$1.1 billion has been stolen in cryptocurrency thefts over the last six months. This is the visible effect of an illicit dark web market economy which is reportedly worth $6.7 million. That market fuels cryptocurrency thefts from exchanges, businesses, and individuals, as well as the growing incidence of cryptojacking.
The basic problem is that cryptocurrencies are increasingly popular, which drives up their value. This makes investment popular for both individuals and businesses; and this in turn attracts the criminals. The three most common attacks involve currency-stealing malware (designed to quietly steal the users’ wallet content and send it to the attacker); illicit mining (designed to use business infrastructures to mine cryptocurrency for the attacker); and cryptojacking (which is illicit mining targeted at individuals).
A six-month study by Carbon Black into how cryptocurrency malware is bought and sold in the dark web has shown an estimated 12,000 dark web marketplaces selling approximately 34,000 offerings related to cryptocurrency theft. Malware offerings range from as little as $1.04 to as much as $1,000, with an average price of $224.
Bitcoin remains the primary cryptocurrency used for legitimate cyber transactions, but cybercriminals are moving to alternative and more profitable currencies such as Monero, which is now used in 44% of all attacks. Cybercriminals are increasingly moving away from Bitcoin (for example, as ransomware payment) because the associated fees are high and the transactions take too long to process. “These cybercriminals appear to prefer Monero due to privacy, non-traceability and comparatively low transaction fees,” says the report.
This applies to both illicit mining and wallet theft. Ethereum is the second most popular criminal currency at 11%, with Bitcoin third at 10%. There is no direct correlation between the popularity of the currency among criminals, and the market capitalization of the currency. At the time the report was compiled, the top three currencies by capitalization were Bitcoin (around $180 billion), Ethereum (around $90 billion), and Ripple (around $40 billion).
Cryptocurrency exchanges are the most vulnerable targets. Carbon Black’s research shows that during the period of analysis, 27% of all incidents involved exchanges. Exchanges combine the attraction of potentially large amounts of coin to steal with user information for follow-on targeting by the same criminals (representing 14% of all cryptocurrency-related thefts).
In February 2018, Italy’s BitGrail lost 17 million units of Nano (XRB) to hackers, valued at around $170 million. Coincheck in Japan had $530 million stolen in NEM (one of the lesser known currencies) in January 2018. In December 2017 South Korean Youbit filed for bankruptcy following two separate hacks — one in April and one in December.
Just over one-in-five of all attacks are against businesses — but most of these focus on the deployment of illicit crypto-mining malware where the victim infrastructure is used to quietly mine cryptocurrency. The same approach is also used against government websites, with Carbon Black finding that “nearly 7% of cryptocurrency attacks targeted various governments using the same tactics, techniques and procedures (TTPs) found in private industry attacks.” In both cases, all proceeds are directed to the attackers’ own wallets.
Closely related to this attack is ‘cryptojacking’ aimed at individual users. “Our research found that a growing number of websites are either intentionally deploying cryptocurrency scripts or are being used to deliver illicit mining malware to unsuspecting users. This is most commonly referred to as ‘cryptojacking’, and, even if you aren’t being targeted for your own cryptocurrency, there’s a chance your endpoint may be abused for someone else’s gain.”
Carbon Black expects cryptocurrency theft and illicit mining to continue to grow. “These cryptocurrencies represent an alternative and lucrative funding stream, which is especially true for criminals, as well as nation-states desperately seeking to subvert sanctions.”
To deter such attacks, Carbon Black urges the use of endpoint protection software. For individuals, it also advises that users should avoid installing untrusted applications or following unfamiliar links; and that an ad-blocker should be used to “reduce the risk of having your device used to harvest cryptocurrency without your consent.”
Businesses, urges Carbon Black, should store cryptocurrency in an off-line wallet. “Never,” it stresses, “store your cryptocurrency in an online or warm wallet (a dedicated device that must be connected to the internet to make transactions). Cold storage is best.”
To demonstrate the size of the problem, the company compares the cryptocurrency losses it found in six months ($1.1 billion) to the total cost of all cybercrime in the whole of 2016 ($1.3 billion — according to the FBI).
Carbon Black filed for an IPO in April 2018 with plans to sell 8 million shares at $15 to $17. It raised this price to $19 and started trading on the NASDAQ on May 4, raising $152 million. At the time of writing, shares have risen to $26.10.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
