As cryptocurrency exchanges beef up security measures following a relentless run of heists, cyber criminals are turning their attention to stealing digital tokens directly from users.
With the estimated total value of cryptocurrencies now in the hundreds of billions of dollars, bitcoin and its newer rivals have drawn in both amateur investors and crooks who see these inexperienced users as a soft target.
“What we’re seeing is a shift away from the exchanges to the users — so things like phishing attacks, and trying to trick people into giving money to them,” says Tom Robinson, co-founder of Elliptic, a London-based company that tracks and tries to prevent criminal activity in cryptocurrencies. It counts most major US and European exchanges as clients.
“The types of people who are starting to use and buy bitcoin are much less technically sophisticated now, and so are much more prone to phishing attacks,” he adds.
Elliptic has seen a fivefold increase in phishing attacks since the start of the year. In this kind of attack, cyber criminals try to trick users into giving them their personal details and the private keys that open up their digital wallets, by posing as crypto wallet-providers or exchanges. They often change just one letter of a domain address — sometimes simply adding an accent — so that users don’t even notice they are on the wrong site.
“You’re entering your credentials into a bad site and you don’t even notice. If you’re looking at it on a smartphone, which people often are when using cryptocurrency wallets, it’s even easier not to notice,” says Jeremiah O’Connor, a senior research engineer at security firm Cisco, which helps law enforcement agencies trace crypto crime.
Mr O’Connor says several hundreds of millions of dollars’ worth of cryptocurrencies have been stolen through such phishing attacks in the past year. One particularly successful group based in Ukraine, Coinhoarder, is thought to have stolen more than $50m this way.
Google ads, he says, were until recently the most effective and lucrative delivery mechanism for such attacks: when users searched for “bitcoin wallet”, a Google ad would pop up for “blockchien.info”, for example — a spoofed version of popular wallet-provider blockchain.info.
“People are taught: don’t click on an email that looks suspect; they’re never taught not to click on ads that don’t look legitimate,” says Mr O’Connor.
Google recently banned all advertising for cryptocurrencies in an effort to protect consumers from these scams.
While phishing attacks are on the rise, exchanges remain a target for hackers. About 1m bitcoins have been stolen by hackers on exchanges since the virtual currency began trading on them a little over eight years ago. That represents almost 6 per cent of all coins in circulation and is worth an estimated $7bn at today’s prices — and that doesn’t include the theft of other cryptocurrencies.
Practices have changed, however, since cyber criminals made off with about 650,000 bitcoins held at Japanese exchange Mt Gox back in 2014. Exchanges have become reluctant to leave too many coins in internet-connected “hot wallets” — which were exploited in the Mt Gox heist.
A growing number of exchanges have decided they want no responsibility for looking after users’ funds at all. One such “decentralised exchange” is ShapeShift, which allows customers to buy and sell various cryptocurrencies through its platform but does not hold any funds.
The bigger exchanges, which trade high volumes and therefore need to hold funds, are increasingly handing over custody of the coins to specialist businesses that store the private keys offline in physical vaults. Not only is such “cold storage” seen as safer, but using a custodian is a regulatory requirement for many of the larger hedge funds that have entered the space.
One such custodian company, Xapo, holds about $10bn worth of cryptocurrency across widely geographically spread vaults, including one in a former military bunker in the Swiss Alps.
Even so, keeping ahead of the hackers is tough, says Ted Rogers, president of Xapo. “[Cyber criminals] are always coming up with new ideas . . . so we’re constantly trying to anticipate that. It’s an ever-escalating arms race.”