Dutch cybersecurity experts have linked a significant cryptocurrency theft operation to the notorious Ebury botnet, which has compromised over 400,000 servers over the past 15 years.
According to Slovakian cybersecurity firm ESET, the discovery was made during a 2021 investigation by the Dutch National High Tech Crime Unit (NHTCU). During this investigation, operatives found the Ebury botnet on a server connected to crypto theft activities.
Following this discovery, the Dutch crime unit collaborated with ESET, led by researcher Marc-Etienne Léveillé, who has been studying Ebury for over a decade.
The Ebury operators allegedly used a sophisticated attack method known as adversary-in-the-middle (AitM) to steal cryptocurrency. This method involves the botnet intercepting network traffic to capture login credentials and session information.
“Cryptocurrency theft was not something that we’d ever seen them do before,” Léveillé noted.
The botnet redirects this traffic to servers controlled by the cybercriminals, allowing them to access and steal cryptocurrency from the victims’ wallets. ESET’s report revealed that over 100,000 servers remained infected as of 2023.
Ebury specifically targets Bitcoin and Ethereum nodes, stealing wallets and other valuable credentials. The botnet would take funds once victims entered their credentials on the infected server.
Once a victim’s system was compromised, Ebury would exfiltrate credentials and use them to infiltrate related systems. The report identified a wide range of victims, including universities, enterprises, internet service providers, and cryptocurrency traders.
The attackers also used stolen identities to rent servers and deploy their attacks, making it very difficult for law enforcement agencies to track down those behind this cybercrime operation.
“They’re really good at blurring the attribution,” Léveillé added.
One Ebury operator, Maxim Senakh, was arrested at the Finland-Russia border in 2015 and extradited to the United States. The U.S. Department of Justice charged Senakh with computer fraud, to which he pleaded guilty in 2017. He was sentenced to four years in prison.
While the masterminds behind Ebury remain at large, the NHTCU has indicated that several leads are being pursued.
Cryptocurrency thefts have become increasingly complex over the years. Earlier this month, North Korean hackers used a new malware variant called “Durian” to target at least two cryptocurrency firms. Additionally, a January report from cybersecurity firm Kaspersky revealed malware targeting cryptocurrency wallets on MacOS.
Summary Review: The collaboration between ESET and the Dutch police has shed light on the extensive cryptocurrency theft operations conducted by the Ebury botnet. This botnet, which has compromised over 400,000 servers, employs sophisticated methods to steal Bitcoin and Ethereum from unsuspecting victims. Despite some successes in apprehending individuals involved, like Maxim Senakh, the masterminds behind Ebury remain elusive. As cryptocurrency theft becomes increasingly complex, with new malware variants like “Durian” emerging, the importance of robust cybersecurity measures and international cooperation in combating these threats is more critical than ever. The ongoing efforts of law enforcement and cybersecurity experts will be essential in tracking down the perpetrators and protecting the digital assets of individuals and organizations worldwide.
Disclaimer: Remember that nothing in this article and everything under the responsibility of Web30 News should be interpreted as financial advice. The information provided is for entertainment and educational purposes only. Investing in cryptocurrency involves inherent risks and potential investors should be aware that capital is at risk and returns are never guaranteed. It is imperative that you conduct thorough research and consult with a qualified financial advisor before making any investment decision.
