Cryptocurrency fraud, social media hacking, malware, and AI

Social media hacking, crypto drainers and malicious use of generative AIs are enabling criminals to commit more sophisticated cryptocurrency frauds

2024 has started with turbulence; if not, just tell that to Bitcoin, the world’s leading cryptocurrency. On January 9, in just 15 minutes, the price of the famous cryptocurrency skyrocketed to $48,000 before finally falling to $45,000. Why? Malicious actors hacked into the X account of the US Securities and Exchange Commission (SEC) and posted a message attributed to its chairman, Gary Gensler, announcing that the SEC approved a Bitcoin spot exchange-traded fund. Gensler himself was forced to use his account to deny news long awaited by the global financial sector.

Just two days later, the regulatory body announced, this time for real, that it was giving the green light to the launch of Bitcoin-linked exchange-traded funds. This means facilitating investment in Bitcoin, without the need to acquire the cryptocurrency, as is the case with gold or oil. Interestingly, unlike what happened with the false announcement, the crypto’s price was hardly affected and remained stable at around $46,000.

This is not the first time a message from a hacked account has altered the market. In 2013, a tweet posted from the Associated Press news agency account reported two explosions at the White House that had injured the country’s president. Immediately, panic set in on Wall Street, and its share price suddenly plummeted.

1. SIM Swapping: How the SEC’s account was hacked

On Monday, January 22, almost two weeks after hacking the Wall Street regulator’s account, the SEC made public that the attack was orchestrated using a technique well-known to banks: SIM swapping.

This fraudulent technique has an effortless operation:

• The criminal impersonates the identity of a telephone operator’s customer in an attempt to obtain a duplicate SIM card, claiming that the current SIM card has been lost or damaged.
• The request is made through a phone call that does not arouse the suspicions of the professional who handles it because the malicious actor had previously collected his victim’s personal information that could be requested during the call: phone number, full name, identification document…
• Once the SIM card is obtained, SMS messages can be received on any phone. This is important because these messages are an authentication factor in accessing multiple applications, including social networks such as X or banking applications.

So, once the malicious actors duplicated the SIM of the phone number associated with the financial regulator’s X account, they could access it by requesting a password reset.

The SEC account hacking operation was made even easier because, since June 2023, the regulator had requested X to turn off multifactor authentication.

If this security measure had been enabled and, in addition, the use of an authentication app had been set as the second factor to validate access, the malicious actors could not have hacked the account and posted a fake message about the approval of the Bitcoin ETF.

2. Altering the markets to fish in troubled waters

Why is the hacking of the SEC account so important? This incident is evidence of a dangerous trend that has been consolidating in recent months: the hacking of official accounts of institutions and companies to deceive thousands of people. For what purpose? To commit cryptocurrency fraud or, as in the case of hacking the SEC profile, to spread fake news, manipulate market developments and profit from it by selling cryptos at artificially constructed high points.

Since rumors began to spread in October that the SEC would authorize the Bitcoin spot exchange-traded fund, its value has multiplied. One Bitcoin is worth twice as much today as six months ago. The malicious actors behind the attack on the SEC account were very clear about their goal.

Events like this are hazardous considering that in recent years, algorithmic trading platforms that automate investments and respond immediately to announcements of the caliber of the fake SEC message have increased, even more so today, thanks to the development of AI systems.

Hacking into the accounts of bodies such as the Federal Reserve, the European Central Bank, or a Ministry of Finance can trigger movements in the field of cryptocurrencies and in terms of stock markets or country risk premiums.

From this case, we will unravel how criminals commit cryptocurrency fraud by hacking social networks and impersonating companies and administrations. In addition, we will dwell on a growing threat: the use of generative AIs to make fake ads and commit cryptocurrency fraud.

3. X, in the eye of the hurricane

Hacking social media accounts is not a new threat. For years, malicious actors have carried out this activity to extort micro-influencers, use accounts for phishing campaigns, or even impersonate executives.

Concerning cryptocurrency fraud, in recent months, hacks of X accounts of multinational companies have been made public as a starting point for attacks that combine social engineering and malware.

Why are cryptocurrency scams mainly carried out on X?

• The former Twitter is the quintessential informational social network, and its characteristics and audience are best suited to the targets of cryptocurrency fraud.
• The account verification system. Any user can buy the blue badge, which is used to differentiate verified users (companies, administrations, public figures). At the same time, gray badges have been created for institutions and gold badges for companies.

In addition, some affected actors, such as the CEO of the cryptocurrency transaction platform Ripple, have denounced X’s inaction in the face of cryptocurrency fraud, as well as the fact that the layoffs undertaken by Elon Musk when he landed at the company have deteriorated its security program.

Perhaps because of this, X’s Security account posted within hours of the SEC incident that, after conducting a preliminary investigation, they had concluded that the attackers did not breach X’s systems but that access was gained through the use of a phone number associated with the account and that the account had double authentication disabled.

