- Cryptocurrency -

Last update 09.10.2017 13:51:50

Introduction  List  Kategorie  Subcategory  0  1  2  3  4  5 

CipherTrace Unveils Crypto-Currency Anti-Money Laundering Solution
5.7.2018 securityweek  Cryptocurrency

Cryptocurrency theft and its use to launder other illegal activity is booming. This has prompted the evolution of a related industry that sits on the borderline of legality (barely legal in some jurisdictions, illegal in others): cryptocurrency money laundering. The laundering of illegally-obtained money may be illegal, but the process used may not be.

CoinMixer is one such service that is advertised on Google Search. It says of its service, "Generally there is no link between the original transactions and the final address of the coins. This process protects your privacy and prevents other people tracing your payments on the internet." While this process can help with possibly legitimate privacy concerns, it is precisely what is required for money laundering.

Menlo Park, Calif. startup CipherTrace is a firm founded on the need for cryptocurrency anti-money laundering (AML), blockchain forensics and enforcement solutions. It aids law enforcement and financial regulators in their investigations, helps enterprises to deploy real-world cryptocurrency transactional systems within regulations, and offers a bitcoin scam and theft asset recovery service.

The CipherTrace Cryptocurrency Anti-Money Laundering Report for Q2, 2018 (PDF) shows the size of the problem; and highlights some of the regulatory discussions happening at international levels. Stolen cryptocurrency alone reached more than $750 million in the first half of 2018 -- which is already nearly three-times the amount stolen in 2017. The report also adds, "The FBI noted that the value of virtual currencies contained in the Internet Crime Center 2017 reports were $58.3M,4 citing cyber actor demands the of ransom payments, typically in virtual currency such as Bitcoin."

All this currency needs to be laundered before it can be safely accessed by the criminals. This is typically done through sites offering mixers, tumblers and chain hopping services. "The more dirty crypto money that goes into the systems and the more it moves around, the harder it becomes for investigators to see through the web of action and trace a path back to the source."

Governments and law enforcement agencies are not ignoring the use of cryptocurrencies to launder illegal gains. At the 5th Annual Europol Virtual Currency Conference, which was held at the Hague in the Netherlands, Jamal El-Hindi of the U.S. Financial Crimes Enforcement Network (FinCEN) reiterated FinCEN's position. "We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws."

The cryptocurrency theft problem that fosters the cryptocurrency laundering industry shows no sign of slowing down. It ranges from the theft of individual wallets, the use of various cryptocurrencies within ransomware extortion, and major thefts from large cryptocurrency exchanges.

"Cybercriminals follow easy money," comments High-Tech Bridge CEO Ilia Kolochenko, "and many cryptocurrency owners are the perfect victims. They are virtually unable to protect either themselves or their digital assets, being susceptible even to relatively simple phishing attacks. Law enforcement is frequently uninterested in investigating and prosecuting petty offences with digital coins theft, as they are already under water with highly-sophisticated nationwide hacks."

He points out that cryptocurrency startups are often ignorant of the fundamentals of cybersecurity, and devote all their efforts and resources to survival in an extremely volatile and highly-competitive market.

"We can almost certainly expect further proliferation of security incidents related to crypto currencies. Attackers have now established impressive infrastructure purposely tailored for large-scale theft and scams with digital coins. Owners of the crypto assets should remain extremely vigilant, maintain all their devices and installed software up-to-date, install at least a free antivirus from a reputable vendor, use two-factor authentication and unique passwords, and never entrust their wallets to any third-parties unless they have a very good reason to utterly trust them."

F-Secure security advisor Sean Sullivan has advocated for a form of 'Know Your Customer' regulation to be applied to cryptocurrency exchanges. "Bitcoin exchange accounts could be required to be tied to a physical address," Sullivan said. Currently it takes just minutes -- or seconds -- to open a Bitcoin account in a third-party market. This requirement would require an activation code that's mailed to you before an account can be opened. While this wouldn't affect criminals who do business out of Russia and China, it would make their attacks far less profitable; and would make the tracking of illegally acquired cryptocurrency by law enforcement considerably easier.

"The exchanges would hate it. But given the hundreds of millions of dollars being extorted every few months, it seems appropriate," Sullivan says. "Barring this or a similar step, exponential growth of malware families delivering these threats seems to be the only other option."

