Gartner Blog Network

Banking Trojan Gangs Set Sights on Bitcoin Exchanges

by Avivah Litan  |  February 21, 2018

Cryptocurrency theft is becoming the ‘saveur du jour’ or ‘flavor of the day’ attack. In 2017, at least four advanced criminal groups shifted resources away from their bank hacking activities and directed them towards hacking bitcoin and cryptocurrency exchanges instead. It’s already working. In January 2018, hackers pulled off the largest crypto heist ever (around $530 million worth) at Japan’s Coincheck exchange. See Coincheck: $530M Cryptocurrency Heist may be Biggest Ever. Last week we learned of the detailed activities of the TrickBot Trojan and its crypto-stealing techniques, as documented by IBM’s X-Force research group. See TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets.

These successful crypto hacks use tried-and-true old techniques like man-in-the-browser, which were first popularized by the Zeus banking Trojan back in 2007. Zeus and its later variants enabled the theft of billions of dollars from unsuspecting bank customers, many of whom were surprised to learn their small business bank accounts were not protected under banking laws.

Zeus and similar malware typically hijack the customer’s browser and inject code into it, so that once the user has authenticated to the bank, the injected code silently alters the transaction and the user ends up unwittingly transferring money to a criminal account rather than the one they intended. We wrote about this technique back in 2009 (see Where Strong Authentication Fails and What You Can Do About It), and recommended in 2011 that banks implement a layered fraud prevention approach to protect their customers. See The Five Layers of Fraud Prevention and Using Them to Beat Malware.
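Because the injected code runs inside an authenticated session, stronger login authentication alone does not stop it; the layered approach instead verifies the transaction itself. The following Python is an added example (not code from Gartner, Zeus research, or any exchange) of two such layers on the server side: an out-of-band confirmation that shows the user the destination the server actually received and binds it to the final execute step with an HMAC, plus a behavioural check on the user’s own transfer history. The key, user names, wallet identifiers and history are all constructed for the demo.

```python
"""Transaction-integrity checks against man-in-the-browser tampering.

Constructed example. Threat model: a script injected into the victim's browser
can rewrite the destination of a transfer before the request leaves the
browser. Two server-side layers catch it:
  1. an out-of-band confirmation that renders, outside the compromised browser,
     the details the *server* received, bound to the execute step by an HMAC
     so nothing can change between confirmation and execution;
  2. a behavioural check that flags first-time beneficiaries and unusual amounts.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: held server-side only


def _canonical(user, dest, amount_cents, nonce):
    """Fixed field order so client and server cannot disagree on what was signed."""
    return f"{user}|{dest}|{amount_cents}|{nonce}".encode()


def _oob_text(dest, amount_cents):
    return f"Confirm transfer of {amount_cents / 100:.2f} to {dest}"


def issue_confirmation(user, dest, amount_cents):
    """Layer 1a: record the transfer exactly as the server received it and build
    the out-of-band message. A destination rewritten in the browser shows up
    here because the text is rendered server-side and delivered on a separate
    channel (SMS, authenticator app), not through the injected page."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, _canonical(user, dest, amount_cents, nonce),
                   hashlib.sha256).hexdigest()
    return {"nonce": nonce, "tag": tag, "oob_message": _oob_text(dest, amount_cents)}


def user_accepts(intended_dest, intended_cents, oob_message):
    """Simulates the user comparing the out-of-band message with what they
    actually typed; a mismatch means the browser changed the request."""
    return oob_message == _oob_text(intended_dest, intended_cents)


def execute_transfer(user, dest, amount_cents, nonce, tag):
    """Layer 1b: the execute request must carry exactly the confirmed details.
    A swap made after confirmation fails the constant-time HMAC comparison."""
    expected = hmac.new(SERVER_KEY, _canonical(user, dest, amount_cents, nonce),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def risk_flags(history, dest, amount_cents):
    """Layer 2: behavioural signals from the user's own transfer history.
    history is a list of {"dest": ..., "amount_cents": ...} records."""
    flags = []
    if dest not in {h["dest"] for h in history}:
        flags.append("new_beneficiary")
    if history and amount_cents > 2 * max(h["amount_cents"] for h in history):
        flags.append("amount_above_2x_historical_max")
    return flags


if __name__ == "__main__":
    history = [{"dest": "wallet-alice", "amount_cents": 5000}]  # constructed
    # Honest session: what the user typed is what the server received.
    conf = issue_confirmation("user-1", "wallet-alice", 10000)
    print("honest accepted:", user_accepts("wallet-alice", 10000, conf["oob_message"]),
          "executed:", execute_transfer("user-1", "wallet-alice", 10000, conf["nonce"], conf["tag"]))
    # Tampered at submit time: the out-of-band text exposes the swapped destination.
    conf2 = issue_confirmation("user-1", "wallet-mule", 10000)
    print("tampered accepted:", user_accepts("wallet-alice", 10000, conf2["oob_message"]))
    # Tampered after confirmation: the HMAC no longer matches.
    print("late swap executed:", execute_transfer("user-1", "wallet-mule", 10000, conf["nonce"], conf["tag"]))
    print("risk flags:", risk_flags(history, "wallet-mule", 50000))
```

The behavioural layer is deliberately simple (unknown beneficiary, amount well above the user’s past maximum); a production system would feed such signals into a risk score that decides whether to step up verification or hold the transfer for review, which is the layered model the post refers to.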

The same recommendations work for the crypto exchanges and processors, but since they aren’t regulated, they have less incentive to protect customer accounts, though most certainly will want to preserve their good reputations so that they can maintain customer trust and retention. In the meantime, crypto hackers are active and ready to attack mainly US, Japanese and UK cryptocurrency exchange customers, according to Diskin Advanced Technologies (DAT), which did a quick scan of the landscape in January 2018. See Figure 1.


Figure 1


DAT is following various criminal groups, as shown in Figure 2, and has identified each group’s stage of readiness and threat level as it relates to attacks against cryptocurrency exchanges across the globe. DAT says that in 2017 these advanced hacker groups shifted considerable resources away from bank hacking into attacking customers using bitcoin and crypto exchanges. In 2018, the groups are continuing these cryptocurrency hack efforts using the same old techniques they have successfully used for over a decade, albeit modified for the specifics of the cryptocurrency exchange websites and servers, and the customer authentication processes they employ.

Figure 2


Retail investors take on lots of risk when they invest in unregulated cryptocurrencies. The best way to minimize security risk is to use a hardware-based ‘cold storage’ wallet like Trezor (which can be purchased on Amazon) and take many precautions not to lose it or the secret passwords and codes used to authenticate to it or to reset wallet passwords if need be. Crypto investors can carefully manage their security risk, but investment risk is a totally different story… why make it worse by slipping on security? In the world of cryptocurrency trading, I certainly wouldn’t count on unregulated exchanges to protect customer assets.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.
