Bye, Bitcoin: Criminals Seek Other Crypto Currency

Law enforcement crackdowns, hack attacks, and market volatility drive Russian fraudsters to mint their own virtual currency systems.

When it comes to profiting from ill-gotten gains, have bitcoins become passé?

That appears to be the prevailing attitude on some leading Russian cybercrime forums, which have ditched well-known virtual currencies -- including Perfect Money and Bitcoin -- in favor of forum-specific alternatives, which administrators claim offer higher levels of anonymity, security, and reliability.

Blame the shift, at least partly, on the Justice Department's takedown of Liberty Reserve, which was a Costa Rica-based virtual currency system that sported one million users. After it was closed, criminals needed to find new ways to move money and store stolen funds -- preferably without having their profits picked off by either rivals or investigators. "Ever since the Liberty Reserve takedown in May of last year and the confiscation of all accounts by law enforcement, fraudsters have been busy finding a solid currency to which they can entrust their spoils without the risk of losing them in a bust," said RSA fraud intelligence analyst Daniel Cohen in a blog post.

Why not simply use existing virtual currency options? While Perfect Money and Bitcoin would seem to be "the obvious choices" for cybercriminals, said Cohen, "Perfect Money is of questionable background, while Bitcoin does not provide fraudsters the required level of anonymity and is not immune to seizure." For example, US prosecutors in November seized bitcoins worth more than $34.1 million from users of the "darknet" narcotics marketplace known as Silk Road.

Criminals also risk having their bitcoin hoards stolen by rivals. Last week, for example, the administrator of a darknet site known as Silk Road 2 -- which, like its namesake, serves as a marketplace for buying and selling narcotics -- said that the site had been hacked, and all of its users' bitcoins stolen, the BBC reported.

According to a forum post from a Silk Road 2 administrator (who goes by "Defcon"), one of the site's vendors made off with the bitcoin haul -- worth an estimated $2.7 million -- by exploiting a recently discovered vulnerability involving transaction malleability. The heist led a number of bitcoin exchanges to suspend operations until they bolster their defenses. "I should have taken MtGox and Bitstamp's lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too sceptical (sic) of the possible issue at hand," Defcon said in a forum posting.

Those bitcoin exchange suspensions have recently driven the value of a bitcoin to less than $300 on Mt Gox -- which typically handles about one-fifth of the world's bitcoin trades -- compared to the currency being valued Tuesday on other exchanges at about $630. Still, that's down from the $1,200 commanded by a bitcoin back in November.

That market volatility is likely another reason why many criminals have opted for an alternative cryptographic currency, digital currency expert Michael Jackson, a former COO at Skype, told The Register. "It suggests that criminals don't trust Bitcoin -- I hope this is because they think the police will find them, but I suspect it's more to do with the fact that they don't like volatility. Even an online dope seller wants predictability in his business."

What's arguably even better for criminals, however, is anonymity. "Buyers and sellers of crimeware services have long had anonymous handles with which to do business," said Sean Sullivan, security advisor at F-Secure Labs, via email. "Anonymity has allowed crimeware to evolve into a highly commoditized ecosystem. Having its own currency system adds another layer of anonymity."

Cybercriminals, however, are likely still using bitcoins for some purposes. "They probably aren’t avoiding bitcoins other than when it comes to buying and selling crimeware services," Sullivan said. "They are all probably invested in Bitcoin in order to move and launder 'real' money."

What's on offer for criminals seeking Bitcoin and Perfect Money alternatives? To date, RSA said it's been tracking three Russian-built currency systems -- MUSD, United Payment System, and UAPS -- all of which are tailor-made to help criminals evade law enforcement agencies. "These new internal currencies are carefully administered and secured, ensuring a high level of anonymity in transaction and hiding the user identities, making it more difficult for law enforcement to trace, block, or seize funds and accounts," RSA's Cohen said. The services allow users to deposit funds and cash out their holdings, sometimes to a prepaid credit card.

