Cryptocurrency

Exhume dead cryptocurrency exec who owes us $250 million, creditors demand


In late January, the wife of a cryptocurrency-exchange founder testified that her husband inadvertently took at least $137 million of customer assets to the grave when he died without giving anyone the password to his encrypted laptop. Now, outraged investors want to exhume the founder’s body to make sure he’s really dead.

The dubious tale was first reported in February, when the wife of Gerry Cotten, founder of the QuadrigaCX cryptocurrency exchange, submitted an affidavit stating he died suddenly while vacationing in India, at the age of 30. The cause: complications of Crohn’s disease, a bowel condition that is rarely fatal. At the time, QuadrigaCX lost control of at least $137 million in customer assets because it was stored on a laptop that—according to the widow’s affidavit—only Cotten knew the password to.

Widow Jennifer Robertson testified that she had neither the password nor the recovery key to the laptop. The laptop, she said, stored the cold wallet—that is, a digital wallet not connected to the Internet—that contained the digital currency belonging to customers of the exchange. In addition to at least $137 million in digital coin belonging to more than 100,000 customers, another $53 was tied up in disputes with third parties, investors reported at the time.

Robertson had testified that she conducted “repeated and diligent searches” for the password but came up empty. She went on to say she hired experts to attempt to decrypt the laptop, but they too failed. One expert profiled Cotten in an attempt to hack the computer, but that attempt also came to nothing.

Questionable Circumstances

On Tuesday, The New York Times reported that the amount exchange clients were unable to access is now calculated to be $250 million. Meanwhile, law enforcement officials in both Canada—where QuadrigaCX is located—and in the United States are investigating potential wrongdoing, and investors are clamoring for proof Cotten is actually dead.

Lawyers representing exchange clients on Friday asked Canadian law enforcement officials to exhume his body and conduct an autopsy “to confirm both its identity and the cause of death,” the NYT said. The letter cited “the questionable circumstances surrounding Mr. Cotten’s death and the significant losses” suffered in the incident. The letter went on to ask that the exhumation and autopsy be completed no later than “spring of 2020, given decomposition concerns.”

Quadriga didn’t disclose Cotten’s death until January 14, in a Facebook post, more than a month after it was said to have occurred. The QuadrigaCX platform went down on January 28, leaving users with no way to withdraw funds they had deposited with the exchange. Clients have taken to social media ever since to claim the death and loss of the password were staged in an attempt to abscond with their digital coin.

Besides an investigation by the Supreme Court of Nova Scotia, the FBI is also conducting an investigation into the company in conjunction with the IRS, the US Attorney for the District of Columbia, and the Justice Department’s Computer Crime and Intellectual Property Section.

One of the investigations has already unearthed circumstances that some may find suspicious. According to the NYT, a report from Ernst & Young (an auditing firm hired by the Supreme Court of Nova Scotia) found that QuadrigaCX didn’t appear to have any “basic corporate records,” including accounting records. More concerning, the report said the exchange had transferred “significant volumes of cryptocurrency” into personal accounts held by Cotten on other exchanges. The report also documented the transfer of “substantial funds” to Cotten personally that had no clear business justification.

How the exhumation and autopsy would lead to the recovery of the missing cryptocurrency is not clear. But they might go a long way to confirming or debunking the claims Cotten died at the time and in the manner disclosed to QuadrigaCX customers.

QuadrigaCX and the case of the missing $250 million is the kind of event that would be unthinkable for most financial institutions. In the frothy and largely unregulated world of cryptocurrencies, such debacles are a regular if not frequent occurrence.

Dexphot malware uses fileless techniques to install cryptominer

Security Awareness - Phishing Responses

Stay on top with IT Security.org

Any organisation comprises three essential elements: People, Process & Technology. In recent times, most cyber-attacks have materialised because of weaknesses in people. Humans, blamed as the weakest part of information security, do not get enough controls to protect them from cyber-crime. Security awareness training is emphasised as the only effective control; however, it is not implemented with the same zeal and vigour as firewalls or antivirus solutions.

Any security control is implemented to achieve its control objectives. However, security awareness is limited to annual sessions, posters and some weekly security news emails. The results of security awareness are not collected or analysed to verify whether control objectives are met. Like any control that is tested and evaluated, an awareness program must be subject to testing by evaluating awareness levels and comparing them with business objectives.

Tools that verify the security awareness program provide insights and effective performance indicators. Organisations can evaluate the results to identify their weak and strong areas. This allows for risk mitigation in weaker areas by utilising resources in a cost-effective manner. You can seek our services regarding phishing responses. We can assist you in developing your weakest link into your strongest.


Catching the phish

There are various tools to evaluate the readiness of users regarding phishing attacks. Users are tested with phishing emails and phone calls to check their awareness level.

A security aware workforce will:


Awareness is key

Phishing is one of the major causes of massive breaches. Phishing exploits human trust to gain unauthorised information, install malware, bypass authentication mechanisms and steal sensitive data. Phishing uses emails or phone calls. Emails that carry malicious attachments, link to fake websites or are spoofed to look legitimate are sent to recipients. If users are not properly trained to identify phishing emails, they fall prey to hackers. One unaware employee can cause damage to the entire organisation by providing a door for the attacker.

