Lessons Learned from a $67 Million Cryptocurrency Hack
Contents
1
Lessons Learned from a $67 Million
Cryptocurrency Hack
244 Fifth Avenue, Suite 2035, New York, NY 10001
LIFARS.com | (212) 222-7061 | [email protected]
LIFARS
your digital world, secured
2
Executive Summary
$67 million USD worth of bitcoin was stolen from a cryptocurrency-mining marketplace that
connected people in need of computer-processing power to people who have power to spare to
mine for cryptocurrencies. In return, payment was made in bitcoins. Through tactics,
techniques, and procedures, the theft was ultimately linked to Hidden Cobra, a threat actor with
ties to North Korea.
While not too technically advanced, this attack was executed with military precision, taking
advantage of common security weakness found in many startups, resulting in an unprecedent
financial theft.
Attack Methodology
Casing the Joint
The first line of attack was through social engineering. Threat actor pretended to be a
company employee, specifically one of the system engineers. The email mimicked exactly an
invite from the cloud service, Google Docs, and pretended to be a weekly report. Given the
impersonated sender’s actual …
Lessons Learned from a $67 Million
Cryptocurrency Hack
244 Fifth Avenue, Suite 2035, New York, NY 10001
LIFARS.com | (212) 222-7061 | [email protected]
LIFARS
your digital world, secured
2
Executive Summary
$67 million USD worth of bitcoin was stolen from a cryptocurrency-mining marketplace that
connected people in need of computer-processing power to people who have power to spare to
mine for cryptocurrencies. In return, payment was made in bitcoins. Through tactics,
techniques, and procedures, the theft was ultimately linked to Hidden Cobra, a threat actor with
ties to North Korea.
While not too technically advanced, this attack was executed with military precision, taking
advantage of common security weakness found in many startups, resulting in an unprecedent
financial theft.
Attack Methodology
Casing the Joint
The first line of attack was through social engineering. Threat actor pretended to be a
company employee, specifically one of the system engineers. The email mimicked exactly an
invite from the cloud service, Google Docs, and pretended to be a weekly report. Given the
impersonated sender’s actual …
IoC
217.112.130.43
89.34.237.113
96.50.122.135
972AC8E65721EA44AF4612954803A5E803318365
[email protected]
http://anonymousemail.me
http://macintosh.linkpc.net:8080
http://moneymaker.publicvm.com:8080/mainls.cs
http://www.qingpingshan.com/pc/aq/366709.html
89.34.237.113
96.50.122.135
972AC8E65721EA44AF4612954803A5E803318365
[email protected]
http://anonymousemail.me
http://macintosh.linkpc.net:8080
http://moneymaker.publicvm.com:8080/mainls.cs
http://www.qingpingshan.com/pc/aq/366709.html