Last week, ESET, a cybersecurity company based in Slovakia, in collaboration with the Dutch police, revealed a significant cryptocurrency theft associated with the infamous Ebury botnet. Over the course of the past 15 years, this botnet has infiltrated more than 400,000 servers, posing a substantial threat to the cybersecurity sector.
According to a report released by ESET on May 14, the incident involving the Ebury botnet was initially discovered during an investigation conducted by the Dutch National High Tech Crime Unit (NHTCU) in 2021.
Ebury Botnet Operators Used AitM Attack to Steal Funds
Investigators discovered that the cybercriminals were engaged in a string of cryptocurrency thefts, with a focus on Ethereum and Bitcoin nodes. The Dutch police revealed that operators of the botnet pilfer assets from the wallets of unaware users when they input their credentials on compromised servers.
Dating back to at least 2009, the Ebury botnet serves various purposes, including deploying additional malware, profiting from the botnet through modules like web traffic redirection, acting as a proxy for spam traffic, executing adversary-in-the-middle (AitM) attacks, and providing a platform for supporting malicious infrastructure.
AitM attacks involve intercepting and potentially altering communication between two parties without their knowledge.
From February 2022 to May 2023, the Ebury botnet compromised over 200 AitM attack targets across 75 networks in 34 countries. It illicitly obtained cryptocurrencies, credentials, and credit card details, amassing significant sums of money over the period.
The credentials captured through these AitM attacks give the cybercriminals access to the victims' wallets, allowing them to pilfer funds directly or to use the compromised systems to mine cryptocurrency, diverting computing resources from unsuspecting victims. The botnet's ability to evade detection for extended periods enables it to sustain its operations, gradually accumulating substantial amounts of cryptocurrency over time.
Crypto Theft on the Rise
The Ebury botnet's broad reach has positioned it as a prime vehicle for orchestrating large-scale cryptocurrency theft, a category of crime that is rapidly escalating.
PeckShield’s data underscores this trend, revealing that $336.8 million worth of cryptocurrency funds were pilfered in the first quarter (Q1) of 2024. Additionally, the Certik Hac3d Report unveiled even more alarming statistics for Q1 2024, with losses exceeding $500 million due to cryptocurrency theft. This represents a significant 54% surge compared to the corresponding period in 2023, which witnessed losses totaling approximately $326 million.
Of particular concern, Certik’s report emphasized the severity of January 2024, during which $193 million was siphoned off in 78 separate incidents. Notably, compromises of private keys were a major contributor, resulting in the loss of $239 million across just 26 incidents.
These breaches, targeting the unique keys that grant access to individuals’ cryptocurrency holdings, accounted for nearly half of all financial losses, despite comprising only 11.7% of all reported security breaches.