Experts from ClearSky state that a hacker group tracked as CryptoCore, which is believed to be operating out of Eastern Europe, has stolen around $200 million from cryptocurrency exchanges.
The CryptoCore group, aka Crypto-gang, “Dangerous Password”, and “Leery Turtle”, has been active since 2018.
“CryptoCore is a group that targets almost exclusively cryptocurrency exchanges and companies working with them via supply-chain attack. The CryptoCore group is known for having accumulated a sum of approximately 70 million USD from its heists on exchanges. We estimate that the group managed to rake in more than 200 million USD in two years.” reads the report published by the experts.
According to the experts, the group is not extremely technically advanced and was responsible for five successful hacks in the United States, Japan, and the Middle East. The hacker group also targeted tens of other cryptocurrency exchanges.
The main goal of CryptoCore operations is to gain access to cryptocurrency exchanges’ wallets; the researchers pointed out that the modus operandi has remained the same for the last two and a half years.
The attack chain begins with an extensive reconnaissance phase that targets the company and focuses on its executives, officers and IT personnel.
“While the group’s key infiltration vector to the exchange is usually through spear-phishing against the corporate network, the executives’ personal email accounts are the first to be targeted.” continues the report. “Infiltrating the personal email accounts is an optional phase; however, it’s a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange’s executive.”
The initial phishing messages are always sent to personal email accounts, rather than the corporate ones, due to their lower level of security. Experts explained that it’s a matter of hours to weeks until CryptoCore attackers target business accounts of an exchange’s executive.
Attackers impersonated a high-ranking employee either from the target organization or from another organization (e.g. advisory board) with connections to the targeted employee.
The spear-phishing messages attempt to trick the victims into installing malware on their computers that allows the attackers to steal, or obtain access to, a password manager account.
Then threat actors use the stolen passwords to access accounts and wallets, disable multi-factor authentication, and start transferring funds out of the exchange’s “hot wallets.”
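The sequence described above (stolen credentials, MFA disabled, then funds moved out of hot wallets) leaves a recognisable trace in an exchange's own audit logs. The following detection sketch is an example added by the editor, not code from ClearSky's report or from any exchange: it correlates an MFA-disable event with a hot-wallet withdrawal on the same account inside a short window. The log format, field names (`mfa_disabled`, `wallet_withdrawal`, `wallet=hot`) and the sample lines are all constructed assumptions.

```python
"""Correlate MFA-disable events with hot-wallet withdrawals (editor's example).

Not from the ClearSky report; the audit-log format and event names are assumed.
"""
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <account> <event> [key=value ...]"
SAMPLE_LOG = """\
2020-05-20T09:12:01Z alice.cfo login_success ip=203.0.113.7
2020-05-20T09:14:30Z alice.cfo mfa_disabled method=totp
2020-05-20T09:31:55Z alice.cfo wallet_withdrawal wallet=hot amount=120
2020-05-20T10:02:10Z bob.ops mfa_disabled method=totp
2020-05-20T14:40:00Z bob.ops wallet_withdrawal wallet=hot amount=5
2020-05-20T11:00:00Z carol.it wallet_withdrawal wallet=cold amount=3
"""


def parse_line(line):
    """Split one assumed-format log line into a dict of fields."""
    ts, account, event, *rest = line.split()
    detail = dict(kv.split("=", 1) for kv in rest)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "event": event,
        **detail,
    }


def find_suspicious_withdrawals(log_text, window=timedelta(hours=1)):
    """Return (account, withdrawal timestamp) pairs where a hot-wallet withdrawal
    follows an mfa_disabled event on the same account within `window`.

    A withdrawal long after the MFA change, or from a cold wallet, is not flagged;
    the window keeps the rule focused on the rapid drain pattern rather than on
    every routine MFA re-enrolment.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_mfa_disable = {}  # account -> time of most recent MFA disable
    hits = []
    for e in events:
        if e["event"] == "mfa_disabled":
            last_mfa_disable[e["account"]] = e["ts"]
        elif e["event"] == "wallet_withdrawal" and e.get("wallet") == "hot":
            t = last_mfa_disable.get(e["account"])
            if t is not None and timedelta(0) <= e["ts"] - t <= window:
                hits.append((e["account"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for account, when in find_suspicious_withdrawals(SAMPLE_LOG):
        print(f"ALERT: hot-wallet withdrawal shortly after MFA disable: {account} at {when}")
```

On the constructed sample only `alice.cfo` is flagged: `bob.ops` withdrew more than an hour after the MFA change, and `carol.it` moved funds from a cold wallet with no MFA change at all. In practice the window and the wallet classification would be tuned to the exchange's own withdrawal policy.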
The report published by ClearSky includes technical details along with Indicators of Compromise (IoCs).
Online cryptocurrency exchanges are a privileged target for cybercrime groups and nation-state actors.
North Korea-linked APT Lazarus stole around $571 million from cryptocurrency exchanges in Asia between January 2017 and September 2018.
(SecurityAffairs – hacking, CryptoCore)