Widespread implementation of decentralized finance (DeFi) systems since 2020 has created new fertile ground for a variety of threat actors to shift the development of cyberattack tactics, techniques, and procedures (TTPs). The number of threat actors participating in DeFi activity has grown substantially over the past two years. Current threat actor activity is incentivized by a broad attack surface represented through high volumes of users and systems, and high potential profits represented through the variety of cryptocurrency offerings. Types of threat actors range from advanced persistent threat (APT) groups and small loosely organized groups of cybercriminals to individual threat actors of varying skills.
EclecticIQ Analysts Expect the Number of Threat Actors Attacking Defi Systems Will increase Significantly Through at Least The Next Two Years Despite Any Dips in Cryptocurrency Value
Attack volume carried out by individual attackers is expected to grow at the greatest rate overall, while attacks from APTs will retain the greatest impact. Ransomware attack rates will continue upward due to the malware’s ease of use combined with increased anonymity afforded by some cryptocurrencies. The rate of that growth will parallel increases or decreases in both DeFi adoption and value; value increases will incentivize higher attack volume rates and value decreases will incentivize lower attack volume rates. The risks and impacts of future cyberattacks on cryptocurrency systems will be greatly shaped by the types of threat actors currently establishing new TTPs for cyberattacks and malicious activity. This paper examines threat intelligence regarding the most prominent types of threat actors establishing cyberattacks and activities related to DeFi.
Individual Threat Actors
Individual Threat Actors Produce the Highest Number of Attacks But Are Easiest to Defend Against Because They Engage in Low Skill TTPs Easily Mitigated with Security Products
Individual threat actors are most likely to participate in opportunistic cyberattacks against other individuals that produce marginal profits. Their attacks are usually low-skill and low-resource, such as using social engineering (phishing) for fraudulent redirects to malicious websites. Cyberattacks by individuals that yield cryptocurrency are easiest to disrupt because their attack infrastructure is very simple (1, 2). It is easy to detect and block things like malicious cryptocurrency apps or crypto-phishing websites.
Money Laundering and Fraud Are Rising at The Greatest Rates in Attacks by Individual Threat Actors
Cyberattacks targeting DeFi systems carried out by individuals include simple fraud, cryptojacking , hacking for profit, money laundering, or user-to-user cryptocurrency stealing malware like malicious dApps. Of these, money laundering and fraud are rising at the greatest rates. One report estimated that 2021 experienced a 30% increase in fraudulent cryptocurrency transactions compared to the prior year. Cryptojacking - stealing computer resources to participate in cryptocurrency networks - is decreasing at the greatest rate after greatly increasing in both 2020 and 2021 when it hit record highs (3, 4, 5).
Open Source Reporting Indicates Lone Wolf Threat Actors Are Far Less Likely Than Groups to Execute Large-Scale Attacks
Of the top 15 highest profiting cyberattacks targeting DeFi, the August 2021 Poly Network hack is the only cyberattack attributed to a lone wolf threat actor (6). The Poly Network attacker demonstrated sophisticated reverse engineering skills. In general, organized groups of individuals pose greater risk than lone actors because the group will benefit from the expertise brought by all group members.
Cybercriminal and non-Cyber Criminal Groups
Cybercriminal Groups Making Use of Cryptocurrency Are the Most Difficult to Disrupt Because They Form Complex and Obscure Networks to Enable Malicious Activity
The risk of cyberattack and theft from threat actor groups is much higher than from individuals because groups have additional resources which enable more sophisticated cyberattacks. In addition to targeting individuals, groups also have the capabilities to target larger DeFi organizations. Cybercriminal groups coordinate loosely through public and private channels. Group organization is evident on hacking forums and from analysis of the more complex TTPs used in their kill-chains. Further analysis of the complex TTPs present in major DeFi cyberattacks can be found in our other related DeFi article (6). Cybercriminal groups operate larger cryptocurrency-based fraud rings and more complex laundering schemes that are designed to hide large volumes of maliciously gained assets (7). Increasingly, these fraud rings are leveraging legitimate DeFi services to launder illicitly gained funds and shifting away from riskier backchannels such as black-market peer-to-peer money mules. Through their intermediary fraud activities, these groups help enable malicious activities of other individuals and groups who cooperate in networks directly or via related services that facilitate malicious cyberactivity.
