Report: how cybercriminals abuse API keys to steal millions

Pierluigi Paganini May 21, 2021

CyberNews researchers found that crooks could abuse cryptocurrency exchange API keys and steal cryptocurrencies.


CyberNews researchers found that cybercriminals are able to abuse cryptocurrency exchange API keys and steal cryptocurrencies from their victims’ accounts without being granted withdrawal rights. At the same time, more than $1,000,000 in cryptocurrency is being held in accounts that have their API keys exposed on public code repositories.

As the cryptocurrency market exploded over the past few years, companies began to offer apps and services to help traders streamline their trading process.

To use these services, traders can grant third-party programs access to their personal accounts on cryptocurrency exchanges via API keys that allow these programs to perform actions on their behalf, including opening and executing automatic trade orders without logging into the exchange.

Each set of API keys consists of two elements: a public key and a private key, the latter commonly referred to as the secret key. The secret key is used by third-party apps to sign operation requests, which tells the cryptocurrency exchange that the app is authorized to access the trader’s account and carry out the operations permitted for that API key.

Naturally, having your API keys exposed or stolen by cybercriminals can result in catastrophic consequences. With that said, even if someone else steals your secret API key, they shouldn’t be able to simply transfer your cryptocurrency balance to their own wallet, as cryptocurrency exchanges disable API withdrawal permissions by default.

However, while conducting threat intelligence operations, our researchers found that in recent weeks, the number of trade offers for stolen cryptocurrency exchange API keys appeared to be steadily increasing across hacker forums. 

Apparently, there’s an emerging criminal business model, with ‘experienced trader’ teams offering to ‘clear out’ crypto exchange accounts by exploiting stolen API keys.

Needless to say, this caught our attention. To help cryptocurrency exchange users protect their hard-earned coins, we decided to investigate this emerging trend and learn as much as we can about how these API keys are being exploited by threat actors.

What we found was incredibly alarming: it appears that stolen API keys for cryptocurrency trading apps are being used by cybercriminals to easily empty their victims’ accounts on all major cryptocurrency exchanges. 

Even worse, criminals can easily circumvent “trade-only” settings on the API keys and steal money from traders’ accounts even without obtaining their account credentials or withdrawal rights. 

How cybercriminals abuse stolen API keys

Usually, cryptocurrency exchanges offer three types of API permissions to traders:

  • Data permissions allow APIs to read your exchange account data, including open orders, balances, and trade history, without making any changes to your account. 
  • Trade permissions allow APIs to execute trades, place open orders, and close orders on your behalf.
  • A withdrawal permission allows APIs to withdraw cryptocurrencies from your exchange account and transfer them to another location. With this permission enabled, an app would be able to move your funds to another wallet without your say-so.
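Added example, not from the CyberNews report or from any exchange's own code: a small Python model of the signing scheme described above, with a client that signs a request using the secret key and an exchange-side check that verifies the signature, rejects stale requests, and enforces the data/trade/withdraw permission split from the list above. The HMAC-SHA256-over-parameters construction, the mapping from permission types to request actions, and all key values are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed demo credentials (not real exchange keys). The public key identifies
# the account; the secret key is what signs requests and must never be shared.
API_KEY = "demo-public-key-0001"
SECRET_KEY = "demo-secret-do-not-commit"

# Assumed mapping from the three permission types to the request actions each
# one unlocks (action names are illustrative, not any exchange's API).
PERMISSIONS = {
    "data": {"balances", "open_orders", "trade_history"},
    "trade": {"place_order", "cancel_order"},
    "withdraw": {"withdraw"},
}


def _canonical(params):
    """Deterministic encoding of the parameters that both sides sign over."""
    return urlencode(sorted(params.items())).encode()


def sign_request(params, secret, timestamp_ms=None):
    """Client side (e.g. a trading bot): attach a timestamp and an HMAC-SHA256 signature."""
    signed = dict(params)
    signed["timestamp"] = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    signed["signature"] = hmac.new(secret.encode(), _canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify_request(action, params, secret, key_permissions, now_ms=None, recv_window_ms=5000):
    """Exchange side: check the signature, then freshness, then the key's permission scope."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    provided = params.get("signature")
    if provided is None:
        return False, "missing signature"
    unsigned = {k: v for k, v in params.items() if k != "signature"}
    expected = hmac.new(secret.encode(), _canonical(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak which byte mismatched.
    if not hmac.compare_digest(provided, expected):
        return False, "bad signature"
    try:
        ts = int(unsigned.get("timestamp", 0))
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now_ms - ts) > recv_window_ms:
        return False, "stale timestamp (possible replay)"
    allowed = set().union(*(PERMISSIONS.get(p, set()) for p in key_permissions))
    if action not in allowed:
        return False, f"permission denied for {action}"
    return True, "ok"


if __name__ == "__main__":
    trade_only = {"data", "trade"}  # the exchange default: withdrawal not granted
    order = {"symbol": "ABCUSDT", "side": "SELL", "quantity": "1.5", "price": "100.0"}
    signed = sign_request(order, SECRET_KEY)
    print(verify_request("place_order", signed, SECRET_KEY, trade_only))    # (True, 'ok')
    print(verify_request("withdraw", signed, SECRET_KEY, trade_only))       # permission denied
    tampered = dict(signed, quantity="500")
    print(verify_request("place_order", tampered, SECRET_KEY, trade_only))  # bad signature
```

The thing to notice is that the secret never travels with the request, yet anyone who holds it can produce signatures the exchange accepts. A leaked secret with trade rights is therefore sufficient for the trading-based theft the report goes on to describe, even though the withdrawal check in `verify_request` still refuses a direct transfer.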

For security reasons, cryptocurrency exchanges disable the withdrawal permission by default. With that said, most of the ads posted on cybercriminal forums claim that their owners were able to withdraw up to 80% of their victims’ cryptocurrency balance, which they would then split with the owner of the stolen API keys.

(An example of an API key exploit service ad on a hacker forum: ‘experienced traders’ offering to withdraw up to 80% of funds from compromised exchange accounts, depending on the exchange)

This would make you think that the criminal service providers behind those ads would require stolen API keys that have been granted withdrawal permissions. However, after conducting a series of tests, we were not able to find a single stolen API key for sale with withdrawal rights enabled. 

Were criminals able to withdraw funds without withdrawal rights?

Unfortunately, to steal funds from exchange accounts, threat actors don’t even need to withdraw them directly: by trading on their victims’ behalf with the appropriate permissions, they can simply trade away their balances via outrageously unprofitable trades against bots set up by the criminals themselves.

During our investigation of the stolen exchange API key abuse techniques used by cybercriminals, we learned that threat actors primarily employ two API key exploitation methods to steal funds from traders: ‘sell wall’ buyouts and price boosting. 

Note: we successfully tested these methods ourselves on our own account on the Binance cryptocurrency exchange, and it seems that accounts on all popular crypto exchanges can be potentially exploited this way.

Buying ‘sell walls’

‘Sell walls’ are a common market manipulation technique employed both in the stock and cryptocurrency markets. In the world of crypto, these are massive market sell orders artificially created by market manipulators in order to lower cryptocurrency prices or keep them below the maximum threshold and buy up a lot of coins on the cheap.

In many cases, these massive orders will only appear for minutes or even seconds at a time, and then get removed altogether.

Our investigation found that cybercriminals use the same ‘sell wall’ technique, but with a twist. In this case, the ‘sell walls’ are created by threat actors using compromised trader accounts, set up using their stolen API keys.

According to CyberNews researcher Martynas Vareikis, in order to generate a price movement, criminals set up their trading bots to open many small sell orders below market value – or a single massive sell order if the victim’s account balance is big enough – while at the same time, the same bot opens automatic buy orders for the coins that the victim is forced to ‘sell’.

“This creates a visible ‘sell wall’ in the buy/sell order chart of the cryptocurrency exchange, where legitimate trading bots usually manage to buy up to approximately 20% of the ‘wall’ before their trade balances become exhausted, leaving the other 80% to the trading bots set up by the criminals,” says Vareikis. 

After completing one sell order at an incredibly low price, another order is immediately set up to sell more coins, causing an even bigger loss to the victim. Rinse and repeat, however many times it takes to gradually sell the victim’s entire account balance to the threat actors’ trading bots at deflated prices. 

This way, the victim’s funds can completely evaporate in mere milliseconds, as this is all the time needed for such automatic trade order executions to take place.

Price boosting

Price boosting is the second technique commonly used by criminals to exploit stolen API keys. This method involves buying cheap coins whose trading volume is very low to briefly increase their price, and then selling them back to the victim at extortionary rates. 

Criminals begin their operation by depositing an extremely cheap, unpopular cryptocurrency within their own middleman account before exploiting the victim’s account. 

Then, around 80% of the victim’s account is used to initiate a big buy order for the same cryptocurrency. The low trading volume is what allows cybercriminals to massively inflate the price of the coin simply by initiating large buy orders.

At the same time, the middleman account is used to SELL the inflated coin to the victim for a boosted price. After the orders are executed, the trade volume and price go back to normal, leaving the victim with a bunch of virtually worthless coins that they were forced to buy from the threat actors at outrageous prices.
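Both techniques leave a recognisable trace in the victim account's own fill history: sells executed far below the prevailing price (sell-wall buyouts) and large buys of a thinly traded coin far above it (price boosting), all placed through the API key and completed within a very short window. As an added example that is not part of the original report, the following Python detection logic runs over constructed fill records and flags those patterns. The reference prices, the thresholds, the `source` field distinguishing API-placed orders from web orders, and the sample balance are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Fill:
    ts_ms: int      # exchange timestamp of the fill
    symbol: str
    side: str       # "BUY" or "SELL"
    price: float
    qty: float
    source: str     # "api" for key-driven orders, "web" for orders placed in the browser


# Constructed reference data a risk engine would keep: recent mid price and 24h volume.
REFERENCE = {
    "ABCUSDT": {"mid": 100.0, "volume_24h": 5_000_000},
    "THINUSDT": {"mid": 0.010, "volume_24h": 12_000},
}

# Constructed fills for one account whose balance is assumed to be 10,000 USD.
SAMPLE_FILLS = [
    Fill(1_000, "ABCUSDT", "SELL", 99.8, 2.0, "web"),        # ordinary manual sale
    Fill(2_000, "ABCUSDT", "SELL", 70.0, 10.0, "api"),       # 30% below market ...
    Fill(2_100, "ABCUSDT", "SELL", 68.0, 10.0, "api"),
    Fill(2_200, "ABCUSDT", "SELL", 65.0, 10.0, "api"),
    Fill(2_300, "ABCUSDT", "SELL", 60.0, 10.0, "api"),
    Fill(2_400, "ABCUSDT", "SELL", 55.0, 10.0, "api"),       # ... five dumps within 400 ms
    Fill(9_000, "THINUSDT", "BUY", 0.05, 100_000, "api"),    # thin coin bought at 5x mid price
]


def review_fills(fills, balance_usd, max_deviation=0.10, big_fraction=0.5, thin_volume=100_000):
    """Flag API-driven fills that match the sell-wall or price-boosting pattern."""
    alerts = []
    for f in fills:
        ref = REFERENCE.get(f.symbol)
        if ref is None or f.source != "api":
            continue
        deviation = (f.price - ref["mid"]) / ref["mid"]   # +0.5 means 50% above mid
        notional = f.price * f.qty
        if f.side == "SELL" and deviation < -max_deviation:
            alerts.append((f.ts_ms, f.symbol, "sell_far_below_market", round(deviation, 3)))
        if (f.side == "BUY" and deviation > max_deviation
                and ref["volume_24h"] < thin_volume
                and notional >= big_fraction * balance_usd):
            alerts.append((f.ts_ms, f.symbol, "large_buy_of_thin_coin_above_market", round(deviation, 3)))
    return alerts


def sell_bursts(fills, window_ms=1_000, threshold=5):
    """Report windows in which `threshold` or more API-driven sells of one symbol completed."""
    sells = sorted((f for f in fills if f.source == "api" and f.side == "SELL"),
                   key=lambda f: (f.symbol, f.ts_ms))
    bursts = []
    covered = {}  # symbol -> last timestamp already included in a reported burst
    for i, start in enumerate(sells):
        if start.ts_ms <= covered.get(start.symbol, -1):
            continue
        same = [f for f in sells[i:]
                if f.symbol == start.symbol and f.ts_ms - start.ts_ms <= window_ms]
        if len(same) >= threshold:
            bursts.append((start.symbol, start.ts_ms, len(same)))
            covered[start.symbol] = same[-1].ts_ms
    return bursts


if __name__ == "__main__":
    for alert in review_fills(SAMPLE_FILLS, balance_usd=10_000):
        print("ALERT", alert)
    for burst in sell_bursts(SAMPLE_FILLS):
        print("BURST", burst)
```

Run against the constructed data this reports five below-market API sells, one oversized buy of the thin coin, and a single five-fill burst starting at `t=2000`. The deviation check is the useful one for an exchange or a bot-platform operator, because a legitimate bot has no reason to keep selling 30% below mid; the burst check matters because the report notes that the whole drain can complete in milliseconds, so an alert that waits for a daily summary is too late.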

How cybercriminals obtain stolen API keys

There are several ways for cybercriminals to acquire someone else’s API keys without installing malware or spyware on their device. This includes scanning publicly accessible web application environment files and public code repositories for leaked private keys. 

Most web applications use environment (ENV) files to store framework settings that are essential for an application to work, and may in certain cases include API keys. In most cases, these files are stored under lock and key. However, sometimes they are left unprotected, which means that anyone, including cybercriminals, can access their contents and extract any useful information found within.

Similarly to ENV files, files stored in public code repositories can contain exposed authentication tokens. Public repositories such as GitHub are notorious for being goldmines for cybercriminals, with some storing hundreds of thousands of leaked credentials, files, and – you guessed it – API keys.
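An added example, not from the report or from any project it mentions: a pre-push check in Python that scans a constructed repository snapshot for assignments of exchange-key-like values (both in a `.env` file and hard-coded in source) and verifies that `.env` is excluded by `.gitignore`. The variable-name patterns, the entropy threshold, and all sample file contents and key-like strings are assumptions.

```python
import math
import re
from collections import Counter

# Variable names that commonly carry exchange credentials, followed by a value of
# 16+ alphanumerics. Placeholders such as "your_key_here" do not match.
KEY_ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:api[_-]?key|api[_-]?secret|secret[_-]?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*[\"']?([A-Za-z0-9]{16,})"
)

# Constructed repository snapshot: path -> contents. The key-like strings are made up.
SAMPLE_REPO = {
    ".env": (
        "EXCHANGE_API_KEY=aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY\n"
        "EXCHANGE_API_SECRET=Qw1Er2Ty3Ui4Op5As6Df7Gh8Jk9Lz0Xc\n"
    ),
    ".env.example": "EXCHANGE_API_KEY=your_key_here\nEXCHANGE_API_SECRET=your_secret_here\n",
    "bot.py": (
        "import os\n"
        "api_key = os.environ['EXCHANGE_API_KEY']   # fine: read at runtime\n"
        "api_secret = \"zX9yW8vU7tS6rQ5pN4mL3kJ2hG1fE0dC\"  # hard-coded: would be pushed\n"
    ),
    ".gitignore": "__pycache__/\n*.pyc\n",
}


def shannon_entropy(s):
    """Bits per character; random-looking keys score well above prose or placeholders."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, min_entropy=3.0):
    """Return (path, line_no, variable, entropy) for each credential-looking assignment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = KEY_ASSIGNMENT.search(line)
        if not m:
            continue
        entropy = shannon_entropy(m.group(2))
        if entropy >= min_entropy:
            findings.append((path, line_no, m.group(1), round(entropy, 2)))
    return findings


def missing_ignores(gitignore_text, required=(".env",)):
    """Patterns the .gitignore should contain so environment files never get committed."""
    present = {line.strip() for line in gitignore_text.splitlines()}
    return [p for p in required if p not in present]


def scan_repo(files):
    """Scan every file except .gitignore itself; returns the combined findings."""
    findings = []
    for path, text in files.items():
        if path == ".gitignore":
            continue
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print("possible exposed key:", finding)
    print("missing from .gitignore:", missing_ignores(SAMPLE_REPO[".gitignore"]))
```

On the constructed snapshot the scan flags both lines of `.env` and the hard-coded `api_secret` in `bot.py`, leaves the `os.environ` lookup and the `.env.example` placeholders alone, and reports that `.env` is not ignored. Wiring a check like this into a pre-commit hook is the practical form of the "add it to gitignore" advice: the key stays in an untracked file, and a push that would leak it fails before it reaches a public repository.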

Aaron Jones, Lead Cyber Instructor at University of Advancing Technology, says that API keys are valuable, which makes them highly sought after by cybercriminals. “API keys should NEVER be pushed to websites like GitHub or GitLab but instead should be abstracted from your application in a file that has been added to a gitignore file,” adds Jones.

“Criminals usually snag API keys the easy way, harvested in sitting duck S3 buckets, hard-coded into GitHub-posted source code, or even phishing. You’d be amazed how often this happens. API access is, by definition, a network event. Log and analyze your activity so you see the attempts early on. This is especially true with crown jewels like API keys,” says Stel Valavani, founder and CEO at onShore Security.

Our own tests conducted during this investigation have shown that on average, exchange API keys found in public repositories belong to accounts that hold about $5,000 worth of cryptocurrency, with the highest account balance reaching $154,000 – with trade rights enabled. 

The overall net worth of exchange accounts that had their API keys exposed on public code repositories was more than $1,000,000 in cryptocurrency.

(Example of publicly committed source code of a cryptocurrency trading bot, with Binance API keys visible to everyone)

Even though no exposed API keys we found during our investigation had withdrawal rights enabled, more than 90% had granted trade permissions, which would let cybercriminals easily empty out the victims’ trading accounts.

How to protect your API keys

If you’re a crypto trader, here are a few simple steps you can take to protect your API keys from being abused by ‘experienced traders’ who like to advertise their services on hacker forums:

  • Whitelist your IP address. Major cryptocurrency exchanges allow whitelisting IP addresses for API key usage. Enabling this feature will stop most criminals from trading away your balance, as long as they don’t have access to your trading bot control panel.
  • Treat your API keys as the private key of your cryptocurrency wallet. Namely, don’t store them on your hard drive and do not disclose them to anyone. If your API keys get into someone else’s hands – your money is as good as stolen.
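The two steps above translate into checks that can be run against the list of keys an exchange shows in its API management page. As an added example (not the report's own tooling), the following Python audit evaluates a constructed export of an account's API keys for withdrawal permission left enabled, trade permission without an IP whitelist, and keys older than a 90-day rotation window. The key labels, the record format, the rotation window and the whitelist address (from the RFC 5737 documentation range) are assumptions.

```python
from datetime import date

# Constructed inventory of API keys as an exchange's key-management page might list them.
SAMPLE_KEYS = [
    {"label": "grid-bot", "permissions": {"data", "trade"},
     "ip_whitelist": [], "created": date(2020, 11, 1)},
    {"label": "portfolio-tracker", "permissions": {"data"},
     "ip_whitelist": ["203.0.113.10"], "created": date(2021, 4, 20)},
    {"label": "payout-script", "permissions": {"data", "trade", "withdraw"},
     "ip_whitelist": ["203.0.113.10"], "created": date(2021, 5, 1)},
]

# Assumed audit date (the article's publication date is used here for the constructed data).
TODAY = date(2021, 5, 21)


def audit_keys(keys, today, max_age_days=90):
    """Return (label, severity, reason) for every key that fails one of the checks."""
    findings = []
    for k in keys:
        perms = k["permissions"]
        if "withdraw" in perms:
            findings.append((k["label"], "HIGH",
                             "withdrawal permission enabled; revoke unless truly required"))
        if "trade" in perms and not k["ip_whitelist"]:
            findings.append((k["label"], "HIGH",
                             "trade permission without an IP whitelist"))
        age = (today - k["created"]).days
        if age > max_age_days:
            findings.append((k["label"], "MEDIUM",
                             f"key is {age} days old; rotate (policy: {max_age_days} days)"))
    return findings


def worst_severity(findings):
    """Overall result for a dashboard or CI gate: HIGH, MEDIUM or NONE."""
    order = {"HIGH": 2, "MEDIUM": 1}
    return max((f[1] for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    results = audit_keys(SAMPLE_KEYS, TODAY)
    for label, severity, reason in results:
        print(f"[{severity}] {label}: {reason}")
    print("overall:", worst_severity(results))
```

Against the constructed inventory the audit flags `grid-bot` twice (trade rights reachable from any IP, and a key that has not been rotated in 201 days) and `payout-script` once for withdrawal rights, while the read-only, whitelisted tracker key passes. The whitelist finding is the one that directly counters the report's scenario: a stolen trade-enabled key is only usable from an address the owner controls.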

Alex Bodryk, Managing director at Cyberlands, adds that rotating your API keys and passwords each quarter will help protect against cybercriminals leveraging old data leaks to gain access to your exchange account. “Be vigilant and don’t reply to any communication from a crypto exchange. Instead, reach out to them via official channels. Install and update antivirus software from a well-known vendor. Use a password manager for protecting your secrets – and never store any API keys or passwords in clear text,” says Bodryk.

According to Troy Gill, GPEN, threat hunter, and manager of security research at Zix, due to the risky nature of enabling trades via APIs, it can be a good idea to have a dedicated personal machine that is used solely for this purpose. “Avoid connecting to any public networks, do not use that machine for browsing, email, or other web-related activities. If you suspect you may have exposed your API data, delete your key (in the exchange) immediately,” concludes Gill.


About the Author: Edvardas Mikalauskas


(SecurityAffairs – hacking, API keys)
