Hackers targeting crypto exchanges with spear-phishing have stolen over $200m

CryptoCore, believed to be operating out of Eastern Europe, has managed to infiltrate several crypto exchanges around the world

A report shared with news outlet, ZDnet, has revealed that an organised group of hackers are believed to be operating out of Eastern Europe, and have stolen over $200 million from online cryptocurrency exchanges.

The Research Team Leader of ClearSky, Or Blatt, said that the group has been active since 2018. ClearSky, a cybersecurity firm, has been tracking the activities of the hackers carried out under the pseudonym CryptoCore.

Blatt explained that their team had managed to link CryptoCore to five successful hacks; however, they have also seen the group target an additional 10to 20 cryptocurrency exchanges as well.

The five confirmed victims of the hackers are located in Japan, the US  and the Middle East. Due to non-disclosure agreements, Blatt was unable to disclose the names of these victims.

ClearSky says some of CryptoCore’s operations have previously been documented in isolated reports that have identified the group as “Dangerous Password” and “Leery Turtle [PDF]”. The Israeli security firm says that the group’s operations have been more widespread than documented.

However, despite having been in operation for nearly three years, ClearSky says that the group has stuck to using the same tactics consistently, with minimal variation in their attacks.

According to ClearSky, all their attacks begin with an information-gathering stage, where they collect the necessary details to target an exchange’s IT staff, management and other relevant employees. The first phishing attacks always start against personal email accounts rather than the corporate ones, since these are most likely to be less secure. Some accounts also contain business information.

From here, CryptoCore operators eventually move to also target business accounts. This takes a matter of hours to weeks.

“It’s a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange’s executive,” ClearSky said.

Spear-phishing is usually carried out by hackers masquerading as a high-ranking employee from the target organisation with connections to the targeted employee.

The end goal of the group is to plant malware on an employee or manager’s computer, which will enable them to gain access to a password manager account. From here, the hackers use these passwords to access accounts and wallets, disable authentication systems and begin the transfer of funds out of the exchange’s hot wallets.

CryptoCore has now become the second known organised group to repeatedly target crypto exchanges in the last three to four years.