Cryptocurrency Theft Tops $1 Billion in Past Six Months

$1.1 billion has been stolen in cryptocurrency thefts over the last six months. This is the visible effect of an illicit dark web market economy which is reportedly worth $6.7 million. That market fuels cryptocurrency thefts from exchanges, businesses, and individuals; and the growing incidence of cryptojacking.

The basic problem is that cryptocurrencies are increasingly popular, which drives up their value. This makes investment popular for both individuals and businesses; and this in turn attracts the criminals. The three most common attacks involve currency-stealing malware (designed to quietly steal the users’ wallet content and send it to the attacker); illicit mining (designed to use business infrastructures to mine cryptocurrency for the attacker); and cryptojacking (which is illicit mining targeted at individuals).

A six-month study (PDF) by Carbon Black into how cryptocurrency malware is bought and sold in the dark web has shown an estimated 12,000 dark web marketplaces selling approximately 34,000 offerings related to cryptocurrency theft. Malware offerings range from as little as $1.04 to as much as $1,000, with an average price of $224.

Bitcoin remains the primary cryptocurrency used for legitimate cyber transactions — but cybercriminals are moving to alternative and more profitable currencies, such as Monero — which is now used in 44% of all attacks. Cybercriminals are increasingly moving away from Bitcoin (for example, as ransomware payment) because the associated fees are high, and the transactions take too long to process. “These cybercriminals appear to prefer Monero due to privacy, non-traceability and comparatively low transaction fees,” says the report.

This applies to both illicit mining and wallet theft. Ethereum is the second most popular criminal currency at 11%, with Bitcoin third at 10%. There is no direct correlation between a currency's popularity among criminals and its market capitalization. At the time the report was compiled, the top three currencies by capitalization were Bitcoin (around $180 billion), Ethereum (around $90 billion), and Ripple (around $40 billion).

Cryptocurrency exchanges are the most vulnerable targets. Carbon Black’s research shows that during the period of analysis, 27% of all incidents involved exchanges. Exchanges combine the attraction of potentially large amounts of coin to steal with user information for follow-on targeting by the same criminals (representing 14% of all cryptocurrency-related thefts).

In February 2018, Italy’s BitGrail lost 17 million units of Nano (XRB) to hackers, valued at around $170 million. Coincheck in Japan had $530 million stolen in NEM (one of the lesser known currencies) in January 2018. In December 2017 South Korean Youbit filed for bankruptcy following two separate hacks — one in April and one in December.

Just over one-in-five of all attacks are against businesses — but most of these focus on the deployment of illicit crypto-mining malware where the victim infrastructure is used to quietly mine cryptocurrency. The same approach is also used against government websites, with Carbon Black finding that “nearly 7% of cryptocurrency attacks targeted various governments using the same tactics, techniques and procedures (TTPs) found in private industry attacks.” In both cases, all proceeds are directed to the attackers’ own wallets.

Closely related to this attack is ‘cryptojacking’ aimed at individual users. “Our research found that a growing number of websites are either intentionally deploying cryptocurrency scripts or are being used to deliver illicit mining malware to unsuspecting users. This is most commonly referred to as ‘cryptojacking’, and, even if you aren’t being targeted for your own cryptocurrency, there’s a chance your endpoint may be abused for someone else’s gain.”

Carbon Black expects cryptocurrency theft and illicit mining to continue to grow. “These cryptocurrencies represent an alternative and lucrative funding stream, which is especially true for criminals, as well as nation-states desperately seeking to subvert sanctions.”

To deter such attacks, Carbon Black urges the use of endpoint protection software. For individuals, it also advises that users should avoid installing untrusted applications or following unfamiliar links; and that an ad-blocker should be used to “reduce the risk of having your device used to harvest cryptocurrency without your consent.”

Businesses, urges Carbon Black, should store cryptocurrency in an off-line wallet. “Never,” it stresses, “store your cryptocurrency in an online or warm wallet (a dedicated device that must be connected to the internet to make transactions). Cold storage is best.”

To demonstrate the size of the problem, the company compares the cryptocurrency losses it found in six months ($1.1 billion) to the total cost of all cybercrime in the whole of 2016 ($1.3 billion — according to the FBI).

Carbon Black filed for an IPO in April 2018 with plans to sell 8 million shares at $15 to $17. It raised this price to $19 and started trading on the NASDAQ on May 4, raising $152 million. At the time of writing, shares have risen to $26.10.
