Every time a new technology appears on the scene, it is usually accompanied by a new breed of criminal who seeks to exploit it. The most obvious examples would be the rise of hackers after the invention of the internet, or the birth of phone-scams following the invention of home telephones.
One would think that cryptocurrency might display a similar pattern, but the truth is that as the old ways still seem to work the best for the crypto criminals.
Besides the small handful of high-profile crypto hacks we hear about every so often, cryptocurrency is generally secure against the actions of hackers – assuming the end user follows a smart routine.
But a recent spate of kidnappings has shown us that if someone has their mind set on stealing some cryptocurrency, they can still use the tried and tested method of brute force to achieve their aim.
13 Year Old Boy Kidnapped for Bitcoin
On May 20th of this year, thirteen year old Katlego Marite was kidnapped while playing near his home in a village called Witbank, in South Africa.
Three men pulled up in a car, grabbed the boy in front of his friends, then sped off – but not without leaving a ransom note behind, along with a wallet address.
The note demanded that the family pay a ransom of 15 BTC or else they’d never see their son again. There was to be 1 BTC delivered the very next day, with the rest expected within the week.
The boy’s family were distraught, not least because they had no idea what a Bitcoin was, and wondered if they’d ever manage to retrieve their son.
Luckily, the boy was returned home safely a few days later, having not experienced any serious harm. Whether the ransom was paid or not is known only by the South African authorities, who won’t release any further details to the press.
#sapsMP #SAPS PC Lt Gen Zuma elated that Katlego Marite (13) from Tasbet Park in Witbank, who was kidnapped by unknown men on 20/05 has been found. Gen Zuma commended SAPS members, community members & family in their effort in ensuring Katlego is found.SWhttps://t.co/5btr0nOFTF pic.twitter.com/hR4g8trIjG
— SA Police Service (@SAPoliceService) May 24, 2018
If the BTC was delivered to the wallet, it could already have jumped between multiple pre-made addresses; undergone hundreds of currency swaps using untraceable privacy coins, and ended up on an exchange somewhere, before being bought by the average crypto user looking to add to their portfolio.
EXMO Exchange Analyst Held for $1 Million
On December 26th of 2017, an analyst in Ukraine who worked for the EXMO cryptocurrency exchange was bungled into a car and whisked away by armed men wearing balaclavas. A ransom demand of $1 million worth of bitcoin was made, and then they waited.
By May 29th the ransom was paid and the analyst, Pavel Lerner, was returned safely. However, it is still unknown who coughed up the bitcoin to pay for Lerner’s release. Presumably Lerner was targeted because the thieves thought his role as an exchange analyst would grant him access to untold amounts of money, however, Lerner had no such access.
Pavel Lerner, Image from DW.com
The man’s employers, EXMO, released a statement saying no action had been taken by them, and made sure to point out that their exchange remained unaffected by the event.
Keep Your Friends Close…
The line between friend and enemy can be easily blurred, especially when there’s money involved. One man found this out the hard way in December of last year, when a friend of his lured him into a minivan which he claimed was an Uber taxi, pulled out a gun, and demanded his Ledger Nano S, along with the 24-word wallet phrase.
The victim, who remains unnamed, had over a million dollars worth of Ether in his wallet at the time.
The gunman, 35 year old Louis Meza, got the hardware wallet and the key-phrase, but couldn’t help but make two fatal errors.
First, he passed under the view of local surveillance cameras when he led his victim back to his apartment to get the wallet, thus revealing his identity to police.
And perhaps most unforgivably of all, he transferred the funds from the wallet directly to an exchange and converted to bitcoin, where authorities could easily trace it. Meza was caught, and rightfully so, but one can’t help but wonder why he didn’t just transfer the Ether to a hardware wallet of his own.
Louis Meza appears in court, Image from Bitcoin.com
Take note of how Meza found out about the Ethereum holdings – the victim had bragged about it in a bar. The next thing he knew, he was in a fake taxi with a gun pointed to his head.
Interestingly, when Meza converted the Ether to Bitcoin, the value of Bitcoin rose faster than Ethereum, meaning the victim ended up receiving more money back than was stolen in the first place.
Some methods of extracting cryptocurrency from unsuspecting victims are more subtle, but still use techniques founded a long time ago.
Ransomware has been used to extort money out of people since the late 80’s. It takes the form of malicious software which encrypts your personal data and then demands that you pay to get it back.
In recent years cryptocurrency users have received nasty introductions to ransomware attacks; where the scammer, or usually a bot, targets the user’s private keys.
In 2013, the infamous CryptoLocker botnet did exactly that. The CryptoLocker program gave its victims three days to pay via Bitcoin, Ukash or a pre-paid voucher, or else it would delete their private key completely.
Estimates vary as to how many people gave money to the scammers, with some research polls saying 40%, while others say less than 1% of those affected actually handed money over. Either way, when the multiple addresses associated with the scammer were laid bare on line, they showed a collective movement of around $27 million.
By the time some users got their money back, through the help of the authorities, the scammer had made off with a total of $3 million, which was never seen again.
For all the advantages that cryptocurrency has over the fiat banking system – and there are many – it suffers from the one, single weakness that the banks don’t have – security.
If a robber puts a gun to your head and demands your bank card, you simply give it to them and then cancel your card when you get home. Even if they used it before then, the chances that their purchases would go untraced are extremely slim. Finally, even in the event that the thief did manage to spend your money, most banks are fully insured against such events, and would in all likelihood return your funds immediately upon realizing they’d been stolen.
With cryptocurrency, the individual user is responsible for his or her own financial security, and must contend with all the problems that brings. Ultimately, the human being is the main weak point as far as crypto security is concerned, and regardless of how much two factor authentication you have set up, a gun to the head, or a kidnapped child tends to bypass those measures quite easily.
It may be worth noting that this sudden flurry of crypto kidnappings only started happening around late 2017 – at a time when the crypto market was rising rapidly towards its highest peak to date.
It seems that investors and criminals respond to the same market cues.