Bitcoin Heists Cause More Trouble

Attackers continue to pummel bitcoin "banks," exchanges, and crypto-currency users themselves via malware that steals virtual wallets.

deducted 12.3% from every user's bitcoin balance, although he promised to refund that by raising the exchange fee, as well as via donations.

That theft was in fact the second crypto-currency heist to hit Poloniex, after an anonymous attacker -- using the handle "Guy Fawkes" -- last month boosted 35,000 units of Counterparty currency (XCP). That relatively new crypto-currency is billed as being a "distributed financial system built on top of the Bitcoin blockchain" and was created to facilitate the use of financial instruments, such as floating company stocks, creating derivatives, and hedging trades.

The attacker converted the XCP into 150 bitcoins, then withdrew 115 of them, which as of Wednesday was worth over $70,000.

But in an odd twist, the attacker -- who claimed to work as a cleaner in a Brazilian hostel, though he dreamed of becoming a security expert -- later returned all of the stolen bitcoins, and detailed how he'd stolen the XCP in the first place. He cited not a flaw at Poloniex, but rather in the Counterparty software used by the exchange, which has since been patched. In exchange for the safe return of the bitcoins, the owner of Poloniex agreed to not press charges.

Pony botnet steals crypto-currency wallets
Beyond those exploits of Bitcoin exchanges and banks, hackers have also continued to directly attack people who buy, sell, and store crypto-currencies. Between September 2013 and mid-January 2014, for example, attackers used an instance of the Pony botnet to steal 85 virtual wallets, which were then used to trade more than $200,000 in crypto-currency, including 355 bitcoins, 280 litecoins, 33 primecoins, and 46 feathercoins.

"The source code for Pony leaked last year, which means that any cyber gang that gets access to that code can take it and make any modifications that it wants," Ziv Mador, director of security research at Trustwave SpiderLabs, which discovered the botnet, said in a phone interview. That firm was also behind the discovery of another Pony botnet, which was recently used to steal 2 million credentials, primarily for Facebook, Google, Yahoo, Twitter, and LinkedIn, but for a range of other sites too, including payment processor ADP.

In the latest case, however, attackers used a Pony botnet to steal 700,000 credentials, including website and email logins, as well as FTP secure shell and remote desktop credentials. But the attackers also modified their version of the Pony botnet to target crypto-currency virtual wallets, which are typically generated by Bitcoin software or other virtual currency tools, and stored as "wallet.dat" files. While most of those tools include an option to encrypt the wallet.dat file -- typically, it's not active by default --Mador said the owners of the 85 stolen wallets failed to encrypt them.

Crypto-currency transactions lack fraud controls
"Once a legitimate wallet is stolen, and if it wasn't encrypted, both the legitimate owner and the attacker can generate transactions," Mador said. Since crypto-currency transactions are anonymous -- they only carry a long number, which is their public key -- researchers can't tell who made the trades using the 85 wallets. "There's no way for us to determine whether the money was stolen, or if they were legitimate transactions," he added.

Attackers target bitcoins and other virtual currencies because of their value, as well as the degree of anonymity they afford. But another way in which they're "ideal for criminals," Mador said, is because once a transaction is made, it can't be reversed. For example, even if the owner of a virtual wallet realized he'd been hacked, so long as the attacker was able to cash out the wallet before its legitimate owner, there would be nothing the owner could do.

"A user in a commercial bank, for example, if they're the victim of a fraudulent transaction, most likely the bank will pay them back or reimburse them for the loss," said Mador. "That's not the case for virtual currencies. If the site doesn't stand up to reimburse the user, then the money is lost."

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5