platforms are getting better at stopping cybercriminals and thwarting hacking attempts.

Hackers Aged Between 18 and 26 Arrested for Stealing over $50 Million in Crypto

A recent New York Post report has revealed that crypto investors have become easy targets for cybercriminals due to a combination of social engineering and digital identity theft techniques.

It highlights that SIM swapping has become a preferred mode of operation among a younger generation of social media and crypto hackers. Cryptocurrency investor Michael Terpin recently fell victim to such a scheme after his phone identity was taken over remotely.

A hacker syndicate was able to move his phone number onto a blank SIM under their control. They gained access to his email addresses using the “forgotten password” reset feature and within minutes blitzed through his accounts to retrieve his crypto wallet private keys. The heist netted them over $20 million.

The SIM swapping tactic is believed to have its roots in gaming chat rooms on Discord, an app gamers use to converse while playing. The strategy is believed to have emerged a few years ago after tech-savvy gamers banded together to figure out ways of taking over popular Twitter and Instagram handles. Some were sold for over $30,000.

According to an investigator who spoke to the New York Post, it is likely that a social media hacker came across a crypto wallet key by chance while on a hacking spree and struck it big. He has likely targeted crypto investor accounts ever since.

The young hackers apparently live exceedingly lavish and flashy lifestyles. Chris David, a private jet broker, revealed the following about 21-year-old Nicholas Truglia, a suspect in a SIM swapping hacking case. “Nick told me that [the cash] bundle contained over $100,000. At the same time, Nick showed me two thumb drives. One had over $40 million cash value of various cryptos.”

21-year-old Nicholas Truglia, a suspect in a SIM swapping hacking case. (Image Credit: Daily Mail)

The suspect lived in a $6,000 a month apartment and had expensive jewelry including a $100,000 Rolex.

The scams are said to have begun in March 2018, with Mitch Liu, a Californian executive, among the first victims. He lost some $10,000 to fraudsters.

Law enforcement units have upped their game to counter this type of crime and now use the phone’s IMEI (International Mobile Equipment Identity) as well as advanced geo-tracking technology to find a suspect’s location. The technology can also be used to pinpoint a hacker’s location via his email address, since the connection to the nearest telecommunication mast usually betrays a hacker’s whereabouts.

In one case, the authorities were able to trace an email address to a suspect named Joel Ortiz. They were able to log into his email accounts and review his social media posts. An announcement on one of his pages about attending an electronic dance music conference in Belgium prompted the police to move in and make the arrest. He was apprehended at Los Angeles International Airport.

Ortiz is suspected of having pilfered over $7.5 million worth of crypto and was recently sentenced to ten years in prison after pleading no contest to a list of felony charges. The bust was a major victory for the law enforcement agencies involved in the investigation.

The REACT unit, composed of law enforcement agents in the Bay Area, was credited with the arrest. The team was set up to curb cybercrime in Silicon Valley.

Some victims of such crimes have decided to sue carrier companies for allowing SIM-swapping to be executed without consent, but the legal guidance on this is still murky.

Crypto Exchanges Coordinate Crypto Assets Freeze

Crypto exchanges have traditionally been preferred by sophisticated hacker groups because the payoff is typically huge. The biggest cryptocurrency theft in history led to billions of dollars in losses.

Tens of exchanges have been targeted by hackers in recent months. Among them is Singapore’s DragonEx which recently suffered a breach. Approximately $7 million worth of cryptocurrencies was siphoned off the platform by hackers.

The exchange had initially stated that it was “upgrading its systems” before finally admitting to being hacked. It offered the following statement in the aftermath of the incident.

The exchange had initially stated that it was “upgrading its systems” before finally admitting to being hacked. (Image Credit: Twitter)

“After tracking and investigation, DragonEx found that part of the funds has flowed into other exchanges. DragonEx has been working on retrieving back more assets and communicating with the leaders of those exchanges for more support.”

The management stated that normal operations would resume once a preliminary investigation was complete and a compensation scheme was agreed upon.

Another crypto exchange, Bithumb, also recently suffered a breach. The hacking incident led to a loss of about $18 million in digital assets. This is the second successful intrusion in two years. In June 2018 malicious actors were able to steal around $30 million worth of cryptocurrencies.

Customers’ funds were unaffected in the latest attempt, but those belonging to the exchange were stolen. Bithumb recently disclosed that the theft may have been an inside job, although investigators have yet to determine the actual perpetrators of the attack. The following was the statement issued by the company.

“As a result of the internal inspection, it is judged that the incident is an ‘accident involving insiders.’ Based on the facts, we are conducting intensive investigations with KISA, Cyber Police Agency and security companies. At the same time, we are working with major exchanges and foundations and expect to recover the loss of the cryptocurrency equivalent.”

The exchange temporarily disabled deposits and withdrawals as investigations commenced. Industry analysts following the digital money trail soon revealed that a significant portion of the stolen funds had been transferred to ChangeNow by hackers.

Primitive Ventures co-founder Dovey Wan was among the first to break the news, tweeting: “Hacker has been disposing of the stolen EOS via ChangeNow, a non-custodial crypto swap platform that does not require KYC/account.”

ChangeNow soon issued a statement announcing that it had temporarily disabled deposits and withdrawals on the platform pending an investigation. Wallets suspected of being involved in the scheme were also frozen.

The hacker also transferred some crypto assets to Exmo, Huobi, KuCoin, CoinSwitch, HitBTC, Changelly, and Binance. The platforms subsequently stopped the assets from being moved.

Cybercriminals Launch More Sophisticated Hacking Attacks

Hackers continue to develop more sophisticated hacking and obfuscation techniques to carry out incredibly audacious heists. The infamous Lazarus Group alone has reportedly stolen over a billion dollars in cryptocurrencies within the past year and apparently uses sophisticated malware and advanced obfuscation systems to exploit the budding industry.

A recent attempt unearthed by Kaspersky revealed that the syndicate had modified the code of seemingly legitimate crypto exchange software and bundled it with fake verification certificates to bypass security checks.

The malware was not directly present in the software; instead, its updater had been configured to download the payload remotely at a later date. The trojanized application was developed to work on both macOS and Windows.

Common Techniques Used by Hackers to Illicitly Obtain Cryptocurrencies

Clipboard Hijackers

A strain of malware commonly referred to as “crypto clipboard hijackers” is widely used to divert funds from users of exchanges and wallets. The malware hides among Windows processes and replaces a copied wallet address with one controlled by the hackers.

The malicious software monitors clipboard operations to detect cryptocurrency wallet addresses and, once one is detected, silently swaps it for the attacker’s address. Double-checking the pasted address before sending and using reliable anti-malware solutions usually helps thwart this type of attack.

Some types of malware have been found to monitor over 2 million virtual wallet accounts.
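The detection idea from the clipboard hijacker section, as an added example that is not part of the original article: a small heuristic that scans a log of clipboard updates and flags a wallet address being replaced by a different address of the same kind almost immediately, which a person rarely does by hand but a hijacker does as soon as it sees an address. The event log, process names and address patterns below are constructed for illustration; the patterns are approximate and meant for triage, not full address validation.

```python
import re

# Approximate patterns for two common address formats (triage only, not full validation).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

# Constructed sample clipboard event log: (seconds, process owning the clipboard, new text).
# On Windows the owning window can be read with GetClipboardOwner(); the names are made up.
SAMPLE_EVENTS = [
    (0.0, "notepad.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
    (0.3, "unknown_proc.exe", "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),  # swapped
    (5.0, "notepad.exe", "meeting notes for Friday"),
    (9.0, "chrome.exe", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (40.0, "chrome.exe", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # user copied another one
]

def detect_swaps(events, window=2.0):
    """Flag an address replaced by a different address of the same kind within `window` seconds."""
    alerts = []
    previous = None  # (ts, owner, text, kind) of the last address-like clipboard entry
    for ts, owner, text in events:
        text = text.strip()
        kind = address_kind(text)
        if kind is None:
            previous = None  # non-address content breaks the chain
            continue
        if (previous is not None and previous[3] == kind
                and previous[2] != text and ts - previous[0] <= window):
            alerts.append({
                "kind": kind, "copied": previous[2], "replaced_with": text,
                "delay_s": round(ts - previous[0], 3), "rewriting_process": owner,
            })
        previous = (ts, owner, text, kind)
    return alerts

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

The `rewriting_process` field is the triage lead: a process that rewrites the clipboard right after an address is copied is the one to inspect.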

Phishing Site Scam

Hackers have used phishing scams to defraud users for decades, and cryptocurrency hackers continue to exploit this technique by sending fake notification emails to holders. The emails are usually designed to trick users into entering their private keys.

Deceptive messages usually alert crypto users to a supposed hacking attempt on their account and prompt them to change their password. Upon entering the “old password”, the keys are relayed to the fraudsters, who then transfer the funds to their own wallets.

The spoofed address usually resembles that of the legitimate site, for example, [email protected]. Users are therefore advised to exercise due diligence if they happen to receive notifications related to their crypto account.

Email Hacking

Email hacking has been around for a long time, and with the growing popularity of social media and networking platforms, it has become easier for cybercriminals to target crypto users.

Hackers usually use social media platforms to find and target crypto investors and holders based on the types of posts they share and the topics they engage in, and then try to obtain their email address. Access to one account is likely to lead to other addresses belonging to the victim.

Others belonging to associates involved in the sector are also included in the scheme. Hacked email accounts can be used to reset virtual wallet passwords.

Illicitly acquired digital assets are in many cases sold on exchanges with lax KYC policies or laundered via dark web marketplaces.

The latter option is actually the less reliable of the two, because it is hard to find a buyer with, say, $20 million in fiat to trade for crypto. There is simply very little fiat liquidity in this market segment available for such trades.

Two-factor authentication is one way of securing an email account against hacking attempts. It is however not the last word when it comes to email security. As previously mentioned, SIM swapping is a common tactic used to bypass this procedure.

Browser Extensions

Some malicious browser add-ons have access to sensitive data, including user crypto accounts and keys. Most appear to perform legitimate tasks such as blocking ads. To date, over 2 billion user credentials have been stolen by hackers this way, and these databases continue to be sold on underground hacker forums.

Some browser add-ons also have embedded cryptocurrency mining scripts that consume CPU power. In April last year, Google banned all cryptocurrency mining extensions from the Chrome Web Store after a sharp increase in malicious add-ons. Google issued the following statement in regard to this.

“Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior.

Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.”

Social Media Scams

Hackers have continued to grow their social media hacking arsenal. Slack bots, for example, have in the past been used to target investor channels. Hackers have used them to distribute spoofed messages designed to swindle investors. The notifications usually ask members to send funds to an ICO crypto wallet, but the address provided is actually controlled by fraudsters.

The Aventus incident is among the most notable episodes involving this technique. Investors were notified by a Slack bot about an Aventus presale. Members were asked to send funds in Ethereum to an account controlled by cybercriminals. About 40 ETH was stolen from 15 community members.

Twitter is another platform that has had its fair share of crypto scams. In the recent past, scammers have taken over popular accounts to lure users into fake giveaways. Community members are usually asked to send funds and are promised returns of several times their initial investment.

In the recent past, Club 8’s Twitter account was hijacked and altered to resemble Telegram CEO Pavel Durov’s. The social media handle belonging to the Swedish band was used to solicit funds from fans through a fake giveaway.

The fraudsters were able to get approximately 1 bitcoin in a few minutes from victims.

Cryptojacking

Cryptojacking has for a long time now topped the list of cybersecurity threats. In many cases, mining code is placed on web pages to covertly harness a visitor’s computer resources for the purpose of mining digital currencies.

A recent case involving two Romanian hackers, Bogdan Nicolescu, 36, and Radu Miclaus, 37, shone a light on the inner workings of a sophisticated network that was able to control over 400,000 computers for this purpose. The hackers were also able to steal sensitive user information such as credit card details from the hacked machines, which they then sold on dark web marketplaces.

According to court documents, “They used the stolen credit card information to fund their criminal infrastructure, including renting server space, registering domain names using fictitious identities and paying for Virtual Private Networks (VPNs) which further concealed their identities.”

Advanced Cryptojacking Malware Used to Target Asian Enterprises

The recent closure of CoinHive, a developer of website-based cryptojacking code, is said to have led to an 80 percent decline in cryptojacking incidents.

Even so, cybercriminals are still using malware to mine cryptocurrencies. According to a recent Microsoft Korea report, South Korea is still grappling with these types of attacks. The company revealed this during a recent conference in Seoul.

According to the firm’s security program manager, Kim Gwi-ryun, cryptojacking threats rise and fall in lockstep with overall cryptocurrency market price movements. They increase sharply during positive price movements and decrease once cryptocurrencies drop in value.

According to Symantec, Beapy, a file-based miner, is now being used to target enterprise networks in China, Japan, South Korea, and Vietnam. It utilizes an EternalBlue exploit to spread and DoublePulsar to create a remote access backdoor on infected machines. The malware then downloads and installs the coinminer. Last year, South Korea blamed its northern neighbor for such attacks.

(Featured Image Credit: Pixabay)


Legal Disclaimer

CoinCentral’s owners, writers, and/or guest post authors may or may not have a vested interest in any of the above projects and businesses. None of the content on CoinCentral is investment advice nor is it a replacement for advice from a certified financial planner.