With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cybersecurity world is, how will this rapid decline of cryptocurrency valuations change the cybercrime economy?
Throughout the most recent crypto boom, and even before then, cybercriminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it’s a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it’s provided a ton of anonymous cover for money laundering on the back end of a range of cybercriminal enterprises.
Even so, according to cybersecurity experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury’s still out on long-term impacts.
Shifting Crypto Trends & Tactics in 2022
Regardless of crypto values, cybercriminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetize their attacks, says Helen Short, cyber-threat intelligence analyst for Accenture, who points, as an example, to some ransomware groups taking advantage of yield farming within decentralized finance (DeFi).
“The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid,” she explains. “The advantage for ransomware groups is that the ‘interest’ will be legitimate proceeds, so there will be no need to launder or hide it.”
Her analysis has shown that threat actors are increasingly turning toward ‘stablecoins,’ which are usually tied to fiat currencies or gold to stem their volatility. She says that in many ways, the downturn in crypto values has increased the risk appetite of cybercriminals and is spurring them into more investment fraud and cryptocurrency scams.
“Threat actors are also playing on people’s desperation to recoup their losses,” she says.
While some consumers who have lost their wallet value may be desperate, others have simply lost their interest and aren’t watching their accounts as closely, which is driving another trend, says Brittany Allen, trust and safety architect and fraud researcher at Sift.
“Plummeting crypto prices have led to consumers paying less attention to their crypto wallets than they were early this year and in 2021, and fraudsters noticed,” Allen says. “This has led to a 79% rise in crypto account takeover attacks.”
By way of example, she explains that her team discovered a new type of crypto cash-out scam this year on Telegram and Dark Web forums, where account takeover fraudsters teamed up to target the crypto market during the crash.
“In this scheme, cybercriminals use stolen wallets, bank accounts, or crypto exchange accounts to move or launder illicitly obtained funds. Fraudster A will advertise their access to stolen funds on Telegram, then find another fraudster who specializes in crypto account takeover and KYC (know your customer identity verification) bypass methods,” she says. “Once Fraudster B offers access to stolen wallets or crypto exchanges, Fraudster A sends the stolen funds to Fraudster B’s accounts, where they funnel the money out and split the profits. Each party takes a risk trusting the other, but if successful, they stand to make tens of thousands of dollars each.”
This is in line with another shift in cybercriminal tactics in 2022 that Short says she’s witnessed. It’s not necessarily a response to cryptocurrency devaluation, but it is a business model shift to maximize revenue.
“We’re seeing threat actors partnering together to facilitate an attack, rather than paying each other for their specialist services. This reduces the overall cost of the attack as the agreement is a set cut of the proceeds,” she says.
Ransomware Is Here to Stay
One point that cybersecurity pundits are almost unanimous on is that even with a ton of cryptocurrency volatility, ransomware isn’t going anywhere. There was a slight downturn in ransomware activity in 2022, but according to Aamil Karimi, threat intelligence analyst at Optiv, that’s more attributable to other variables like the war in Ukraine.
A significant regrouping of ransomware cartels was more likely than anything else to have caused the decline in activity, and he says cryptocurrency will still be a favored extortion demand for a long time.
“It’s likely cryptocurrency will still be the payment of choice demanded in extortionary incidents. As of right now, it’s the safest medium for cybercriminals to conduct transactions,” Karimi says. “I don’t estimate any slowdown in cybercriminal or extortionary activity.”
Bob Rudis, vice president of data science for GreyNoise Intelligence, agrees. There are simply too many soft ransomware targets ripe for attack for criminals to ignore, Rudis says. And it’s not as if they lose any money with lower values of the currency since they are the ones setting the ransom, and they’re likely going to convert it into tangible funds before further volatility impacts the total.
“Attackers care not if they receive one or a hundred units of a given cryptocurrency when asking for, say, $100,000 USD,” Rudis says. “They have the means, markets, and processes to convert any ill-gotten crypto gains into something more tangible, and will likely always be one step ahead of law enforcement and market regulators.”
In spite of headline stories about authorities using crypto mechanisms to hurt adversaries financially, Rudis says there are “still real law enforcement hurdles to curb that flow,” which is why he believes cryptocurrency will still be heavily used for cybercriminal money laundering for some time to come.
Not everyone sees it the same way, though. Short of Accenture points out that law enforcement this year has increasingly taken a real bite out of the crooks’ bottom line through claw-back transactions, seizures, and more.
“Law enforcement took aggressive measures in 2022, including fund seizures, sanctions, and high-profile arrests,” she says. “It is becoming harder to launder and cash out illicit funds, resulting in the trend of threat actors exchanging ‘dirty cash’ for other services as they cannot get the illicit funds out.”
Ryan Kovar, distinguished strategist and leader of Splunk’s SURGe research team, also points out that perhaps the cybercrime impact of the crypto crash of 2022 will have less to do with a potential future divestment of cryptocurrency in cybercriminal enterprises than it will with changes in the crypto market’s perceived anonymity.
“Ransomware gangs are going to move away from cryptocurrency not because of financial instability, though that’s a factor, but more due to the traceability,” Kovar says. “Ultimately, crypto is not really anonymous.”
He adds, “If you’re a criminal who lives in a country that supports, sponsors, or doesn’t care about cybercrime, then you’re probably not getting prosecuted easily unless you really tick people off.”
Evolution to Expect in 2023
Experts also believe that increased law enforcement friction will likely influence an evolution in cybercriminal operations around other types of attacks beyond ransomware, especially proven ones that already don’t depend on cryptocurrency, like business email compromise (BEC).
“The FBI’s annual IC3 report shows business email compromise (BEC) to be top of the list when it comes to attackers banking fiat coin. Advanced technology that mimics writing, speech, and even live video of humans is now almost trivial to use and will evolve rapidly in quality,” GreyNoise’s Rudis says. “Ransomware groups are, first and foremost, businesses, and it would seem logical to assume they’d apply their technical skills to conduct more advanced BEC schemes as well.”
In the meantime, attackers will also be likely to keep advancing technology to stay a step ahead of the authorities with regard to traceability and laundering.
“Attackers will become more sophisticated, breaking the sequence of blockchain transactions to try and obfuscate their illicit funds,” Short says. “We will likely see a professionalization in cryptocurrency mixers, such as Tornado Cash, with threat actors offering fast and high-value ‘cash out as-a-service’ offerings.”
She believes that in 2023, this could drive up the value of personally identifiable information (PII), as it will further push the demand for account takeovers to create mule accounts for cashing out on the back end of various scams.
“It is likely that cybercriminals will continue to convert to stable assets to secure value,” she says, “and we will see an increase in threat actors using more privacy-focused cryptocurrencies that are harder for law enforcement to trace.”