2/18/2014
11:35 AM

Bye, Bitcoin: Criminals Seek Other Crypto Currency

Law enforcement crackdowns, hack attacks, and market volatility drive Russian fraudsters to mint their own virtual currency systems.

When it comes to profiting from ill-gotten gains, have bitcoins become passé?

That appears to be the prevailing attitude on some leading Russian cybercrime forums, which have ditched well-known virtual currencies -- including Perfect Money and Bitcoin -- in favor of forum-specific alternatives, which administrators claim offer higher levels of anonymity, security, and reliability.

Blame the shift, at least partly, on the Justice Department's takedown of Liberty Reserve, which was a Costa Rica-based virtual currency system that sported one million users. After it was closed, criminals needed to find new ways to move money and store stolen funds -- preferably without having their profits picked off by either rivals or investigators. "Ever since the Liberty Reserve takedown in May of last year and the confiscation of all accounts by law enforcement, fraudsters have been busy finding a solid currency to which they can entrust their spoils without the risk of losing them in a bust," said RSA fraud intelligence analyst Daniel Cohen in a blog post.

Why not simply use existing virtual currency options? While Perfect Money and Bitcoin would seem to be "the obvious choices" for cybercriminals, said Cohen, "Perfect Money is of questionable background, while Bitcoin does not provide fraudsters the required level of anonymity and is not immune to seizure." For example, US prosecutors in November seized bitcoins worth more than $34.1 million from users of the "darknet" narcotics marketplace known as Silk Road.

Criminals also risk having their bitcoin hoards stolen by rivals. Last week, for example, the administrator of a darknet site known as Silk Road 2 -- which, like its namesake, serves as a marketplace for buying and selling narcotics -- said that the site had been hacked, and all of its users' bitcoins stolen, the BBC reported.

According to a forum post from a Silk Road 2 administrator (who goes by "Defcon"), one of the site's vendors made off with the bitcoin haul -- worth an estimated $2.7 million -- by exploiting a recently discovered vulnerability involving transaction malleability. The heist led a number of bitcoin exchanges to suspend operations until they bolster their defenses. "I should have taken MtGox and Bitstamp's lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too sceptical (sic) of the possible issue at hand," Defcon said in a forum posting.

Those bitcoin exchange suspensions have recently driven the value of a bitcoin to less than $300 on Mt Gox -- which typically handles about one-fifth of the world's bitcoin trades -- compared to the currency being valued Tuesday on other exchanges at about $630. Still, that's down from the $1,200 commanded by a bitcoin back in November.

That market volatility is likely another reason why many criminals have opted for an alternative cryptographic currency, digital currency expert Michael Jackson, a former COO at Skype, told The Register. "It suggests that criminals don't trust Bitcoin -- I hope this is because they think the police will find them, but I suspect it's more to do with the fact that they don't like volatility. Even an online dope seller wants predictability in his business."

Photo credit: zcopley.

What's arguably even better for criminals, however, is anonymity. "Buyers and sellers of crimeware services have long had anonymous handles with which to do business," said Sean Sullivan, security advisor at F-Secure Labs, via email. "Anonymity has allowed crimeware to evolve into a highly commoditized ecosystem. Having its own currency system adds another layer of anonymity."

Cybercriminals, however, are likely still using bitcoins for some purposes. "They probably aren’t avoiding bitcoins other than when it comes to buying and selling crimeware services," Sullivan said. "They are all probably invested in Bitcoin in order to move and launder 'real' money."

What's on offer for criminals seeking Bitcoin and Perfect Money alternatives? To date, RSA said it's been tracking three Russian-built currency systems -- MUSD, United Payment System, and UAPS -- all of which are tailor-made to help criminals evade law enforcement agencies. "These new internal currencies are carefully administered and secured, ensuring a high level of anonymity in transaction and hiding the user identities, making it more difficult for law enforcement to trace, block, or seize funds and accounts," RSA's Cohen said. The services allow users to deposit funds and cash out their holdings, sometimes to a prepaid credit card.

