Cryptocrime Digest (27 July 2020)

A weekly summary of news and commentary about criminal activity related to cryptocurrencies brought to you by Merkle Science.

Merkle Science
Jul 27, 2020

Subscribe here to receive this in your inbox every Monday.

Our Top 5 Articles From the Week

U.S. says son of ex-Nissan boss Ghosn made cryptocurrency payments for escape from Japan

The son of former Nissan Motor Co chairman Carlos Ghosn made about $500,000 in cryptocurrency payments to one of the two Massachusetts men who helped him escape from Japan, U.S. prosecutors said in a court filing. The cryptocurrency, or digital currency, payments from Ghosn’s son, Anthony Ghosn, were on top of $862,500 Ghosn himself had wired to a company Peter Taylor managed in October, two months before his Dec. 29, 2019 escape, prosecutors said. (Reuters)

Twitter Hacking for Profit and the LoLs

The New York Times last week ran an interview with several young men who claimed to have had direct contact with those involved in last week’s epic hack against Twitter. These individuals said they were only customers of the person who had access to Twitter’s internal employee tools, and were not responsible for the actual intrusion or bitcoin scams that took place that day. But new information suggests that at least two of them operated a service that resold access to Twitter employees for the purposes of modifying or seizing control of prized Twitter profiles. (Krebs on Security)

Prometei botnet and its quest for Monero

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that help the botnet increase the number of systems participating in its Monero-mining pool. (Talos Intelligence)

‘Superman29’ May Do Time: California Resident Pleads Guilty to Laundering Millions Using Illegal Bitcoin ATMs

Kais Mohammad, aka “Superman29,” has agreed to plead guilty to federal charges he ran an unlicensed Bitcoin ATM network that laundered up to $25 million, including funds that originated in criminal activity. According to a recent press release by the Department of Justice, the Orange County, California, resident is pleading guilty to one count each of money laundering, operating an unlicensed money transmitting business and failure to maintain an effective anti-money laundering program. (Coin Desk)

Most ransomware attacks still come from Russia, China, and North Korea, says VMware exec

Since 2015, the number of ransomware attacks multiplied by 15 and since 2018 companies and private individuals paid $1.8 billion to attackers, according to Shlomi Aviv, the Israel country manager for Dell Technologies subsidiary VMware Inc. Aviv spoke Sunday with CTech’s Editor in Chief Elihay Vidal, as part of Calcalist’s online convention on cybersecurity. “We detect over 1 million attacks a day, most of them originating from Russia, China, and North Korea,” Aviv said. “The attackers target every sector, including health, industrial production, and financial institutions,” he said, adding that “no one is immune.” (Calcalistech)

Download

2020 SonicWall Cyber Threat Report — Mid Year Update

The SonicWall Capture Labs threat research team published the mid-year update to the 2020 SonicWall Cyber Threat Report, highlighting increases in ransomware, opportunistic use of the COVID-19 pandemic, systemic weaknesses and growing reliance on Microsoft Office files by cybercriminals. Key takeaways:

  • 20% jump in ransomware globally, 109% spike in United States
  • 24% drop in malware attacks worldwide
  • 7% of phishing attacks capitalized on COVID-19 pandemic
  • 176% increase in malicious Microsoft Office file types
  • 23% of malware attacks leveraged non-standard ports
  • 50% rise of IoT malware attacks
  • Report analyzes threat intelligence data gathered from 1.1 million sensors in over 215 countries and territories

Merkle Science News

UPDATED: Hack Track: #Twitterhack bitcoin scam

The Merkle Science team updated our analysis of the bitcoin fund flows that were collected during the Twitter hack. As of Monday, 20 July 2020, we could determine that a cluster of bitcoin addresses linked to one of the major known addresses from the scam contains 10 different addresses (including the main scam address), which means all these addresses are controlled/owned by the hacker. More than 99.99% of the funds from this cluster have been transferred to other addresses.
Based on our analysis* it seems the hackers have transferred the bitcoin to addresses associated with several exchanges including Binance, Paxful and CoinPayments. The breakdown is as follows:

  • BTC 0.0011 transferred to Binance
  • BTC 0.016 transferred to Paxful
  • BTC 0.0090 transferred to CoinPayments

The hackers have also used coin mixing services such as Wasabi Wallet and ChipMixer to obfuscate the flow of funds:

  • BTC 2.89 transferred to Wasabi Wallet
  • BTC 0.1092 transferred to ChipMixer

Upcoming Webinar: The Current State of Cryptoasset Institutionalization: Capital, Compliance and Custody

This Thursday, 30th July at 15:00 SGT, Merkle Science will be hosting a webinar panel discussion that will look at the current state of institutional grade capital, compliance and custody solutions for cryptoassets.

Panelists include:

Topics to be discussed:

  • The reality behind the headlines
  • What institutions are actually involved
  • What technology and regulatory infrastructure improvements have been made
  • What still needs to be done to facilitate further institutional adoption

Following the panel discussion there will be an opportunity for audience Q&A.

Register here!

About Merkle Science

Merkle Science provides blockchain transaction monitoring and intelligence solutions for cryptoasset service providers, financial institutions and government agencies to detect, investigate and prevent the use of cryptocurrency for money laundering, terrorist financing and other criminal activities. Merkle Science is headquartered in Singapore with offices in Bangalore, Seoul and Tokyo and backed by Digital Currency Group, Kenetic, SGInnovate and LuneX.
