Be wary! Bitcoin is rallying, and three new scams are emerging…

As the old saying goes, fame brings a person trouble just as fattening brings a pig the knife. With the recent recovery of the cryptocurrency market, the criminals who had lain low for a while have crawled back out of the woodwork.

This time the criminals are attacking even more fiercely. They have not only studied the psychology of investors but also raised the technical sophistication of their fraud. A new wave of scams has arrived; have you escaped it?

Bitcoin has recently ushered in its own spring: its price has rebounded strongly, all the way to $8,000. And that is not all. According to a forecast by the Canadian investment bank and wealth management firm Canaccord Genuity, this Bitcoin bull market is not temporary, and prices will reach a new peak within the next two years.

In a bull market, it is not only the investors who tighten their belts and pile into cryptocurrency whose hearts are singing. The criminals who lay low during the crypto winter are also eager to try their luck and revive the old business of Bitcoin crime. In the not-so-distant past, Ponzi-style ICOs of worthless tokens and fake cryptocurrency exchanges were the usual tricks by which operators in the cryptocurrency industry fleeced investors.

Now these scams have many new tricks. Criminals have introduced malware to raise the technical content of their fraud. Below we use examples to analyze three new scams.

Bitcoin scam that pushes ransomware

In late May 2019, security researchers noticed that a piece of ransomware was being spread on a large scale. It was disguised as a legitimate "Bitcoin Collector" application, but in reality it stole personal information.

The criminals promise that users simply need to run the software to easily earn $15-30 worth of Bitcoin, with no additional conditions.

In addition, the criminals promise that users need only share a personal invitation link, and once it has brought 1,000 new users to the site they will receive 3 Ethereum (ETH), valued at $735.

The fraudulent website

It is almost impossible to earn cryptocurrency rewards with so little effort, but users find it hard to resist such pie from the sky, so they take the bait. Clicking the Continue button takes the user to the download link for the Bitcoin Collector app.

To enhance the credibility of the scam and dispel users' doubts, the download page shows a link to the malware analysis service VirusTotal, supposedly proving that Bitcoin Collector is clean and harmless. Of course, this fictitious security test is there only to fool people.

After clicking the download link, the user automatically downloads a ZIP archive. It extracts to many files, among them a binary called BotCollector.exe, which users must run to get their Bitcoin reward.

In fact this file is a Pandora's box: it launches an application called "Freebitco.in – Bot" and triggers the final malware.

In most cases what is triggered is a ransomware strain called Marozka Tear. It searches the victim's host for personal files and encrypts them into a .Crypted format, then leaves the victim a ransom note telling them to pay a ransom to receive further instructions on how to recover the data.

The routine is exactly that of WannaCry, the ransomware that ravaged the world in 2017. Fortunately for victims, though, this ransomware is based on the notorious open-source ransomware Hidden Tear, and the well-known researcher Michael Gillespie has already released a decryptor for it. In other words, victims do not need to pay a ransom to get their data back.

Security researchers have released a decryption toolset for Hidden Tear

Other victims are not so lucky: Bitcoin Collector may instead trigger Baldr, a malware that steals victim information. Once Baldr is running, it connects to the criminals' C2 server and waits for instructions on which information to steal from the victim's host.

Baldr is very capable at stealing information. It can steal website login records and browser history from the victim's host; in addition, it can steal files of any format and even capture screenshots of the current screen.

A Trojan of this kind is a powerful attack; next to Baldr, the Marozka Tear ransomware pales in comparison.

Using YouTube videos to spread Bitcoin scams

Another group of criminals, active on YouTube, has its eye on users who want fast and easy access to cryptocurrency.

The criminals advertise a program called Bitcoin Generator in YouTube videos, claiming it lets users earn Bitcoin easily. Unlike the MLM-style referral scheme described above, this scam relies mainly on YouTube videos for distribution. In the videos, the criminals call the Bitcoin Generator the best investment opportunity ever and give a download link for the software.

These claims are nothing but a smokescreen. Clicking the link downloads a Trojan called Qulab, whose core component is hosted on the encrypted cloud storage platform pCloud.

The Trojan is buried in the video's description:

Once the user clicks through from these videos, they land on a Setup.exe file:

When the Qulab Trojan is activated, it thoroughly scans the host. Qulab loves to steal login credentials (that is, account names and passwords) for websites and gaming platforms (such as Steam and the gaming voice-chat software Discord) from the victim's host. It also searches the FileZilla FTP client for saved authentication data, steals browser cookies (that is, browser session data), and steals cryptocurrency wallet information.

One of Qulab's most frightening features is that it can tamper with the Windows clipboard: it monitors what the victim copies to the clipboard and may silently alter it.

You may feel there is nothing to worry about, but for a cryptocurrency user the clipboard is an Achilles' heel.

Imagine you need to initiate a cryptocurrency transaction. You will most likely not type in a payee address of twenty or thirty meaningless characters by hand; you will usually copy and paste it. When Qulab detects that you have copied a cryptocurrency address, it silently replaces it with an address controlled by the criminals. If you do not check carefully, your transaction amounts to paying the criminals for an expensive lesson.
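As an added example (not code from the original article), the following Python shows the check a careful user or wallet front end can make before sending: it verifies the Base58Check checksum of a legacy Bitcoin address and compares what the clipboard holds against the address the user meant to copy, so that a valid but different address is flagged as a substitution rather than silently accepted. The attacker address in the demo is constructed from a made-up hash, not a real indicator; `check_payee` and `ATTACKER` are names chosen here.

```python
import hashlib
from typing import Optional

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(payload: bytes) -> str:
    """Encode version byte + 20-byte hash160 as a Base58Check address."""
    raw = payload + _checksum(payload)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes -> '1'
    return "1" * pad + digits

def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload if the checksum matches, else None."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return None  # wrong length: truncated or padded
    payload, checksum = raw[:21], raw[21:]
    return payload if checksum == _checksum(payload) else None

def check_payee(intended: str, clipboard: str) -> str:
    """Classify what is about to be pasted into the 'send to' field.
    intended:  the address the user read from the invoice and meant to copy
    clipboard: what the clipboard actually holds at paste time"""
    if clipboard == intended:
        return "ok"
    if base58check_decode(clipboard) is None:
        return "invalid"      # corrupted address; the wallet would reject it
    return "substituted"      # valid address, but not the one the user copied

# Constructed demo: a made-up hash160 stands in for the attacker's key.
ATTACKER = base58check_encode(b"\x00" + b"\x42" * 20)
GENUINE = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # Bitcoin genesis block address
```

Comparing the full string rather than just the first and last few characters matters, because a substituted address is itself well formed and passes every checksum a wallet applies.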

The takedown of a major coin-mixing service has made life harder for criminals

With criminals this brazen, are governments doing nothing? Not at all. Law enforcement took aim at the money laundering that follows a successful scam and struck precisely there.

In May 2019, the Dutch Financial Intelligence and Investigation Service (FIOD), working closely with Europol and the Luxembourg authorities, took down BestMixer.io, one of the world's largest Bitcoin mixing services. The success of the operation owed much to a nearly year-long investigation by Dutch law enforcement in cooperation with McAfee.

We all know that cryptocurrencies like Bitcoin do not offer true anonymity; strictly speaking they are only pseudonymous, so law enforcement can find criminals by tracing the flow of coins.

As the Western saying goes, the best place to hide a leaf is a forest, and the best place to hide a drop of water is the sea. In the same way, criminals often use mixing services to blend the transfer of their ill-gotten gains into a large number of cryptocurrency transactions, hiding the source of the money and confusing regulators' view.

According to reports, the mixing service BestMixer.io had a turnover of 200 million US dollars since its launch in May 2018, and according to law enforcement's findings a large part of that sum was money of dubious origin.

In this anti-money-laundering operation, law enforcement seized a total of six servers used to provide the mixing service, cutting off a channel criminals used to launder money. One can imagine the criminals are now frantic: their wealth has become a hot potato, and they urgently need a new mixing service to move it through.

How to protect yourself from Bitcoin fraud

Bitcoin fraud is currently very serious. I strongly recommend that institutional investors and ordinary users alike strictly review the reputation of the counterparty before deciding on a trading strategy or taking part in any high-return blockchain investment, read the investment contract carefully to identify potential risks, and, where possible, seek advice from professionals in the industry.

For the average user, the various Bitcoin "generators" and "collectors" that promise instant returns usually have no sound business model behind them, so they are most likely ransomware and spyware in disguise.

Companies should avoid investing in Bitcoin projects that promise high profits and quick returns, as these are typical features of ICO exit scams and cryptocurrency fraud.

All in all, when faced with temptation, remember that pie does not fall from the sky: high returns must mean high risk. If a cryptocurrency investment looks too good to be true, the best investment strategy is to stay away from it.

Author | David Balaban

Compilation | Guoxi

Produced | Blockchain Base Camp (blockchain_camp)