Any business. Every solution.

If you’d like to work with us to help establish or improve your phishing awareness, please get in touch with us today. Or, whilst you’re here, why not have a look at our other services in this category?

About

IT Security.org are based in the UK, offering a range of IT security solutions ranging from compliance and risk management to testing, training and much more.

Follow Us

Contact Us

© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number:11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg.299747227

Stantinko botnet’s monetization strategy shifts to cryptomining

IT Security Consulting


A solution for every business need

We offer a wide range of services within this category. Please contact us today to further explore the areas in which you can improve your IAM systems.


Judge allows suit against AT&T after $24 million cryptocurrency theft

An AT&T store in New Jersey.

Michael Brochstein/SOPA Images/LightRocket via Getty Images

When Michael Terpin’s smartphone suddenly stopped working in June 2017, he knew it wasn’t a good sign. He called his cellular provider, AT&T, and learned that a hacker had gained control of his phone number.

The stakes were high because Terpin is a wealthy and prominent cryptocurrency investor. Terpin says the hackers gained control of his Skype account and tricked a client into sending a cryptocurrency payment to the hackers instead of to Terpin.

After the attack, Terpin asked AT&T to escalate the security protections on his phone number. According to Terpin, AT&T agreed to set up a six-digit passcode that must be entered before anyone could transfer Terpin’s phone number.

But the new security measures didn’t work. In January 2018, “an AT&T store cooperated with an imposter committing SIM swap fraud,” Terpin alleged in his August 2018 lawsuit against AT&T. The thieves “gained control over Mr. Terpin’s accounts and stole nearly $24 million worth of cryptocurrency from him.”

Terpin sued AT&T, seeking at least $24 million in actual damage and millions more in punitive damages. Terpin also asked the court to void terms in AT&T’s customer agreement that disclaim liability for security problems—even in cases of negligence by AT&T. Terpin argued that these boilerplate terms are unconscionable because customers never have an opportunity to negotiate them.

But AT&T asked the judge to dismiss the case, arguing that Terpin didn’t adequately explain how the phone hack led to the loss of his cryptocurrency. Terpin’s lawsuit provided no details about how Terpin had stored his cryptocurrency, how the hackers had gained access to it, or if they might have been able to carry out a similar attack without control of Terpin’s phone number. In any event, AT&T argued that it shouldn’t be held responsible for the misconduct of the hackers who actually carried out the theft of cryptocurrency.

A mixed ruling

On Thursday, Judge Otis Wright—a man we once depicted as a hulking green giant preparing to smash the copyright trolls at Prenda Law—issued a ruling that provided some reason for each side to celebrate.

Wright agreed with AT&T that Terpin had not adequately explained how the hack of his account led to the theft of his cryptocurrency or why AT&T should bear responsibility. As a result, he dismissed claims that relied on Terpin’s claimed $24 million loss.

However, Wright dismissed the claims with “leave to amend,” meaning that Terpin has 21 days to file a new version of his lawsuit that more fully explains how the cryptocurrency was stolen and why AT&T should be held responsible.

At the same time, Wright allowed the case to move forward with Terpin’s arguments against AT&T’s one-sided customer agreement. Wright hasn’t yet voided the terms, but he found Terpin’s arguments on the issue plausible enough to let the case continue.

“We are pleased the court dismissed most of the claims,” AT&T said in an emailed statement. “The plaintiff will have the opportunity to re-plead but we will continue to vigorously contest his claims.”

This kind of phone hacking incident is of particular concern in the cryptocurrency world because of the non-reversibility of most virtual currencies. If a hacker steals funds from a conventional bank account, a fast-acting victim can usually get the transaction reversed and the funds restored. By contrast, if a hacker steals someone’s bitcoins, they’re likely to be gone permanently, since no one has the authority to cancel transactions once they’re committed to the blockchain.

As a result, cryptocurrency is much more of a “user beware” world than the conventional banking system. If you own a significant amount of cryptocurrency—and especially if you’re publicly known to have a significant amount of cryptocurrency—then it’s wise to store it in a way that doesn’t depend on the security of your phone number.

This Week in Security News: Consumer Data and Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.

Read on: 

Keys to Safeguarding Consumer Data in 2019

Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks. 

Linksys Partners with Trend Micro for Network Protection on Velop Wi-Fi Systems

Linksys and Trend Micro have partnered to deliver a security solution for home networks to give families an added layer of digital protection.

Collaborating with Law Enforcement to Tackle the Scourge of ATM Attacks

Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse. 

Report: Over 59,000 GDPR Data Breach Notifications, But Only 91 Fines

Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

MacOS Malware Poses as Adobe Zii, Steals Credit Card Info and Mines Monero Cryptocurrency

Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information. 

Auto Engineers Warn Your Car Might be Easier to Hack Than You Think

As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.

Managing Digital Footprints and Data Privacy

A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump are just the beginning for many of those whose data are included.

Just Two Hacker Groups are Behind 60% of Stolen Cryptocurrency

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

EU Orders Recall of Children’s Smartwatch Over Severe Privacy Concerns

For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.

Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
