How Hackers Cash Out Bitcoin From Ransomware Attacks

Digital currencies are a real blessing for hackers and cyber criminals. Bitcoin transactions are pseudonymous: every transaction is public on the blockchain, but addresses are not tied to real identities, which makes the currency convenient for illegal trade on the black market.

They are especially suitable for cyber criminals who run ransomware campaigns. Through attacks with various ransomware families (WannaCry, Petya, LeakerLocker, Locky, Cerber, etc.), cyber criminals have earned millions of dollars.

The operators of the WannaCry wallets began cashing out on Wednesday, 2 August 2017. According to the @actual_ransom Twitter bot, which tracks payments to the WannaCry ransom addresses, only 338 victims had paid the $300 ransom in Bitcoin. On Wednesday night this money was withdrawn in 7 transactions within 15 minutes, but where it went was not yet known.

Cryptocurrency exchanges and digital wallets are also frequent targets of cybercriminals; hacks of such services have so far netted hundreds of millions of dollars in Bitcoin and Ethereum. Recently there was a series of thefts of the increasingly popular digital currency Ethereum, in which about half a billion dollars were stolen.

How do hackers do it without being caught?

When cybercriminals steal cryptocurrency from an exchange or a digital wallet, or when ransomware victims pay a ransom, the next step is to convert that cryptocurrency into fiat money.

It has been revealed that some cryptocurrency exchanges are involved in money laundering: they let cybercriminals exchange digital currency for fiat money without any identity checks.

According to research by Google, since 2014 more than 95% of all Bitcoin paid to ransomware operators has been converted into money through the Russian-linked cryptocurrency exchange BTC-e. Interestingly, one of the founders of BTC-e was arrested in Greece two days before the publication of Google's research, on charges of laundering Bitcoin worth over $4 billion.

The Google researchers identified the cash-out points and followed how the money leaves the Bitcoin network. Once funds reach an exchange, they can be traced with the conventional methods of following financial flows, which is what lets prosecutors pick up the trail.
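The following is an added example, not code from the original article or from the Google research it describes, showing in miniature the two techniques such tracing relies on: clustering addresses into wallets with the common-input-ownership heuristic, and propagating "taint" forward from known ransom addresses until the funds land in a cluster labelled as an exchange. The transaction graph, the address names, the txids and the label "ExchangeX" are all constructed for illustration; the haircut (proportional) taint model is one of several attribution rules an analyst could choose.

```python
"""Toy reconstruction of ransomware payment tracing (added example, not code
from the original article or from the Google study it describes).

  1. Cluster addresses: all inputs of one transaction are assumed to belong
     to the same wallet owner (common-input-ownership heuristic).
  2. Trace taint forward from known ransom addresses, haircut style (each
     output inherits the tainted fraction of the transaction's inputs), until
     the funds enter a cluster labelled as an exchange.
Amounts are satoshis; every address, txid and label below is made up.
"""
from collections import defaultdict

# Constructed transactions in confirmation order: (txid, inputs, outputs),
# where inputs/outputs are lists of (address, value_in_satoshis).
TXS = [
    ("tx1", [("victim1", 12_000_000)], [("ransom_A", 10_000_000), ("victim1", 1_990_000)]),
    ("tx2", [("victim2", 10_010_000)], [("ransom_B", 10_000_000)]),
    # operator sweeps both ransom addresses together with unrelated funds
    ("tx3", [("ransom_A", 10_000_000), ("ransom_B", 10_000_000), ("clean_funds", 20_000_000)],
            [("hop1", 39_900_000)]),
    ("tx4", [("hop1", 39_900_000)], [("exch_dep_1", 30_000_000), ("hop2", 9_800_000)]),
    ("tx5", [("hop2", 9_800_000)], [("exch_dep_2", 6_000_000), ("cold_store", 3_700_000)]),
    # an unrelated customer of the same exchange
    ("tx6", [("other_user", 50_000_000)], [("exch_dep_3", 49_990_000)]),
    # the exchange sweeps its deposit addresses into a hot wallet
    ("tx7", [("exch_dep_1", 30_000_000), ("exch_dep_2", 6_000_000), ("exch_dep_3", 49_990_000)],
            [("exch_hot", 85_980_000)]),
]
SEED_RANSOM_ADDRESSES = {"ransom_A", "ransom_B"}  # e.g. addresses shown in ransom notes
# One address known to belong to an exchange (e.g. from an analyst's own test
# deposit); clustering extends the label to the exchange's whole wallet.
KNOWN_LABELS = {"exch_dep_3": "ExchangeX"}


class UnionFind:
    """Minimal disjoint-set structure used to merge addresses into wallets."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: inputs of one tx share an owner.
    Change-address heuristics are deliberately not applied, so a single-input
    hop such as hop1 stays in a cluster of its own."""
    uf = UnionFind()
    for _, inputs, outputs in txs:
        in_addrs = [a for a, _ in inputs]
        for a in in_addrs[1:]:
            uf.union(in_addrs[0], a)
        for a, _ in outputs:
            uf.find(a)  # register every address, even if never spent from
    return uf


def label_clusters(uf, known_labels):
    """Map cluster root -> label for every cluster containing a known address."""
    return {uf.find(addr): label for addr, label in known_labels.items()}


def trace_ransom_flow(txs, seeds, uf, cluster_labels):
    """Haircut taint tracing from ransom addresses to labelled clusters.

    Returns (reached, leftover, seeded): tainted satoshis that entered each
    labelled cluster, tainted satoshis still parked on unlabelled addresses,
    and the total value paid to the seed addresses.
    """
    taint = defaultdict(int)    # tainted balance per unlabelled address
    reached = defaultdict(int)  # tainted value that entered each labelled cluster
    seeded = 0
    for _, inputs, outputs in txs:
        total_in = sum(v for _, v in inputs)
        tainted_in = sum(taint.pop(a, 0) for a, _ in inputs)  # spending consumes taint
        for addr, value in outputs:
            if addr in seeds:
                tainted = value  # a ransom payment: fully tainted from here on
                seeded += value
            elif tainted_in:
                tainted = value * tainted_in // total_in  # proportional haircut
            else:
                continue
            label = cluster_labels.get(uf.find(addr))
            if label:
                reached[label] += tainted  # funds are now in the service's custody
            else:
                taint[addr] += tainted
    return dict(reached), dict(taint), seeded


def exit_shares(txs, seeds, known_labels):
    """Fraction of all ransom value that exited through each labelled service."""
    uf = cluster_addresses(txs)
    reached, _, seeded = trace_ransom_flow(txs, seeds, uf, label_clusters(uf, known_labels))
    return {label: amount / seeded for label, amount in reached.items()}


if __name__ == "__main__":
    print(exit_shares(TXS, SEED_RANSOM_ADDRESSES, KNOWN_LABELS))  # {'ExchangeX': 0.9}
```

On the constructed graph, 18,000,000 of the 20,000,000 satoshis paid as ransom end up in the ExchangeX cluster (90%), and 1,850,000 remain on an unlabelled address; the remainder is lost to the haircut applied when the operator mixed ransom money with clean funds in tx3. Note that the single known deposit address is enough to label all three of the exchange's deposit addresses, because the exchange's own sweep transaction (tx7) links them as co-spent inputs. Real analyses work on the full chain with commercial labelling data and must also handle mixers, coinjoins and exchange-internal transfers that this toy model ignores.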

Key points: monitoring ransomware payments

The researchers followed the money trail step by step and analysed the most lucrative ransomware families. These are the conclusions they reached:

The biggest damage was caused by 2 ransomware families, Locky and Cerber. Locky has brought its operators about $8 million so far and was the first ransomware to earn cyber criminals more than $1 million in a single month. Cerber is in second place with earnings of about $7 million (about $200,000 a month).

Most ransomware victims used LocalBitcoins, Bithumb and Coinbase to buy Bitcoin, and 90% of them paid the ransom in a single transaction.

In more than 95% of cases, cyber criminals used BTC-e to convert Bitcoin into money.

The cybercriminals behind Dridex, Locky and Cerber used the Necurs botnet (a network of infected Windows machines, not IoT devices) to distribute their malware in mass spam campaigns.

Researchers also believe that BTC-e received some of the Bitcoin stolen from the once very popular Japanese exchange Mt. Gox, which was shut down in 2014 after a series of still unexplained thefts.
