News
Dutch police have traced a cryptocurrency theft to one of the world’s worst botnets
After years of hacking servers to swindle millions of dollars, the infamous Ebury malware gang slipped into the shadows in 2021. Suddenly, it reemerged with a bang.
The new evidence emerged during a police investigation in the Netherlands. A cryptocurrency theft had been reported to the Dutch National High-Tech Crime Unit (NHTCU). On the victim’s server, the cyber cops found a familiar enemy: Ebury.
The discovery revealed a new target for the botnet. Ebury had diversified into stealing Bitcoin wallets and credit card details.
The NHTCU requested assistance from ESET, a Slovakian IT security business. The request reopened a case that Marc-Etienne Léveillé had been investigating for over a decade.
In 2014, the ESET researcher co-authored a white paper on the botnet’s operations. He called Ebury the “most sophisticated Linux backdoor his team has ever seen.”
Cybercriminals use Ebury as a powerful backdoor and credential stealer. After entering a server, the botnet can also distribute additional malware, redirect web visitors to fraudulent ads, and run proxy traffic to send spam. According to US officials, the operation fraudulently generated millions of dollars in revenue.
“It’s very well made and they’ve managed to stay under the radar for so many years,” Léveillé tells TNW.
A year after ESET’s original article was published, an alleged Ebury operator was arrested in Finland. His name was Maxim Senakh. Finnish authorities then extradited the Russian citizen to the United States.
The 41-year-old eventually pleaded guilty to a reduced set of computer fraud charges. In 2017 he was sentenced to almost four years in prison.
In a press release, the US Department of Justice said Ebury infected “tens of thousands” of servers around the world. Yet that was only a fraction of the total.
Hello ESET honeypots
As Senakh’s trial progressed, ESET researchers used honeypots to track Ebury’s next moves. They found that the botnet was still growing and receiving updates. But their detective work didn’t stay hidden for long.
“It became increasingly difficult to make honeypots undetectable,” explains Léveillé. “They had many techniques to see them.”
A honeypot reacted strangely when Ebury was installed. The botnet operators then abandoned the server. They also sent a message to their opponents: “Hello ESET honeypot!”
Ebury offenders located a honeypot. Credit: ESET
As that case cooled, another one developed in the Netherlands.
By the end of 2021, the NHTCU had given ESET another lead. Working together, the cybercrime unit and the cybersecurity firm investigated Ebury’s development.
“The botnet had grown,” says Léveillé. “There were new victims and even bigger accidents.”
ESET currently estimates that Ebury has compromised around 400,000 servers since 2009. In a single incident last year, 70,000 of a hosting provider’s servers were infected with the malware. At the end of 2023, over 100,000 servers at one hosting provider were still compromised.
Some of these servers have been used for credit card and cryptocurrency theft.
The botnet comes for Bitcoin
To steal the cryptocurrency, Ebury used an adversary-in-the-middle (AitM) attack, a sophisticated phishing technique used to access login credentials and session information.
Applying AitM, the botnet intercepted network traffic from interesting targets within data centers. The traffic was then redirected to a server that captured the credentials.
The hackers also exploited servers that Ebury had previously infected. When these servers are in the same network segment as the new target, they provide a platform for spoofing.
Among the profitable targets were Bitcoin and Ethereum nodes. Once the victim entered the password, Ebury automatically stole the cryptocurrency wallets hosted on the server.
Dutch police uncovered Ebury’s trail of cryptocurrency wallets. Credit: ESET
AitM attacks provided a powerful new method to quickly monetize the botnet.
“Cryptocurrency theft was not something we had ever seen done before,” says Léveillé.
The Dutch investigation continues
The variety of Ebury victims also grew. They now span universities, small businesses, large enterprises and cryptocurrency traders. They also include Internet Service Providers, Tor exit nodes, shared hosting providers, and dedicated server providers.
To hide their crimes, Ebury operators often use stolen identities to rent server infrastructure and conduct their attacks. These techniques lead investigators in the wrong direction.
“They’re really good at confusing attribution,” Léveillé says.
The NHTCU found further evidence of obfuscation. In a new ESET white paper, the Dutch crime unit highlighted several anonymization techniques.
Ebury’s fingerprints often turned out to be false, the NHTCU said. The tracks often led to (seemingly) innocent people.
The operators also used nicknames and credentials of known cybercriminals to throw investigators off the trail. On a seized backup server, the NHTCU found a complete copy of an illicit website with logins collected by other scammers.
“So the Ebury group not only benefits from the theft of already stolen login credentials, but is also able to use the credentials of the cybercriminals who steal them,” Dutch police said.
“As a result, they can create a ‘cybercriminal cover’ that points in different directions from them.”
Despite these red herrings, the NHTCU says “several promising digital identities” are being actively pursued. Léveillé, meanwhile, takes another break from his 10-year investigation.
“It’s not closed, but I’m not sure there are people behind it,” he says. “This is still an unknown, at least for me.”
How Ether Spot ETF Approval Could Impact Crypto Prices: CNBC Crypto World
CNBC Crypto World features the latest news and daily trading updates from the digital currency markets and gives viewers a glimpse of what’s to come with high-profile interviews, explainers and unique stories from the ever-changing cryptocurrency industry. On today’s show, Ledn Chief Investment Officer John Glover weighs in on what’s driving cryptocurrency prices right now and how the potential approval of spot ether ETFs could impact markets.
Miners’ ‘Capitulation’ Signals Bitcoin Price May Have Bottomed Out: CryptoQuant
According to CryptoQuant, blockchain data shows signs that the Bitcoin mining industry is “capitulating,” a likely precursor to Bitcoin hitting a local price bottom before reaching new highs.