So far, the most advanced option appears to be UAPS -- a.k.a. the "First Commercial Bank" -- which first appeared more than a year ago on a Russian cybercrime forum. The currency system reportedly sports its own development team, gets frequent updates, and, per its data-retention policy, holds related data for only two months before purging it from the system.

Four different cybercrime boards, meanwhile, appear to have standardized on the United Payment System currency system. According to RSA, each board has its own exchange agent, who's overseen by a site administrator charged with keeping the dealings "honest." That approach highlights how cybercrime forums rely on members to stay straight with each other. "Doing business with crimeware suppliers is based on trust -- karma systems, feedback -- like [on] eBay," Sullivan said. "Buyers rate sellers. A currency provider will have to earn trust -- and heaven help him if he breaks that trust with a large number of cybercriminals."

The MUSD currency first appeared in November 2013. It's only being used on one forum, and it allows users to buy or sell services, as well as procure forum advertising. The currency's developers say their system offers anonymity, a built-in escrow service, and the ability to cash out the currency in person. "Two verified exchange agent services currently work with MUSD in this board, with one offering to cash out MUSD for hard currency in person at an office in Kiev, Ukraine," said Cohen.

On a related note, Russian authorities have recently been signaling that they'll crack down on users of any type of virtual currency, including bitcoins. "Citizens and legal entities risk being drawn -- even unintentionally -- into illegal activity, including laundering of money obtained through crime, as well as financing terrorism," according to a warning issued last month by Russia's central bank.

Earlier this month, Russian authorities warned that only rubles are legal tender inside Russia, and that trading in bitcoins is illegal. "Systems for anonymous payments and cybercurrencies that have gained considerable circulation -- including the most well-known, Bitcoin -- are money substitutes and cannot be used by individuals or legal entities," according to a statement by the Russian Prosecutor General's Office.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

User Rank: Apprentice
2/20/2014 | 9:14:34 AM
So much for Law proofing.
Seems since the US invented the Ethernet it owns it and all Backdoors. Obviously they somehow were able to get subpoenas. And direct access to the accounts. But when they did that the 34000000 dollars is now worth only 8500000. A tremendous shock to the system.
User Rank: Ninja
2/19/2014 | 9:04:08 PM
Bitcoin, We Hardly Knew Ye
Notwithstanding the negative nellie approach to cryptocurrencies, Bitcoin will always be remembered for causing the widespread soiling of jockey shorts worn by members of the Federal Reserve, Greenspan, Bernanke and other keepers of the fiat money cartel.
Thomas Claburn
User Rank: Ninja
2/18/2014 | 6:49:07 PM
Re: Why tie to physical location?
It would be fitting if cybercriminals took to using actual cans of Hormel Spam as currency.
User Rank: Apprentice
2/18/2014 | 4:06:59 PM
Re: Why tie to physical location?
This is one area where technology is not being used for the good of society. The easiest way to limit illegal activities is by limiting/restricting free movement of finance. However, it is not all negative as technology that enables agencies to detect narcotics using sensors etc restores some of the balance.

I feel since Bitcoin is not doing too good even for legal activities, I wonder whether another crypto currency will ever gain the kind of hype and value that Bitcoin gained during the month of November last year.
User Rank: Apprentice
2/18/2014 | 12:30:52 PM
Re: Why tie to physical location?
Good question. These are add-ons to Russian-language cybercrime forums. It doesn't mean that the admins or users reside in Russia. But if they do, they might want a way to cash out large amounts of money in rubles, for local spending.
Lorna Garey
User Rank: Ninja
2/18/2014 | 12:00:58 PM
Why tie to physical location?
Mat, why would a group looking to launch a cyber-currency tie itself to a specific country, especially Russia? The U.S., EU and China also seem like bad bets. It's CYBER after all, so why not be completely separate from any physical location?