2020-06-24

One shadowy group of cyber criminals might be behind attacks on various crypto exchanges (including “decentralized” exchanges) dating back to 2018, Israeli cybersecurity firm ClearSky claimed in a report released on Wednesday.

âWe estimate that the group managed to rake in more than $200 million in two years,â the ClearSky report says about the cybercriminal collective the report calls CryptoCore. âWe assess with medium level of certainty that the threat actor has links to the East European region, Ukraine, Russia or Romania in particular.â

ClearSky co-founder Boaz Dolev said his firm found at least five exchange hacks over the past two years that followed a particular pattern, though he declined to identify these exchanges on the record.

âThey can attack very quickly,â Dolev said of CryptoCore, which he claimed once deployed an attack just 12 hours after registering fresh domain names. âTheyâre not a big group, maybe three to four people â¦ a small but effective operation.âÂ

So far, ClearSky estimates the cyber criminal group stole $200 million over the past two years. Other firms have called the same group different names, such as “Leery Turtle.”

Or Blatt, ClearSky’s threat intelligence team leader, said he believes the alleged thieves are rogues without military training or support. He described the attacks as “much less sophisticated” than ones conducted by Russian military intelligence officers indicted for influencing American elections while using bitcoin in 2016.

âThey are cyber criminals and we know of other similar cybercrime groups,â Blatt said. âIn order for such an attack to succeed, usually the [crypto exchange] employees need to be vulnerable to social engineering â¦ [We] didnât see this attacker exploiting VPN [virtual private networks], for example, which is something we often see with other groups.â

Human error

Dolev said crypto exchanges that don’t use the same level of security practices as banks are vulnerable to such attacks.

The report details how the hacker group allegedly gained access to several exchange executives’ private email accounts, then used spear-phishing — impersonating a high-ranking employee — “either from the target company itself or from a company that deals with the target,” to acquire information that grants access to crypto wallets.

Nicholas Percoco, head of security at the crypto exchange Kraken, said, “We routinely see attempts through multiple attack vectors, including social engineering attempts,” so his company often shares information with other exchanges targeted by such criminal campaigns.

Ignoring CryptoCore specifically (Kraken was not mentioned in ClearSky’s report), Percoco said it is common for such cyber criminals to target several institutions in the same sector, especially the individuals who work at exchanges.

The concept of such a social engineering campaign, as ClearSky described, makes sense to Percoco. This is why Kraken’s security chief said, in addition to technical controls, he focuses on training sessions across the staff because you “can’t patch a human.” Plus, Kraken Security Labs routinely tries to penetrate the exchange system and find vulnerabilities, he said.

âWe will take all our employees, executives included, through extensive security training,â Percoco said. âWe go very deep about home network security, social network security, even their own personal device security.âÂ

Dolev warned that, especially considering the mass exodus to remote work caused by COVID-19, crypto exchanges face a “higher risk” in 2020. Indeed, Blatt added that CryptoCore appears to be more active since the coronavirus crisis began.

âIf you put your money on an exchange, you donât know if itâs secure or not,â Dovel concluded.