CryptoQuant analyzed metrics for miners, who are responsible for securing the Bitcoin network in exchange for newly minted BTC. As outlined in the market intelligence platform’s Wednesday report, multiple signs of capitulation have emerged over the past month, during which Bitcoin’s price has fallen 13% from $68,791 to $59,603.
One such sign is a significant drop in Bitcoin’s hash rate, the total computing power that backs Bitcoin. After hitting a record high of 623 exahashes per second (EH/s) on April 27, the hash rate has fallen 7.7% to 576 EH/s, its lowest level in four months.
“Historically, extreme hash rate drawdowns have been associated with price bottoms,” CryptoQuant wrote. In particular, the 7.7% drawdown is reminiscent of an equivalent hash rate drawdown in December 2022, when Bitcoin’s price bottomed at $16,000 before rallying over 300% over the next 15 months.
This latest hash rate drop follows Bitcoin’s fourth cyclical “halving” event in April, which cut the number of coins paid out to miners in half. According to CryptoQuant’s Miner Profit/Loss Sustainability Indicator, this has left miners “mostly extremely underpaid” since April 20, forcing many to shut down mining machines that have now become unprofitable.
CryptoQuant said that miners faced a 63% drop in daily revenue after the halving, when both Bitcoin block rewards and transaction fee revenues were much higher.
During this time, Bitcoin miners were seen moving coins from their on-chain wallets at a faster rate than usual, indicating that they may be selling their BTC reserves. “Daily miner outflows reached their highest volume since May 21,” the company wrote.
Amid sales by Bitcoin miners, whales and national governments, Bitcoin’s price drop in June also hurt Bitcoin’s “hash price,” a metric of Bitcoin miner profitability per unit of computing power.
“Average mining revenue per hash (hash price) continues to hover near all-time lows,” CryptoQuant wrote. “Hashprice stands at $0.049 per EH/s, just above the all-time low hashprice of $0.045 reached on May 1st.”
By Ryan-Ozawa.
US Congressman French Hill Doubles Down on Trump’s Pro-Crypto Stance
US lawmaker French Hill has noted that Donald Trump will take a more pro-crypto approach than the current administration. The run-up to the presidential election has seen cryptocurrencies become an issue with lawmakers making huge statements ahead of the polls. Donald Trump has also been reaching out to the industry, making a pro-crypto case.
French Hill Backs Trump’s Pro-Crypto Stance
Republican Congressman French Hill has explained the type of cryptocurrency regulatory framework he believes Donald Trump could adopt in the country. In a recent interview with CNBC, French Hill said that the recently passed FIT21 bill is the type of regulatory framework the Trump administration will adopt in the sector.
#FIT21 passed the House with 71 Democratic votes, it’s exactly the kind of digital asset regulatory framework former President Trump would support if re-elected.
See more on @SquawkCNBC🔽 photo.twitter.com/ceTmU4LApU
— French Hill (@RepFrenchHill) July 3, 2024
The FIT21 bill is intended to protect investors and consumers in the market by establishing clear rules and powers for the various regulators in the sector. According to Hill, Trump will adopt it because it directs the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) on the specific regulatory framework needed in the market.
“… for people who are innovating and starting a crypto token, a related business, custody of those assets, how to ensure consumer protection, so I think that framework is the right approach and that’s what I’m going to recommend to the President to pass, which is that we have not passed it between now and the end of this Congress.”
He also called Trump an innovative and pro-growth president in financial matters.
Cryptocurrency is going mainstream
This election cycle saw the cryptocurrency industry taking a place in mainstream issues following broader adoption across demographics. From candidates moving toward enthusiasts to recent pro-Congress legislation, cryptocurrencies have become a rallying point for officials. The U.S. regulatory landscape has been criticized for stifling growth due to frequent SEC lawsuits. This has led executives to push for pro-cryptocurrency laws and raise money for pro-industry candidates.
David is a financial news contributor with 4 years of experience in Blockchain and cryptocurrency. He is interested in learning about emerging technologies and has an eye for breaking news. Keeping up to date with trends, David has written in several niches including regulation, partnerships, cryptocurrency, stocks, NFTs, etc. Away from the financial markets, David enjoys cycling and horseback riding.
US Court Orders Sam Ikkurty to Pay $84 Million for Cryptocurrency Ponzi Scheme
A federal court has ordered Jafia LLC and its owner, Sam Ikkurty, to pay nearly $84 million to cryptocurrency investors after ruling that the company was operating a Ponzi scheme.
The ruling, issued by Judge Mary Rowland in the U.S. District Court for the Northern District of Illinois, follows a lawsuit filed by the Commodity Futures Trading Commission (CFTC) in 2022 after the fund collapsed.
Judge Rowland found that Ikkurty, based in Portland, Oregon, made numerous false claims about his company’s hedge funds.
These included misleading statements about his trading experience and the promise of high and stable profits. Instead, Ikkurty used funds from new investors to pay off previous investors, a hallmark of a Ponzi scheme.
The Ponzi Scheme
The court found that Ikkurty misappropriated investment funds for personal use without the knowledge of the investors. These funds were used for personal use and were reported as fraudulent investments, causing significant financial losses to customers.
This non-transparent operation violated Transparency Commission regulations, which led to the imposition of a hefty fine to compensate defrauded investors and restore some public confidence in the financial system.
Judge Rowland emphasized that fraudulent activity such as this violates the law and undermines the integrity of modern financial markets. The $84 million award seeks to address the financial harm inflicted on investors and reinforce the importance of legal compliance in cryptocurrency trading.