Why do hackers target cryptocurrencies?

Cryptocurrency investors continue to be a target for cyber attacks, Cyber Security Hub investigates why

Olivia Powell
01/31/2023


Cyber Security Hub explores why and how hackers are targeting cryptocurrency investors.

With more than 420 million cryptocurrency users, more than 12,000 cryptocurrencies worldwide and an estimated value of US$2.2bn by 2026, the digital currency marketplace is growing rapidly. This rapid growth, however, has made it a target for cyber attackers looking to defraud victims. 

Here, Cyber Security Hub explores the threat vectors used and vulnerabilities exploited by hackers specific to cryptocurrency-based cyber crime.

Why do hackers target cryptocurrency?

Cryptocurrency attacks can have large payouts

With Bitcoin, Ethereum and Tether having market caps of $330.6bn, $152.6bn and $68.2bn respectively, cryptocurrency traders and wallets can be an attractive target to hackers. So much so that blockchain data platform Chainalysis reported that a total of $3.8bn in cryptocurrency was stolen by crypto hackers in 2022.

In September 2022, malicious actors compromised cryptocurrency market maker Wintermute’s hot wallet to steal $162.5mn. The term hot wallet refers to a cryptocurrency wallet that is available online and can facilitate transactions between the owner and others’ wallets.

To do this, the hackers exploited a vulnerability in private keys generated by the Profanity app. Private keys are a secure code proving ownership of a cryptocurrency wallet and allowing the holder of the wallet to make transactions. If these keys are unsafe, however, it can allow malicious actors access to a cryptocurrency wallet.

Cryptocurrency companies may be more vulnerable to cyber attacks

While the first cryptocurrency, eCash, was created in 1990 by Digicash, cryptocurrency did not reach the mainstream until the introduction of Bitcoin in 2009. With around 100 new cryptocurrencies created and minted each day, the urge to join the market may mean so-called cryptopreneurs are more focused on creating and launching their cryptocurrency than on protecting their business.

Luke Willmott, co-founder and COO of crypto-based car marketplace AutoCoinCars, notes that this enthusiasm to launch can lead to security issues that are a big draw for hackers. He notes that as people do not need to invest a large amount of money to form startups in the cryptocurrency space, this can mean that their investment focus is on the front end of the company, for example making an attractive webpage, rather than protecting the back end of their business. This leaves them vulnerable to cyber attacks.

“Even some of the larger cryptocurrency companies likely do not have sophisticated enough cyber defenses to outsmart hackers. With the cryptocurrency industry growing at such a rapid rate it is understandable why this may be difficult to keep up with. Add on top of that the rate at which both hackers and technology grow in intelligence, you would need a full-time person to deploy a strong cyber defense strategy and infrastructure,” Willmott explains.

In January of this year, it was revealed that collapsed cryptocurrency exchange FTX had $415mn worth of cryptocurrency stolen by hackers. The loss was discovered after FTX lawyers and advisors identified $5.5bn worth of assets to be recovered, with the stolen cryptocurrency making up around a tenth of the assets to be recovered.

Global news company Insider suggested that the stolen cryptocurrency “could be linked to a hack that took place just hours after FTX filed for bankruptcy” and prosecutors noted that more than $370mn in crypto had “vanished from the exchange”.

Cryptocurrency transfers cannot be reversed

Cryptocurrency transfers take place on a decentralized network, meaning that when funds are transferred they cannot be cancelled or reversed, only refunded by the receiver. This is due to the immutable nature of the blockchain making it impossible for any data within the network to be edited. Digital currency protocols put in place by cryptocurrency companies to allow merchants to accept digital currency without chargebacks also prevent funds being cancelled or reversed.

This means that if hackers are able to gain access to and transfer funds from a victim’s cryptocurrency wallets, it is very unlikely that the victim will be able to regain these funds.

On January 15, a cryptocurrency and NFT influencer who uses the moniker NFT God posted to Twitter that their “entire digital livelihood was violated” after hackers gained access to and stole “a life changing amount of [their] net worth” in funds and NFTs from their digital wallet.

In a series of tweets, NFT God explained that they believed hackers had gained access to their computer and digital wallet after they mistakenly downloaded malware they believed was video streaming software. The hackers stole all of NFT God’s digital assets.

