‘Crypto’ crime declines? Hackers, North Korea disagree

Overall, ‘crypto’ crime may be on the decline, but certain criminals are making out like bandits, particularly those from North Korea.

Last month, blockchain data analysts Chainalysis released two summaries of its most recent crypto crime mid-year update, showing a mixed bag on how criminals continue to utilize blockchain technology to further their illicit aims. The first summary showed that while overall crime activity dropped by nearly 20%, ransomware and hacking significantly increased.

Chainalysis said aggregate illicit activity over the first half of 2024 had fallen by 19.6% year-on-year to $16.7 billion. However, the figures are “lower bound estimates based on inflows to illicit addresses we’ve identified today” and “will almost certainly be higher” as Chainalysis identifies more addresses definitively associated with criminality.

While the (temporary) decline is encouraging, the sum of funds stolen in crypto heists in H1-2024 rose to $1.58 billion from $857 million last year, despite the total number of hacking incidents increasing only 2.76% year-on-year. The dollar-value surge was blamed on the fiat value of tokens rising from H1-2023, a period in which the entire digital asset sector was still recovering from the onset of ‘crypto winter’ in mid-2022.

The single largest hack so far this year—the $305 million stolen from Japan’s DMM exchange in May—shows hackers are increasingly targeting centralized exchanges, a switch from recent years in which decentralized finance (DeFi) protocols were the primary targets. Chainalysis claims this shift is likely due to the year-on-year increase in value of the BTC token, which doesn’t trade on DeFi exchanges.

Ransomware payments totaled $459.8 million through the end of June, slightly ahead of the $449.1 million paid at the same point last year. This is partly due to individual ransomware payments setting new records, led by the $75 million paid by an unidentified victim to the Dark Angels group. That sum was nearly twice the largest payment in 2023 and 335% higher than 2022’s largest payment.

Ransomware attacks are also increasing in frequency, rising 10% year-on-year. However, victims are increasingly refusing to pay up, with ‘payment events’ falling 27.3%, suggesting that entities/individuals are getting better at mitigating the fallout from such incidents.

The second summary dealt with other types of crypto crimes, including child sex abuse material (CSAM) networks, ‘pig butchering,’ and other scams, as well as an update on Cambodia’s sketchy Huione Guarantee digital marketplace.

There’s been an increase in the number of China-based CSAM vendors accepting digital assets as payment, with inflows to these sites hitting nearly 39% of the global total this spring. ‘Customers’ of these vendors can choose subscription rates ranging from a single day to 20,000 days (over 54 years, basically a lifetime subscription).

In terms of scam operators, shorter-duration scams are all the rage, with the average number of days a scam is active falling from 271 in 2020 to just 42 in 2024. So far this year, 43% of scam inflows have gone to wallets that were only activated this year, significantly greater than the previous high of 30% of newly activated wallets in 2022.

As for Huione, Chainalysis claims the peer-to-peer marketplace has processed over $49 billion in digital asset transactions since 2021, although not all of that volume is necessarily the result of illicit activity. The overwhelming majority of these transactions ($47 billion) were conducted via the Tron network run by  Justin Sun. Previous reporting from Elliptic showed the Tether (USDT) stablecoin was the preferred currency on Huione.

Fun with numbers

Other reports paint an equally dire picture of the state of crypto crime in 2024. Immunefi says crooks pulled off 154 individual hacks and rug pulls this year, netting over $1.2 billion in the process. That represents a 15.5% increase over the same period last year, driven by the DMM hack and a similar attack on India’s WazirX exchange, the latter resulting in the loss of $230 million in customer funds.

Immunefi said nearly $15.1 million of that YTD total occurred in August, $12 million of which was stolen from the troubled Ronin Network. But much depends on how one classifies a ‘hack.’ Blockchain security firm PeckShield said hackers made off nearly $313.4 million in August, $293.4 million of that coming from two separate phishing attacks.

Yet another blockchain sleuth, Scam Sniffer, claimed that $63 million was lost to phishing attacks in August, including one truly unfortunate individual who lost $55.4 million in DAI, an Ethereum-based stablecoin, after mistakenly signing a transaction changing the ownership in the Maker DeFi protocol.

Kim from IT wants a word

Even more elaborate scams are being perpetrated by North Korean agents, who have been stealing billions’ worth of digital assets to help keep the country’s stagnant economy alive. The Lazarus Group, APT38, and others have employed a variety of techniques, including hacking, phishing, and malware, but not everybody in the digital asset space seems sufficiently aware of the threat.

On September 3, the U.S. Federal Bureau of Investigation (FBI) issued an alert titled North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks. The alert warned of “highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (DeFi), cryptocurrency, and similar businesses to deploy malware and steal company cryptocurrency.”

The FBI illustrated some of the social engineering tactics employed by North Korea, including specifically tailored “offers of new employment or corporate investment,” often utilizing “details a victim may believe are known to few others.”

The bad actors “routinely impersonate a range of individuals, including contacts a victim may know personally or indirectly.” The perpetrator may also use “fake images of time sensitive events to induce immediate action from intended victims.”

The FBI offered several tips that potential marks can use to reduce the likelihood of falling for one of these attacks, but it doesn’t help when Americans are helping North Koreans disguise their tracks.

Last month, the Department of Justice (DoJ) arrested a Nashville man who’d been taking money to run a ‘laptop farm’ that made it appear that North Korean IT workers’ IP addresses were based stateside.

There’s no indication that the North Koreans were doing anything other than working illegally and generating hard currency for the regime, but the companies who’d fallen for this ruse were required to conduct expensive forensic audits to ensure their systems hadn’t been compromised.

That case followed an incident in July in which U.S.-based security vendor KnowBe4 unwittingly hired a North Korean hacker using a laptop farm setup. The hacker attempted to infect the company’s systems with malware but the company claimed to have caught on to the subterfuge before any damage was done.

No-armed bandits

Finally, crypto scams don’t just happen online. On September 3, the Federal Trade Commission (FTC) issued a report calling BTC-based ATMs (BTMs) “a payment portal for scammers.” Data compiled from the FTC’s Consumer Sentinel Network shows fraud losses at BTM increased nearly tenfold from 2020 to 2023 and topped $65 million in the first half of 2024, with a median loss of around $10,000.

The FTC notes that these figures are likely fractions of the real total due to most unreported frauds. Seniors are the most vulnerable targets of BTM-related scams, accounting for two-thirds of all the cash lost through reported BTM fraud losses. The scams often don’t involve ‘crypto’ at all, merely using the BTMs to transfer the cash quickly and irreversibly.

The scammers trick their victims into going to their bank to withdraw cash, which is then deposited into the BTM. The victim is told to scan a QR code at the machine, after which the deposited funds are transferred to the scammers’ digital wallet.

While the vast majority (82%) of all BTMs are based in the U.S., BTM shenanigans aren’t a purely American phenomenon. Last week, German authorities announced the seizure of 13 BTMs operating without the necessary permits. Financial authorities in the U.K. have effectively banished BTMs from their shores due to their role in facilitating scam operations.

Watch: Teranode and the Web3 world with edge-to-edge electronic value system