It can seem like cybercriminals are running rampant across the world’s digital infrastructure, launching ransomware attacks, scams, and outright thefts with impunity. Over the last year, however, US and global authorities seized $112 million from cryptocurrency investment scams, disrupted the Hive ransomware group, broke up online illegal drug marketplaces, and sanctioned crypto money launderers, among other operations to crack down on internet-enabled crimes.
These developments highlight how quickly investigative tools have evolved to track and expose online illicit and criminal activities. At this year’s inaugural Sleuthcon: The Cybercrime Congress, security researchers delved into new techniques and efforts that tighten the net around cybercriminals, making it harder for them to hide their operations even as challenges in tackling digital crime remain.
Cryptocurrencies were never anonymous
The single most significant factor fueling the rise of ransomware and other digital crimes is cryptocurrency, which threat actors and petty criminals have viewed as a kind of invisibility cloak to hide their misdeeds. Blockchain transactions provide pseudonymous addresses, but investigators can still trace transactions from origin to destination because they are all permanently recorded on public ledgers.
“The fact is that this antidote to financial surveillance turned out to be kind of the worst trap in modern financial surveillance,” Wired reporter and author of a recent book on tracing criminal activity on cryptocurrency Andy Greenberg said in kicking off the event. Like the internet itself, which was mistakenly thought to be anonymous in its earliest era, there is nothing truly anonymous about cryptocurrency. “I would say now that Bitcoin, in fact, serves as a kind of decade-long trap seducing all sorts of people seeking financial privacy and all kinds of cybercriminals and then allowing law enforcement in many cases to follow the blockchain directly to their doorsteps,” he said.
Threat actors pivot amid increased pressure
Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, said that the spate of recent law enforcement crackdowns, the war in Ukraine, pressure from insurance companies, increased availability of detectors, and an overall increased unwillingness of victims to pay caused ransomware revenue to drop from $756.6 million in 2021 to $456.8 million in 2022.
With pressure on them, financially motivated threat actors are “pivoting to crimes with more certainty of success,” she said. “So, selling data or access instead of extorting. Everest ransomware [group] has tried selling access or data extortion only without encryption.”
One growing cybercrime activity is cryptojacking, or secretly using a victim’s computing power to generate currency, which “is a great foothold for sustained access,” Burns Koven said. “It’s also a great passive income. We’ve taken a cryptomining kit vendor’s wallet, and you can see sustained income coming in overtime despite the bear market in crypto. So, it’s a great market. It’s actually an increasing market for those types of services.”
Romance scams and pig butchering, building rapport and trust with victims over time only to steal from them, are replacing the old get-rich schemes and have increased inversely to the drop in cryptocurrency prices, Burns Koven said.
Stuffing money under the mattresses
Because of stepped-up law enforcement efforts, cybercriminals are also facing a crisis in cashing out their cryptocurrencies, with only a handful of laundering vehicles in place due to actions against crypto-mixers who help obfuscate the money trail. “Eventually, they’ll have to cash out to pay for their office space in St. Petersburg to pay for their Lambos. So, they’re going to need to find an exchange,” Burns Coven said.
Cybercriminals are just sitting on their money, like stuffing money under the mattress. “It’s been a tumultuous two years for the threat actors,” she said. “A lot of law enforcement takedowns, challenging operational environments, and harder to get funds. And we’re seeing this sophisticated laundering technique called absolutely nothing doing, just sitting on it.”
Despite the rising number of challenges, “I don’t think there’s a mass exodus of threat actors from ransomware,” Burns Coven tells CSO, saying they are shifting tactics rather than exiting the business altogether. Another factor keeping cybercriminals afloat is the reluctance of victims to report their incidents to law enforcement in the first place.
“We need victims to report that they’ve been scammed or ransomed,” she says. “And I think pig butchering, to an extent, might suffer the same reporting issue as ransomware because it’s embarrassing. It’s heartbreaking that these people have been manipulated by somebody, perhaps romantically. So, a lot is not being reported to law enforcement.”
Aggregate cybercrime patterns matter
Lizzie Cookson, senior director of incident response at Coveware, said that tracking and identifying cybercriminals goes beyond just simply tracing the money. “How we visualize the optimal attribution analysis combines forensics, analysis of negotiation dialogue, threat after-behaviors, and patterns in the money trail because of how fluid the environment is,” she said. “We can’t just rely on one of these buckets. We have to collect what we can from all of them and try to compare the aggregate patterns.”
Cookson used the example of the Doppel Paymer ransomware group, which Coveware found overlapped with the international cybercrime network Evil Corp. “We observed this intersection in consolidation, wallets, mixing services, and common money accounts in the same exchange, which is where the money trail ended,” she said. “So, while the use of mixing services and consolidation accounts is not unusual, the combination of these specific services used repeatedly is unique. This discovery was a major outlier in behavior and ultimately led us to restrict payments to Doppel Paymer internally in December 2020.”
Cutting through the haze of cybercrime
One challenge that security researchers face in tracking cybercriminals is cutting through the haze of criminal groups, who have amorphous boundaries, overlapping tactics, techniques, and procedures (TTPs), and frequently appear with unknown attribution. Jake Nicastro, principal threat analyst on Mandiant Intelligence’s Advanced Practices team, shared his group’s frustration with trying to parse through the activities of five or six groups known as uncategorized threat actors known or UNCs, who are possibly aligned with a threat actor known as Oktapus, so named because it targeted identity and access management firm Okta.
The differing names that security firms apply to threat groups are confusing the situation further. For example, CrowdStrike calls Oktapus “Scattered Spider.” Fuzzing the situation further, the overlapping groups Nicastro’s group was tracking may or may not have been aligned with the Lapsus group, which was disbanded in 2022 but was later revived to some degree. Paraphrasing singer-songwriter Olivia Rodrigo, Nicastro said, “It’s brutal out here with all these UNCs,” so Mandiant called the clustered groups Olivia.
Nicastro said that the inability of cybersecurity professionals to straighten out these kinds of confusing situations is a serious problem. “It becomes really hard to tell what exactly defines a group, especially when we have other clusters where it’s like, ‘Hey, this feels like this other group, but we really don’t have data to back it up, but we’re pretty sure it’s this group.’ It just becomes a mess.”
Selena Larson, senior threat intelligence analyst at Proofpoint on the Threat Research team, told the attendees that this kind of instability is the hallmark of the cybercrime landscape. Paraphrasing author Michael Crichton, Larson said,” Living systems are never in equilibrium. They’re inherently unstable. They may seem stable, but they’re not. Everything is moving and changing, and in a sense, everything is on the verge of collapse. I really feel like this encapsulates what we’re seeing across the board with the crime threat landscape.”
Copyright © 2023 IDG Communications, Inc.