Crypto crime: how it happens and how it's defeated
With crypto crime rising, what safeguards are there against hackers after your coins?
- Crypto fraud hacking methods
- Fighting cryptocurrency crime
- Protection from crypto crime
- Wider crypto fraud
Cryptocurrency exchanges are increasingly being targeted by cybercriminals. This is because the criminals traditional victims – such as banking, retail and payment services – have ramped up their security measures to counter their activity, a report by analysts at the European-based company KuppingerCole says.
KuppingerCole’s research found that while the thieves’ former targets have become wise to attempted fraud, other sectors – including cryptocurrency, gaming, insurance, telecommunication, hospitality and travel firms, along with estate agents and healthcare and government welfare agencies – have become their preferred prey. The con men have learned that these institutions deal in monetary equivalents that can be hijacked.
Crypto fraud hacking methods
The report’s author, John Tolbert, said that there were two main types of fraud being carried out.
The first type is account takeover fraud, where fraudsters use hacked passwords, malware, trojan horses and credential stuffing – a process where stolen login details are put through an automated program to open up account details – to carry out unauthorised transactions.
The second type of fraud is new account fraud, also known as account opening fraud. This involves using either stolen identities or a collection of personal data to create a fake account based on a real person’s identity. These fake accounts are then used to take advantage of promotions and instant loans and potentially to move money around. While these schemes are not used exclusively for crypto crime, they are among the tools used by people who want to carry out cryptocurrency criminal activity.
In addition, cryptocurrency exchanges have to deal with other types of fraud, such as swapping mobile phone SIM card details; screen scraping, which captures data entered into web forms; and keyloggers, which record keystrokes made on a keyboard. But it is account takeover fraud and new account fraud that leave companies, exchanges and, crucially, customers at risk. Thankfully, there are ways of curtailing the activities of crypto crime perpetrators.
Fighting cryptocurrency crime
For instance, a cryptocurrency investigation that uncovers evidence of wrongdoing can use behavioural analysis to prevent it happening again. This looks at the type of accounts being compromised and who is doing the compromising.
The study also found that there were six things any potential anti-fraud service, or fraud reduction intelligence platform (FRIP), should do. These are:
- ID proofing. This means checking that the person using the account is who they say they are. This particular service tends to be localised, because more often than not it involves checking a government-approved form of ID. Most crypto exchanges today carry out various kinds of Know Your Customer checks to prevent not only fraud but also money laundering.
- Credential intelligence. This means that organisations should be aware of whether particular identities have been used fraudulently before. The paper suggests firms seeking to cut down on criminal activity should always ask themselves “is this credential known to have been recently compromised?” or “has this credential been used for fraud at other sites?”
- User behavioural analysis. This involves looking at how accounts behave and flagging up things that seem out of character, such as the time a transaction takes place or the location and IP address of the account making the request. For best results, behaviour needs to be monitored over a long period of time, however. The paper suggests that firms ask the following questions “is the requested amount and recipient typical of what this user has successfully transacted before?” and “does the request originate with similar environmental attributes as prior transaction requests?”
- Device intelligence. Being able to check whether something is being done on a different computer or smartphone to the one the account holder usually uses can be very helpful in stopping online cryptocurrency fraud.
- Behavioural biometrics. If companies can analyse things like how often a device is used, it can help stop crypto fraud. If crime is being carried out using a mobile phone app, anti-fraud algorithms can detect how the screen is being touched, including how much pressure is used, to flag up potential wrongdoing.
- Bot detection. Some systems are capable of differentiating between human users and bots, which helps them stop cryptocurrency criminal activity. “Solutions which can adequately identify bot-generated activities and present customer administrators with appropriate management options for proactively handling these kinds of activities” are considered as key FRIP criteria by Tolbert. This is particularly true where “Sessions suspected of being manipulated by bots can be handled differently than those believed to be initiated by real users.”
Protection from crypto crime
The report goes on to rank the world leaders in FRIPs. It argues that the two best companies for battling fraud are Transmit Security and ID Dataweb. Tolbert said the two businesses covered the six FRIP points in depth. Behind them were Biocatch, OneSpan and Experian. Experian was said to have “good features in all functional areas of FRIP minus credential intelligence”. Behind those companies were IBM, Broadcom, Arkose Labs, HID Global, Kaspersky and Outseer (RSA), which were all seen as handling certain aspects well, while Group-IB, Neustar, ThreatMark and Cleafy were identified as up-and-coming challenger brands that could potentially become the top names in the sector in the future.
The report also ranked the top innovators in the sector for combating the likes of cryptocurrency fraud. Tolbert said that the most innovative firms were ID Dataweb, BioCatch, and IBM. It praised IBM for its Trusteer program, which helps understand the relationship between devices and fraud. Tolbert ranked Arkose Labs just behind the top three, but praised its “easy-to-use bot deterrent CAPTCHAs”, which he said was “setting trends.” The paper also ranked Broadcom, Experian, Outseer (RSA), Neustar and IBM as market leaders.
Companies were rated according to five other criteria: security, functionality, interoperability, usability and deployment. The top-ranking service was ID Dataweb AXN, which earned “strong positive” badges in the first four categories and a “positive” badge for deployment. There was also a table for market position, ecosystem, financial strength and innovativeness, which was topped by IBM and Experian, who earned “strong positive” awards across all four categories.
Wider crypto fraud
It’s worth noting, however, that crypto exchange hackers are just some of the fraudsters who are targeting the world of cryptocurrency. For instance, the United States Federal Trade Commission recently reported that investors were lured into making bogus cryptocurrency investments worth more than $80m (£58.8m) between 1 October 2020 and 31 March 2021.
The report said almost 7,000 people had fallen victim to cryptocurrency fraud, with the average loss being $1,900. That represents a 12-fold increase in the number of people duped by cryptocurrency scams compared to the same period in 2020, with the amount of money stolen up more than tenfold.
Crypto is safe, but you need to remember to take the usual precautions, such as making sure no one has access to where you store your crypto. For more information, you can read about crypto scams and crypto crime, as well as tips for keeping your investment safe, here.
There’s no real answer to that from a security viewpoint. With any coin it’s a case of ensuring you do not fall for crypto scams and do all you can to protect yourself against cryptocurrency crime. Again, read here for more information.
As a general rule, offline wallets are safest. They are less likely to be targeted by hackers and should, in theory, have a password known only to yourself.