Cryptocurrency news site Metaverse Zeus reported that blockchain data showed that these assets included “at least 19 ETH, worth almost $27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and several other NFTs”.

Speaking on the hack, NFT God tweeted: “There's no recourse. It's not fixable. You can't revert blockchain transactions.”

Hackers have even capitalized on the fact that those who lose their digital assets will want to regain them. The prevalence of hackers exploiting this desperation has led to the US Federal Trade Commission (FTC) issuing a warning to cryptocurrency owners not to trust individuals or companies that offer cryptocurrency recovery services. In these scams, malicious actors will tell victims they can return their funds and assets to them, then either charge them a fee or ask for their financial information to do so. This leads to the victim being further defrauded.

How do malicious actors target cryptocurrency users and companies? 

Social engineering attacks against unsuspecting investors

As those looking to invest in cryptocurrencies feel pressure to buy in at the most opportune moment, malicious actors exploit this pressure in social engineering attacks. An example of this was seen in July 2022, after the US Federal Bureau of Investigation (FBI) warned cryptocurrency investors that fake cryptocurrency applications had led to losses of $42.7mn in just six months.

Between November 1, 2021 and May 13, 2022, the FBI identified 244 victims who lost between $900,000 and $5.5mn each to fake cryptocurrency apps.
The scams involved fraudsters posing as legitimate US investment services and specifically targeting those who had an interest in cryptocurrency and mobile banking. During communications with the victims, the hackers used the logos and names of said investment services to make themselves appear more legitimate. Using these techniques, the hackers were able to convince the investors to download mobile apps, which led to them being defrauded.

The two companies the scammers created fake websites for were YitBit, which is the name of a former legitimate cryptocurrency service, and Supayos, an Australian currency exchange business. The FBI suggested this was an attempt to make the scam apps seem more legitimate.

The criminals were able to defraud at least four victims of $5.5mn while posing as YitBit, by waiting for investors to deposit funds into the fake accounts, then telling them via the app that to withdraw any funds, they must pay taxes. This meant that the victims were unable to withdraw any investments from the fraudulent app.

Research by cyber security resource site Privacy Affairs has found that malicious actors launched up to 15 cryptocurrency-based scams every hour in 2022, leading to hackers stealing $4.3bn worth of cryptocurrency from January to November.

Hacking into token bridges to steal funds

Blockchain bridges are used by cryptocurrency users to transfer cryptocurrency between different blockchains. The bridges work by depositing the assets as ‘wrapped’ tokens across the bridge. Wrapping the tokens allows them to function on the blockchain they are being transferred to. Unfortunately, this makes bridges more susceptible to attacks as they have vulnerabilities on each end of the transfer.

In August 2022, US-based cryptocurrency firm Nomad confirmed that $190mn worth of cryptocurrency had been stolen via a hack of the Nomad token bridge.  

The funds were stolen after hackers exploited a flaw in the bridge’s code that allowed malicious actors to replace the intended destination wallet with their own account.

Phishing attacks to gain access to digital wallets

Similar to the use of fake cryptocurrency companies to defraud investors, hackers will pose as cryptocurrency companies to gain access to cryptocurrency users’ wallets via phishing attacks.

In October 2022, a hacker known as Monkey Drainer used phishing attacks to steal $1mn worth of Ethereum and NFTs in just 24 hours.

Monkey Drainer is notorious for using phishing-based hacking techniques to steal from victims by setting up fake cryptocurrency and NFT sites. To make these fake sites more believable, Monkey Drainer has been known to pose as legitimate blockchain sites including RTFKT and Aptos. After logging in to the fraudulent sites, victims enter sensitive details about their cryptocurrency wallets and sign off on transactions, allowing Monkey Drainer to access their wallets and their funds.

The most prominent victims in the October 2022 attack were referred to only as 0x02a and 0x626. The pair lost a collective $370,000 via malicious phishing sites operated by Monkey Drainer, with 0x02a losing 12 NFTs worth around $150,000.

0x626 held around $2.2mn in their cryptocurrency wallet at the time; however, some of the transactions pushed by Monkey Drainer were rejected by the network the wallet was on as they were marked as suspicious. This meant that the overall actual loss was $220,000 worth of cryptocurrency.

 