So far, the most advanced option appears to be UAPS -- a.k.a. the "First Commercial Bank" -- which first appeared more than a year ago on a Russian cybercrime forum. The currency system reportedly sports its own development team, gets frequent updates, and, per its data-retention policy, holds related data for only two months before purging it from the system.

Four different cybercrime boards, meanwhile, appear to have standardized on the United Payment System currency system. According to RSA, each board has its own exchange agent, who's overseen by a site administrator charged with keeping the dealings "honest." That approach highlights how cybercrime forums rely on members to stay straight with each other. "Doing business with crimeware suppliers is based on trust -- karma systems, feedback -- like [on] eBay," Sullivan said. "Buyers rate sellers. A currency provider will have to earn trust -- and heaven help him if he breaks that trust with a large number of cybercriminals."

The MUSD currency first appeared in November 2013. It's only being used on one forum, and it allows users to buy or sell services, as well as procure forum advertising. The currency's developers say their system offers anonymity, a built-in escrow service, and the ability to cash out the currency in person. "Two verified exchange agent services currently work with MUSD in this board, with one offering to cash out MUSD for hard currency in person at an office in Kiev, Ukraine," said Cohen.

On a related note, Russian authorities have recently been signaling that they'll crack down on users of any type of virtual currency, including bitcoins. "Citizens and legal entities risk being drawn -- even unintentionally -- into illegal activity, including laundering of money obtained through crime, as well as financing terrorism," according to a warning issued last month by Russia's central bank.

Earlier this month, Russian authorities warned that only rubles are legal tender inside Russia, and that trading in bitcoins is illegal. "Systems for anonymous payments and cybercurrencies that have gained considerable circulation -- including the most well-known, Bitcoin -- are money substitutes and cannot be used by individuals or legal entities," according to a statement by the Russian Prosecutor General's Office.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
s404n1tn0cc,
User Rank: Apprentice
2/20/2014 | 9:14:34 AM
So much for Law proofing.
Seems since the US invented the Ethernet it owns it and all backdoors. Obviously they somehow were able to get subpoenas and direct access to the accounts. But when they did that the 34000000 dollars is now worth only 8500000. A tremendous shock to the system.
asksqn,
User Rank: Ninja
2/19/2014 | 9:04:08 PM
Bitcoin, We Hardly Knew Ye
Notwithstanding the negative nellie approach to cryptocurrencies, Bitcoin will always be remembered for causing the widespread soiling of jockey shorts worn by members of the Federal Reserve, Greenspan, Bernanke and other keepers of the fiat money cartel.
Thomas Claburn,
User Rank: Moderator
2/18/2014 | 6:49:07 PM
Re: Why tie to physical location?
It would be fitting if cybercriminals took to using actual cans of Hormel Spam as currency.
Brian.Dean,
User Rank: Apprentice
2/18/2014 | 4:06:59 PM
Re: Why tie to physical location?
This is one area where technology is not being used for the good of society. The easiest way to limit illegal activities is by limiting/restricting free movement of finance. However, it is not all negative as technology that enables agencies to detect narcotics using sensors etc restores some of the balance.

I feel since Bitcoin is not doing too good even for legal activities, I wonder whether another crypto currency will ever gain the kind of hype and value that Bitcoin gained during the month of November last year.
Mathew,
User Rank: Apprentice
2/18/2014 | 12:30:52 PM
Re: Why tie to physical location?
Good question. These are add-ons to Russian-language cybercrime forums. It doesn't mean that the admins or users reside in Russia. But if they do, they might want a way to cash out large amounts of money in rubles, for local spending.
Lorna Garey,
User Rank: Ninja
2/18/2014 | 12:00:58 PM
Why tie to physical location?
Mat, why would a group looking to launch a cyber-currency tie itself to a specific country, especially Russia? The U.S., EU and China also seem like bad bets. It's CYBER after all, so why not be completely separate from any physical location?