The Sinister Web of Cybercrime: An Analysis of a Multi-Stage Attack Targeting High-Profile Individuals

Welcome to a world where sophisticated attackers weave their intricate webs, and the boundaries between the digital and physical realms blur. As a cyber security consultant, I’ve seen my fair share of cybercrime investigations, but this one truly stands out.

Our story begins with my client, an international businessman, who finds himself the target of persistent cyberattacks by an international cybercrime syndicate. The mysterious attackers display an unusual level of dedication, even targeting those close to my client to gather more information about him. It is evident that we are confronted with an advanced persistent threat, and I have been providing counsel on this matter to ensure my client’s safety.

As the cyberattacks continue, my client is approached by a group of individuals posing as investors. Their persistence and sophistication are unparalleled – they insist on meeting via Zoom, refusing to use Google Meet or any other platform. After the initial online meeting, they arrange a face-to-face meeting in a popular European city.

During one of these meetings, my client grows increasingly suspicious. The “investors” speak multiple languages fluently, are highly sophisticated, and insist on making every payment in cash, leaving no trace. They ask my client to prove his account ownership by transferring coins to a new wallet and showing the wallet balance, but he prefers to discuss their business and portfolio further. The documents they provide do little to alleviate his suspicions, as they appear fake or unrelated to their purported business.

His instincts prove correct as he manages to escape their clutches and return home. Upon analyzing the situation, he discovers that most of the documents are indeed fake or belong to unrelated persons or organizations, and most importantly, they have no metadata. These “investors” knew how to perform operations without leaving any trace.

My client’s harrowing escape from these attackers leads him to me. We delve deeper into their modus operandi, piecing together the patterns of similar attacks reported by other victims. Their tactics include:

  1. Earning Trust: They present themselves as successful business people and potential investors, establishing a rapport with their targets.
  2. Zoom Meeting: In some cases they compromise their victims’ devices during Zoom calls, possibly using zero-day or one-day exploits. Even if they fail at this step, they do not give up.
  3. Face-to-Face Meetings: During face-to-face meetings, the attackers analyze the victim’s device and force them into transferring funds and displaying their account balance to verify asset ownership. This sets the stage for subsequent exploitation. If the first meeting does not grant them the desired access, they arrange a follow-up within a few days, fostering an environment conducive to exploitation.

We were able to establish that these cybercriminals have been active since at least the beginning of 2022, and possibly earlier. Between 2020 and 2022, there were other reports of similar attacks, in which the attackers attempted to drug the victims and seize their devices. While it wasn’t possible to confirm whether these attacks are connected, it is conceivable that drugging could be the fourth step in their strategy.

Lastly, the ultimate objective of these attackers is to pilfer funds, and they have been successful in stealing a significant amount in the past, including a case where they stole funds worth 4,000,000 million dollars. However, the exact method employed to do so remains unknown.

With no obvious backdoor in the targeted wallets (Exodus, Trust, and Jaxx) or devices (different iOS models, Android devices, and Mac computers), we are left with only theories on how these attackers successfully stole the funds.

However, it is worth mentioning that the Jaxx wallet had a known vulnerability, which might have been exploited by the attackers. Even so, it does not explain the whole case.

One such theory involves sending a malicious document that alters the device’s configuration, allowing the wallet app to display the account seed alongside the coin balance. The attackers then take a photo and exfiltrate the seed, gaining access to the victim’s funds.

However, there is no definitive evidence to confirm this theory, and some reports indicate that the device that received the malicious document was not the same device that held the wallet.

Initially, I hypothesized that the attack could involve HID (human interface device) exploitation or eavesdropping, as the attackers would need proximity to the target device and knowledge of its model.

This harrowing investigation proves that relying solely on known attack vectors is not enough. Security is a culture that must be ingrained in every aspect of our lives, both digital and physical. It is crucial to remain vigilant and prioritize cyber security to protect ourselves from the ever-evolving threats lurking in the shadows.

Stay safe, and remember, cyber security is not just a tool – it’s a culture.

Some other related sources:

The artwork in this blog post is created by Josan Gonzalez.