We explain the most common malware and hacks through which you could lose your bitcoins and cryptocurrencies and how to guard against them.
Malware (malicious code, or a malicious program) is any software that deliberately performs harmful actions on a computer system without the user's knowledge or consent.
Key facts:
- In cryptojacking, attackers "hijack" your device's processor to mine cryptocurrencies for themselves.
- With ransomware, attackers encrypt (and often also steal) data and demand a cryptocurrency payment to restore it.
- With keyloggers, attackers capture wallet passwords, seed phrases and private keys as they are typed.
- Remote access Trojans (RATs) open a backdoor that gives the attacker full remote control of the computer.
- Cryptocurrency exchanges, which hold many customers' funds in one place, are frequent targets.
Carrying out such an action is known as a hack, a term that in computing denotes unauthorized modification of code or systems. It is usually performed by a hacker, someone who finds and exploits vulnerabilities in a computer or system.
Cryptocurrencies are money, and, as such, there will always be someone willing (and able) to steal them. Because they are a digital rather than a physical asset, the methods used to steal them are very different.
Around the globe there are numerous people and organizations whose talents lie in computer code: they can create it, modify it and, in many cases, break it. They are known as “hackers” and, while many are benevolent, others work only for their own benefit.
Among other activities, the latter group, known as "black hats", create malware and break into websites where money is stored, in order to profit remotely at the expense of companies and users.
The cryptocurrency world has been one of their favorite targets, because of the large amount of hard-to-trace funds in the hands of unsuspecting users or careless companies.
According to the security firm CertiK, in the first few months of 2022 alone more than USD 1.673 billion in cryptocurrencies were stolen through exploited code vulnerabilities and hacks, which shows that the black-hat business is lucrative and therefore far from stopping.
Despite that fact, there are ways to protect yourself against hacker attacks. The most important of these is to educate yourself about what they can do.
That's why, below, we describe the most common malware and types of hacks within the cryptocurrency ecosystem.
1 Cryptojacking
What is cryptojacking and how does it work?
The word comes from "crypto" (for cryptocurrencies) and "hijacking", which already hints at what it is: the unauthorized use of your equipment (PC or mobile), and therefore of your electricity, to mine cryptocurrency.
Basically, the attacker "hijacks" your device's processing capacity without your knowledge and uses it to mine new coins, mostly in cryptocurrencies such as Monero (XMR) whose mining algorithm runs on ordinary CPUs, which are then paid to the attacker's wallet. You do not even need to own cryptocurrencies to be a victim of cryptojacking.
What are the types of cryptojacking?
There are two known types of cryptojacking: local miners and web miners. The purpose is the same, but the method changes.
Local miners are mining programs that arrive and install themselves on devices by various means, without the legitimate user's knowledge. The most common infection vector is email: the victim receives a message with an attachment that, when opened, installs the miner in the background.
This is not the only distribution channel, however: the miner can be bundled with the download of any unofficial program.
Web miners, by contrast, require no installation at all: the user only has to visit a page where the mining script has been placed for their computer to start mining, unwittingly in most cases, and the mining normally stops when the page is closed.
One of the most popular web miners was Coinhive, a small JavaScript program that mined Monero from within the browser, where JavaScript is enabled by default. The service shut down in March 2019, citing a Monero hard fork that changed the mining algorithm and the fall in the coin's price.
Web miners are not malware
By themselves, web miners are not malware: they were designed as an alternative to advertising for funding websites. However, most administrators who run the script on their pages fail to tell visitors, so in practice they are profiting from visitors' hardware without permission.
Attackers can also inject the script into compromised routers or into websites they do not control; government portals have been among the victims of such injections.
Hidden details
In addition, a web miner is only supposed to run while the browser and the page are open, but in late 2017 the firm Malwarebytes documented a technique where, after the user visited the infected page and closed the browser, a tiny pop-under window remained open, sized and positioned to hide behind the clock in the Windows taskbar, and kept mining from there.
How to tell if my PC is being mined
If throttled correctly, a miner should have no noticeable effect on the device it runs on, which is the argument for not treating consented web miners as malware.
However, if the miner comes from a malicious party it will typically push CPU usage above 70%, making computers sluggish and hot and, on mobile devices, draining the battery in the blink of an eye.
In extreme cases mining can even damage a low-end device: sustained full load generates heat, which can warp or degrade components.
The electricity bill may also rise, although again only with abusive miners; a throttled miner that runs only while you visit a page costs a negligible amount of energy.
Still, even if your computer shows no symptoms, consider that it is being used for someone else's profit without your permission, which in many jurisdictions is illegal. Administrators who use miners legitimately must ask their visitors or users for permission in advance.
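The following is an added example, not code from the original article or from any product it mentions. It shows how a page can be inspected for the web-miner pattern described above: a script loaded from a host that operated a browser miner, or an inline script that instantiates one. The host list, keyword list and sample pages are constructed assumptions for the example, not a vendor signature set, and a real page would be fetched rather than embedded.

```python
import re
from html.parser import HTMLParser

# Illustrative indicators only (an assumption for this example, not a vendor
# signature list): script hosts that operated browser miners, and strings
# that miner scripts and their WebAssembly/Worker scaffolding commonly contain.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "crypto-loot.com"}
MINER_KEYWORDS = ("CoinHive.Anonymous", "cryptonight", "stratum+tcp", "hashesPerSecond")


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._buf = None  # non-None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)  # script bodies may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None


def script_host(url):
    """Host part of an absolute or protocol-relative URL; None for relative paths."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url)
    return m.group(1).lower() if m else None


def scan_page(html):
    """Return a list of findings explaining why the page looks like it runs a miner."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = script_host(src)
        if host and any(host == d or host.endswith("." + d) for d in MINER_HOSTS):
            findings.append(f"external script from known miner host: {src}")
    for body in collector.inline:
        hits = [k for k in MINER_KEYWORDS if k in body]
        if hits:
            findings.append("inline script contains " + ", ".join(hits))
        # A throttled WebAssembly worker is the usual scaffolding of a browser
        # miner; flag the combination rather than any single word.
        if "WebAssembly" in body and "Worker" in body and "throttle" in body.lower():
            findings.append("inline script builds a throttled WebAssembly worker")
    return findings


# Constructed sample pages (not real sites): one embeds a Coinhive-style miner.
SAMPLE_INFECTED = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body>Hello</body></html>"""

SAMPLE_CLEAN = """<html><head><script src="/static/app.js"></script>
<script>document.title = "hi";</script></head><body>Hello</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_INFECTED):
        print("FOUND:", finding)
    print("clean page findings:", scan_page(SAMPLE_CLEAN))
```

Indicator lists like this go stale quickly (Coinhive itself is gone), which is why the last heuristic looks at the structure of the script rather than at names; in practice a sudden, sustained CPU load that appears only while a tab is open is the more reliable symptom.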
2 Ransomware
This malware predates the public Internet (the first known case, the AIDS Trojan of 1989, was distributed on floppy disks), but its big boom came when, starting in 2013 with CryptoLocker, its developers began using bitcoin and other cryptocurrencies as the payment method.
What is ransomware?
"Ransomware" is a combination of "ransom" and "malware", which describes it well: it is a program that, after being installed without permission on a computer or mobile device, encrypts most of the files or the entire disk, making them inaccessible to the user. In exchange for decrypting the hijacked data, the attackers demand a ransom, usually in cryptocurrencies, whose amount depends on the victim.
Ordinary users are usually asked for low dollar amounts, while attacks aimed at companies or organizations demand thousands or even millions of dollars.
The infection method also differs: ordinary users are usually infected opportunistically through spam or unofficial programs, while attacks on companies are planned in advance, typically after the attacker has already gained access to the network.
File ransom note with macabre game theme from the SAW movie. Source: ESET.
Types of ransomware
Every ransomware is a malicious program aimed (mostly) at data hijacking for monetary ransom. They vary, however, in their functions, capabilities and distribution methods. Here are a few types:
Scareware: could also be called pseudo-ransomware, since it does not actually encrypt files but locks the device's screen with warnings.
The warnings may start with an alarming message from a supposed antivirus program that has detected serious problems on the computer, or from a supposed law-enforcement agency (such as the FBI) accusing the user of illegal online activity. In both cases money is demanded to resolve the non-existent problem, but a reboot or killing the process is usually enough to get rid of the warning.
File-encrypting (crypto-ransomware): the most common type. It encrypts only files with the most popular extensions (mp3, doc, pdf, jpg, etc.), appending its own extension to them and making them inaccessible until the victim pays the ransom in cryptocurrencies.
The ransom note that appears after encryption usually includes a countdown or deadline after which the price increases or the files are deleted. Examples of this type are CryptoLocker, Jigsaw and Spora, and variants are sold cheaply on darknet markets.
Full-disk encryption: these programs, once on the device, encrypt the entire disk, including the files needed to start the operating system. Not only personal data is compromised but the whole system; what remains is a boot-time notice with an email address to contact from another computer in order to pay the ransom and obtain the decryption key. The best-known example is Mamba.
Wiper in disguise: the defining feature of ransomware is that a decryption key exists (or at least is supposed to) to recover the files or disk once the ransom is paid.
That is not the case with wipers masquerading as ransomware: these are programs designed to delete files, or to encrypt them with no possibility of recovery, which amounts to the same thing. Attackers still attach ransom notes to some wipers in order to collect payments they cannot honor.
Ransomware-of-Things (RoT): not very common, but potentially the most dangerous type, since it hijacks not data but anything connected to the Internet: thermostats, lights, electronic locks and, in theory, even cars. A widely reported RoT case occurred in an Austrian hotel in 2017, where the electronic key-card system was locked so that new room keys could not be issued until the management paid the ransom in bitcoin.
Pandemic: as of December 2018 there had been two "pandemic" ransomware, so called because they spread worldwide like a pandemic. Both were built on cyber weapons of the US National Security Agency (NSA) leaked by the Shadow Brokers group, in particular the EternalBlue exploit for a Windows SMB vulnerability (MS17-010). Because they exploited the vulnerability over the network, victims did not even need to download anything for their computers to be infected.
These ransomware were WannaCry and NotPetya, which affected hundreds of thousands of computers around the globe, including those of companies and organizations such as FedEx, Disney, Telefónica, the British National Health Service (NHS), Merck and Maersk. Both caused millions in losses and NotPetya, in addition, turned out to be a full-disk wiper in disguise: paying its "ransom" could not recover the data.
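As an added example (not from the original article or any product it names), the check below flags the two artifacts the file-encrypting type leaves behind: a ransom note with a telltale name, and ordinary documents whose contents have become uniformly random and which carry an extra extension. Shannon entropy separates ciphertext from normal files: text and office documents sit far below 7.5 bits per byte, while encrypted data is close to 8. The thresholds, name lists and the sample "disk" are constructed assumptions for the example.

```python
import math
import os
import random
from collections import Counter

# Thresholds and name lists are assumptions chosen for this example.
ENTROPY_ENCRYPTED = 7.5   # bits per byte; text, office files and code sit well below this
ALREADY_DENSE = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".pdf"}
NOTE_WORDS = ("readme", "how_to_decrypt", "restore", "recover", "decrypt")
NOTE_EXTS = {".txt", ".html", ".hta"}


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 8.0 is uniformly random, as ciphertext is."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(name, data):
    """Return a reason if the file looks like ransomware output, otherwise None."""
    base, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(base)[1]  # "report.docx.locked" -> ".docx"
    if ext in NOTE_EXTS and any(word in base for word in NOTE_WORDS):
        return "possible ransom note"
    # A document extension with a second, unfamiliar extension appended is the
    # pattern described above; confirm with entropy so a mere rename is not flagged.
    if inner_ext and ext != inner_ext and ext not in ALREADY_DENSE:
        if shannon_entropy(data) >= ENTROPY_ENCRYPTED:
            return f"high-entropy {inner_ext} file renamed to {ext}"
    return None


def scan(files):
    """files: mapping of file name -> content bytes. Returns {name: reason} for suspects."""
    suspects = {}
    for name, data in files.items():
        reason = classify_file(name, data)
        if reason:
            suspects[name] = reason
    return suspects


# Constructed sample "disk" (not real data): a normal text file, a ransom note,
# a document whose bytes were replaced by pseudo-random data and renamed, and a
# legitimately dense image file that must not be flagged.
_rng = random.Random(7)
CONSTRUCTED_DISK = {
    "notes.txt": b"Quarterly numbers look fine, send them to finance.\n" * 40,
    "HOW_TO_DECRYPT_FILES.txt": b"All your files are encrypted. Pay 0.5 BTC to ...",
    "report.docx.locked": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "photo.jpg": bytes(_rng.getrandbits(8) for _ in range(4096)),
}

if __name__ == "__main__":
    for name, reason in scan(CONSTRUCTED_DISK).items():
        print(f"{name}: {reason}")
```

Run against a real directory, the same logic is most useful on the write path of a file server or a backup job: a burst of high-entropy renames within minutes is the moment to cut the infected host off, before the backup itself is overwritten.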
The growth of ransomware
Over time, the sophistication of ransomware has increased. Moreover, according to the firm Chainalysis more than $600 million (USD) in ransomware payments were recorded in 2021. In the coming years, many more attacks are expected to target especially businesses and organizations, asking for ransoms exceeding $10,000 in cryptocurrencies.
Tips to avoid ransomware attacks
In any case, ransomware is far from disappearing. To combat it, take these measures into account:
- Always keep backups of all your information offline, on external drives or memory sticks that are disconnected from the source device once the backup is done; a backup that stays mounted will simply be encrypted along with everything else.
- Keep the operating system, applications and the firmware of all smart devices up to date so as not to leave known vulnerabilities open.
- Make sure your firewall blocks the default Remote Desktop Protocol (RDP) port, TCP 3389, from the Internet, since exposed RDP services are a common way in for ransomware operators.
- Paying the ransom is not recommended in any case: there is no certainty that the files will be recovered, and payment funds further attacks. Contact the police unit in charge of cybercrime in your region or an incident-response professional.
- Many ransomware families can already be decrypted without contacting the attacker. Tools for several variants are available on the No More Ransom site, in several languages.
3 Keyloggers
What is a keylogger?
Keyloggers (short for "keystroke loggers") are a type of technology that records every keystroke made on a given keyboard, physical or on-screen, on desktop or mobile.
Some keyloggers also record clicks, screenshots, audio and video. Used unethically, they can capture anything from private conversations to credentials and passwords.
Types of keyloggers
There are two types of keylogger, and only one of them can be operated entirely remotely.
The remote one is a software keylogger: a program, usually made of a capture component that hooks the keyboard and a log file where keystrokes are stored, both installed on the affected computer, which sends the accumulated log to its operator from time to time.
The operator, of course, can be an attacker who has spread the malware through phishing, unofficial programs, browser extensions for cryptocurrency trading, or even legitimate websites that have been compromised.
The other type is a hardware keylogger: a device connected to the computer or directly to the keyboard. It can be an inline adapter between the keyboard cable and the PC, a USB dongle, or a small module with its own memory fitted inside the keyboard itself.
To read what it captured, the attacker has to physically recover the device, which is why such cases are rarely reported in the cryptocurrency ecosystem. It is nevertheless perfectly possible to capture private keys and passwords this way.
Beware of keylogger misuse
Keyloggers were not designed as malware: they have legitimate uses, from workplace monitoring to studying human-computer interaction. But, as with mining, attackers can turn them to their own gain, and with them it is very easy to steal usernames, passwords, seed phrases and private keys for cryptocurrency wallets.
Tips to avoid keyloggers
To guard against this method you can apply the following:
- Antivirus and antispyware programs can miss malicious keyloggers, mistaking them for legitimate applications. For this reason there are specific programs for detecting and removing this malware, anti-keyloggers; it is advisable to get one and run it on your computer.
- On a trusted device you can store credentials in a password manager (or the browser's password store) and let it fill them in instead of typing them each time, so there are no keystrokes to capture. Bear in mind that malware with full access to the machine can often read the browser's stored passwords too, so this protects against keylogging, not against every infection.
- Functions such as User Account Control (UAC), present in Windows since Vista, should be kept enabled, so that no program can be installed without explicit permission from the administrator.
- Another option is one-time passwords (OTP), valid for a single login: a captured code is useless a few seconds later. Authenticator apps generate them, and many sites, Facebook among them, offer this form of login.
- Hardware keyloggers can only be found by physically inspecting the cable, ports and keyboard.
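To make the one-time-password point concrete, here is an added example (not code from the original article) of the time-based OTP scheme authenticator apps use, RFC 4226 HOTP and RFC 6238 TOTP, implemented with the Python standard library. It uses the RFC's published test secret, so the codes it prints can be checked against the RFC tables; the `verify` function is the server-side half and is an assumption about typical practice (a small drift window, constant-time comparison), not any particular site's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def totp_from_base32(b32_secret, at=None):
    """Authenticator apps store the shared secret as Base32 (what the enrolment QR code carries)."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return totp(base64.b32decode(padded), at)


def verify(secret, code, at, step=30, window=1):
    """Server-side check (assumed typical practice): accept the current period and
    `window` periods either side for clock drift, comparing in constant time so
    the response timing leaks nothing about the expected code."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-window, window + 1))


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                # 755224: RFC 4226 Appendix D, count 0
    print(totp(RFC_SECRET, at=59))            # 287082: period 1 (59 // 30) of the RFC 6238 vectors
    print(verify(RFC_SECRET, "287082", at=59))
    print(verify(RFC_SECRET, "287082", at=59 + 120))  # stale: a logged code is useless later
```

The last line is the defensive point: a keylogger that captures "287082" has captured a value the server stops accepting a minute or two later, whereas a captured static password is good until it is changed. The secret itself never crosses the keyboard, only the derived code does.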
4 Malware RAT (Remote Access Trojan)
Remote Access Trojans (RATs) are programs that install themselves on the computer, usually disguised as other software, and open a "backdoor" that bypasses the system's security so the attacker can control it remotely.
Since a RAT typically runs with the user's (or the administrator's) privileges, the attacker can install new programs (such as keyloggers), access all stored information (including credentials and passwords), activate the camera, take screenshots, modify files and even wipe the disk. In other words, it is as if they were sitting in front of the PC.
A RAT always seeks to cause as few symptoms as possible, using minimal resources so as not to give away its activity. The same applies to how it arrives: the user may download any application, such as a game, without knowing that it comes bundled with malware that installs in the background, without their consent. Files distributed through certain Telegram bots have also been found to carry RATs.
In the cryptocurrency ecosystem, the "baits" are usually unofficial trading apps or other software related to cryptocurrencies.
Tips to avoid a RAT
While RATs are not as widespread as cryptojacking and ransomware, they are arguably more dangerous, since they can remotely hijack almost every function of the infected device. To guard against them, we recommend:
- Block any ports you are not using and disable services that need Internet access while you are not using them.
- Monitor your network traffic. Operating-system tools (such as netstat) and host firewalls with logging can show you the connections made, including time, duration, port and program, which makes it possible to spot an intruder: a RAT has to contact its operator's server, and it usually does so on a regular schedule.
- Before downloading any application related to cryptocurrencies, look for reviews and reports about it, and find out which is its official website or the safest way to obtain it.
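The "regular schedule" in the traffic-monitoring tip is the detection hook, and the added example below (not from the original article) shows it working on a constructed connection log: a RAT checking in with its command server every 30 seconds has almost no variance between connections, whereas browser traffic is bursty. The log format, program names, IP addresses (documentation ranges) and thresholds are all assumptions for the example; a real run would parse your firewall's or netstat's output instead.

```python
import statistics
from datetime import datetime

# Constructed outbound-connection log (not a real capture). The format is an
# assumption: one line per connection as a host firewall or netstat-based
# logger might write it.
CONSTRUCTED_LOG = """\
2022-08-01T10:00:00 pid=4120 prog=browser.exe dst=203.0.113.10:443
2022-08-01T10:00:12 pid=4120 prog=browser.exe dst=203.0.113.44:443
2022-08-01T10:00:30 pid=7733 prog=svch0st.exe dst=198.51.100.7:4444
2022-08-01T10:01:00 pid=7733 prog=svch0st.exe dst=198.51.100.7:4444
2022-08-01T10:01:30 pid=7733 prog=svch0st.exe dst=198.51.100.7:4444
2022-08-01T10:02:00 pid=7733 prog=svch0st.exe dst=198.51.100.7:4444
2022-08-01T10:02:31 pid=7733 prog=svch0st.exe dst=198.51.100.7:4444
2022-08-01T10:03:45 pid=4120 prog=browser.exe dst=203.0.113.10:443
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        row = dict(field.split("=", 1) for field in fields)
        row["ts"] = datetime.fromisoformat(stamp)
        rows.append(row)
    return rows


def find_beacons(rows, min_connections=4, max_jitter=0.2):
    """Group connections by (program, destination) and flag groups whose
    inter-connection gaps are nearly constant: a RAT polling its command server
    on a timer looks like this, while human-driven traffic is bursty."""
    by_key = {}
    for row in rows:
        by_key.setdefault((row["prog"], row["dst"]), []).append(row["ts"])
    beacons = []
    for (prog, dst), stamps in by_key.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean  # coefficient of variation
        if jitter <= max_jitter:
            beacons.append({"prog": prog, "dst": dst, "period_s": mean,
                            "jitter": jitter, "connections": len(stamps)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(CONSTRUCTED_LOG)):
        print(f"{b['prog']} -> {b['dst']}: every {b['period_s']:.1f}s "
              f"({b['connections']} connections, jitter {b['jitter']:.2%})")
```

Two further signals in the flagged row would catch a reviewer's eye even without the timing: a process name that imitates a Windows system binary, and a destination port with no legitimate service behind it. Real RATs add random jitter to their sleep time precisely to defeat this kind of check, which is why `max_jitter` is a tunable rather than a constant.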
5 Clipboard hijackers
This is a type of malicious software designed to steal or modify the information we copy to the clipboard.
This class of malware has existed since the early 2000s, although its adaptation to the cryptocurrency world differs from its predecessors. It is usually spread through fake update prompts and bundled downloads.
Once the victim falls into the trap, the malware installs itself and takes control of the clipboard (where data is held between copy and paste). Older variants blocked further copying until the computer was restarted, or replaced the content with a link to a malicious website.
The best-known clipboard hijacker in the cryptocurrency ecosystem is the CryptoShuffler Trojan, described by Kaspersky Lab at the end of 2017. It disguises itself as a seemingly harmless program that the victim downloads without knowing its true nature.
Once on the computer it also hooks the clipboard, but with very specific replacement instructions: instead of leaving links or blocking new data, CryptoShuffler detects when a cryptocurrency wallet address (a rather characteristic alphanumeric string) is copied and silently replaces it with one belonging to the attacker, so that the unsuspecting user sends funds there instead of to the intended recipient.
The address formats it can detect include those of Bitcoin, Ethereum, Zcash, Monero and Dash. Such malware carries a list of attacker-controlled addresses to swap in, typically hundreds of thousands of them, and some variants pick one whose first characters resemble the copied address so that a quick glance does not reveal the swap; Bleeping Computer found one sample in mid-2018 carrying more than 2.3 million addresses.
Thousands of dollars in bitcoins stolen
Because the vast majority of crypto-users do, in fact, copy and paste wallet addresses when making any transaction, hackers have been able to steal thousands of dollars with this method. By 2017 the figures amounted to more than 23 bitcoins. Therefore, it is necessary to take precautions.
Tips to avoid clipboard hijacking
Check that your antivirus includes detection of CryptoShuffler and other clipboard hijackers.
Before sending any funds, verify the destination address in full, not just its first characters: compare it character by character with the source, or scan the recipient's QR code instead of copying and pasting.
This malware produces no symptoms on your computer, so it is hard to notice. Even with an active antivirus, pay attention whenever you handle your wallets.
Alleged All-Radio 4.27 Portable program, the carrier of a malware package that included the massive clipboard hijacker. Source: Bleeping Computer.
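As an added example (not code from the original article, and not derived from any malware sample), the snippet below reproduces the two halves of the clipboard-hijacking story just described: the swapper's logic of recognising an address by its shape and substituting a lookalike, and the user-side check that catches it. The address patterns are simplified assumptions, and every address in it is made up for the example.

```python
import re

# Address shapes the swapper keys on. The patterns are simplified assumptions for
# this example (real Base58Check, bech32 and hex formats also carry checksums).
PATTERNS = {
    "BTC": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,60})\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def detect_address(text):
    """Return (coin, address) if the text contains something shaped like a wallet address."""
    for coin, pattern in PATTERNS.items():
        match = pattern.search(text)
        if match:
            return coin, match.group(0)
    return None


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def pick_lookalike(victim_address, pool):
    """Choose the attacker address sharing the longest prefix with the copied one,
    so that a glance at the first characters does not reveal the swap."""
    return max(pool, key=lambda candidate: common_prefix_len(victim_address, candidate))


def hijack(clipboard, attacker_pool):
    """What a CryptoShuffler-style Trojan does on every clipboard change."""
    found = detect_address(clipboard)
    if not found:
        return clipboard
    coin, address = found
    return clipboard.replace(address, pick_lookalike(address, attacker_pool[coin]))


def glance_check(intended, pasted, chars=4):
    """The hurried user's check: only the first few characters."""
    return pasted[:chars] == intended[:chars]


def full_check(intended, pasted):
    """The check that actually catches the swap: the whole string, character by character."""
    return intended == pasted


# Constructed addresses (made up for the example, not real or funded):
VICTIM_BTC = "1Kz3QpPdW7yHe2s6vRn4bLcM9tXfGq8uEa"
VICTIM_ETH = "0xabcdef0123456789abcdef0123456789abcdef01"
ATTACKER_POOL = {
    "BTC": ["1Fm6tRkH2eYq9xVp5nLwC3aZjDsB7gMuNk", "1Kz3QpX8f7ZrTm2v9sNcBwLdYhGjUe4aFz"],
    "ETH": ["0xabcdef01aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa02"],
}

if __name__ == "__main__":
    pasted = hijack(VICTIM_BTC, ATTACKER_POOL)
    print("copied :", VICTIM_BTC)
    print("pasted :", pasted)
    print("glance check passes:", glance_check(VICTIM_BTC, pasted))
    print("full check passes  :", full_check(VICTIM_BTC, pasted))
```

Note what the checksum built into real address formats does not do here: the attacker's address is a perfectly valid address, so the wallet accepts it without complaint. Only comparing against the address you were actually given, or scanning it from a QR code that never touches the clipboard, detects the substitution.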
6 Hacking of cryptocurrency exchanges
Cryptocurrency exchanges around the globe are among the favorite targets of malicious hackers: they concentrate a large amount of funds in one place and, in many cases, their security is weak.
Once you send your funds there, they are no longer entirely yours: the company behind the platform holds the private keys and manages your coins together with those of every other customer. The security of those funds depends on the company (not on you), and it has been shown on numerous occasions that very skilled attackers go after them.
The case of Mt. Gox, which in 2014 was the cryptocurrency exchange with the highest exchange volume worldwide, laid the groundwork for subsequent major thefts. In February of that year, 850,000 BTC were stolen from its platform. The company filed for bankruptcy and, even as of August 2022, the affected users have not recovered their funds.
More than USD 2 billion stolen in exchanges by 2022
Cases as bad as Mt. Gox or worse have occurred in the following years, even at the largest exchanges. The firm Atlas VPN estimated that hackers stole about USD 2 billion worth of cryptocurrencies from exchanges in the first half of 2022 alone. The Ethereum ecosystem suffered the most attacks so far in 2022, with losses exceeding USD 1 billion across 32 incidents. When using exchanges, therefore, great caution should be exercised.
Tips to avoid losing your cryptocurrencies on exchanges
Exchanges are not wallets. Do not leave your funds stored there for long: a custodial balance is only a promise from the company.
Prefer officially regulated exchanges. In case of theft, a regulated company may be legally obliged to compensate customers, something an unregulated one can simply ignore.
7 WiFi access
As of December 2018, several security flaws had been found in the first two versions of the Wi-Fi Protected Access (WPA) protocol, used by the vast majority of Internet users to connect through their routers. Perhaps the most pressing is the one behind the KRACK attack, published in 2017 against WPA2.
This attack lets a nearby attacker decrypt the victim's Wi-Fi traffic and, depending on the configuration, inject packets into it. Whatever is not protected by a further layer of encryption, such as HTTPS, is exposed: plain-HTTP pages, some email and app traffic, and anything typed into an unencrypted form. Where injection is possible, the attacker can also tamper with downloads to deliver malware such as ransomware.
This is primarily a proximity attack: the victim must connect through a vulnerable network within radio range of the attacker. This is why public Wi-Fi in places such as restaurants, hotels and airports is especially risky.
Towards the WiFi of the Internet of Things (IoT)
WiFi, as you might guess, is almost literally used by everyone. The increase in the daily use of WiFi devices and people’s dependence on them has made them a necessity. New advanced connectivity scenarios now also include the Internet of Things (IoT). According to IoT Analytics, the total number of IoT devices in operation (all standards) is expected to reach more than 17 billion by the end of 2022 and around 27 billion by 2025.
Tips to prevent unauthorized WiFi access
WPA3 is the latest security protocol for Wi-Fi connections. It appeared at the end of 2018 and many devices are still in the process of upgrading; right now you are most likely browsing over a WPA2 connection. Several precautions are therefore needed when using Wi-Fi, not only in public but also at home.
Never use public networks for financial transactions of any kind. If possible, do not connect to them at all.
Update your router's firmware, and periodically check your vendor's official website for updates for your model; the KRACK fix is a software patch for clients and access points.
Find out whether your hardware can be upgraded to WPA3. If not, consider replacing it.
Use a VPN (virtual private network) to add an encrypted tunnel on top of the wireless link, so the Wi-Fi layer is no longer the only protection.
If your Wi-Fi is not WPA3, prefer mobile data (on cell phones) or a wired connection for sensitive operations.
Using a hardware wallet, which keeps the private keys on a device that never exposes them to the network, protects you from this and many other problems: even on a hostile network, an attacker can see a transaction but cannot sign one.
8 DNS hijacking
The Domain Name System (DNS) is responsible for “translating” the domain names, i.e. the unique names that characterize each website, into the numerical identifiers associated with the computers or servers connected to the network (IP addresses). In this sense, it is like a telephone directory, but on the Internet, where web pages are located because their name is associated with a number.
DNS hijacking occurs when an attacker arranges for the lookup of a domain name to return the wrong IP address, redirecting victims to a different site than the one they intended to visit, usually for malicious purposes. There are several ways to do it: malware on the victim's computer that changes its DNS settings or hosts file, interception of lookups on an insecure network, or compromise of the domain's own DNS records at its registrar or DNS provider.
So, whereas in simple phishing the URL can never be identical, here the URL is correct but the website is not.
Be careful with replicas
When the attack is targeted at a specific website, the attackers replicate it in detail to deceive users, who may enter credentials and private keys there and hand them to the malicious party. This is what happened in April 2018, when attackers rerouted traffic for the DNS servers serving MyEtherWallet.com (through a BGP hijack of Amazon's Route 53 service) to a cloned site; several users reported losses in the thousands of dollars, even though the clone's certificate was invalid and browsers showed a warning that the victims clicked through. Although less common than other attacks, a single DNS-hijacking malware, DNSChanger, had affected more than 4 million computers by 2011 and earned its operators USD 14 million from fraudulent advertising.
Tips to avoid DNS hijacking
In the cryptocurrency world, attackers use DNS hijacking as a more sophisticated alternative to simple phishing, since it is much harder for an ordinary user to detect. To avoid becoming a victim, keep the following in mind:
- Besides the URL, pay attention to the site's TLS certificate (often still called an SSL certificate), which is what the padlock next to the address stands for. It proves that the server holds a certificate issued for that name and that the connection is encrypted. A hijacked lookup leads to a server that does not have the real site's certificate, so the browser will show a warning or, at best, a certificate for a different name. If the padlock is missing or your browser warns about the certificate, leave the page immediately and check the service's official channels for news.
- A VPN can help when the hijack is on your local network or router, since the lookups travel through the VPN provider's resolvers instead. It does not help when the domain's own DNS records have been compromised, because every resolver then returns the wrong answer.
- Avoid web-based wallets: prefer wallets you install on your device, which do not depend on a domain name resolving correctly each time you use them.
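The following is an added example (not code from the original article) of how the three hijack routes listed above show up on a client machine, and of the certificate name check the browser performs: a rogue resolver in the DNS configuration, a poisoned hosts file, a lookup answer that differs from the one you expect, and a server that presents a certificate for some other name. The trusted resolvers, the pinned answer, the domain's "expected" IP (taken from a documentation range, not the real site's) and all the input files are constructed assumptions for the example.

```python
import ipaddress

# Expected state for this machine. All values are assumptions for the example:
# resolvers you configured yourself, and an expected answer for a domain you
# care about (the IP is from a documentation range, not the real site's).
TRUSTED_RESOLVERS = {"192.0.2.53", "1.1.1.1", "9.9.9.9"}
PINNED_ANSWERS = {"myetherwallet.com": {"198.51.100.20"}}


def parse_resolvers(resolv_conf):
    """Nameserver addresses from a resolv.conf-style file."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "nameserver" and len(parts) > 1:
            servers.append(parts[1])
    return servers


def parse_hosts(hosts_file):
    """(ip, [names]) pairs from a hosts file, ignoring comments and blank lines."""
    entries = []
    for line in hosts_file.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def hostname_matches(hostname, subject_alt_names):
    """Browser-style name check: the site name must be covered by one of the
    certificate's Subject Alternative Names; a wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for san in subject_alt_names:
        san = san.lower()
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False


def audit(resolv_conf, hosts_file, observed_answers, cert_sans_by_host):
    """Collect indicators of DNS hijacking from local configuration, the answers a
    lookup actually returned, and the certificate the contacted server presented."""
    findings = []
    for ns in parse_resolvers(resolv_conf):
        if ns not in TRUSTED_RESOLVERS:
            findings.append(f"unexpected resolver {ns} (DNSChanger-style modification?)")
    for ip, names in parse_hosts(hosts_file):
        if ipaddress.ip_address(ip).is_loopback:
            continue  # localhost entries are normal
        for name in names:
            findings.append(f"hosts file forces {name} -> {ip}")
    for name, expected in PINNED_ANSWERS.items():
        got = observed_answers.get(name, set())
        if got and not (got & expected):
            findings.append(f"{name} resolved to {sorted(got)}, expected {sorted(expected)}")
        sans = cert_sans_by_host.get(name)
        if sans is not None and not hostname_matches(name, sans):
            findings.append(f"server for {name} presented a certificate for {sans}")
    return findings


# Constructed inputs: configuration after a rogue resolver was added and the
# hosts file was poisoned, a lookup that returned the rogue address, and the
# certificate the rogue server presented (it cannot obtain one for the real name).
RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 203.0.113.99
nameserver 192.0.2.53
"""
HOSTS_FILE = """\
127.0.0.1   localhost
::1         localhost
203.0.113.7 myetherwallet.com www.myetherwallet.com   # added by malware
"""
OBSERVED = {"myetherwallet.com": {"203.0.113.7"}}
CERT_SANS = {"myetherwallet.com": ["clone.example.net", "*.example.net"]}

if __name__ == "__main__":
    for finding in audit(RESOLV_CONF, HOSTS_FILE, OBSERVED, CERT_SANS):
        print("WARNING:", finding)
```

The certificate check is the one that survives every variant of the attack, including a compromise of the domain's own records, which is why the browser's warning should never be clicked through on a site where you are about to enter a key. Pinning an expected IP, as `PINNED_ANSWERS` does, only works for services whose addresses you know to be stable.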
9 Bugs in smart contracts
Smart contracts, one of the main offerings in the ecosystem, are a type of software that is written and programmed to perform a given task or series of tasks on a blockchain, according to previously entered instructions.
They can thus be contracts that execute automatically, useful for all kinds of applications. Although the task can be anything, most smart contracts hold funds in cryptocurrencies, which makes them attractive to attackers.
The most popular platform for smart contract development is Ethereum, which has its own programming language specially designed for creating these virtual tools – Solidity.
Ethereum logo. Source: Ethereum Project
Solidity is a relatively new language, dating from 2014, and smart contracts differ from ordinary software in two ways that make bugs far costlier: once deployed they are usually immutable, and they hold funds directly, so any flaw in their logic can be exploited by anyone on the network. Contracts written in other languages can be vulnerable too.
The first major incident of this kind happened in June 2016, with Slock.it’s DAO project, up to that point, holder of the highest-grossing Initial Coin Offering (ICO).
A vulnerability that had already been pointed out publicly, a recursive-call (reentrancy) flaw in the withdrawal logic, was finally exploited, draining 3.6 million ether from the contract, about USD 60 million at the time. This unprecedented event caused panic in the community and a major schism that ended with the creation of Ethereum Classic.
After the DAO event, smart contract hacks have become common news in recent years. These are mostly used in decentralized finance protocols (DeFi); and in DApps, decentralized applications on the blockchain, ranging from betting platforms and wallets to storage media and games.
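Since the DAO flaw is the canonical smart-contract bug, here is an added example (not code from the original article, the DAO, or any real contract) that models it in plain Python rather than Solidity: a "bank" that pays out before zeroing the caller's balance, an attacker whose receive hook calls withdraw again while the balance is still credited, and the fixed version that applies the checks-effects-interactions rule. The amounts, class names and the simplified revert model are assumptions for the simulation.

```python
class Reverted(Exception):
    """Stands in for an EVM revert: the call fails and its effects are undone."""


class VulnerableBank:
    """Pays out before updating the balance (interaction before effect), so the
    recipient's fallback code can call withdraw() again while its balance is
    still credited. This is the pattern behind the DAO drain."""

    def __init__(self):
        self.balances = {}
        self.funds = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            raise Reverted("nothing to withdraw")
        self.funds -= amount
        who.receive(self, amount)      # external call; the callee runs here
        self.balances[who] = 0         # effect applied too late


class SafeBank(VulnerableBank):
    """Checks-effects-interactions: zero the balance first, then pay."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            raise Reverted("nothing to withdraw")
        self.balances[who] = 0         # effect first
        self.funds -= amount
        who.receive(self, amount)      # interaction last; re-entry now sees 0


class Honest:
    def __init__(self):
        self.received = 0

    def receive(self, bank, amount):
        self.received += amount


class Attacker:
    """Its receive hook (the contract's fallback function) re-enters withdraw()
    until the bank is empty, swallowing a revert the way a low-level call would."""

    def __init__(self):
        self.received = 0

    def receive(self, bank, amount):
        self.received += amount
        if bank.funds >= amount:
            try:
                bank.withdraw(self)
            except Reverted:
                pass


def simulate(bank_cls):
    """Honest user deposits 9, attacker deposits 1, attacker withdraws.
    Returns (what the attacker got, what is left in the bank)."""
    bank = bank_cls()
    honest, attacker = Honest(), Attacker()
    bank.deposit(honest, 9)
    bank.deposit(attacker, 1)
    bank.withdraw(attacker)
    return attacker.received, bank.funds


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableBank))   # (10, 0): everything drained
    print("safe      :", simulate(SafeBank))         # (1, 9): only its own deposit
```

The fix is a reordering of two lines, which is why this class of bug survives review so easily: both versions behave identically for every honest caller, and only a caller that executes code when paid exposes the difference. Audits and reentrancy guards exist for exactly this reason.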
Growing threats to smart contracts
In early 2022, David Tarditi, vice president of engineering at CertiK, a blockchain security firm, explained the main threats facing Ethereum smart contracts and other blockchains. The proliferation of DeFi has led to these platforms being the target of numerous attacks by hackers over the past two years. More than USD 1.3 billion was lost in 2021 by exploiting vulnerabilities in the contracts.
Tips to avoid smart contract failures
Flaws in a smart contract's code are often not discovered until it is too late. With this in mind:
- If you are going to use a DApp, read as much as you can about it. Many publish documentation (such as a white paper), state what their security measures are, and say whether their contracts have been audited.
- Follow the official channels of the project and of the blockchain it runs on, to hear about incidents quickly.
- If you want to create a smart contract from scratch, have it written by an experienced developer and audited before it holds real funds.
10 In closing
Although, as we have seen, attackers have developed numerous tricks, storing and handling cryptocurrencies should pose no problem for a user who knows which security measures to take and which pitfalls to avoid.
Cryptocurrency funds live on the blockchain, which means you can reach them from anywhere at any time. Access to them is another matter: it is your private key, and it is held only by you, unless you have left it in the hands of an exchange (whose account gives you a username and password, but not the key itself).
That is why protecting that access is essential, and for the most part it depends only on you. In addition to all the measures mentioned, the best option is probably to keep the key as far from the Internet as possible.
Hardware wallets and paper wallets offer this, and some exchanges also offer a "vault" service in which they keep customers' private keys offline, in physical vaults.