By the numbers
Bitcoin remained the most-discussed crypto in the threat actor community and the most-used crypto for accepting illicit payments this year. Flashpoint analysts identified over 50,000 unique Bitcoin addresses circulating in Flashpoint collections in 2022.
Flashpoint observed 125,513 mentions of Bitcoin addresses within our collections since January 1, with 54,629 distinct addresses. These addresses have transacted on the blockchain 20,621 times during 2022.
Crypto-centered fraud: CEX and NFTs
Throughout 2022, threat actors committed fraud targeting cryptocurrency entities, investors, and users. Centralized exchanges (CEXs) and nonfungible token (NFT) markets were the primary targets of fraud schemes over the past year. CEXs are exchange platforms that allow users to buy and sell crypto and function as an intermediary service between buyers and sellers of digital currencies. Decentralized exchanges (DEXs), in contrast, do not use intermediaries to execute crypto asset exchanges, and instead facilitate trades through self-executing smart contracts.
Throughout 2022, automatic transfer system kits, fraudulent verified accounts, one-time password bypasses, and account checkers all represented major threats to CEXs. The largest threats to NFT markets were account takeover (ATO) attacks, third-party compromises, spoofed pages, and various scams. In general, the NFT fraud landscape grew dramatically from 2021 to 2022. Threat actors increasingly leveraged the emerging technology of NFTs to steal from inexperienced users unfamiliar with the platforms or general best security practices.
Flashpoint analysts have also tracked threat actors’ use of blockchain technologies to embed malicious content within different websites masquerading as legitimate entities. Threat actors accomplish this through the use of typosquatting, or the use of a malicious domain that closely resembles a legitimate domain to trick would-be users of the real domain.
Crypto exchange risks
Although crypto exchanges are prone to many of the risks associated with financial sector entities, they also face their own set of unique risks. Crypto exchanges range in nature from highly centralized CEXs, in which a company controls the private keys of users’ crypto wallets, to highly decentralized DEXs, in which users entirely control their funds and wallet keys.
In 2022, threat actors increasingly targeted DEXs and decentralized finance (DeFi) protocols. Analysts assess threat actors are likely homing in on decentralized applications because they are fully transparent and typically have less security than traditional fiat-based financial institutions. Threat actors are able to review decentralized applications’ open source algorithms to identify potential vulnerabilities, such as those present in smart contracts, multisignature wallets, and pricing oracles. Threats against CEXs have remained consistent in both type and volume since 2021 and include databases for sale, cash-out operations, crypto exchange insiders, and account bypasses.
Cryptocurrency as investment
The market value of all cryptos has decreased throughout 2022, constituting a bear market. Consequently, all crypto stakeholders, including threat actors using crypto, have been affected.
On January 1, Bitcoin was trading for $46,311. On November 30, Bitcoin was trading for $16,445—only 35 percent of its market valuation at the beginning of the year. Bitcoin, however, was not alone in its major devaluation. The total market capitalization for the top 100 digital currencies dropped 70 percent, from $2.7T in November 2021 to $830B in November 2022.
From a valuation standpoint, several major events impacted the value of crypto’s most-valuable currencies. The collapse of Terra’s native currencies UST and Luna, the completion of the Ethereum blockchain merger to a proof-of-stake consensus mechanism, and the collapse and bankruptcy of the CEX FTX all separately had large, negative impacts on the crypto market. Crypto users have colloquially referred to the downward crypto market trend as a “crypto winter” and are discussing strategies to mitigate losses during it. Analysts have tracked users mainly discussing the safest cryptos to invest in, how to manage the changing regulatory landscapes, and the best services to exchange cryptos.
Exploits affecting crypto
Crypto exchanges, platforms, protocols, and other crypto projects faced various attacks throughout 2022, resulting in losses totaling over $3B. Commonly exploited vulnerabilities affecting crypto projects include flaws in smart contracts, weaknesses in flash loan algorithms, and a lack of control over private keys to wallets.
Crypto companies are considered lucrative targets for threat actors because of their usually large holdings of crypto assets, which, if compromised, can quickly be transferred to private wallets under threat actor control. Unlike other financial transactions, crypto transactions are immutable—once they are confirmed on a blockchain, they cannot be reversed.
In addition to trying to compromise large crypto platforms, threat actors also target crypto and NFT users through stealer malware and drainer malware. These attacks are designed to target the users’ host and steal sensitive crypto information or transfer crypto assets to the attacker. Although such attacks are on a much smaller scale than platform attacks stealing hundreds of millions of dollars’ worth of assets, they can proliferate clandestinely to affect many victims and accrue funds more discreetly than large exchange attacks.
Prominent attacks on crypto entities in 2022
The following are the most prominent attacks against crypto entities in 2022 and their corresponding tactics, techniques, and procedures (TTPs):
Incident date: October 6, 2022
Exploited: Cross-chain bridge
TTPs: On October 6, attackers stole 2 million Binance Coins (~$571M at the current exchange rate). The attackers stole the Binance Coins (BNB) by exploiting a low-level proof in the cross-chain bridge between BNB Beacon Chain and the BNB Smart Chain. A cross-chain bridge is a protocol that allows cryptocurrencies to go from one blockchain to another and introduces interoperability between blockchain solutions. The proof is an authentication measure that allows the bridge to verify the integrity of the transaction the bridge will process. In this attack, the attacker exploited the proof to bypass the authentication process and fraudulently deposited 2 million BNB into their account. Binance’s CEO announced that Binance was able to freeze most of the fraudulently obtained funds. It appears at this time that approximately $100M of the funds were unrecoverable.
Type: DeFi protocol
Incident date: August 1
Exploited: Smart contracts
TTPs: Threat actors discovered that the authentication mechanism for legitimate trades on the Nomad platform was broken. Threat actors could duplicate a successful transaction on Nomad but substitute their address for the receiving address and rebroadcast the transaction to get the funds. This attack was then widely exploited by many threat actors over the course of two hours to drain Nomad’s holdings to under $1,000.
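The Nomad entry above describes the same failure mode as the bridge proof in the BNB entry: a message proof that does not bind every field it should, and that can be redeemed more than once. The constructed toy below (added here; it is not Nomad's or Binance's code, and its HMAC-based proof format and relayer key are illustrative assumptions) contrasts a verifier that checks only amount and nonce with one that binds the recipient and records redeemed nonces, so defenders can see why both properties matter.

```python
import hashlib
import hmac

# Constructed toy bridge verifier (not Nomad's code); the HMAC "proof" format
# and the relayer key are illustrative assumptions.
RELAYER_KEY = b"constructed-relayer-key"

def tag(*fields) -> str:
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(RELAYER_KEY, msg, hashlib.sha256).hexdigest()

class WeakBridge:
    """Proof covers only (amount, nonce): the recipient is unauthenticated and
    redeemed proofs are not recorded, so a copied message can be replayed."""
    def __init__(self, holdings: int):
        self.holdings = holdings

    def release(self, recipient: str, amount: int, nonce: int, proof: str) -> bool:
        if amount > self.holdings or not hmac.compare_digest(proof, tag(amount, nonce)):
            return False
        self.holdings -= amount
        return True

class HardenedBridge:
    """Proof binds the recipient, and each nonce is redeemable exactly once."""
    def __init__(self, holdings: int):
        self.holdings = holdings
        self.redeemed: set[int] = set()

    def release(self, recipient: str, amount: int, nonce: int, proof: str) -> bool:
        if (nonce in self.redeemed or amount > self.holdings
                or not hmac.compare_digest(proof, tag(recipient, amount, nonce))):
            return False
        self.redeemed.add(nonce)
        self.holdings -= amount
        return True

def replay_test(holdings: int = 1000, amount: int = 100) -> tuple[int, int]:
    """One legitimate redemption, then the observed message is resubmitted with
    only the recipient changed. Returns remaining (weak, hardened) holdings."""
    weak, hard = WeakBridge(holdings), HardenedBridge(holdings)
    weak_proof, hard_proof = tag(amount, 1), tag("alice", amount, 1)
    weak.release("alice", amount, 1, weak_proof)   # legitimate, accepted
    hard.release("alice", amount, 1, hard_proof)   # legitimate, accepted
    for _ in range(holdings // amount):            # copied message, new recipient
        weak.release("mallory", amount, 1, weak_proof)  # accepted until drained
        hard.release("mallory", amount, 1, hard_proof)  # rejected every time
    return weak.holdings, hard.holdings
```

With the defaults, the weak verifier ends at zero holdings while the hardened one keeps the 900 it should, which is the audit question to ask of any bridge: does the proof cover the recipient, and is it single-use?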
Type: DeFi protocol
Incident date: June 23
Exploited: Multisignature wallet private keys
TTPs: Horizon Bridge has a crypto transaction validator architecture that requires two of four validator nodes to approve a transaction. Validator nodes are a critical component in how a blockchain’s consensus mechanism works. In the attack on Horizon Bridge, two of the four private keys were compromised by attackers, which allowed them to approve transactions sending them the equivalent of $100M in cryptocurrencies. It is unknown exactly how the hackers were able to acquire the private keys from two of the multisignature wallet addresses. Social engineering of Harmony One employees is most likely how the threat actors gained access. Analysts note that this is a known tactic of the North Korea-sponsored Lazarus Group. In addition, the transaction timing and the amount of funds laundered into a mixing service were consistent with those in the March 2022 hack affecting the Ronin Bridge, which indicates that not only are the actors likely the same but they are also likely using the same programs to automate the laundering process.
Type: Stablecoin protocol
Incident date: April 17
Exploited: Protocol governance mechanism
TTPs: Beanstalk, a stablecoin…