Cryptocurrencies: An Aladdin’s Cave for Cybercriminals

Cryptocurrency has seen a surge of interest and funding in recent years but this quickly evolving market is just as susceptible to cyber-attacks and scams as conventional banking but in many cases without the same scrutiny and standards.

In many ways, traditional cyber threats remain just as applicable to crypto, said Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center (FS-ISAC). Walsh said such threats include malware-laden phishing, social engineering and attempts to steal login credentials.

“While banks have numerous ways to detect fraudulent connections and prevent account takeovers, the same level of anti-fraud detections are not always in place for crypto exchanges/wallets,” she explained. “Additionally, accounts are not always insured, cutting off a major avenue to restore stolen funds.” 

To protect their investments, potential investors in crypto “should always take the time to understand the security and insurance parameters in place”, she added.

Crypto does not adhere to the Know Your Customer (KYC) standards prevalent in banks, Walsh said, creating more opportunity for hackers to operate.

“Additionally, anti-money laundering standards are not always present, and ease of transfers allows money to move both quicker and quieter. In response, companies are implementing more KYC and cybersecurity measures to mitigate attacks,” she added.

Konstantinos Mokos, senior content engineer at Hack The Box, said that with cryptocurrencies revolving around decentralisation and anonymity, “they are an Aladdin’s cave for cybercriminals.”

When a cybercriminal gains access to crypto assets, their first move will be to transfer the funds into a different account, where their physical identity will be hard to identify. “This leads to the inability to recover the funds, even if the account that holds the assets is identified as the lucrative work of a cybercriminal,” he said.

Crypto has grown in popularity over recent years even with non-tech savvy people, Mokos added, “which results in their increased use as a means of payment for illicit activities, such as ransomware attacks and money laundering”. 

Since crypto currencies are based on a relatively new technology – blockchain – there are some unique cybersecurity risks, Mokos added. “The number one is that with cryptocurrency, it’s almost impossible to reverse a fraudulent transaction, as this would require knowing the parties involved (both the victims and the cybercriminals) and gaining access to their holdings to perform a new transaction to reverse the effects.”

Additionally, each user is solely responsible for protecting their assets and wallet, he added, unlike a regular bank account where a central authority and the appropriate paperwork can help recover funds.

“The lack of regulation by governments or financial institutions also exposes users to an oversaturated market with myriads of cryptocurrency options that can be based on fraudulent activities, like Ponzi schemes, pump and dumps, and other market manipulations,” Mokos said.

Trading platforms can be prone to cyber-attacks and insider threats, he warned. “When a platform is compromised, the funds stored within its services can be stolen, or the services provided can be exploited. This is why it’s so important for users to choose a reputable platform with robust security measures in place that can also be held accountable in case of a security breach.”

For users, the biggest threats are scams, he added, the most common being phishing attacks.

“Another risk to consider is the vulnerabilities that lie in the inner workings of some blockchain technologies and smart contracts,” Mokos argued. “A smart contract is a self-executing digital contract between two or more parties built on a blockchain platform. Simply put, it is a software programme that handles funds based on some predefined rules. Any software can be vulnerable to coding errors, design flaws, third-party software, or even human error.”

However, Ian McShane, vice president of strategy at Arctic Wolf, noted that a crypto-focused cybercrime “is not a straightforward way of scamming someone … withdrawing money from a cryptocurrency exchange or even transferring money from a cryptocurrency exchange is not exactly the ‘one click and it’s done’ process that it could be with a bank transfer, for example.”

Still, it is clearly potentially lucrative for criminals, he said. “I think the uniqueness is in its complexity and the fact that very few people understand truly how it works and what the methods underneath it are,” McShane said. “I think another unique [aspect] is decentralisation - it's all well and good until you need to support a centralised entity, like a government or a regulator, because your exchange of choice went belly up. And I think that's the unique risk here is that there is no centralised entity that should be underwriting your risk for something as risky as this.”

Despite the risks, the sheer number of crypto platforms is pushing competing exchanges to offer better security as a competitive advantage, Walsh said. As crypto becomes more financially regulated, platforms are working towards the types of cybersecurity standards used by banks, she said, if they are not already present.

“To protect against risk, users should check if the account has protections like multi-factor authentication, uses HTTPS security and has a fraud contact prominently listed on their website. Additionally, users should be aware of phishing attempts via phone or email,” Walsh said.

Mokos highlighted three top tips for users to protect themselves. First, they should look to strong passwords, two-factor authentication (2FA) and keeping their software and devices up to date. Second, they should conduct due diligence, using only reputable platforms and exchanges. Third, they should use a hardware wallet, which provide an additional layer of security by storing private keys on a physical device; this makes them less susceptible to hacks and cyber-attacks.

Emphasising the importance of a hardware wallet, McShane explained: “A hardware wallet means you actually hold it and it's going to take you a lot longer to transfer that to someone else. It gives you that time to think about whether this is the right thing to do, whether you should be doing it. Obviously, hardware wallets are less convenient, less user friendly for the average Joe, but there's better protection there.”

Enjoyed this article? Make sure to share it!

Looking for something else?