
CryptoCore hacker group has stolen more than $200m from cryptocurrency exchanges

The hacker group is believed to operate out of Eastern Europe, based on current evidence.
Written by Catalin Cimpanu, Contributor

An organized hacker group believed to be operating out of Eastern Europe has stolen around $200 million from online cryptocurrency exchanges, cyber-security firm ClearSky said in a report shared with ZDNet today.

Or Blatt, Research Team Leader at ClearSky, told ZDNet the group, which ClearSky has been tracking under the name of CryptoCore, has been active since 2018.

Blatt said they linked CryptoCore to five successful hacks, but they've also seen the group target another 10-20 cryptocurrency exchanges as well.

The five confirmed victims are located in the United States, Japan, and the Middle East, Blatt told ZDNet in an email today without being able to disclose victim names due to non-disclosure agreements.

Image: CryptoCore timeline (ClearSky)

ClearSky says that some of CryptoCore's operations have been previously documented in isolated reports identifying the group as "Dangerous Password" and "Leery Turtle", but the Israeli security firm says the group's operations have been more extensive and widespread than previously documented.

Same modus operandi for the past three years

Despite operating for almost two and a half years, ClearSky says the group has used the same tactics throughout, with little variation in its attacks.

ClearSky says that all attacks start with an information gathering stage, during which the attackers collect the details they need to target an exchange's management, IT staff, and other employees.

The first phishing attacks are always launched against personal email accounts rather than corporate ones, because personal accounts are likely to be less well secured than official ones and will sometimes contain business information.

However, CryptoCore operators will eventually move to also target business accounts.

"It's a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange's executive," ClearSky said.

"The spear-phishing is typically carried out by impersonating a high-ranking employee either from the target organization or from another organization (e.g. advisory board) with connections to the targeted employee," the cyber-security firm explained.

The end goal is to plant malware on an employee's or manager's computer and steal, or otherwise obtain access to, a password manager account. The CryptoCore hackers then use these passwords to access accounts and wallets, disable two-factor authentication systems, and start transferring funds out of the exchange's "hot wallets."
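As an added example (not from ClearSky's report or this article), one check a defender at an exchange could run over its account audit log for the final step described above: withdrawals that follow a 2FA disable by the same account within a short window, with no 2FA re-enrolment in between. The event names and the sample log are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    action: str   # constructed event names: login, mfa_disabled, mfa_enabled, withdrawal
    detail: str = ""


# Constructed sample audit log: alice re-enables 2FA before withdrawing (benign),
# bob withdraws twice shortly after disabling 2FA (suspicious),
# carol's withdrawal falls outside the correlation window (not flagged).
SAMPLE_EVENTS = [
    Event(datetime(2020, 6, 24, 9, 0), "alice", "login", "corp-vpn"),
    Event(datetime(2020, 6, 24, 9, 5), "alice", "mfa_disabled", "helpdesk ticket"),
    Event(datetime(2020, 6, 24, 9, 7), "alice", "mfa_enabled", "new token"),
    Event(datetime(2020, 6, 24, 10, 0), "alice", "withdrawal", "hot-wallet-1"),
    Event(datetime(2020, 6, 24, 8, 0), "carol", "mfa_disabled", ""),
    Event(datetime(2020, 6, 24, 11, 30), "carol", "withdrawal", "hot-wallet-1"),
    Event(datetime(2020, 6, 24, 22, 10), "bob", "login", "residential-ip"),
    Event(datetime(2020, 6, 24, 22, 12), "bob", "mfa_disabled", ""),
    Event(datetime(2020, 6, 24, 22, 20), "bob", "withdrawal", "hot-wallet-2"),
    Event(datetime(2020, 6, 24, 22, 25), "bob", "withdrawal", "hot-wallet-2"),
]


def find_mfa_disable_then_withdraw(events, window=timedelta(hours=2)):
    """Return (actor, disable_ts, withdrawal_ts) for every withdrawal that
    follows an mfa_disabled event by the same actor within `window`,
    with no mfa_enabled event for that actor in between."""
    hits = []
    open_disable = {}  # actor -> timestamp of the still-unresolved mfa_disabled
    for ev in sorted(events, key=lambda e: e.ts):  # logs may arrive out of order
        if ev.action == "mfa_disabled":
            open_disable[ev.actor] = ev.ts
        elif ev.action == "mfa_enabled":
            open_disable.pop(ev.actor, None)  # re-enrolment closes the window
        elif ev.action == "withdrawal":
            t0 = open_disable.get(ev.actor)
            if t0 is not None and ev.ts - t0 <= window:
                hits.append((ev.actor, t0, ev.ts))
    return hits


if __name__ == "__main__":
    for actor, t0, t1 in find_mfa_disable_then_withdraw(SAMPLE_EVENTS):
        print(f"ALERT {actor}: 2FA disabled {t0:%H:%M}, withdrawal {t1:%H:%M}")
```

The window and the "re-enable cancels the alert" rule are tuning choices; an exchange would typically also require a step-up verification or a cooling-off period before any withdrawal that follows a 2FA change.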

Image: CryptoCore tactics (ClearSky)

CryptoCore is now the second organized group that has repeatedly targeted cryptocurrency exchanges during the past 3-4 years.

North Korean state-sponsored hackers have been the biggest threat to cryptocurrency exchanges.

According to a report from the United Nations panel on threat intelligence, North Korean hackers stole around $571 million from at least five cryptocurrency exchanges in Asia between January 2017 and September 2018.

The UN report echoed two other reports published in October 2018, which also blamed North Korean hackers for two cryptocurrency scams and five trading platform hacks.
