The Sunday Times Sri Lanka

Bitcoins, a currency used by Cyber criminals

Bitcoin, a digital currency or a form of cryptocurrency, is an example of the disconnect between online practice and legislation. Bitcoin is unregulated and there is no national regulatory body accountable for its protection in several countries. Bitcoin is a decentralised and Peer-to-Peer (P2P) network-based virtual currency that is traded online and exchanged into US dollars or other currencies. This makes illicit money transfers and manipulation possible through the use of malware and botnets.

At a recently concluded annual European Security Conference, the head of Europol (European Police) warned against the “completely unregulated” online financial market, saying that crime involving digital currencies such as “Bitcoin” is only a taste of things to come. The unregulated nature of Bitcoins provides opportunities for criminals to transfer, launder and steal funds. Since Bitcoins do not have a centralised authority to detect suspicious activity, identify users or obtain transaction records, this is a huge problem for law enforcement. Hence, cybercriminals use electronic payment systems and digital currencies in furtherance of their criminal objectives.

Extortion group
In recent times, a group called DD4BC has been responsible for a large number of Bitcoin extortion campaigns. This group expanded its extortion and Distributed Denial of Service (DDoS) campaigns to target a wider range of business sectors globally, including financial services, media and entertainment, online gaming and retailers. This group uses emails to inform its target that a low-level DDoS attack will be launched against the victim’s website. The attacks increased from low-level to more than 20 Gbps in some cases. The group would then demand a Bitcoin ransom to protect the company from a larger DDoS attack designed to make its website inaccessible.

Their ransom demands ranged between 1 and 100 Bitcoins, depending on the perceived financial standing of the victim and their willingness to comply with the attacker’s instructions. To increase the credibility of their claim, the group often launched a small attack against the victim’s infrastructure first. Companies that pay the ransom risk being approached once again, by the group or by other attackers, for a higher amount.

Bitcoins have increasingly enabled individual criminals to become criminal entrepreneurs who operate based on a business model known as “crime-as-a-service” (CaaS). Individual criminals come together on an ad-hoc basis to boost the CaaS business model without the need for a sophisticated criminal infrastructure to receive and launder money. DDoS extortion attacks have become a well-established criminal enterprise and further benefit from the availability of DDoS-capable malware and the increasing popularity of pseudonymous payment mechanisms. These are indications that Bitcoin is establishing itself as a single common currency for cybercriminals and is increasingly adopted for other types of cybercrime as well.

Here are some criminal schemes around Bitcoins:
- Criminal-to-Criminal Payments Schemes include any transaction where one cybercriminal makes a payment to another for purchase of, or access to, a crime-related product or service. This is a common scenario within the CaaS business model of cybercrime. Further, the hidden services on the Darknet such as Agora or the now defunct Evolution used Bitcoin for payment, with the mechanisms to handle payment and escrow functions built into the market interfaces.

- Victim Payments Schemes are where a cybercrime victim is not just subject to a malicious, destructive attack but is also frequently the target of an attempt to obtain funds. Cyber-extortion is becoming increasingly common, particularly with the growing pervasiveness of ransomware and the threat of DDoS attacks. Victims have also made payments to attackers in less flagrant attacks if they were victims of fraud, either as a result of social engineering or when paying for non-existent or bogus goods or services such as fake anti-virus software.

- Money Movement and Laundering Schemes are where a cybercriminal does not transfer funds to a third party, but simply moves money from one location or payment system to another. This includes the ‘cashing out’ of compromised financial accounts and credit cards and the use of exchangers to exchange to, from or between digital and fiat currencies.

- Payment for Legitimate Services Schemes represent scenarios where a cybercriminal is required to make a payment to a legitimate, public company for such things as hosting, hardware purchase, software or travel and accommodation. In these scenarios, the cybercriminals rarely feel the need to hide their identities and use traditional financial instruments such as credit cards or transfers from bank accounts, which may be legitimate, compromised or fraudulently obtained.

Criminal conspiracy
Bitcoin has started to feature as a common payment mechanism across almost all payment scenarios, a trend which can only be expected to increase. As the Bitcoin community continues to expand and more businesses accept it as a payment method, it will become impossible to even gauge the extent of the digital money circulating in the criminal landscape.

Digital currencies are slowly gaining acceptance at a government level, with a number of countries either proposing regulation of digital currencies or already recognising them under existing legislation. It is inevitable that more countries will follow suit, although it would appear that there is currently a lack of harmonisation in approaches. Any regulation of digital currencies would only be applicable and enforceable when applied to identifiable users such as those providing exchange services. The inability to attribute transactions to end users makes it difficult to imagine how any regulation could be enforced for everyday users. The only possible solution to this mess is the regulation of digital currencies by national regulatory bodies. In the absence of any regulatory framework, freelance criminal entrepreneurs will continue unabated with their anti-national motives and activities, which are also likely to grow at an unprecedented rate over the coming years.

(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA) and a board member of the (ISC)2 Colombo Chapter. He can be emailed at sujit@layers-7.com)