CryptoCore Group Steals Over $200 Million from Cryptocurrency Exchanges

Researchers from the Israeli company ClearSky have reported on the hacker group CryptoCore, which has been active since 2018 and specializes in hacking cryptocurrency exchanges. According to experts, the group is based somewhere in Eastern Europe and has managed to “earn” over $200 million by compromising exchanges in various countries around the world.

CryptoCore has been linked to at least five successful breaches, as well as attempted attacks on another 10 to 20 cryptocurrency platforms. The five confirmed victims of the hackers are located in the United States, Japan, and the Middle East. Unfortunately, the names of the affected companies have not been disclosed due to non-disclosure agreements binding the researchers.

Timeline of Attacks

Analysts note that they are not the first to discover the group. Some CryptoCore operations had previously been mentioned in reports by other cybersecurity companies, such as Dangerous Password and Leery Turtle. However, it has now become clear that the group’s operations were more extensive and widespread than these isolated documented cases suggested.

Although ClearSky has been monitoring CryptoCore for two and a half years, the hackers have used the same tactics throughout, with only minor adjustments. All attacks began with information gathering: the attackers collected necessary data about the exchange’s management, IT staff, and other employees.

The group then moved on to phishing attacks, which initially always targeted personal rather than corporate email addresses. Personal email accounts are generally less protected, but there is still a good chance they contain some work-related information. Only after some time (ranging from a few hours to several weeks) would CryptoCore operators switch to attacking the victims’ work accounts.

“Targeted phishing is usually carried out by impersonating a high-ranking employee of the target company or another organization (such as a member of the advisory board) who has a connection to the victim,” the researchers explain.

The ultimate goal of the criminals is to install malware on the exchange employee’s computer and gain access to their password manager account (or steal passwords). If the compromise is successful, CryptoCore members use these passwords to access accounts and wallets, disable two-factor authentication, and transfer funds from the exchange’s “hot wallets” to their own accounts.
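The last two steps of that chain (2FA switched off, then funds pulled from a hot wallet) leave a pattern in an exchange's own audit logs. The following is an added detection example, not code from ClearSky or from the article: it reads constructed JSON audit lines (the field names `user`, `event`, `wallet`, `amount_btc` and the one-hour window are assumptions) and flags any account where an `mfa_disabled` event is followed by a hot-wallet withdrawal within the window.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): an admin account whose 2FA is
# switched off and then used to move funds minutes later, plus benign activity
# on a second account where the two events are a day apart.
SAMPLE_LOG = """\
{"ts":"2020-06-24T09:00:00Z","user":"ops-admin","event":"login","src":"203.0.113.7"}
{"ts":"2020-06-24T09:02:10Z","user":"ops-admin","event":"mfa_disabled","src":"203.0.113.7"}
{"ts":"2020-06-24T09:05:30Z","user":"ops-admin","event":"withdrawal","wallet":"hot","amount_btc":12.5}
{"ts":"2020-06-24T10:00:00Z","user":"treasury","event":"withdrawal","wallet":"hot","amount_btc":0.8}
{"ts":"2020-06-23T08:00:00Z","user":"treasury","event":"mfa_disabled","src":"198.51.100.2"}
"""

WINDOW = timedelta(hours=1)  # assumed correlation window


def parse_log(text):
    """Parse one JSON object per line and return the events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_mfa_off_then_withdrawal(events, window=WINDOW):
    """Return (user, mfa_off_ts, withdrawal_ts, amount) for every hot-wallet
    withdrawal that follows an mfa_disabled event on the same account within
    `window`. Events must be time-ordered (see parse_log)."""
    last_mfa_off = {}  # user -> timestamp of the most recent mfa_disabled event
    alerts = []
    for ev in events:
        if ev["event"] == "mfa_disabled":
            last_mfa_off[ev["user"]] = ev["ts"]
        elif ev["event"] == "withdrawal" and ev.get("wallet") == "hot":
            t0 = last_mfa_off.get(ev["user"])
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append((ev["user"], t0, ev["ts"], ev["amount_btc"]))
    return alerts


if __name__ == "__main__":
    for user, t0, t1, amount in find_mfa_off_then_withdrawal(parse_log(SAMPLE_LOG)):
        print("ALERT: %s disabled 2FA at %s and withdrew %.2f BTC at %s" % (user, t0, amount, t1))
```

Extending the same pass to require a preceding login from a new source address, or to escalate when the disabling and the withdrawal come from different addresses, is a natural next refinement.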

Attack Scheme

With these findings, CryptoCore becomes the second hacker group known to have regularly attacked cryptocurrency exchanges over the past 3–4 years. The main threat to exchanges, however, remains “government” hackers from North Korea: according to the United Nations, North Korean hackers stole approximately $571 million from five Asian cryptocurrency exchanges between January 2017 and September 2018.