Cryptocurrency like bitcoin is easy money for criminals

Bitcoin and its brethren have earned a reputation for fast returns on investment, but they're vehicles for exploitation too.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
6 min read
Aaron Robinson/CNET

This is part of "Blockchain Decoded," a series looking at the impact of blockchain, bitcoin and cryptocurrency on our lives.

The Winklevoss twins aren't the only ones getting rich off cryptocurrency. Criminals are raking it in too.

Blockchain Decoded graphic

See more from Blockchain Decoded.

Thanks to the meteoric rise of bitcoin over the past year, you've probably heard of cryptocurrency, or digital money that uses blockchain encryption technology for transaction security. By mid-December, the value of one bitcoin reached more than $19,000. It's since fallen below $7,000, though it's recovered some ground over the past week.

Bitcoin is the best-known cryptocurrency on the market. However, there are more than 1,500 cryptocurrencies out there, some with goofy names like Dogecoin, PinkDog and Californium.

Before you get too excited about using or trading this new form of money, be aware that cryptocurrencies are rife with criminal activity. Cryptocurrency, for instance, is the preferred form of payment when hackers lock up your computer for ransom, such as in last year's widespread WannaCry attack. Likewise, there are viruses that turn computers into slave machines mining for cryptocurrency. Hackers have also created malware disguised as cryptocurrency apps, tricking folks who think they're cashing in on the trend.

"It's usually being used for something illegal," said Steve McGregory, the application and threat intelligence director at security firm Ixia. He estimates that 99 percent of illegal activities online use cryptocurrency.

This is cryptocurrency's dark side, which sometimes gets lost in the hype over the rocketing value of  bitcoin  and its brethren. But just as digital currency has turned into a hot new investment vehicle, it's given hackers and cybercriminals new opportunities for exploitation.

Even old-school cons have taken a new blockchain twist, with consumers excitedly buying new forms of cryptocurrency only to find they're little more than hot air and false promises.

"With cryptocurrency, it's like choose-your-own adventure," said Rick Holland, a cybercrime researcher at security company Digital Shadows. "People can pick so many routes to target victims now."

Hide the money

The reasons that cryptocurrency has become a trusted, valued form of money are the same reasons it has become an invaluable asset for cybercriminals, who want to get paid for their efforts.

All cryptocurrency transactions use a mix of public and private keys to keep payments secure and, in some scenarios, completely secret. You can see where the money goes and which wallets its headed to. But if you can't link the wallet to a person, the identity remains secret.

Watch this: Cryptojacking: The hot new hacker trick for easy money

That anonymity allows cybercriminals to sell information from massive breaches, such as the 145.5 million Social Security numbers stolen from Equifax or data from 3 billion hacked Yahoo accounts, without worrying about law enforcement tracking who's buying or selling it. Likewise, the WannaCry hackers demanded victims each pay $300 worth of bitcoin to get their devices back to normal last year. Criminals even use cryptocurrency to pay for online classes that teach ways to use stolen credit card numbers.

"The cryptocurrency world allowed bad guys to start collecting in ways that made them less vulnerable to being identified or caught," said Michael Kaiser, the former executive director of the National Cyber Security Alliance.

That cover has helped boost the ranks of cybercriminals, despite the nascent efforts of governments to crack down. For example, the European Union and the UK are working to crack down on the anonymous nature of cryptocurrency, out of concern that it helps terrorist groups and their money-laundering efforts.

"We should be looking at these very seriously precisely because of the way they can be used, particularly by criminals," British Prime Minister Theresa May told Bloomberg last month.

The EU plans to require platforms where bitcoins are traded to report suspicious sales and to monitor users, while the UK wants officials to oversee online transactions. In November, Stephen Barclay, then-economics secretary to the UK treasury, said the government expects these changes to take effect this year.

Banking on botnets

Botnets, a mass of hijacked computers under the control of a hacker, were once primarily used to fire off spam emails or initiate distributed denial-of-service attacks, which essentially block a website by overwhelming it with traffic.

But with cryptocurrency, hackers found another purpose for botnets: making money. 

Cryptocurrency is bought and sold, but it must also be mined, or verified, with immense computing power. Given the processing chops needed to mine cryptocurrency, the cost of the electricity to run the machines can be higher than the mining revenue. But if you're not using your own computer, there's little expense eating into your profits. When the Mirai botnet hit in 2016, hackers took control of thousands of connected devices around the world.

"We were expecting DDoS attacks, but then we started seeing loads of people dropping bitcoin-mining payloads on the routers and cameras," McGregory said. "If you get thousands of these, you can make money off of someone else's machine and it's easy pickings."

McGregory spotted malware designed to stay hidden on hacked machines and mine for cryptocurrency in the background. If you owned one of these computers, the effect would be a dramatic slowdown in performance. And that wasn't even a sophisticated attack. 

Mining malware is sold online for as cheap as $35, according to security researchers from Recorded Future.

McGregory said mining apps in the Google Play Store have been downloaded more than 10 million times. He's found them in fake puzzle games, crosswords and tic-tac-toe apps. He's also spotted one called Reward Digger, in which the player earns virtual coins but in actuality is helping hackers mine bitcoin.

Mugging malware

If you can't mine cryptocurrency or get a botnet to do it for you, there's always the old-fashioned way: stealing it.

Some malware searches for cryptocurrency wallets and empties them via virtual burglary. In October, antivirus company Kaspersky Lab researchers discovered CryptoShuffler, a trojan that lets hackers change the wallet address from a victim's computer to their own, essentially diverting the funds away from the intended person.

Because of the anonymity of transactions, a victim doesn't know what happened until it's too late. Since Kaspersky discovered it, the trojan has stolen 23 bitcoins, now worth around $210,000.

"Lately, we've observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue," Sergey Yunakovsky, malware analyst at Kaspersky Lab, said in a statement.

In December, NiceHash, another cryptocurrency mining marketplace, said it had been hacked to the tune of $62 million. And unlike money stolen from a bank, police can't find it and victims won't ever get it back.

Old crimes, new tech

The connection between cryptocurrency and crime is only going to get worse as investments continue to boom.

The US Securities and Exchange Commission last year cracked down on a cryptocurrency scheme that it said raised more than $15 million before it was busted. The alleged scammers promised wild returns on the launch of a new digital currency, but the SEC said that investments went toward their personal expenses instead.

Holland predicts that it'll be five to 10 years before governments can get a handle on digital currency crimes, and even then it may not be possible. That's because the schemes will just evolve.

"It's a new twist on an old game," Holland said. "But now the scale at which you can do this is high and the likelihood of you being busted is low." 

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.

Virtual reality 101: CNET tells you everything you need to know about VR.