Non-cybercriminal Groups Are Very Likely to Increase Use of Cryptocurrency Resources to Avoid Detection
There is currently no evidence indicating cryptocurrency comprises the majority of funds raised for any threat actor group, however, groups designated as terrorists and extremists are beginning to use cryptocurrency to provide increased resource support. United States (US) government crackdown on traditional finance operations that supported terrorist groups (8) likely prompted terrorist groups to begin increasing their reliance on cryptocurrency because of the enhanced privacy and personal control that decentralized finance systems can offer. In 2019, terror groups based in the Middle East were reported fundraising small amounts (less than $1000) with cryptocurrencies (9). In 2020 the US government seized millions of dollars worth of crypto assets from three terrorist fundraising organizations in a move representing the largest terrorism-related cryptocurrency seizure to date (10). Various social media platforms are used by these groups to advertise and broadcast fundraising efforts.
Fringe Groups Use Cryptocurrency to Fundraise
Groups in the United States were reported switching to cryptocurrency-based funding when centralized major payment providers began shunning extremist groups prior to the January 6th, 2021 riot at the US Capitol building (11). Chainalysis reported that between January 2017 and April 2021 twelve “far-right” entities accumulated a total of 213 Bitcoin worth millions of dollars (12). The ease of funding with cryptocurrency is spreading further because more and more people are becoming familiar with how to use cryptocurrency and there remains less oversight of DeFi than of fiat currencies (13). Additional entities outside the US, identified as politically extreme-leaning, use cryptocurrency-based fundraising to continue spreading and challenging mainstream ideologies (14, 15).
Increased Transaction Visibility on The Blockchain Will be Most Effective Mitigating Risk of Misuse from Cybercriminal Groups
The effectiveness of large cybercriminal organizations operating partly through blockchains is aided by their ability to create large obscure networks of wallets with which to disguise activities. Tools to identify suspicious transaction patterns or networks of wallet activity will help drive fraud and fringe groups out of legitimate services that are easier to use and towards backchannels that impose additional operational security costs
Advanced Persistent Threats
Advanced Persistent Threat (APT) Groups Launch the Highest-Impact Cyberattacks Aimed at Extracting Assets from Defi Systems
APTs deploy the most advanced kill chains seen to date against DeFi exchanges to penetrate and dwell deep inside DeFi network s. Attribution is not widely shared publicly, but based on open-source reporting, some evidence of APT activity presented in a UN report accuses the government of North Korea of sponsoring major DeFi attacks against Kukoin and Ronin Bridge, and using profits to finance weapons programs (14, 15).
Open-source reporting implicates APT Lazarus (assessed to be based in North Korea) is the most active APT in the cryptocurrency space (14, 15, 16, 17). The government of North Korea is also alleged to have sponsored the AppleJeus malware family, which is tailored to steal end-user wallet keys using sophisticated TTPs (16).
EclecticIQ analysts agree with the North Korea attribution, but evaluate it is very likely that many cryptocurrency thefts are unreported and hence the volume of reporting potentially misrepresents Lazarus versus other APT operations. It is very likely APT attacks have already proliferated to other states outside of North Korea.
A Focus Building and Maintaining Highly Decentralized and Transparent Infrastructure Running on Blockchains Will Best Mitigate Risk to Defi Systems and End-Users from APT Attacks
APTs are proven to be successful with attacks that leverage centralized systems implemented within DeFi, such as in the case of the attack against Ronin Bridge. Ronin Bridge used fewer than ten validator nodes that were monitored centrally and whose operation was not fully transparent to users. It is possible that a more open validator node design may have allowed users to spot the APT’s attempts to target and compromise the nodes sooner through community monitoring. In the case of Kucoin, an APT compromised a poorly configured hot wallet that contained a special key - an example of centralized design - allowing the APT access to many tokens to steal.
