
A closer look at how criminals steal your Bitcoins, and how to stop them

Even though Bitcoin exchange MtGox and Canadian bank Flexcoin had to shut down after recent cyber-attacks, cryptocurrencies continue to grow in popularity. The soaring value of virtual currencies such as Bitcoin makes them attractive to thieves, however, and users need to take steps to secure their wallets.

There are more than 100 different malware families currently targeting user wallets and exchanges to steal Bitcoin and 40 other cryptocurrencies such as Litecoin, Flexcoin, and others, researchers from Dell SecureWorks told us during the RSA Conference last week. About 80 of them popped up this year alone, right after the value of a single Bitcoin soared to nearly $1,000 (£600).

While some malware is custom designed solely to steal digital currency, most of it is generic currency-stealing malware modified to add cryptocurrency-stealing capabilities, said Joe Stewart, director of malware research for Dell SecureWorks. When malware already steals login credentials for online banking sites, modifying it to grab credentials for online wallets and exchanges isn't technically challenging. Most of the thieves involved are "script kiddies," he said.

In fact, the malware and the toolkits that can be used to build it are not overly sophisticated and are widely available. For example, the most popular malware, PredatorPain, accounts for one-third of all attempts to steal Bitcoins and costs a mere $35 (£21) on the underground forums. "A beginner programmer could create something that would steal Bitcoins," said Pat Litke, security analyst advisor at Dell SecureWorks Counter Threat Unit.

Why target Bitcoin?

Bitcoin is an open source form of cryptocurrency introduced in 2009 by a shadowy figure named "Satoshi Nakamoto." Often the preferred method of paying for drugs and other illegal services, Bitcoin is now accepted by over 3,000 legitimate merchants. Each transaction is recorded in a "blockchain," a publicly viewable global ledger, but the names of the participants are not saved. People send and receive virtual currencies via online marketplaces, or "exchanges." Until recently, MtGox was the largest Bitcoin exchange.

Thieves are stealing Bitcoins and other forms of cryptocurrency via wallet-plundering malware and credential-hoovering malware, as well as man-in-the-browser attacks, Stewart and Litke said.

"There's definitely big overhead in trying to launder money from credit cards and bank accounts, but there's [no overhead] in Bitcoins," Stewart said. It's much easier to cash out money from stolen wallets than it is to employ money mules to move money out of compromised bank accounts.

When malware attacks

Since Bitcoins are stored in a digital wallet, which can exist either in the cloud or on a user's computer, the most common and effective types of malware are the wallet-stealers. This type of malware looks for the "wallet.dat" file or other commonly used filenames and directories on the user's computer and then transfers the relevant files to a remote server. Thieves then extract the user's key from the wallet and transfer the funds to a different wallet under their control.

Exchanges are also notoriously easy to break into. Credential-stealing malware intercepts login credentials as the user tries to log in to the exchange. Even if the exchange has enabled two-factor authentication, Stewart and Litke said, more advanced types can intercept the one-time password as it is used.

There is also a man-in-the-browser malware type which watches the computer's clipboard. When the user copies a Bitcoin address to paste it, the malware replaces the string with the thief's Bitcoin address, Litke said. Since wallet IDs aren't easy to remember in the first place, most users won't even notice the address has changed and wind up sending the currency to the wrong recipient. Unfortunately, there's no way to reverse that transaction.
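The clipboard-swap described above works because a user rarely compares a pasted address character by character. The defensive check below is an added example, not code from the article or from Dell SecureWorks: it validates a legacy Bitcoin address with Base58Check (version byte, payload, double-SHA-256 checksum) and classifies what is on the clipboard relative to the address the user meant to copy. A swapped address is usually still well-formed, so the interesting verdict is "substituted": valid, but not the one you copied. The "thief" address in the sample is constructed inside the block from a made-up key hash and is not a real address.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I or l, which are easy to confuse visually)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # each leading zero byte is encoded as a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_address(version: int, hash160: bytes) -> str:
    payload = bytes([version]) + hash160
    return b58encode(payload + _checksum(payload))


def is_valid_address(addr: str) -> bool:
    """True for a well-formed legacy mainnet address (P2PKH version 0x00 or P2SH 0x05)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return checksum == _checksum(payload) and payload[0] in (0x00, 0x05)


def check_paste(intended: str, clipboard: str) -> str:
    """Classify the clipboard contents against the address the user copied.

    'ok'          - identical to what was copied
    'substituted' - a different but well-formed address: the clipboard-hijacker signature
    'malformed'   - not a valid Base58Check address at all (typo, truncation, bad character)
    """
    clipboard = clipboard.strip()
    if clipboard == intended.strip():
        return "ok"
    return "substituted" if is_valid_address(clipboard) else "malformed"


# Sample data. GENESIS is the well-known address paid by Bitcoin's genesis block.
# THIEF is constructed here from a fake 20-byte hash; it is valid Base58Check but fictitious.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
THIEF = make_address(0x00, hashlib.sha256(b"constructed: attacker-controlled key").digest()[:20])

if __name__ == "__main__":
    for clip in (GENESIS, THIEF, GENESIS[:-1] + "0"):
        print(f"{clip:36} -> {check_paste(GENESIS, clip)}")
```

In practice the "intended" value comes from wherever the user read the address (the merchant page, the payment request), and the check runs immediately before the wallet's send button is honoured; a "substituted" verdict should block the send, since the article notes the transaction cannot be reversed afterwards.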

"If a Bitcoin is stolen, you don't get it back. There's no bank to back you, no insurance," Stewart said. And law enforcement is not getting involved at the moment.

Keeping coins safe

When MtGox, the oldest and perhaps the best-known Bitcoin exchange, filed for bankruptcy on 26 February, it revealed that thieves had stolen about 744,000 Bitcoins, estimated to be worth approximately $475 million (£285 million). Canada's Flexcoin said 896 Bitcoins valued at about $600,000 (£360,000) were stolen from its online vault. And attackers allegedly stole $2.6 million (£1.55 million) worth of Bitcoins from Silk Road 2 in February.

If you were planning simply to rely on your antivirus to keep the malware at bay, Dell SecureWorks claimed the average detection rate for these malware families across all antivirus tools was just 48 per cent. Users should assume the system is not free of malware and take steps to secure their wallets and accounts.

SecureWorks recommended that users use hardware wallets, where the keys are stored in a keychain fob, or a "split" wallet, where the keys and the majority of the funds are kept on a separate computer not connected to the Internet. To move coins from the split wallet, the user would initiate a transaction on the normal machine, copy the transaction onto a USB key and take it to the secure machine to cryptographically sign the transaction, and then take it back to the first machine to complete the transaction.

"Ultimately, I'd rather spend a little more time making a transaction, than have all my Bitcoins stolen," said Stewart.