SecurityWeek

Cybercrime

Latest WannaCry Theory: Currency Manipulation

The recent WannaCry outbreak is still a mystery. We know what (ransomware), and how (a Windows vulnerability on unsupported or unpatched systems); but we don’t know who or why. We’re not short of theories: Lazarus, North Korea, some other nation-state actor, Chinese or Russian actors — but none of these has gained general acceptance.

The basic problem is that elements of WannaCry just don’t make sense. The scale and rapidity of its spread, although not unprecedented, point to expertise and resources. This, together with some code similarities, has led to suggestions that it was a nation-state attack emanating from North Korea.

But the inefficiencies in collecting the ransom are not likely from a group as experienced as Lazarus; and the absence of any visible political motive throws doubt on the idea that any nation-state actor was involved.

Thycotic’s cyber security and digital forensics expert, Joseph Carson, has an alternative theory: the motive behind WannaCry was effectively insider trading following currency manipulation. Bitcoin was the real target.

If he is right, it explains the efficiency of the attack (the primary motive) and the inefficiency of the ransom collection (which was neither part of nor important to the plan).

Talking to SecurityWeek, Carson explained that one common theory on the value of Bitcoin is an application of Metcalfe’s Law. Metcalfe’s law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²) (Wikipedia). Giovanni Santostasi, chief scientific officer at DeepWave and Fountain Health Technologies, has applied this to Bitcoin: “The exponential growth is driven by one factor only, not millions. The rate of adoption. Period. In fact there is a strong correlation (R² = 0.82) between number of users and price.”

This is Carson’s starting point. If you want to manipulate Bitcoin value, he told SecurityWeek, you cause a sudden increase in the number of users. This is most easily measured by the number of Bitcoin wallets in existence. A global ransomware outbreak, demanding payment by Bitcoin, would certainly have such an effect: both direct victims and judicious organizations are likely to obtain wallets.

“WannaCry,” he suggested, “was a sleight of hand, a deception. The ransomware was merely a mechanism to get a large number of people to open a Bitcoin wallet — and that by itself would drive up the value of Bitcoin.” It could almost be described as a version of insider trading based on a sophisticated form of ‘pump and dump’: the criminals could invest in Bitcoin, pump its value through encouraging the growth of wallets, and then dump the Bitcoin to take their profits.


This theory is supported by Bitcoin currency movement during May. The following details come from CryptoCompare.com. On May 1, Bitcoin was reported reaching an all-time high of $1,379.28. The price grew steadily and consistently until May 11 when it reached $1,817 on the eve of WannaCry. On May 12, WannaCry Day, it fell back by 3.93% to $1,776.95. Did criminals slowly drive up the price by their own investment in Bitcoin, ceasing further activity as soon as WannaCry was released?

On May 13, Bitcoin fell another 3.28% to $1,735.03; and again on May 14 by 2.99% to $1,684.44. But it’s what happened next that is interesting. On May 17, CryptoCompare reported, “Bitcoin is up 5.82% at $1,785.22.” On May 18 it was $1,821.24. On May 19 it was $1913. On May 20 it was $2,158, and it just kept going — until, on May 26, CryptoCompare reported, “Bitcoin has dropped 5.33% in the last 24 hours. Volumes are quite high, with over $580M dollars exchanged in the USD market, more than half a billion. The Bitcoin pull back is associated with profit taking following several days of rally.”

Three days later, it reported, “Bitcoin has dropped 5.33% in the last 24 hours. Volumes are quite high, with over $580M dollars exchanged in the USD market, more than half a billion. The Bitcoin pull back is associated with profit taking following several days of rally.” During this period, Bitcoin peaked at $2720 — almost exactly twice the price at which it started the month.

The simple reality is that these figures would support Carson’s theory: the primary purpose of WannaCry was a deceptive means of currency manipulation. This was currency manipulation on a massive scale.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
