In a three-week-old report authored by threat-intelligence firm Intel471’s chief cybercrime reporter Greg Otto, the author revealed that Russian cybercrime forums are crowdsourcing new crypto attack vectors in the same way that security conferences create programming for their speaker panels: requesting white-paper submissions that document new exploits.
In an announcement made “on one of the top Russian-language cybercrime forums” on April 20, wrote Otto, “the forum’s administrator called for papers that covered unorthodox ways to steal private keys and wallets, unusual cryptocurrency mining software, smart contracts, non-fungible tokens (NFTs) and more.”
“Submissions were accepted over 30 days, with the administrator saying $100,000 in prizes would be awarded to winners. Shortly thereafter, a reputable forum member added $15,000 to the prize pool.”
While Otto’s report was covered by several cyber-focused outlets, this critical threat-intel find predictably escaped the attention of crypto-media news organizations, some of which claim to be the authoritative source of information for traders and institutional investors, and charge them bloated subscription fees for it.
Shadow Banker would have written something on it way earlier too, but they were too busy vacationing in Miami and politicking with diamond-ringed cartel lawyers, in the hope of scoring an exclusive interview with one of their most notorious clients, a logistics pioneer who revolutionized the Latin American drug trade.
Regardless, the contest reported by Otto is significant because it highlights the fast-growing singularity between cyber and financial-crime risks, succinctly articulated years ago at a money-laundering conference in Hollywood, Florida by former Internal Revenue Service Criminal Investigations Chief Richard Weber, as “cyber-enabled financial crime.”
That is to say, crypto anti-money-laundering (AML) compliance has inherently become an intertwined cybersecurity systems resilience proposition from endpoints to the cloud and every application programming interface (API) in between.
This paradigm shift also flies in the face of what a leading crypto-compliance executive said last December, following the SolarWinds hack, when Shadow Banker pitched them on pursuing cybersecurity partnerships and authoring thought leadership in anticipation of the inevitable and easy-to-see evolution of the crypto-AML industry.
“Cybersecurity isn’t really our focus,” said the executive. The next month Chainalysis announced a partnership with Flashpoint, Intel471’s top competitor, that would eventually yield a report on Russian dark-net market (DNM) Hydra, which is neither as cool nor as insightful as the thing Shadow Banker wrote about it earlier this year.
Crypto API Risks
Anywho, the most critical decentralized-ecosystem threat highlighted in Otto’s report was one cybercrime contest submission focused on “manipulating APIs from popular cryptocurrency-related services or decentralized-file technology in order to obtain private keys to cryptocurrency wallets.”
Intel471’s report aligns with broader, longstanding industry concerns over API security in general, concerns that the recent SolarWinds and Microsoft Exchange hacks similarly illuminated. In fact, as far back as 2017, market research firm Gartner predicted that APIs would become the most frequent attack vector for enterprise data breaches.
In crypto, APIs present significant attack vectors because institutional traders and decentralized finance (DeFi) ecosystems rely on myriad integrated data feeds and exchange interfaces to exploit arbitrage opportunities and place wagers via high-frequency algorithmic trading bots.
Therefore, the notion that threat actors could exploit API weaknesses or, even worse, introduce a malicious API into crypto ecosystems constitutes a systemically significant supply-chain cyber threat to financial integrity in decentralized markets.
Highlighting crypto-specific API risks, Cyber News researchers published a report last month that said cybercriminals have been exploiting API keys to “steal millions” worth of virtual currency on “all major cryptocurrency exchanges.”
“While conducting threat intelligence operations,” said the report, Cyber News “researchers found that in recent weeks, the number of trade offers for stolen cryptocurrency exchange API keys appeared to be steadily increasing across hacker forums.”
Specifically, cybercriminals have been targeting vulnerabilities in third-party programs that let traders access their personal accounts on cryptocurrency exchanges “via API keys that allow these programs to perform actions on their behalf, including opening and executing automatic trade orders without logging into the exchange.”
Threat actors are targeting three API permissions in particular, according to Cyber News: data permissions, which let a program read users’ exchange account data such as open orders and balances; trade permissions, which allow it to execute trades; and withdrawal permissions, which let it transfer exchange account funds to another wallet address.
“Even worse,” found Cyber News, “criminals can easily circumvent ‘trade-only’ settings on the API keys and steal money from traders’ accounts even without obtaining their account credentials or withdrawal rights.”
While most cryptocurrency exchanges disable withdrawal permissions by default, Cyber News found that “most of the ads posted on cybercriminal forums claim that their owners were able to withdraw up to 80% of their victims’ cryptocurrency balance, which they would then split with the owner of the stolen API keys.”
The thing is, once the API keys are compromised, threat actors don’t even need to withdraw crypto directly, Cyber News noted. Instead, cybercriminals “can simply trade away their balances via outrageously unprofitable trades against bots set up by the criminals themselves.”
Two Common Crypto-API Attack Vectors
The two most common crypto-API attack vectors uncovered by Cyber News researchers were sell-wall buyouts and price boosting. Sell walls are a common market manipulation technique where massive sell orders are spoofed by deceptive traders to lower asset prices, so they can purchase larger blocks of a security or commodity at steeply discounted rates.
Often, these large orders will only appear for minutes or seconds – just enough time to create lucrative price discrepancies – before vanishing from trade queues. In crypto, Cyber News researchers found that threat actors launch sell-wall attacks, but with a unique “twist.”
“In this case, the ‘sell walls’ are created by threat actors using compromised trader accounts, set up using their stolen API keys,” wrote Cyber News. “In order to generate a price movement, criminals set up their trading bots to open many small sell orders below market value – or a single massive sell order if the victim’s account balance is big enough – while at the same time, the same bot opens automatic buy orders for the coins that the victim is forced to ‘sell’.”
The second attack vector identified by Cyber News researchers is price boosting, where threat actors purchase cheap and thinly traded crypto-assets to briefly pump their price, before selling them back to buyers at artificially inflated rates.
According to the report, threat actors initiate this exploit by depositing a cheap and thinly traded virtual currency “within their own middleman account.” Using hijacked API credentials, hackers then use 80 percent of victim funds to execute a large buy order, instantly pumping up the price of the asset. As the shitcoin’s price increases, hackers then liquidate their middleman account with market-manipulated alpha.
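Both patterns described above leave the same footprint on the exchange side: a trade-only API key placing orders that give value away against the reference price, either one huge adverse order or a burst of small ones. The following is an added illustration of how an exchange risk engine might flag such keys; it is not code from Cyber News or any exchange, and the order format, thresholds and sample orders are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Order:
    key_id: str   # which API key placed the order (assumed field name)
    side: str     # "buy" or "sell"
    price: float  # limit price
    qty: float
    ts: int       # unix seconds


def adverse_deviation(order, reference):
    """Fraction of value given away relative to the reference price.
    Selling below reference or buying above it is adverse; otherwise 0."""
    if order.side == "sell":
        return max(0.0, (reference - order.price) / reference)
    return max(0.0, (order.price - reference) / reference)


def flag_hijacked_keys(orders, reference, max_dev=0.05, window=60, burst=5):
    """Return {key_id: sorted reasons}. Two heuristics:
    1. any single order more than max_dev adverse to the reference price
    2. at least `burst` adverse sell orders from one key within `window` seconds"""
    reasons = defaultdict(set)
    by_key = defaultdict(list)
    for o in orders:
        by_key[o.key_id].append(o)
    for key, key_orders in by_key.items():
        adverse_sells = []  # timestamps of recent below-reference sells
        for o in sorted(key_orders, key=lambda x: x.ts):
            dev = adverse_deviation(o, reference)
            if dev > max_dev:
                reasons[key].add("large-adverse-order")
            if o.side == "sell" and dev > 0:
                adverse_sells.append(o.ts)
                while o.ts - adverse_sells[0] > window:
                    adverse_sells.pop(0)
                if len(adverse_sells) >= burst:
                    reasons[key].add("sell-wall-burst")
    return {k: sorted(v) for k, v in reasons.items()}


# Constructed sample, reference price 100: "victim-key" fires six small sells
# at 96 within 30 s (sell-wall pattern), "dump-key" places one sell at 90,
# "honest-key" trades near the market.
SAMPLE_ORDERS = [Order("victim-key", "sell", 96.0, 0.1, 1000 + i * 5) for i in range(6)] + [
    Order("dump-key", "sell", 90.0, 5.0, 1000),
    Order("honest-key", "sell", 99.9, 1.0, 1000),
    Order("honest-key", "buy", 100.2, 1.0, 1010),
]


def sample_result():
    return flag_hijacked_keys(SAMPLE_ORDERS, reference=100.0)
```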
How to PWN API Keys
Remarkably, jacking people’s API keys doesn’t require hackers to have previously infected victim devices with malware or spyware. Instead, this exploit is entirely executable by mining open-source intelligence (OSINT) on public code repositories like GitHub.
All threat actors have to do is scan “publicly accessible web application environment files and public code repositories for leaked private keys,” according to Cyber News. The report found that most “web applications use environment (ENV) files to store framework settings that are essential for an application to work and may in certain cases include API keys.”
“In most cases, these files are stored under lock and key. However, sometimes they are left unprotected,” which means that anyone can access their contents and extract any useful information found therein.
Open-code repositories like GitHub are also “goldmines” for cybercriminal OSINT looting, according to Cyber News, “with some storing hundreds of thousands of leaked credentials, files, and – you guessed it – API keys.” Cybercriminals typically grab these credentials via unsecured Amazon Web Services S3 buckets, the public cloud object-storage resource native to AWS.
Amidst reports that crypto AML compliance firms like Austin, TX-based BlockTrace are launching API-based products to improve blockchain data coverage, and that the U.S. government is developing a Blockchain Vendor Specifications Document that includes prescribed API standards and requirements, it is not immediately clear whether these vulnerabilities are being addressed.
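The leak path described above (exchange API keys sitting in a committed ENV file) is cheap to catch before the push. Below is an added pre-commit style check, written for this post rather than taken from Cyber News or any project, that inspects the files about to be committed for .env-style files carrying real-looking API key or secret values; the variable names and sample file contents are constructed assumptions.

```python
import re
from fnmatch import fnmatch

# Assumed naming convention: any variable containing API_KEY, API_SECRET or SECRET_KEY.
SECRET_LINE = re.compile(
    r"^(?:export\s+)?([A-Z0-9_]*(?:API[_-]?KEY|API[_-]?SECRET|SECRET[_-]?KEY)[A-Z0-9_]*)\s*=\s*(.+)$"
)
PLACEHOLDERS = {"", "changeme", "xxx", "<redacted>", "your-key-here"}


def is_env_file(path):
    name = path.rsplit("/", 1)[-1]
    return name == ".env" or name.startswith(".env.")


def find_leaked_secrets(tracked_files, gitignore_patterns):
    """tracked_files: {path: text} of files that would be committed.
    Returns (path, variable) pairs for .env-style files that are not
    gitignored and hold a non-placeholder API key/secret value."""
    findings = []
    for path, text in tracked_files.items():
        if not is_env_file(path):
            continue
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch(name, p) or fnmatch(path, p) for p in gitignore_patterns):
            continue  # ignored by git, so it never reaches the public repo
        for line in text.splitlines():
            m = SECRET_LINE.match(line.strip())
            if not m:
                continue
            value = m.group(2).strip().strip("\"'")
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue  # template or variable reference, not a real secret
            findings.append((path, m.group(1)))
    return findings


# Constructed sample tree: a real .env, a template, and code that reads the env.
SAMPLE_FILES = {
    ".env": "EXCHANGE_API_KEY=constructed-key-123\nEXCHANGE_API_SECRET=constructed-secret-456\nDEBUG=true\n",
    ".env.example": "EXCHANGE_API_KEY=changeme\nEXCHANGE_API_SECRET=\n",
    "bot/config.py": "API_KEY = os.environ['EXCHANGE_API_KEY']\n",
}


def sample_findings(gitignore_patterns=()):
    return find_leaked_secrets(SAMPLE_FILES, list(gitignore_patterns))
```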
Causing Grief to the Bleeding Eyes
Cybercriminals “will also soon target NFTs,” reported Otto – and as they should. These rotting, back-alley dumpster assets are no different than the second coming of ICO shitcoins, as evidenced by all of the PR hucksters and scam artists and celebrities encircling them like desert vultures swooping down on days-old highway roadkill.
When you consider that back in March, rapper, raconteur, and Pet Sematary-reminiscent culinaire Azealia Banks’s abomination of a sex tape was being resold on the secondary NFT market for $260 million – more than half of the latest auction price for the legendary “Salvator Mundi” painting allegedly painted by Leonardo da Vinci – that pretty much tells you everything you need to know about this derelict asset class, which has distorted value systems even more than the Federal Reserve.
On the bright side, another intriguing forum-contest exploit identified by Otto was a submission that “detailed how to create a phishing website that allowed criminals to harvest keys to cryptocurrency wallets and their seed phrases (a list of words which store all the information needed to recover lost cryptocurrency).”
Obviously, the upshot from this report is that crypto exchanges and software operators need to monitor the cybercriminal underground to get the drop on hacker counter-intelligence. This approach can help crypto enterprises protect their platforms and users from unsafe API integrations, not to mention increasing regulatory risks surrounding these specific exploits.
To the last point, recall that back in 2019 the Federal Trade Commission fined Facebook $5 billion over the Cambridge Analytica API scrape that allegedly swung the 2016 election in former President Donald Trump’s favor.
The Facebook fine is $3 billion more than what the Department of Justice fined multinational bank HSBC for laundering industrial sums of Sinaloa Cartel and Al-Qaeda cash back in 2012, which pretty much tells you everything you need to know about this country’s national security priorities.
But, on the topic of cybercriminal underground monitoring, Shadow Banker spoke with the founder of the most-hyped decentralized exchange (DEX) on the English-speaking dark web, where users celebrate this DEX’s non-existent Know-Your-Customer processes.
Back in the Mana convention center in Miami’s hipster Wynwood district, the founder clarified that they weren’t even technically a DEX. “We don’t have any servers. It’s just a piece of software,” they said.
If true, this distinction would present a challenge for regulatory enforcement, because even music-file-sharing service Napster, a pioneer in peer-to-peer data exchange, connected users to a “central server,” which helped provide a legal basis for civil litigation. That lawsuit, initiated by rock group Metallica, eventually led to a landmark federal injunction, where a judge in San Francisco shut down the website in 2006.
But when asked if they were concerned about being targeted by U.S. law enforcement in the same way the Justice Department went after Russian crypto-laundromat BTC-e and one of its operators, Alexander Vinnik, some years ago, they replied: “We’re bitcoiners. Why would we care about laws?”