CAI0031

Written evidence submitted by Mandiant

 

Executive Summary

 

Crypto-assets are an attractive target for both financially motivated and state-sponsored cyber operations. This is due to their popularity and the potential high profits linked to successful compromises.

This evidence submission provides a strategic overview of the key cyber threats facing the crypto-asset industry and their policy implications for the UK, which should be taken into consideration as the Government considers the risks associated with increased use and adoption of crypto-assets.

The volume and severity of cyber operations targeting crypto-assets means effective cyber security measures will be an essential component for the UK Government to realise its aim to make the “UK a global crypto-asset technology hub.”

Cyber operations targeting cryptocurrency can negatively impact various victims including UK citizens, cryptocurrency exchanges, and financial institutions leveraging digital assets.

Financially motivated cybercriminal threat actors regularly target cryptocurrency wallets and platforms. They will likely continue this activity in the near-to-midterm due to the success of these operations.

State-sponsored threats, especially those from North Korea, pose a high risk to cryptocurrency platforms. Mandiant believes North Korean actors have targeted financial entities, investment services, eCommerce, cryptocurrency users and exchanges, as well as transaction processing organizations throughout the globe as part of an effort to identify alternative government revenue streams.

Because non-fungible tokens are bought, sold, and stored similarly to other digital tokens like cryptocurrency, they are susceptible to many of the same threats targeting cryptocurrency platforms and users.

While cryptocurrencies are not inherently tied to illicit uses and are also frequently employed for legitimate purposes, cyber criminals often leverage cryptocurrencies as a means of payment for illicit goods and services, collecting extortion payments, or as a method to launder money stolen through other malicious activity.

Introduction

The cyber threat landscape reflects broader societal and technological developments. The growing popularity and prominence of crypto-assets in society has therefore been accompanied by an uptick in cyber operations targeting cryptocurrency exchanges and wallets. This evidence submission provides a strategic overview of the key cyber threats facing the crypto-asset industry and their policy implications for the UK. 

The popularity and potentially high profit from compromises makes cryptocurrency services an attractive target for both financially motivated and state-sponsored actors.

Cybercriminals and state-sponsored actors compromising cryptocurrency accounts and exchanges have directly monetised these assets by stealing funds. They have also raised money via other means including selling illicit accesses, knowledge of vulnerabilities discovered, and databases associated with cryptocurrency exchanges and/or users via criminal underground forums. Many of these activities would facilitate additional malicious cyber operations.

[Figure 1: diagram; image not reproduced in this text]

Figure 1: How cyber threats benefit from targeting cryptocurrency platforms and exchanges.

Financially-Motivated Cybercriminal Activity Targeting Crypto-Assets

Financially motivated cybercriminal threat actors regularly target cryptocurrency wallets and platforms.

For example, media reports highlighted that the Coinbase exchange suffered a compromise in which threat actors managed to bypass SMS two-factor authentication to compromise user accounts and steal funds. The company later sent out breach notifications explaining that between March and May of 2022, funds were stolen from approximately 6,000 users.[1]

Likewise, in January 2021, the India-based cryptocurrency exchange BuyUcoin allegedly suffered a "security incident" during which a threat group was suspected to have gained access to and leaked personally identifiable information (PII) belonging to 325,000 of the exchange's users on the dark web.

Additional notable heists are depicted in Figure 2 below.[2]

Cyber threat actors use various means to compromise cryptocurrency exchanges, including exploiting vulnerabilities and misconfigurations in platform websites, applications, and authentication mechanisms. Protecting exchanges therefore requires a holistic cyber security strategy that covers a range of potential attack vectors and targets. Mandiant has also observed cybercrime actors exploit vulnerabilities in decentralized finance ("DeFi") smart contracts directly for financial gain.

[Figure 2: chart; image not reproduced in this text]

Figure 2: Notable threat activity targeting cryptocurrencies.

Cryptocurrency scams have also targeted other accounts and systems that are not directly related to cryptocurrency. For example, Twitter accounts belonging to high-profile individuals were compromised in mid-2020 and used to solicit cryptocurrency "donations."

[Figure 3: image not reproduced in this text]

Figure 3: Compromised Twitter accounts used in cryptocurrency scam.[3]

Outlook: Financially motivated actors will likely continue to develop methods to compromise wallets and platforms for at least the near-to-midterm due to the likely perceived success of recent operations.

State-Sponsored Cyber Operations Targeting Crypto-Assets

State-sponsored threats, especially those from North Korea, pose a high risk to cryptocurrency platforms. Mandiant believes North Korean actors have targeted financial entities, investment services, eCommerce, cryptocurrency users and exchanges, and transaction processing organizations throughout the globe as part of an effort to identify alternative government revenue streams. Observed tactics include credential theft, spearphishing, mobile targeting, and strategic web compromise.

 

North Korean threat actors have demonstrated a history of targeting cryptocurrency platforms to potentially provide the regime with direct financial gain and serve as a medium for money laundering and sanctions evasion.

Open-source reporting details North Korean efforts to gain employment at cryptocurrency-focused organizations in April and May 2022.[4]

These activities appear to be consistent with a May 2022 U.S. government advisory on North Korean IT workers posing as non-North Korean nationals to gain employment and generate revenue for Democratic People's Republic of Korea (DPRK) programs.[5]

Media reports highlight how North Korean operators stole nearly $400M USD in cryptocurrency during 2021.[6]

Additionally, court documents reveal how these state-sponsored actors can launder and convert assets stolen in compromises of cryptocurrency exchanges into fiat currency and gift cards.[7]

Outlook: We anticipate that North Korean state-sponsored threat actors will continue to share resources and target these services in the mid- to long-term, given the financial success of their operations so far.

Use of Cryptocurrencies in Illicit Payments

While cryptocurrencies are not inherently tied to illicit uses and are also frequently employed for legitimate purposes, cyber criminals often leverage cryptocurrencies as a means of payment for illicit goods and services, collecting extortion payments, or as a method to launder money stolen through other malicious activity.

The obfuscation of these transactions makes them especially attractive for threat actors seeking payment for ransomware campaigns or to complicate tracking their activity.

Cyber criminals have also used cryptocurrency as part of their robust monetisation and money laundering capabilities. For example, cyber criminals have leveraged legitimate online exchange services to monetize illicitly obtained gift cards, particularly services that offer the exchange of gift cards for cryptocurrencies.

[Figure 4: image not reproduced in this text]

Figure 4: Overview of cash-out operations leveraging cryptocurrency.

Non-Fungible Tokens

Non-fungible tokens (NFTs) are marketed as unique and/or limited edition, blockchain-based, digital assets that can be used to represent media downloadable in a file form, including art and music. NFTs have seen a rise in popularity over the last few years given their significantly high market valuations and perceived immutability; open sources estimate that the NFT marketplace represented $41 billion in 2021, coming close to the $50 billion value of the conventional art and antiquities market.  

 

Because NFTs are bought, sold, and stored similarly to other digital tokens like cryptocurrency, they are susceptible to many of the same threats targeting cryptocurrency platforms and users.[8] Mandiant has observed threat actors leverage social engineering and credential theft to compromise NFT user accounts, and exploit software vulnerabilities and misconfigurations in NFT marketplace platforms, in order to steal digital assets. Additionally, we detected threat actors advertising stolen databases, compromised user accounts, and phishing pages, and soliciting partners for NFT scams, in late 2021 and early 2022.

Open-source reporting suggests that the NFT marketplace has also created opportunities for art fraud, copyright infringement, and brand damage. For example, artists who have had their work tokenized into NFTs without their consent[9] have become the latest victims.[10]

Similar to other exchange platforms, threat actors have leveraged insider trading to illegally profit from NFT marketplaces[11], with the United States Department of Justice making its first charge for insider trading of digital assets in June 2022.[12] 

 

Outlook and Policy Implications

Both state-sponsored and criminal cyber operations regularly target crypto-assets. Understanding the threats to the industry and building security practices to counter them is therefore essential.

Cyber operations targeting crypto-assets can impact a variety of different demographics, ranging from large cryptocurrency exchanges and financial services organisations with large cyber security teams to individual cryptocurrency wallet holders with minimal understanding of cyber threats and cyber security. It is therefore vital to understand the differing defensive capabilities of the relevant organisations and individuals, and to identify the more vulnerable groups among them.

Cyber operations targeting crypto-assets can impact a variety of systems, including platform websites, applications, and authentication mechanisms. A holistic cyber security strategy that protects the wider ecosystem of crypto-asset-related systems is therefore required. This will involve identifying prominent attacker techniques used in malicious operations targeting crypto-assets, before introducing specific security controls and protection measures to prevent and detect them.

Cryptocurrency users should consider risk mitigation strategies to reduce the risk of account or wallet compromise, including use of multi-factor authentication and reputable anti-virus software to detect potential credential theft malware in downloaded files or during web browsing. With respect to wallets, users could benefit from cold wallets or wallets that have been encrypted on the client side, as well as multi-signature wallets that require multiple keys to be provided to create and conduct a transaction. Users are also encouraged to scrutinize transaction requests and destination addresses carefully.
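As an added illustration of the multi-signature and destination-address checks recommended above (this is constructed example code, not part of Mandiant's submission and not any wallet's real implementation): an m-of-n transaction authorisation check in Python. Real multi-signature wallets verify asymmetric signatures, often on-chain; here HMAC-SHA256 with a per-signer secret stands in for that so the code runs with the standard library alone. The signer names, keys, addresses, threshold and allowlist are all constructed.

```python
import hashlib
import hmac
import json

# Constructed toy: three key holders, any two must approve a transaction.
# HMAC-SHA256 with a per-signer secret stands in for real asymmetric signatures.
SIGNER_KEYS = {
    "alice": b"alice-secret-key-constructed",
    "bob": b"bob-secret-key-constructed",
    "carol": b"carol-secret-key-constructed",
}
THRESHOLD = 2


def canonical(tx: dict) -> bytes:
    """Serialise the transaction deterministically so every signer approves identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, tx: dict) -> str:
    """Produce one key holder's approval over the canonical transaction bytes."""
    return hmac.new(SIGNER_KEYS[signer], canonical(tx), hashlib.sha256).hexdigest()


def verify_multisig(tx: dict, approvals: dict, threshold: int = THRESHOLD) -> bool:
    """Return True only if at least `threshold` distinct, known signers gave valid approvals.

    `approvals` maps signer name -> signature; because it is a dict, one signer
    cannot be counted twice. Unknown signers are ignored, never counted.
    """
    message = canonical(tx)
    valid = 0
    for signer, sig in approvals.items():
        key = SIGNER_KEYS.get(signer)
        if key is None:
            continue
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            valid += 1
    return valid >= threshold


def authorise(tx: dict, approvals: dict, allowlist: set) -> tuple:
    """Combine the destination-address allowlist check with the m-of-n signature check."""
    if tx.get("to") not in allowlist:
        return False, "destination address not on allowlist"
    if not verify_multisig(tx, approvals):
        return False, "insufficient valid signatures"
    return True, "authorised"


if __name__ == "__main__":
    # Constructed sample transaction and allowlist.
    tx = {"to": "addr-constructed-001", "amount": 5, "nonce": 1}
    allowlist = {"addr-constructed-001"}
    two_sigs = {"alice": sign("alice", tx), "bob": sign("bob", tx)}
    print(authorise(tx, two_sigs, allowlist))
    # A transaction whose destination was swapped after signing fails verification.
    tampered = dict(tx, to="addr-constructed-attacker")
    print(authorise(tampered, two_sigs, allowlist | {"addr-constructed-attacker"}))
```

The two checks are independent on purpose: the allowlist rejects a substituted destination even when every signature is valid, and the threshold rejects a single compromised key even when the destination is legitimate.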


September 2022


[1] https://thecyberpost.com/news/security/coinbase-sends-out-breach-notification-letters-after-6000-accounts-had-cryptocurrency-stolen/

[2] https://www.bleepingcomputer.com/news/security/data-breach-at-buyucoin-crypto-exchange-leaks-user-info-trades/

[3] https://web.archive.org/web/20200715212355/https:/twitter.com/JoeBiden/status/1283512317846659073

[4] https://www.yahoo.com/news/north-korean-fraudsters-suspected-copying-153907880.html

[5] https://home.treasury.gov/system/files/126/20220516_dprk_it_worker_advisory.pdf

[6] https://www.wired.com/story/north-korea-cryptocurrency-theft-ethereum/

[7] https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack

[8] https://www.mandiant.com/resources/blog/nft-storage-and-availability-risk-worth-considering

[9] https://www.theguardian.com/global/2022/jan/29/huge-mess-of-theft-artists-sound-alarm-theft-nfts-proliferates

[10] https://www.nbcnews.com/tech/security/nft-art-sales-are-booming-just-artists-permission-rcna10798

[11] https://www.nbcnews.com/tech/internet/opensea-nft-nate-chastain-arrest-charged-insider-trading-rcna31489

[12] https://www.justice.gov/usao-sdny/pr/former-employee-nft-marketplace-charged-first-ever-digital-asset-insider-trading-scheme#_ftn1