Europol – Internet Organized Cyber Crime Threat Assessment 2018: new trends in the obscure sides of FinTech – by Daniele Maria Barone

Europol's latest report on Internet Organized Cyber Crime (IOCTA 2018)[i] stresses, among other issues, the weak points that modern financial tools, together with a lack of either an up-to-date legal framework or cooperation among institutions and the private sector, bring to the cybercrime field.

The report highlights many sectors which are likely to become a target for criminal and terrorist purposes and depicts the latest developments in the misuse of cryptocurrencies at different levels: cybercrime in general (petty or organized crime), jihadist networks (local or international), and modern cryptocurrency-related cyber-threats.

Do Cybercriminals Still Prefer Bitcoin?

According to IOCTA 2018, even though Bitcoin has lost its majority share of the overall cryptocurrency market (Bitcoin enjoyed over 80% of the cryptocurrency market share, but by the start of 2017 this had dropped to less than 35%), it still remains the primary cryptocurrency encountered by law enforcement.

In particular, Bitcoin is still the most widely used cryptocurrency on Darknet illegal markets. According to Europol, even though law enforcement has taken down three major Darknet markets (i.e. AlphaBay, Hansa, and RAMP), a significant growth has been reported in both the number of small vendor shops (shops run by a single vendor) and secondary markets (i.e. non-English language markets) dedicated to a particular nationality or language group.

Nevertheless, Bitcoin is no longer able to provide as much anonymity as it did in the past. As demonstrated in 2014 by Philip and Diana Koshy, who were able to identify the IP addresses connected to more than 1000 Bitcoin addresses[ii], it is possible to find a breach in the wall of the partially anonymous Bitcoin transaction flow.[iii] Moreover, law enforcement has already proved able to track down and expose Bitcoin mixing services (i.e. services that protect the anonymity of transactions by mixing many users’ Bitcoin reserves with each other) used by criminals to launder money.

Furthermore, Bitcoin is built on Blockchain technology, where data flow between computers (called “nodes”) like gossip in a crowd, becoming immutable and unchangeably bound with each other. In these terms, even though Blockchain is structured to protect users’ real identity behind encryption codes, it also makes their entire financial history public information (and a public record)[iv]. Hence, from an investigative and monitoring perspective, catching a criminal just once committing a crime with Bitcoin makes it possible to uncover his whole criminal history.

This is likely to cause a significant shift of cybercriminals to more privacy-centric types of cryptocurrencies in the very near future[v].
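The traceability argument above, as an added example that is not taken from the IOCTA report or the original article: a simplified, constructed ledger and a walk that starts from one address identified in a single investigation and recovers the linked history. The addresses, the ledger layout and the co-spending heuristic (addresses spent together in one transaction are presumed to belong to one holder) are assumptions of the example.

```python
from collections import deque

# Constructed sample ledger (not real transactions). Each entry mimics the
# public record of one transfer: paying addresses and receiving addresses.
LEDGER = [
    {"txid": "t1", "inputs": ["addr_A"], "outputs": ["addr_B"]},
    {"txid": "t2", "inputs": ["addr_B", "addr_C"], "outputs": ["addr_D"]},
    {"txid": "t3", "inputs": ["addr_D"], "outputs": ["addr_E"]},
    {"txid": "t4", "inputs": ["addr_X"], "outputs": ["addr_Y"]},
    {"txid": "t5", "inputs": ["addr_F"], "outputs": ["addr_C"]},
]

def same_holder(ledger, start):
    """Addresses presumed to share an owner with `start` (co-spending)."""
    owned, queue = {start}, deque([start])
    while queue:
        addr = queue.popleft()
        for tx in ledger:
            if addr in tx["inputs"]:
                for other in tx["inputs"]:
                    if other not in owned:
                        owned.add(other)
                        queue.append(other)
    return owned

def history(ledger, start):
    """Every transaction the presumed holder of `start` sent or received."""
    owned = same_holder(ledger, start)
    return [tx["txid"] for tx in ledger
            if owned & set(tx["inputs"]) or owned & set(tx["outputs"])]

def downstream(ledger, start):
    """Follow funds forward from `start`, breadth-first, one hop at a time."""
    seen, queue, hops = {start}, deque([start]), []
    while queue:
        addr = queue.popleft()
        for tx in ledger:
            if addr in tx["inputs"] and tx["txid"] not in hops:
                hops.append(tx["txid"])
                for out in tx["outputs"]:
                    if out not in seen:
                        seen.add(out)
                        queue.append(out)
    return hops

if __name__ == "__main__":
    print("history:", history(LEDGER, "addr_B"))
    print("downstream:", downstream(LEDGER, "addr_B"))
```

Identifying `addr_B` once is enough to pull in `addr_C` (spent alongside it) and with it the earlier deposit `t5`, while the unrelated transfer `t4` stays out of the result.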

Jihadist networks experiment  

The Europol 2018 report defines Islamic terrorists’ cyber attack expertise as being in its infancy. It describes Islamic terrorist groups as highly skilled in online propaganda through the masterly use of social media, surface or deep web forums or blogs, and end-to-end encrypted chat services, but still without an elevated overall harmful cybercrime potential. Nevertheless, IOCTA 2018 shows some interesting trends in terrorist groups’ cutting-edge technical expertise in the use of cryptocurrencies, which are worth explaining.

  • A few actors with high-degree technical know-how: as already analyzed by ITSTIME[vi], since 2012 there have been a few cases related to terrorist groups’ use of cryptocurrencies, mostly in the form of more or less explicit online crowdfunding campaigns. The Europol report rightly defines this initial phase as the “Jihadist networks experiment with cryptocurrencies”. During this experimental stage, a common denominator can be identified in the difficulty of tracking terrorists’ transaction movements. For instance, the pro-Daesh website Akhbar alMuslimin started calling for Bitcoin donations in November 2017. Initially, the link pointed to an external Bitcoin payment site, which then changed to a page within the website that generated Bitcoin addresses, allowing sympathizers to copy the addresses and donate away from that page. Furthermore, the system allowed donors to use Bitcoin credit/debit cards instead of their Bitcoin addresses. Indeed, Bitcoin credit/debit card providers usually require full identification in order to issue the card, but they usually don’t require the submission of any identifying document. This example shows a certain technical sophistication on the part of the administrators.
  • Privacy-centric cryptocurrencies: as previously explained, Bitcoin is not the most anonymous choice in the cryptocurrency landscape. There already exist other types of cryptocurrency created with the primary purpose of protecting users’ privacy. The most popular are Monero (launched in 2013) and Zcash (launched in 2016). Monero and Zcash respectively use the CryptoNote protocol, which allows seeing only an approximate amount of money that was sent in the transaction,[vii] and Zk-Snark, “Zero-knowledge”, which allows one party to prove to another that a statement is true, without revealing any other information beyond the validity of the statement itself[viii]. The competition among these privacy-centric cryptocurrencies is causing a fast-paced development entirely aimed at increasing their users’ privacy[ix] while becoming more and more user-friendly and widespread[x]. As in the Akhbar alMuslimin case, Islamic terrorist groups have already proved to have a high degree of sophistication in exploiting modern methods to obscure their illicit funding. In fact, Europol has noticed that Daesh requested donations in Zcash and also used this cryptocurrency to purchase website domains. Even though Europol underlines that there is no proof of Zcash, or any other type of cryptocurrency, being used to finance any attacks on European soil, the development in this field deserves to be carefully monitored.
  • Jihadists’ Online Propaganda and the Increasing Jihadists’ use of Cryptocurrencies: the need for terrorist groups to spread their narrative and propaganda through the web is giving them more and more access to cutting-edge technological expertise. The two areas are linked by an ongoing innovation process in their ability to evade detection, develop their technical capabilities and raise funds via cryptocurrencies through legitimate services like social media, which gives them the possibility to freely interact with many actors more or less involved in cybercrime or hacking. Thus, it is crucial to hinder their access to human expertise, funding, and cyber tools, which too often comes as a consequence of their need to spread their propaganda.

Every internet user is unwittingly becoming a victim: Cryptojacking, a hallmark of modern cybercrime

Cryptojacking is the unauthorized use of a computer, tablet, mobile phone, or connected home devices by cybercriminals to mine for cryptocurrency.

Only a finite number of Bitcoins remain to be mined, and they can be mined only by solving a complex and ever-growing math task, the “proof of work”, which requires elevated electricity bills and expensive computer equipment. Thus, the more devices are working, the faster coins can be mined, and cryptojacking allows cybercriminals to use other people’s devices to pursue this task. Cryptojacking can occur in two ways:

  • Phishing tactics: running code that downloads the cryptomining script onto the victim’s computer; the most common method is to send the malware by email.
  • In-browser miner: injecting a cryptomining script on a website or in an online advertisement that is placed on multiple websites. The script runs on the visited website, so the code doesn’t need to be installed and the user doesn’t even have to opt in[xi].

In both cases, the code solves complex mathematical problems and sends the results to the hacker’s server while the victim is completely unaware.[xii]
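For the in-browser case, a site owner can audit which scripts a page actually loads. The following is an added example (not from the original article or the Europol report): it lists scripts served from hosts outside an approved set and flags inline code that starts worker threads or loads WebAssembly. The sample page, the `.example` hosts and the inline markers are constructed assumptions, and a hit is a lead for review, not proof of mining.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic (assumption of this example): inline code that starts worker
# threads or loads WebAssembly deserves a look, since mining needs raw CPU.
INLINE_MARKERS = re.compile(r"WebAssembly\.|new\s+Worker\s*\(")

# Constructed sample page; hosts under .example are placeholders.
PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.site.example/lib.js"></script>
<script src="https://ads.thirdparty.example/m.js"></script>
<script>var w = new Worker("job.js"); w.postMessage({threads: 4});</script>
</head><body>news</body></html>"""

class ScriptAudit(HTMLParser):
    """Record scripts loaded from unlisted hosts and flagged inline code."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)
        self.findings = []
        self._inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._inline = True          # inline script: inspect its body
            return
        host = urlparse(src).hostname    # None for same-site relative paths
        if host and host not in self.allowed:
            self.findings.append(("unlisted-host", host))

    def handle_data(self, data):
        if self._inline and INLINE_MARKERS.search(data):
            self.findings.append(("inline-marker", data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def audit(html, allowed_hosts):
    """Return findings for one page given the site's approved script hosts."""
    parser = ScriptAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(PAGE, {"cdn.site.example"})` reports the advertisement host and the inline worker script; the same approved-host list can be enforced in the browser through a Content-Security-Policy `script-src` directive.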

In-browser cryptojacking is not illegal; thus it is more appealing to cybercriminals wishing to keep a low profile, as it requires little or no victim engagement and, at least currently, attracts minimal law enforcement attention.

Hence, for all these reasons, cryptojacking is expected to become a regular, low-risk revenue source for cybercriminals.

Cyber-attacks targeting users and facilitators

Quoting Europol IOCTA 2018: “in a trend mirroring attacks on banks and their customers, cryptocurrency users and facilitators have become victims of cybercrimes themselves… Money launderers have evolved to use cryptocurrencies in their operations and are increasingly facilitated by new developments such as decentralized exchanges which allow exchanges without any Know Your Customer requirements.”

Indeed, a consequence of the decentralized and unregulated system of cryptocurrencies, and of the fact that they are becoming more mainstream (almost 1600 listed cryptocurrencies), is that cryptocurrency users, exchange platforms and mining services are now subjected to the same attacks aimed at traditional financial instruments.

The most common kinds of cyber-attacks and targets are the following:

  • Phishing tactics aimed at taking over users’ login credentials for their online exchanger accounts, electronic wallets, and private keys.
  • Exchange services, which hold their own cryptocurrency reserves for trading as well as the funds of customers who purchased cryptocurrencies, are key targets for cybercriminals given the huge amount of money that they administer or store for their customers. One example is the hacking attack on the Italian exchanger BitGrail, which resulted in a corresponding loss of USD 195.000.000.
  • Attacks on cryptocurrency exchange services to steal customers’ data for further fraud, for instance “phishing customers for their account login credentials and subsequent currency theft”.

An accurate analysis of Europol IOCTA 2018 helps to take into account new aspects and weak points related to the illegal use of cryptocurrencies along with scope for improvement.

  • Improve Public Awareness: Cryptocurrencies are becoming widespread, user-friendly and, in many cases, developing through a privacy-centric protocol, while institutions do not yet have enough tools to properly investigate or prevent their illegal use. Helping investors avoid becoming unknowing victims of criminal or terrorist networks is fundamental. Institutions should put more effort into giving these modern customers clear instructions aimed at avoiding the theft of credentials or private keys, and guide them towards a conscious way of investing in cryptocurrencies.
  • Introduce mandatory KYC procedures: even though in many cases governments can’t impose strict rules on cryptocurrency development companies or cooperate with them, it is still possible to cooperate with exchange services. Obligatory Know Your Customer procedures for exchange services or crypto debit/credit card providers would definitely help to prevent jihadists’ donation campaigns or criminal frauds.
  • An updated legal framework: as previously analyzed, many frauds or thefts committed in the cryptocurrency field can’t even be prosecuted. A flexible legal framework updated to modern financial threats is crucial to isolate the dangers present in this field and give both investors and prosecutors freedom of movement inside a clearly legal environment. Furthermore, this would be a strong deterrent for many individuals planning to commit financial cybercrimes.

[i] Europol (2018) Internet Organised Crime Threat Assessment (IOCTA) 2018. European Union Agency for Law Enforcement Cooperation. Available at https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018

[ii] P. Koshy, D. Koshy, P. McDaniel (2014) An Analysis of Anonymity in Bitcoin Using P2P Network Traffic. Pennsylvania State University, University Park, PA 16802, USA. Available at https://pdfs.semanticscholar.org/c277/62257f068fdbb2ad34e8f787d8af13fac7d1.pdf

[iii] J. Bohannon (March 9, 2016) Why criminals can’t hide behind Bitcoin. ScienceMag. Available at http://www.sciencemag.org/news/2016/03/why-criminals-cant-hide-behind-bitcoin

[iv] K. Marinos (March 23, 2016) Are Bitcoin Transactions Traceable?. CoinTelegraph. Available at https://cointelegraph.com/news/are-bitcoin-transactions-traceable

[v] O. Kharif (January 2, 2018) The Criminal Underworld Is Dropping Bitcoin for Another Currency. Bloomberg. Available at https://www.bloomberg.com/news/articles/2018-01-02/criminal-underworld-is-dropping-bitcoin-for-another-currency

[vi] https://www.itstime.it/w/bitcoin-and-other-types-of-cryptocurrency-modern-and-undetectable-ways-to-finance-terrorism-by-daniele-maria-barone/

[vii] https://www.worldcryptoindex.com/what-is-cryptonote-technology/

[viii] https://z.cash/technology/zksnarks/

[ix] E. Spagnuolo (April 26, 2017) Addio Bitcoin, nel deep web ora si paga con Monero e Zcash. Wired – Italia. https://www.wired.it/economia/finanza/2017/04/26/bitcoin-monero-zcash/

[x] D. Manheim, P.B. Johnston, J. Baron, C. Dion-Schwarz (April 21, 2017) Are Terrorists Using Cryptocurrencies? RAND Corporation. Available at https://www.rand.org/blog/2017/04/are-terrorists-using-cryptocurrencies.html

[xi] https://hackerbits.com/programming/what-is-cryptojacking/

[xii] https://us.norton.com/internetsecurity-malware-what-is-cryptojacking.html