CryptoCore hacker group stole over $200M from cryptocurrency exchanges

The CryptoCore hacker group that is believed to be operating out of Eastern Europe has stolen around $200 million from online cryptocurrency exchanges.

Experts from ClearSky state that a hacker group tracked as CryptoCore, which is believed to be operating out of Eastern Europe, has stolen around $200 million from cryptocurrency exchanges.

The CryptoCore group, aka Crypto-gang, “Dangerous Password”, and “Leery Turtle”, has been active since 2018.

“CryptoCore is a group that targets almost exclusively cryptocurrency exchanges and companies working with them via supply-chain attack. The CryptoCore group is known for having accumulated a sum of approximately 70 million USD from its heists on exchanges. We estimate that the group managed to rake in more than 200 million USD in two years.” reads the report published by the experts.

According to the experts, the group is not extremely technically advanced and was responsible for five successful hacks in the United States, Japan, and the Middle East. The hacker group also targeted tens of other cryptocurrency exchanges.

The main goal of CryptoCore operations is to gain access to cryptocurrency exchanges’ wallets. The researchers pointed out that the group’s modus operandi has remained the same for the last two and a half years.

The attack chain begins with an extensive reconnaissance phase that targets the company and focuses on its executives, officers and IT personnel.

“While the group’s key infiltration vector to the exchange is usually through spear-phishing against the corporate network, the executives’ personal email accounts are the first to be targeted.” continues the report. “Infiltrating the personal email accounts is an optional phase; however, it’s a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange’s executive.”

The initial phishing messages are always sent to personal email accounts, rather than the corporate ones, due to their lower level of security. Experts explained that it’s a matter of hours to weeks until CryptoCore attackers target business accounts of an exchange’s executive.

Attackers impersonated a high-ranking employee, either from the target organization or from another organization with connections to the targeted employee (e.g. an advisory board).

The spear-phishing messages attempt to trick the victims into installing malware on their computer that allows the attackers to steal credentials or obtain access to a password manager account.

Then threat actors use the stolen passwords to access accounts and wallets, disable multi-factor authentication, and start transferring funds out of the exchange’s “hot wallets.”

The report published by ClearSky includes technical details along with Indicators of Compromise (IoCs).

Online cryptocurrency exchanges are a privileged target for cybercrime groups and nation-state actors.

North Korea-linked APT Lazarus stole around $571 million from cryptocurrency exchanges in Asia between January 2017 and September 2018.


Pierluigi Paganini

(SecurityAffairs – hacking, CryptoCore)
