Darknet bad actors work together to steal your crypto, here’s how — Binance CSO

Lurking in the shadiest corners of the dark web 3.0 is a “well-established” ecosystem of hackers that target cryptocurrency users with poor “security hygiene,” according to Binance’s chief security officer.

Speaking to Cointelegraph, Binance CSO Jimmy Su said that in recent years hackers have shifted their gaze toward crypto end users and crypto.com users.

Su noted that when Binance first opened in July 2017, the team saw plenty of hacking attempts on its internal network. However, as crypto exchanges continued to beef up their security, the focus has shifted to the users of today's web 3.0 and crypto.

“Hackers always choose the lowest bar to achieve their goals, because for them it’s a business as well. The hacker community is a well-established ecosystem.”

According to Su, this ecosystem comprises four distinct layers — intelligence gatherers, data refiners, hackers and money launderers.

Data gatherers

Su described the most upstream layer as “threat intelligence”, which is where bad actors collect and organize data about crypto.com users, creating databases with their details. This may include the sites they use, emails, names, and if they are on Telegram or other social media.

Su mentioned that this info is sold on the dark web, and can even be bought in bulk, such as after customer information leaks or hacks on other vendors or platforms. In April, a research paper by Privacy Affairs showed that hacked crypto accounts can be bought for as little as $30. Additionally, forged documents, which are often used by hackers to open accounts on crypto trading sites, can also be found on the dark web.

Data refiners

Su explained that the gathered data is then sold to another group, usually consisting of data engineers who specialize in refining data. For instance, a data set of Twitter users surfaced last year; by refining it further, they can identify which tweets are related to crypto.

These data engineers use scripts and bots to detect which exchanges the crypto enthusiast might be registered with. They do this by attempting to create an account with the user's email address. If they receive an error message that the address is already in use, it could signify that the user has an account on that exchange, which is useful information for more precise scams, as Su stated.
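The enumeration trick Su describes only works because the sign-up form answers differently for a registered address. As an added illustration (not code from the article, Binance or any exchange), the Python sketch below places a leaky registration handler beside one that returns the same HTTP-visible response either way and moves the distinction into the email that only the mailbox owner receives; the `Registry` class, handler names and in-memory outbox are assumptions standing in for a real user store and mail sender.

```python
"""Registration handler: account-existence oracle vs. uniform response."""
from dataclasses import dataclass, field


@dataclass
class Registry:
    """Constructed stand-in for a user store plus an outgoing mail queue."""
    users: set = field(default_factory=set)
    outbox: list = field(default_factory=list)  # (recipient, mail kind)


def leaky_register(reg: Registry, email: str):
    """Distinct status/body per branch: a bot can tell registered from not."""
    if email in reg.users:
        return 409, "This email address is already in use"
    reg.users.add(email)
    reg.outbox.append((email, "verify"))
    return 200, "Check your inbox for a verification link"


def uniform_register(reg: Registry, email: str):
    """Same status and body whichever branch runs; only the out-of-band
    email differs, and only the mailbox owner can see that."""
    if email in reg.users:
        # Tell the real owner someone tried to sign up with their address.
        reg.outbox.append((email, "already-registered notice"))
    else:
        reg.users.add(email)
        reg.outbox.append((email, "verify"))
    return 200, "If this address is eligible, we have sent an email with next steps"


def is_oracle(handler, existing: str, fresh: str) -> bool:
    """True when the handler's response reveals whether an address exists.
    Checks the HTTP-visible tuple only, not the out-of-band mail."""
    reg = Registry(users={existing})
    return handler(reg, existing) != handler(reg, fresh)
```

A uniform body alone is not enough if the two branches take measurably different time or if rate limits differ, so the same comparison belongs in an integration test against the real endpoint.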

Hackers and phishers

The third layer of crypto security is often what causes alarm. In particular, phishing scammers or hackers utilize the previously refined data to launch “targeted” phishing attacks.

“For example, they know that ‘Tommy’ is a user of crypto.com exchange, they can send an SMS saying, ‘Hey Tommy, we noticed someone withdrew $5,000 from your account, please click this link and contact customer service if it wasn’t you.’”

In March, hardware wallet provider Trezor alerted its users about a phishing attack designed to steal investors’ funds by making them enter the wallet’s recovery phrase on a fake Trezor website.

The phishing campaign involved attackers pretending to be Trezor and contacting victims via phone calls, texts, or emails claiming that there has been a security breach or suspicious activity on their Trezor account.

Getting away with it

Once the funds are taken, the last step is to get away with the heist. Su explained that this could involve keeping the funds inactive for a few years and then transferring them to crypto mixers like Tornado Cash.

“We know there are groups that can stay put with their stolen assets for two or three years without any movement,” said Su.

Although there is not much that can be done to stop crypto hackers, Su urges crypto users to practice better “security hygiene.”

This could include revoking permissions for decentralized finance projects if they are no longer needed, or making sure communication channels like email or SMS used for two-factor authentication are kept secure.