Ransomware Threat Actor Syndicates Are the Most Well Established in Cryptocurrency and Represent the Smallest Threat
Ransomware remains a significant threat to users and organizations outside of cryptocurrency, but their malicious activity does not target DeFi systems in ways that affect blockchains or many cryptocurrency users. These threat actors leverage specialized malware to steal data, which is exchanged for a cryptocurrency ransom payment. Ninety-eight percent of ransoms paid in ransomware attacks are paid in Bitcoin, with Monero being a distant second (18, 19).
The US Financial Crimes Enforcement Unit (FINCEN) reported a total of 5.2 billion dollars in cryptocurrency was paid in ransoms by US businesses in the first half of 2021 (20). An estimated 15.8 trillion dollars in cryptocurrency was paid out in ransom transactions over the entire 2021 calendar year (20). Despite these huge figures, the US ransom payment figure represents just 0.015 % of all cryptocurrency exchanged that year. EclecticIQ analysts evaluate there is no consensus regarding the correlation between cryptocurrency value and the use of cryptocurrency as payment in ransomware attacks. Data indicate ransomware attack rates reached an inflection point after the Wannacry attack received global attention at the same time as the rising Bitcoin value (21). Ransomware attack volume began to increase at greater rates after the Wannacry campaign.
Ransomware syndicate operations are increasingly complex and engage the other three threat actor-types discussed above in different ways.
- Individual threat actors participate in launching the actual ransomware executable on a victim network. Individuals can provide compromised accounts or other network access that is sold to ransomware groups for easier access with which to launch their malware. This incentivizes further individuals into cybercrime.
- The developers and administrators of a particular ransomware family form the syndicate’s foundation. Groups of ransomware developers work together to maintain ransomware repositories for syndication to others. They may also manage ransom negotiations. This incentivizes further group operation through cooperation.
- APTs are known to have links with ransomware groups, passing profits or data stolen in the attack to state-affiliated organizations (24). Increased resources provided by some APT-State relationships help further support and grow new APT operations.
One or all of these threat actor types combine to form robust ransomware syndicates (ransomware family), creating value from data and transferring it into cryptocurrency, but not affecting DeFi systems or cryptocurrency prices in the way that APT attacks do, stealing hundreds of millions of dollars, for example. Tools designed to track and trace cryptocurrency transactions from ransoms could have the biggest impact on syndicate operations.
EclecticIQ Analysts Expect Future Attack Activity Over the Next Three Years Will Follow Closely to The TTPs Established Now by Each Threat Actor Type
Individual attackers play the greatest role in driving up attack volume for quick personal gain, but better-organized groups will develop more sophisticated TTPs with greater impact on DeFi systems and users of those systems. Both groups will help increase cryptocurrency fraud and laundering. APTs represent the pinnacle of sophistication and impact due to the skill, resources, and state connections they retain. Ransomware syndicates, while related to each of the other groups, deserve special discussion. They leverage TTPs for actions on objectives without directly impacting cryptocurrency, unlike the other groups. Ransomware will remain impactful despite any cryptocurrency changes.
All groups outlined here are having ranging impacts on the cryptocurrency landscape that are still currently playing out in many ways. EclecticIQ analysts expect threat actor TTPs will continue closely tracking the patterns described here for at least the next three years. Analysis of intelligence surrounding malicious activity relating to cryptocurrency to date helps users and administrators of cryptocurrency dial into specific attacks by threat actor type, so they can be better prepared and informed for the cyberattacks taking advantage of the next decentralized finance surge.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at firstname.lastname@example.org or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.