Researchers from CSIRO’s Data61 and the Monash Blockchain Technology Centre have developed the world’s most efficient blockchain protocol that is both secure against quantum computers and protects the privacy of its users and their transactions.
The technology can be applied beyond cryptocurrencies, such as digital health, banking, finance and government services, as well as services which may require accountability to prevent illegal use.
The protocol — a set of rules governing how a blockchain network operates — is called MatRiCT.
Cryptocurrencies vulnerable to attacks by quantum computers
The cryptocurrency market is currently valued at more than $325 billion, with an average of approximately $50 billion traded daily over the past year.
However, blockchain-based cryptocurrencies like Bitcoin and Ethereum are vulnerable to attacks by quantum computers, which are capable of performing complex calculations and processing substantial amounts of data to break blockchains, in significantly faster times than current computers.
“Quantum computing can compromise the signatures or keys used to authenticate transactions, as well as the integrity of blockchains themselves,” said Dr Muhammed Esgin, lead researcher at Monash University and Data61’s Distributed Systems Security Group. “Once this occurs, the underlying cryptocurrency could be altered, leading to theft, double spend or forgery, and users’ privacy may be jeopardised.
“Existing cryptocurrencies tend to either be quantum-safe or privacy-preserving, but for the first time our new protocol achieves both in a practical and deployable way.”
The MatRiCT protocol is based on hard lattice problems, which are quantum secure, and introduces three new key features: the shortest quantum-secure ring signature scheme to date, which authenticates activity and transactions using only the signature; a zero-knowledge proof method, which hides sensitive transaction information; and an auditability function, which could help prevent illegal cryptocurrency use.
Blockchain challenged by speed and energy consumption
Speed and energy consumption are significant challenges presented by blockchain technologies which can lead to inefficiencies and increased costs.
“The protocol is designed to address the inefficiencies in previous blockchain protocols such as complex authentication procedures, thereby speeding up calculation efficiencies and using less energy to resolve, leading to significant cost savings,” said Dr Ron Steinfeld, associate professor, co-author of the research and a quantum-safe cryptography expert at Monash University.
“Our new protocol is significantly faster and more efficient, as the identity signatures and proof required when conducting transactions are the shortest to date, thereby requiring less data communication, speeding up the transaction processing time, and reducing the amount of energy required to complete transactions.”
“Hcash will be incorporating the protocol into its own systems, transforming its existing cryptocurrency, HyperCash, into one that is both quantum safe and privacy protecting,” said Dr Joseph Liu, associate professor, Director of Monash Blockchain Technology Centre and HCash Chief Scientist.
Computer scientists have developed a new artificial intelligence (AI) system that may be able to identify malicious codes that hijack supercomputers to mine for cryptocurrency such as Bitcoin and Monero.
“Based on recent computer break-ins in Europe and elsewhere, this type of software watchdog will soon be crucial to prevent cryptocurrency miners from hacking into high-performance computing facilities and stealing precious computing resources,” said Gopinath Chennupati, a researcher at Los Alamos National Laboratory and co-author of a new paper in the journal IEEE Access.
“Our deep learning artificial intelligence model is designed to detect the abusive use of supercomputers specifically for the purpose of cryptocurrency mining.”
Detect cryptocurrency miners
Legitimate cryptocurrency miners often assemble enormous computer arrays dedicated to digging up the digital cash. Less savory miners have found they can strike it rich by hijacking supercomputers, provided they can keep their efforts hidden.
The new AI system is designed to catch them in the act by comparing programs based on graphs, which are like fingerprints for software.
All programs can be represented by graphs that consist of nodes linked by lines, loops, or jumps. Much as human criminals can be caught by comparing the whorls and arcs on their fingertips to records in a fingerprint database, the new AI system compares the contours in a program’s flow-control graph to a catalog of graphs for programs that are allowed to run on a given computer.
Instead of finding a match to a known criminal program, however, the system checks to determine whether a graph is among those that identify programs that are supposed to be running on the system.
How reliable is it?
The researchers tested their system by comparing a known, benign code to an abusive, Bitcoin mining code. They found that their system identified the illicit mining operation much more quickly and reliably than conventional, non-AI analyses.
Because the approach relies on graph comparisons, it cannot be fooled by common techniques that illicit cryptocurrency miners use to disguise their codes, such as including obfuscating variables and comments intended to make the codes look like legitimate programming.
While this graph-based approach may not offer a completely foolproof solution for all scenarios, it significantly expands the set of effective approaches for cyberdetectives to use in their ongoing efforts to stifle cybercriminals.
Based on recent computer break-ins, such software watchdogs will soon be crucial to prevent cryptocurrency miners from hacking into high-performance computing facilities and stealing precious computing resources.
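The detector described above compares a program's flow-control graph against a catalog of programs that are allowed to run, so that renamed variables and added comments do not change the verdict. The following is an added illustration written for this page, not the Los Alamos system or code from the IEEE Access paper: it uses a program's syntactic structure graph (a simplified stand-in for the paper's flow-control graph), strips everything an obfuscator can cheaply change (identifiers, constants, comments, docstrings), and compares the resulting graph against an allowlist both by exact fingerprint and by a tolerant similarity score. The three sample programs, the catalog and the threshold are constructed for the demo.

```python
"""
Allowlist-by-structure: fingerprint a program's structure graph and compare
it with a catalog of programs permitted on a given machine.

Added example; a simplified stand-in for the graph comparison described in
the article. Sample programs, catalog and threshold below are constructed.
"""
import ast
import hashlib
from collections import Counter


def structure_graph(source: str):
    """Return (nodes, edges) for the program's structure.

    Nodes are labelled only with the AST node type, so variable names,
    constant values and comments do not affect the graph. Docstrings and
    bare string statements are dropped as pure decoration.
    """
    tree = ast.parse(source)
    nodes, edges = [], []

    def visit(node, parent):
        idx = len(nodes)
        nodes.append(type(node).__name__)
        if parent is not None:
            edges.append((parent, idx))
        for child in ast.iter_child_nodes(node):
            if (isinstance(child, ast.Expr)
                    and isinstance(child.value, ast.Constant)
                    and isinstance(child.value.value, str)):
                continue  # docstring / decorative string: ignore
            visit(child, idx)

    visit(tree, None)
    return nodes, edges


def fingerprint(source: str) -> str:
    """Exact canonical hash of the structure graph (node labels + edges)."""
    nodes, edges = structure_graph(source)
    canon = "|".join(nodes) + "#" + ",".join(f"{a}-{b}" for a, b in edges)
    return hashlib.sha256(canon.encode()).hexdigest()


def edge_bag(source: str) -> Counter:
    """Multiset of (parent type, child type) edge labels."""
    nodes, edges = structure_graph(source)
    return Counter((nodes[a], nodes[b]) for a, b in edges)


def similarity(src_a: str, src_b: str) -> float:
    """Weighted Jaccard similarity of the two edge-label multisets (0..1)."""
    a, b = edge_bag(src_a), edge_bag(src_b)
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 1.0


def classify(source: str, catalog: dict, threshold: float = 0.9):
    """Return ('allowed' | 'unknown', best catalog match, best score)."""
    best_name, best_score = None, 0.0
    for name, allowed_src in catalog.items():
        score = similarity(source, allowed_src)
        if score > best_score:
            best_name, best_score = name, score
    verdict = "allowed" if best_score >= threshold else "unknown"
    return verdict, best_name, best_score


# --- constructed sample programs ---------------------------------------
ALLOWED_SIMULATION = """
def simulate(steps):
    total = 0.0
    for i in range(steps):
        total += i * 0.5
    return total
"""

# Same structure, renamed identifiers, changed constants, added comments.
OBFUSCATED_SIMULATION = """
# totally legitimate science code, nothing to see here
def compute_result(num_iterations):
    accumulator = 0.0
    for index in range(num_iterations):  # main loop
        accumulator += index * 2.0  # scaling factor
    return accumulator
"""

# A generic hash-search loop: structurally different from the simulation.
HASH_LOOP = """
import hashlib
def search(prefix):
    nonce = 0
    while True:
        digest = hashlib.sha256(str(nonce).encode()).hexdigest()
        if digest.startswith(prefix):
            return nonce
        nonce += 1
"""

CATALOG = {"simulation": ALLOWED_SIMULATION}  # constructed allowlist

if __name__ == "__main__":
    print("obfuscated:", classify(OBFUSCATED_SIMULATION, CATALOG))
    print("hash loop: ", classify(HASH_LOOP, CATALOG))
```

The exact fingerprint shows why renaming and commenting do not help an intruder: both simulation variants hash to the same value. The similarity score is what a deployed system would actually use, because inserted junk statements or reordered code do change the exact graph while leaving most edges intact; the threshold is the tuning knob between false alarms and misses.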
The Twittersphere went into overdrive on Wednesday as a bunch of prominent, verified Twitter accounts were hijacked and started promoting a COVID-19 cryptocurrency giveaway scam.
The attackers simultaneously compromised Twitter accounts of Bill Gates, Elon Musk, Barack Obama, Jeff Bezos, Joe Biden, Mike Bloomberg, Apple, Uber, as well as those of cryptocurrency exchanges Binance, Coinbase, KuCoin and Gemini, the CoinDesk news site and other top crypto accounts.
Twitter reacted by locking down the affected accounts, removing Tweets posted by the attackers, and limiting functionality for all verified accounts, but not quickly enough to prevent many gullible users falling for the scam and sending money to the attackers.
“The accounts tweeted that they ‘partnered with’ a company called CryptoForHealth. The domain for this website was registered on July 15. The website itself claims that, to help with the hard times endured by COVID-19, they’re partnering with several exchanges to provide a ‘5000 Bitcoin (BTC) giveaway’ which is a ruse for advance-fee fraud,” Satnam Narang, Staff Research Engineer at Tenable, explained.
This type of scam is common, but what makes this incident notable is that the scammers managed to use legitimate Twitter accounts to launch it, he notes. Because of this, users were more likely to place their trust in the CryptoForHealth website or the provided Bitcoin address.
Before Twitter locked the hijacked accounts and deleted the scammy tweets, the attackers apparently received nearly $118,000 in Bitcoin.
How have the Twitter accounts been hijacked?
As the compromised accounts began tweeting the scam in a coordinated manner, many speculated on how the attackers pulled off the massive compromise.
It soon became quite obvious that the attackers must have compromised them all from one central place.
Some users noticed that some of the hijacked accounts had been associated with one specific email address:
Yep! Crazy – looks like a full takeover/hijack pic.twitter.com/toug6PYnYr
— harrydenley.eth ◊ (@sniko_) July 15, 2020
Motherboard’s sources said that a Twitter insider (admin) was bribed or coerced to use an internal user management tool to reset the email address and password on the affected accounts. Others speculated that the attackers managed to compromise the corporate account of a Twitter employee.
Earlier today, Twitter confirmed that last speculation.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company explained.
“We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely. Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.”
The attack points to a greater problem
According to the BBC, the same email address that was used to register the CryptoForHealth domain was used to register an Instagram account with the same name. On it, the attackers posted a message that said: “It was a charity attack. Your money will find its way to the right place.”
Many have pointed out that, given how much US politicians depend on Twitter to keep the citizenry informed about their thoughts and actions, the attackers could have used the access to those accounts to do much more damage.
Others have posited that the Bitcoin scam was perhaps just a smokescreen:
Stage 1: Throw up simple bitcoin scam for some nice walkin-around money.
Stage 2: Exfiltrate DMs for later use in blackmail, etc. If you’re already sitting on data like OPM, etc., you have a nice amount of kompromat for leverage/profit.
— Jim Wagner (@jimwagmn) July 15, 2020
US Senator Josh Hawley demanded more information from Twitter about the hack, including an answer to the question of whether the attack threatened the security of US President Donald Trump’s account (which has not been made to tweet out the scammy message).
“The Twitter hack highlights how bad actors are using highly trafficked social media channels to wreak havoc,” noted Richard Bird, Chief Customer Information Officer, Ping Identity.
“The news of this exploit is extremely concerning as it really focuses attention on the inherent weaknesses in Big Tech security, which has been a point of focus across the country as we head into a presidential election and as we navigate the challenges driven by the pandemic. Disinformation and exploitation of supposedly trusted social media channels only amplifies the anxieties and concerns that consumers and citizens are already dealing with in this country and others.”
“Given the accounts’ relatively high profile, including that of a former US President, it’s likely that federal law enforcement and intelligence assets from both the public and private sector will be brought to bear on this very problem,” noted Kevin O’Brien, Co-Founder and CEO, GreatHorn.
“It’s highly likely that this will result in attribution, although I suspect we’ll find that this occurred from a non-US location, increasing the difficulty of apprehending the responsible parties.”
Twitter accounts of the rich and famous—including Elon Musk, Bill Gates, Jeff Bezos, and Joe Biden—were simultaneously hijacked on Wednesday and used to push cryptocurrency scams.
As of 3:58pm California time, one wallet address used to receive victims’ digital coins had received more than $118,000, though it wasn’t clear all of it came from people who fell for the scam. The bitcoin came from 356 transactions that all occurred over about a four-hour span on Tuesday. The wallet address appeared in tweets from at least 15 accounts—some with tens of millions of followers—that promoted fraudulent incentives to transfer money. At least one other Bitcoin wallet was used in the mass scam.
“I’m giving back to all my followers,” one now-deleted tweet from Musk’s account said. “I am doubling all payments sent to the Bitcoin address below. You send 0.1 BTC, I send 0.2 BTC back!” A tweet from the Bezos account said the same thing. “Everyone is asking me to give back, and now is the time,” a Gates tweet said. “I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000.”
Another variation of the scam promoted a partnered initiative that pledged to donate 5,000 BTC to the community and included a domain link to send money. The domain was quickly suspended. This variation came early in the hijacking spree and appeared to affect only cryptocurrency-related businesses, including Binance and Gemini.
Other hijacked accounts belonged to Barack Obama, Mike Bloomberg, Apple, Kanye West, Kim Kardashian West, Wiz Khalifa, Warren Buffett, YouTube personality MrBeast, Wendy’s, Uber, CashApp, and a raft of cryptocurrency entrepreneurs. Here’s a sampling of some of the scammy tweets:
At 2:58 PM California time, Musk’s account continued to pump out fraudulent tweets, despite the mass account hijackings being two hours old. What’s more, a screenshot tweeted by a security researcher showed that attackers have changed associated email addresses of some of the hijacked accounts.
That so many social media accounts were taken over in such a short time and remained hijacked for so long is extraordinary if not unprecedented. Previous hijackings that happened to one or two high-profile accounts to promote scams were the result of phishing attacks or the accounts being protected by weak passwords. And in almost all cases, the rightful account holders quickly regained control.
The ability of the attackers to retain control of accounts was also highly unusual. The compromise of so many accounts—many belonging to people who are seasoned in the importance of having good security hygiene—raised serious questions about whether the compromises were the result of a breach of Twitter’s infrastructure.
A Twitter spokeswoman said company personnel are looking into the cause and would respond soon.
A statement Binance issued said its personnel “confirmed that this Twitter breach was not caused by a vulnerability of Binance’s platform or team members.” The statement didn’t provide any other details about the cause of the hijacking. Binance went on to say: “Our security team has verified that there are zero Binance accounts/users who have sent funds to the hacker’s wallet addresses. The hacker’s wallets are not associated with Binance, and we have prevented all Binance wallet addresses from depositing assets into the hacker’s addresses.”
Emails to some of the other affected account holders weren’t immediately returned.
A spokeswoman for security firm RiskIQ said company researchers were able to track the infrastructure belonging to the party behind Wednesday’s large-scale hack. So far, they have compiled a list of more than 400 associated domains that included cryptoforhealth.com, the site included in the fraudulent tweet from Binance and other cryptocurrency businesses. Many of the domains didn’t respond, while others led to browser warnings like the one below.
As the hijackings continued, Twitter said that while it investigated, it was suspending the ability of many but not all Twitter users to tweet or respond to tweets. Accounts belonging to verified users were unable to tweet or reply to other tweets. Instead they got a message that said: “This request looks like it might be automated. To protect our users from spam and other malicious activity, we can’t complete this action right now. Please try again later.” The suspension didn’t apply to retweets or direct messages. Unverified accounts worked normally.
This is a developing story. This post will be updated as more details become available.
Cryptocurrency users, exchanges and investors suffered $4.5 billion in crypto-related losses resulting from thefts, hacks, and fraud, a CipherTrace report reveals.
Cryptocurrency crime losses
The lion’s share of those losses stem from the staggering growth of Ponzi schemes, exit scams, and misappropriation of funds crimes, the value of which rose 533 percent year over year.
Also, traditional financial services have become increasingly infused with crypto assets. For instance, results of an extensive analysis of the blockchain found almost all U.S. banks harbor illicit virtual asset related money service businesses (MSBs), including cryptocurrency exchanges.
Of additional concern for banks, 66 percent of dark market vendors sell stolen financial products and compromised accounts for cryptocurrency. And virtually all (97 percent) of ransomware attacks use bitcoin as the payment rail.
“Our research revealed some surprising trends in 2019,” said David Jevans, CEO of CipherTrace. “First, there was a dramatic shift away from outright thefts and exchange hacks and toward Ponzi schemes, exit scams, and other con games.
“Second, like them or not, banks have a lot more virtual assets lurking in their accounts and payment networks than most in the industry had previously thought. Banks need new capabilities to ferret out illicit MSBs, terrorist financing, and other major sources of risk.”
The report also provides an overview of regulatory moves throughout the world. This includes a comprehensive chart of anti-money laundering (AML) regulations by country, an update on the respective blockchain-related enforcement authority of the SEC, FinCEN, and the CFTC, and detailed reports on major regulatory and eCrime developments in various countries.
Trends in theft, fraud, hacks and misappropriation of funds
Cryptocriminals had a banner year in 2019. Total cryptocurrency crime increased 160 percent from 2018. However, as the report suggests, if 2019 had a Person of the Year, it would have been The Malicious Insider.
The culprits behind most of the losses were fraudsters operating inside everything from seemingly legitimate blockchain projects that were actually exit scams to crypto Ponzi and pyramid schemes. Ultimately, all that $4.5B worth of illicit cryptocurrency needs to be laundered.
Crypto-asset blind spots expose banks to risk
The typical top 10 U.S. bank unknowingly facilitates approximately $2 billion in illicit cryptocurrency transactions each year. Stealth MSBs using accounts and payment networks expose financial institutions to significant AML and counter terrorism financing (CTF) compliance risk.
Further research revealed banks paid record AML fines globally in 2019—more than $6.2 billion. This number could increase in 2020 as crypto-related money laundering and sanction evasion enforcement ramps up.
“As crypto-assets become increasingly entangled in traditional financial services, AML and CTF compliance risks are on the rise,” said Stephen Ryan, COO of CipherTrace.
“Virtual assets are now pervasive in bank accounts and payment networks, and banks must find ways to deal with the risks. Effectively mitigating cryptocurrency risks requires equipping compliance officers with the best tools and intelligence to gain visibility into this new asset class.”
The report also outlined a multi-year research project into darknet markets and other illicit vendors, which revealed that of dark market vendors:
- 40 percent hawked compromised bank account or credit card credentials for as little as 1 percent of face value
- 24 percent offered compromised payment services accounts
- 2 percent sold stolen cryptocurrency private keys
These findings further highlighted the issues banks and financial institutions face with regards to payment fraud and virtual asset laundering risks.
The research also showed that bitcoin is the payment of choice for cyber extortionists. During the last year, they demanded BTC as payment in 97 percent of ransomware attacks. All of this extorted bitcoin will need to be laundered before criminals can use the funds.
2020 will be a year of intense regulatory changes
The research team identified varying levels of maturity and sophistication in AML/CTF regimes around the globe. For instance, AMLD5 went into effect across the European Union early January regulating crypto-fiat exchanges for the first time in most EU countries.
Additionally, CipherTrace described urgency among its customers and industry players around pending FATF Travel Rule legislation.
Exchanges and financial institutions in the G20 have less than six months to find a solution for dealing with this major compliance conundrum—how to comply with the requirement to share sender and receiver information before executing cryptocurrency transactions, while protecting confidentiality.
In the US, financial institutions including virtual asset service providers (VASPs) have been reminded by FinCEN that they must meet their funds Travel Rule obligations under the BSA or face enforcement actions.
The world of cryptocurrency has no shortage of imaginary investment products. Fake coins. Fake blockchain services. Fake cryptocurrency exchanges. Now five men behind a company called BitClub Network are accused of a $722 million scam that allegedly preyed on victims who thought they were investing in a pool of bitcoin mining equipment.
Federal prosecutors call the case a “high-tech” plot in the “complex world of cryptocurrency.” But it has all the hallmarks of a classic pyramid scheme, albeit with a crypto-centric conceit. Investors were invited to send BitClub Network cash, which would allow the company to buy mining equipment—machines that produce bitcoin through a process called hashing. When those machines were turned on, all would (in theory) enjoy the spoils. The company also allegedly gave rewards to existing investors in exchange for recruiting others to join. According to the complaint, the scheme began in April 2014 and continued until earlier this month.
Matthew Brent Goettsche, Jobadiah Sinclair Weeks, and Silviu Catalin Balaci are accused of conspiracy to commit wire fraud and conspiracy to offer and sell unregistered securities. A fourth defendant, Joseph Frank Abel, faces only the latter charge. Another unnamed defendant remains at large. Balaci’s name was redacted from one public version of the indictment, but appeared on another.
The scheme appears to have started as a relatively modest scam and spiraled dramatically in ambition. Internal messages between the conspirators give the impression of growing glee at the ease of taking advantage of investors, referring to “building this whole model on the backs of idiots.” The men allegedly described their victims as “dumb” investors and “sheep.”
“They were not wrong,” Emin Gun Sirer, the CEO of blockchain startup Ava Labs, quipped on Twitter.
In October 2014, a few months after BitClub Network was founded, Goettsche allegedly posted about the need to “fak[e] it for the first 30 days while we get going,” instructing a co-conspirator to do some “magic” on the company’s revenue numbers. They allegedly agreed on a method of cooking the numbers that would include inconsistencies to make sure they appeared real. The tricks swiftly became more daring. Later, Goettsche allegedly suggested the company “bump up the daily mining earnings starting today by 60%.”
With only seven months left for nations to pass laws and virtual asset service providers (VASPs) to comply with the guidelines, the majority of cryptocurrency exchanges are not equipped to handle basic KYC, let alone comply with the stringent new funds Travel Rule included in the updated Financial Action Task Force (FATF) guidance, according to CipherTrace.
Inadequate KYC
The research results revealed that the lion’s share — more than two-thirds — of exchanges do not …
The post 2019 experienced massive spate of crypto crimes, $4.4 billion to date appeared first on Help Net Security.