 

4. Hacking accounts to commit cryptocurrency fraud

How do malicious actors hack accounts to commit cryptocurrency fraud?

4.1. Access and control

The first step is to gain access to the account of a company with a gold badge (reserved for verified companies) or an institution with a gray badge (the identifier for government accounts). Why? These badges build trust with users.

How is this achieved? Generally, by employing social engineering techniques to deceive members of the organizations. For example, in one of the most recent cases of cryptocurrency fraud on January 5, criminals used a disused and compromised journalist account to trick a worker at CertiK, a blockchain security company. The bait was a fake interview and a scheduling link that opened the door to malware. Whereas, as we already saw, in the SEC case, the malicious actors resorted to SIM swapping.

4.2. Transformation and impersonation

Transforming the account to pretend it belongs to another company. Although in the attack against the SEC, the account’s credibility was used to give integrity to the fake news, it is common for malicious actors to completely transform the accounts they hack, including name and appearance.

In the case of the attack against CertiK, the identity of Revoke, a company that manages cryptocurrencies, was simulated. In the Hyundai incident, the criminals spoofed the identity of Overworld, a web game, while in the attack against the Netgear account, they chose to make it look like an account of BRC, a cryptocurrency trading platform.

4.3. Phishing and redirection

Another cryptocurrency fraud that has occurred so far this year affected Mandiant, a cybersecurity firm subsidiary of Google. The attackers transformed the account and impersonated Phantom, another cryptocurrency management company. Once this was done, they proceeded to post a message announcing a fake distribution of $PHNTM tokens. A link had to be clicked to qualify for one of these tokens.

Upon clicking, if the users did not have the Phantom wallet installed, they were redirected to a legitimate site to install it. Once the wallet was installed, users were automatically drained of their cryptocurrency wallets.

4.4. Crypto drainer: Malware to steal the investor’s (crypto)wallet

This is where a type of malware that has recently become sadly popular comes into play: crypto drainers. As the name suggests, this type of malware allows criminals to steal their victims’ cryptocurrencies. The crypto drainer tricks users into approving a transaction and empties their crypto wallets.

The emergence of this kind of malware has revolutionized cryptocurrency fraud and poses an added risk to investors who risk losing all their cryptos after falling into a phishing trap. The financial losses can be in the millions. The situation may become more worrisome if:

• The crypto market revitalizes, if the US regulator gives the green light to the Bitcoin exchange-traded fund and, therefore, the number of investors grows.
• Attacks multiply, as this eventful start to the year indicates.

5. Fake ads, generative AIs and cryptocurrency scams

In addition to hacking the accounts of companies and administrations, another of the most popular ways of committing cryptocurrency fraud is the publication of advertisements on X, but also on Google or YouTube, to attract the attention of investors by offering them free tokens or attractive offers.

At the beginning of this article, we referred to Ripple, a cryptocurrency transaction platform similar to the famous blockchain. This company fell victim to one of the recent most eye-catching and exciting cryptocurrency scams. Why? Malicious actors employed generative AIs to craft video ads impersonating its CEO, Brad Garlinghouse.

Thus, cryptocurrency investors could encounter ads where Garlinghouse explained how they could get free tokens of XRP, the company’s cryptocurrency. To do so, they had to send XRP to a specific wallet and, in return, they would receive free XRP. This was a rather convincing video deepfake. It was necessary to look closely to detect that the lip movement did not match Garlinghouse’s statements. Thanks to this, the criminals were able to scam thousands of users and damage the reputation of Ripple and its CEO.

6. Combat cryptocurrency fraud, account hacking and impersonation

What can companies and public administrations do to prevent cryptocurrency fraud and combat social network hacking and corporate identity theft? Rely on the knowledge and expertise of professionals providing cyber intelligence services. These experts are trained to curb the proliferation of social network account hacking, as well as to:

• Protect corporate accounts.
• Recover accounts in case they are hijacked.
• Investigate the methodologies used by attackers.
• Combat the most sophisticated social engineering techniques.
• Design effective countermeasures against the TTPs of the leading criminal groups.
• Prevent fraud and protect brands.
• Discover attack scenarios and risks thanks to a Threat Intelligence methodology.

In addition, Threat Hunting services can significantly help combat and anticipate malicious actors’ techniques, tactics, and procedures. Threat Hunting professionals employ an offensive mindset to uncover emerging threats and tackle novel malware such as crypto drainers.

Ultimately, hacks of social networks to commit cryptocurrency fraud or attempt to manipulate the market are evidence that we are facing one of the critical threats of 2024.

Add to this the proliferation of fake ads on search engines and social networks and the malicious use of cutting-edge technologies such as generative AIs, and it is clear that companies need to take the risks associated with cryptocurrency fraud seriously. These attacks generate millions in losses among investors and undermine the reputation of the companies and institutions whose accounts are hacked or whose identities are impersonated.

If not, tell the SEC, that is having a tough January.