By the numbers
Bitcoin remained the most-discussed crypto in the threat actor community and the most-used crypto for accepting illicit payments this year. Flashpoint analysts identified over 50,000 unique Bitcoin addresses circulating in Flashpoint collections in 2022.
Flashpoint observed 125,513 mentions of Bitcoin addresses within our collections since January 1, with 54,629 distinct addresses. These addresses have transacted on the blockchain 20,621 times during 2022.
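The distinction above between mentions and distinct addresses matters when counting from raw text. The following added example (not Flashpoint's tooling; the addresses and forum-style posts are constructed) extracts legacy Bitcoin addresses with a regex, discards candidates whose Base58Check checksum fails, and tallies mentions separately from distinct addresses:

```python
import hashlib
import re
from collections import Counter
from typing import Optional

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58 address shape: '1' (P2PKH) or '3' (P2SH) plus 25-34 Base58 characters.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def base58check_encode(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum to version+hash160 and Base58-encode it."""
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits  # each leading zero byte -> '1'

def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version + hash160), or None if the checksum fails."""
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return None
    expected = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[:21] if raw[21:] == expected else None

def extract_addresses(text: str) -> list:
    """Regex candidates filtered by checksum, so look-alike strings are not counted."""
    return [c for c in ADDR_RE.findall(text) if base58check_decode(c) is not None]

def tally(posts) -> dict:
    """Separate total mentions from distinct addresses, as the figures above do."""
    counts = Counter(a for post in posts for a in extract_addresses(post))
    return {"mentions": sum(counts.values()), "distinct": len(counts), "counts": dict(counts)}

# Constructed sample addresses (not real wallets): version 0x00 = P2PKH, 0x05 = P2SH.
P2PKH_ADDR = base58check_encode(b"\x00" + hashlib.sha256(b"sample-key-1").digest()[:20])
P2SH_ADDR = base58check_encode(b"\x05" + hashlib.sha256(b"sample-script").digest()[:20])
TYPO_ADDR = P2PKH_ADDR[:-1] + ("2" if P2PKH_ADDR[-1] != "2" else "3")  # same shape, bad checksum

# Constructed forum-style text, not Flashpoint collections.
SAMPLE_POSTS = [
    f"send payment to {P2PKH_ADDR} before escrow closes",
    f"confirmed, {P2PKH_ADDR} received",
    f"alt wallet: {P2SH_ADDR}",
    f"address with a typo: {TYPO_ADDR}",
]
```

Bech32 (bc1...) addresses use a different encoding and would need a separate decoder; the checksum filter is what keeps near-miss strings out of the distinct-address count.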
Crypto-centered fraud: CEX and NFTs
Throughout 2022, threat actors committed fraud targeting cryptocurrency entities, investors, and users. Centralized exchanges (CEXs) and nonfungible token (NFT) markets were the primary targets of fraud schemes over the past year. CEXs are exchange platforms that allow users to buy and sell crypto and function as an intermediary service between buyers and sellers of digital currencies. Decentralized exchanges (DEXs), in contrast, do not use intermediaries to execute crypto asset exchanges, and instead facilitate trades through self-executing smart contracts.
Throughout 2022, automatic transfer system kits, fraudulent verified accounts, one-time password bypasses, and account checkers all represented major threats to CEXs. The largest threats to NFT markets were account takeover (ATO) attacks, third-party compromises, spoofed pages, and various scams. In general, the NFT fraud landscape grew dramatically from 2021 to 2022. Threat actors increasingly leveraged the emerging technology of NFTs to steal from inexperienced users unfamiliar with the platforms or general best security practices.
Flashpoint analysts have also tracked threat actors’ use of blockchain technologies to embed malicious content within websites masquerading as legitimate entities. Threat actors accomplish this through typosquatting: registering a malicious domain that closely resembles a legitimate domain to trick would-be users of the real domain.
Crypto exchange risks
Although crypto exchanges are prone to many of the risks associated with financial sector entities, they also face their own set of unique risks. Crypto exchanges range in nature from highly centralized CEXs, in which a company controls the private keys of users’ crypto wallets, to highly decentralized DEXs, in which users entirely control their funds and wallet keys.
In 2022, threat actors have moved toward increasingly targeting DEXs and decentralized finance (DeFi) protocols. Analysts assess threat actors are likely homing in on decentralized applications because they are fully transparent and typically have less security than traditional fiat-based financial institutions. Threat actors are able to review decentralized applications’ open source algorithms to identify potential vulnerabilities, such as those present in smart contracts, multisignature wallets, and pricing oracles. Threats against CEXs have remained consistent in both type and volume from 2021 and include databases for sale, cash-out operations, crypto exchange insiders, and account bypasses.
Cryptocurrency as investment
The market value of all cryptos has decreased throughout 2022, constituting a bear market. Consequently, all crypto stakeholders, including threat actors using crypto, have been affected.
On January 1, Bitcoin was trading for $46,311. On November 30, Bitcoin was trading for $16,445—only 35 percent of its market valuation at the beginning of the year. Bitcoin, however, was not alone in its major devaluation. The total market capitalization for the top 100 digital currencies dropped 70 percent, from $2.7T in November 2021 to $830B in November 2022.
From a valuation standpoint, several major events impacted the value of crypto’s most-valuable currencies. The collapse of Terra’s native currencies UST and Luna, the completion of the Ethereum blockchain merger to a proof-of-stake consensus mechanism, and the collapse and bankruptcy of the CEX FTX all separately had large, negative impacts on the crypto market. Crypto users have colloquially referred to the downward crypto market trend as a “crypto winter” and are discussing strategies to mitigate losses during it. Analysts have tracked users mainly discussing the safest cryptos to invest in, how to manage the changing regulatory landscapes, and the best services to exchange cryptos.
Exploits affecting crypto
Crypto exchanges, platforms, protocols, and other crypto projects faced various attacks throughout 2022, resulting in losses totaling over $3B. Commonly exploited vulnerabilities affecting crypto projects include flaws in smart contracts, weaknesses in flash loan algorithms, and a lack of control over private keys to wallets.
Crypto companies are considered lucrative targets for threat actors because of their usually large holdings of crypto assets, which, if compromised, can quickly be transferred to private wallets under threat actor control. Unlike other financial transactions, crypto transactions are immutable—once they are confirmed on a blockchain, they cannot be reversed.
In addition to trying to compromise large crypto platforms, threat actors also target crypto and NFT users through stealer malware and drainer malware. These attacks target the user’s host to steal sensitive crypto information or transfer crypto assets to the attacker. Although such attacks are on a much smaller scale than platform attacks stealing hundreds of millions of dollars’ worth of assets, they can proliferate clandestinely to affect many victims and accrue funds more discreetly than large exchange attacks.
Prominent attacks on crypto entities in 2022
The following are the most prominent attacks against crypto entities in 2022 and their corresponding tactics, techniques, and procedures (TTPs):
Incident date: October 6, 2022
Exploited: Cross-chain bridge
TTPs: On October 6, attackers stole 2 million Binance Coins (BNB), worth approximately $571M at the exchange rate at the time. The attackers stole the BNB by exploiting a low-level proof in the cross-chain bridge between BNB Beacon Chain and BNB Smart Chain. A cross-chain bridge is a protocol that allows cryptocurrencies to move from one blockchain to another, providing interoperability between blockchain solutions. The proof is an authentication measure that allows the bridge to verify the integrity of the transaction it will process. In this attack, the attacker exploited the proof to bypass the authentication process and fraudulently deposited 2 million BNB into their account. Binance’s CEO announced that Binance was able to freeze most of the fraudulently obtained funds. It appears at this time that approximately $100M of the funds were unrecoverable.
Type: DeFi protocol
Incident date: August 1
Exploited: Smart contracts
TTPs: Threat actors discovered that the authentication mechanism for legitimate trades on the Nomad platform was broken. Threat actors could duplicate a successful transaction on Nomad but substitute their address for the receiving address and rebroadcast the transaction to get the funds. This attack was then widely exploited by many threat actors over the course of two hours to drain Nomad’s holdings to under $1,000.
Type: DeFi protocol
Incident date: June 23
Exploited: Multisignature wallet private keys
TTPs: Horizon Bridge has a crypto transaction validator architecture that requires two of four validator nodes to approve a transaction. Validator nodes are a critical component of how a blockchain’s consensus mechanism works. In the attack on Horizon Bridge, two of the four private keys were compromised by attackers, which allowed them to approve transactions sending themselves the equivalent of $100M in cryptocurrencies. It is unknown exactly how the hackers acquired the private keys for two of the multisignature wallet addresses; social engineering of Harmony One employees is the most likely way the threat actors gained access. Analysts note that this is a known tactic of the North Korea-sponsored Lazarus Group. In addition, the transaction timing and the amount of funds laundered into a mixing service were consistent with those of the March 2022 hack affecting the Ronin Bridge, which indicates not only that the actors are likely the same, but also that they are likely using the same programs to automate the laundering process.
Type: Stablecoin protocol
Incident date: April 17
Exploited: Protocol governance mechanism
TTPs: Beanstalk, a stablecoin protocol project, was targeted by a “flash loan” attack that caused the company to lose $182M in seconds. A vulnerability in Beanstalk’s protocol governance mechanism allowed users holding a supermajority of Beanstalk tokens (aka “beans”) to approve any transaction on the platform. The threat actor behind the attack leveraged a flash loan, a cryptocurrency loan that allows users to borrow large sums of cryptocurrency for a very short period of time, to quickly accumulate enough Beanstalk tokens to gain supermajority voting power and ultimately approve transactions sending $182M to their own private wallets. They then repaid the loan, which left the attacker with a net profit of $80M.
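To make the governance weakness concrete, the following is an added toy model (not Beanstalk’s code; the balances, block counts and treasury figure are constructed) that contrasts a vote counted from current token balances with the two usual mitigations: counting voting power from a balance snapshot taken at the end of the block before the proposal, and enforcing a timelock between a passed vote and its execution. Tokens borrowed and repaid within one block never appear in such a snapshot, so they confer no voting power.

```python
SUPERMAJORITY = 2 / 3   # share of total supply needed to pass a proposal
TIMELOCK = 10           # blocks between passing and execution (hardened mode only)

class Governance:
    """Toy token-vote governance with a vulnerable and a hardened mode (added example)."""
    def __init__(self, balances: dict, hardened: bool):
        self.balances, self.hardened, self.block = dict(balances), hardened, 1
        self.history = [dict(balances)]   # history[b] = balances at the end of block b
        self.treasury = 182_000_000       # stylised figure taken from the incident above

    def next_block(self) -> None:
        self.history.append(dict(self.balances))
        self.block += 1

    def transfer(self, src: str, dst: str, amount: int) -> None:
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self) -> dict:
        # The snapshot is the balance sheet at the end of the previous block.
        return {"block": self.block, "snapshot": self.history[self.block - 1], "votes": 0}

    def vote(self, p: dict, voter: str) -> None:
        # Vulnerable: current balance (borrowed tokens count); hardened: prior-block snapshot.
        p["votes"] += p["snapshot"].get(voter, 0) if self.hardened else self.balances.get(voter, 0)

    def execute(self, p: dict) -> int:
        # Pay out the treasury only if the vote passed (and, when hardened, the timelock elapsed).
        passed = p["votes"] >= SUPERMAJORITY * sum(self.balances.values())
        ready = (not self.hardened) or self.block >= p["block"] + TIMELOCK
        paid, self.treasury = (self.treasury, 0) if passed and ready else (0, self.treasury)
        return paid

def same_block_borrow_vote_repay(hardened: bool) -> int:
    """Borrow most of the supply, propose, vote, execute and repay inside a single block."""
    gov = Governance({"pool": 900, "attacker": 10, "others": 90}, hardened)
    gov.transfer("pool", "attacker", 900)     # flash loan received
    p = gov.propose()
    gov.vote(p, "attacker")
    paid = gov.execute(p)
    gov.transfer("attacker", "pool", 900)     # flash loan repaid in the same block
    return paid

def long_term_holder_passes(hardened: bool) -> int:
    """A holder who really owns a supermajority across blocks still gets the proposal through."""
    gov = Governance({"whale": 900, "others": 100}, hardened)
    p = gov.propose()
    gov.vote(p, "whale")
    for _ in range(TIMELOCK):
        gov.next_block()
    return gov.execute(p)
```

The timelock on its own is not sufficient: if votes are tallied from live balances at voting time, a borrower can vote, repay, and wait out the delay, which is why the snapshot is the essential half of the fix.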
Type: DeFi protocol
Incident date: March 2022
Exploited: Transaction validator nodes
TTPs: The Ronin chain consists of nine validator nodes; at least five are needed to approve any transactions on the blockchain. Ronin is an Ethereum sidechain closely tied to Axie Infinity. The Lazarus Group was able to acquire five private keys associated with five nodes and authenticate transactions to send themselves funds under Ronin Bridge’s control. It is unknown how the Lazarus Group exploited four Ronin validators, but the threat actor gained the fifth validator by compromising Axie DAO, a third-party organization that aims to support the Axie Infinity project. Axie DAO controlled a Ronin chain validator node, and the Lazarus Group obtained its private key through a backdoor exploit leveraging a gas-free remote procedure call node.
Type: DeFi protocol
Incident date: February 2
Exploited: Guardian signatures
TTPs: Attackers forged a valid signature on a guardian account that allowed a threat actor to mint 120,000 Ether coins. The threat actors then transferred 93,750 tokens into private wallets they controlled on the Ethereum blockchain. Wormhole’s GitHub activity reveals that this security vulnerability was fixed in the codebase three weeks prior but had not been deployed to production.
Incident date: January 17
Exploited: Customer accounts
TTPs: 483 Crypto.com users experienced unauthorized withdrawals from their accounts. The transactions were approved without two-factor authentication authorization. In response, Crypto.com revoked all two-factor authentication tokens and cleared all user sessions, forcing users to log in again and re-enroll in two-factor authentication. Users were unable to make withdrawals for fourteen hours following the identification of the incident. $15.2M of the stolen funds were Ether tokens that were subsequently laundered through Tornado Cash. Analysts note that, as of this writing, no funds have been recovered.
Cashing out with crypto
Threat actors relying on crypto to cash out have faced multiple challenges in 2022 due to increased scrutiny by regulatory agencies and law enforcement across the world. Throughout 2022, several major crypto services and underground services that relied on crypto transactions were taken down.
- On April 5, German law enforcement took down the illicit market and mixer service Hydra. As a mixer and market, Hydra represented a highly popular one-stop shop that threat actors used to purchase illicit goods and launder their funds. After the takedown of Hydra, threat actors have flocked elsewhere, including forums such as RuTor, to find ways to cash out.
- In May, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the popular mixer service Blender.io, the first mixer to be sanctioned by OFAC.
- In August, OFAC sanctioned the mixer Tornado Cash, the first decentralized project to be sanctioned by OFAC. Tornado Cash was responsible for over $7B in laundered cryptocurrencies since 2019 and helped enable the Lazarus Group’s cash-out operations.
In the aftermath of the sanctions, threat actors have relied more heavily on peer-to-peer crypto cash-out operations, such as using the peer-to-peer exchange Localbitcoins.
Illicit financing and extremist groups
Throughout the past year, Flashpoint tracked multiple extremist groups relying on anonymous crypto donations. While most extremist groups mainly use Bitcoin as their coin of choice for donations, 2022 also showed extremist groups gradually accepting the use of altcoins, particularly stablecoins such as USDT.
Extremist groups often broadcasted their crypto addresses within public and private channels on social media applications to garner additional funding. It is important to note that publicizing crypto addresses in this manner removes the privacy of anonymized addresses and allows analysts to monitor the flow of funds to and from the addresses. Consequently, when threat actor groups broadcast their addresses, they are prioritizing the proliferation and branding of their addresses over their operational security.
Crypto and the Russia-Ukraine War
To help support its efforts against Russia in the ongoing Russia-Ukraine war, Ukraine began advertising government-owned crypto addresses at the beginning of the war for humanitarian and military aid. In under three weeks, over $60M was donated to Ukrainian war causes. As of late October, the Ukrainian government has raised over $100M in crypto for the war. Ukraine has used those funds to purchase military equipment, including bulletproof vests, drones, and technology equipment.
Flashpoint analysts previously reported on Russian neo-Nazi and white supremacist mercenary groups using crypto to fund their efforts against Ukraine. Although they are receiving funds on a much smaller scale than the Ukrainian government, they appear to be using the same techniques to communicate addresses and solicit donations from supporters across the world. Flashpoint has also observed a plethora of scammers using the notoriety of the war to fraudulently raise money for themselves under the guise of donations to Ukraine across Telegram and other social media services.
The North Korea-sponsored advanced persistent threat (APT) group “Lazarus Group” was the most prolific and prominent threat group targeting crypto platforms in 2022, and was responsible for stealing over $700M in cryptocurrency during the year. The APT group is supported by the North Korean government and military. The Lazarus Group was responsible for several high-profile crypto heists in 2022, including the Horizon Bridge and Ronin Bridge hacks. In addition, the mixers Blender.io and Tornado Cash were sanctioned by OFAC for their connection to the Lazarus Group, which was tied to using the mixers to launder upwards of $470M in illicit proceeds. The Lazarus Group’s TTPs include the use of insiders, sophisticated phishing schemes, the deployment of credential-stealing malware, and the exploitation of public-facing vulnerabilities within exchanges.
Prepare for the crypto threat landscape in 2023
Even if the general public loses trust in cryptocurrency due to the fallout of large crypto entities like FTX and Terra’s LUNA, cryptocurrency will likely remain a viable option to evade sanctions and crowdsource financial donations for governments and/or extremist groups.