Latest WannaCry Theory: Currency Manipulation

The recent WannaCry outbreak is still a mystery. We know what (ransomware), and how (a Windows vulnerability on unsupported or unpatched systems); but we don’t know who or why. We’re not short of theories: Lazarus, North Korea, some other nation-state actor, Chinese or Russian actors — but none of these has gained general acceptance.

The basic problem is that elements of WannaCry just don’t make sense. The scale and rapidity of its spread, although not unprecedented, point to expertise and resources. This, together with some code similarities, has led to suggestions that it was a nation-state attack emanating from North Korea.

But the inefficiencies in collecting the ransom are unlikely to come from a group as experienced as Lazarus; and the absence of any visible political motive throws doubt on the idea that any nation-state actor was involved.

Thycotic’s cyber security and digital forensics expert, Joseph Carson, has an alternative theory: the motive behind WannaCry was effectively insider trading following currency manipulation. Bitcoin was the real target.

If he is right, it explains the efficiency of the attack (the primary motive) and the inefficiency of the ransom collection (which was neither part of nor important to the plan).

Talking to SecurityWeek, Carson explained that one common theory on the value of Bitcoin is an application of Metcalfe’s Law. Metcalfe’s law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²) (Wikipedia). Giovanni Santostasi, chief scientific officer at DeepWave and Fountain Health Technologies, has applied this to Bitcoin: “The exponential growth is driven by one factor only, not millions. The rate of adoption. Period. In fact there is a strong correlation (R² = 0.82) between number of users and price.”

This is Carson’s starting point. If you want to manipulate Bitcoin value, he told SecurityWeek, you cause a sudden increase in the number of users. This is most easily measured by the number of Bitcoin wallets in existence. A global ransomware outbreak, demanding payment by Bitcoin, would certainly have such an effect: both direct victims and judicious organizations are likely to obtain wallets.

“WannaCry,” he suggested, “was a sleight of hand, a deception. The ransomware was merely a mechanism to get a large number of people to open a Bitcoin wallet — and that by itself would drive up the value of Bitcoin.” It could almost be described as a version of insider trading based on a sophisticated form of ‘pump and dump’: the criminals could invest in Bitcoin, pump its value through encouraging the growth of wallets, and then dump the Bitcoin to take their profits.

This theory is supported by Bitcoin currency movement during May. The following details come from CryptoCompare.com. On May 1, Bitcoin was reported reaching an all-time high of $1,379.28. The price grew steadily and consistently until May 11 when it reached $1,817 on the eve of WannaCry. On May 12, WannaCry Day, it fell back by 3.93% to $1,776.95. Did criminals slowly drive up the price by their own investment in Bitcoin, ceasing further activity as soon as WannaCry was released?

On May 13, Bitcoin fell another 3.28% to $1,735.03; and again on May 14 by 2.99% to $1,684.44. But it’s what happened next that is interesting. On May 17, CryptoCompare reported, “Bitcoin is up 5.82% at $1,785.22.” On May 18 it was $1,821.24. On May 19 it was $1913. On May 20 it was $2,158, and it just kept going — until, on May 26, CryptoCompare reported, “Bitcoin has dropped 5.33% in the last 24 hours. Volumes are quite high, with over $580M dollars exchanged in the USD market, more than half a billion. The Bitcoin pull back is associated with profit taking following several days of rally.”

Three days later, it reported, “Bitcoin has dropped 5.33% in the last 24 hours. Volumes are quite high, with over $580M dollars exchanged in the USD market, more than half a billion. The Bitcoin pull back is associated with profit taking following several days of rally.” During this period, Bitcoin peaked at $2720, almost exactly twice the price at which it started the month.

The simple reality is that these figures would support Carson’s theory: the primary purpose of WannaCry was a deceptive means of currency manipulation. This was currency manipulation on a massive scale.