Crooks leverage obfuscated Coinhive shortlink in a large crypto-mining operation
5.7.2018 securityaffairs Cryptocurrency

Crooks leverage an alternative scheme to mine cryptocurrencies, they don’t inject the CoinHive JavaScript miner directly into compromised websites.
Security researchers at MalwareLabs have uncovered a new crypto mining campaign that leverages an alternative scheme to mine cryptocurrencies, differently from other campaigns, crooks don’t inject the CoinHive JavaScript miner directly in compromised websites.

CoinHive also provides an “URL shortener” service that allows users to create a short link for any URL with, the unique difference with similar services is that it introduces a delay so that it can mine Monero cryptocurrency for an interval of time before redirecting the user to the original URL.

The redirection time is adjustable via Coinhive’s settings, this means that the attackers can force visitors’ web browsers to mine cryptocurrency for a longer period.

The experts at Malwarebytes discovered a large number of legitimate websites have been hacked by crooks to load short URLs generated using the CoinHive service through a hidden HTML iFrame. With this trick, attackers aim at forcing visitors’ browsers into mining cryptocurrencies.

“We detected hundreds of new domains, all legitimate websites that were injected with a blurb of hexadecimal code. Once decoded, it shows as an invisible iframe (1×1 pixel) to cnhv[.]co/3h2b2. We believe it is part of the same campaign that was exposed by the folks over at Sucuri at the end of May.” reads the analysis published by Malwarebytes.

"<i frame src="https://cnhv[.]co/3h2b2" width="1" height="1" align="left"></i frame>"
CoinHive JavaScript miner

“The cnhv[.]co domain name is used for what Coinhive calls shortlinks, essentially a way of monetizing on hyperlinks by making visitors’ browsers solve a certain number of hashes before they reach their destination site. When clicking on such a link, you will see a progress bar and within a few seconds, you will be redirected. Crooks are abusing this feature by loading those shortlinks as hidden iframes with an unreasonably high hash count.”

This mining scheme is a novelty in the threat landscape because it doesn’t leverage on the injection of CoinHive’s JavaScript in the compromised websites.

Malwarebytes experts linked this last campaign to the one monitored by Sucuri researchers in May.

The attackers add an obfuscated javascript code into the compromised websites, this code is used to dynamically injects an invisible iframe (1×1 pixel) into the webpage as soon as it is loaded on the web browser.

The webpage then automatically starts mining until the Coinhive short-link service redirects the user to the original URL.

coinhive script 2.png

“In Figure 3 where we made the iframe visible by changing its dimensions, to show that rather than wait for a few seconds before being redirected, users will unknowingly be mining for as long as they stay on the page.” continues the analysis from Malwarebytes.
“Indeed, while Coinhive’s default setting is set to 1024 hashes, this one requires 3,712,000 before loading the destination URL.”
Experts also discovered that cybercriminals are injecting hyperlinks to other compromised websites to trick victims into downloading cryptocurrency miners for desktops that are disguised as legitimate software.

“In this campaign, we see infrastructure used to push an XMRig miner onto users by tricking them into downloading files they were searching for online,” continues the researchers.

“In the meantime, hacked servers are instructed to download and run a Linux miner, generating profits for the perpetrators but incurring costs for their owners.”

Further technical details about the campaign, including the IoCs, are reported in the blog post.

A sample of CryptoCurrency Clipboard Hijackers monitors 2.3 Million Bitcoin addresses
2.7.2018 securityaffairs Cryptocurrency

A sample of CryptoCurrency Clipboard Hijackers discovered this week by BleepingComputer monitors for more than 2.3 million addresses.
Almost any people that have to send cryptocurrency coins use to copy the recipient wallet address into memory from one application and use it to make the transaction.

Crooks’ interest in cryptocurrency continues to grow and new malware was specifically designed to recognize wallet addresses in the memory of infected computers and use it for fraudulent activities, such as the hijacking of transactions.

This family of malware is called CryptoCurrency Clipboard Hijackers, the malware monitors the Windows clipboard for cryptocurrency addresses, and if one is detected, it then replaces the address in the clipboard with the attacker’s one.

With this simple trick when the user pastes the address he will send the coins to the attacker.

In March, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able of detecting when users copy a cryptocurrency address and alter clipboards to steal cryptocurrencies and payments. In June experts from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers, most of the victims are located in Asia, mainly China.
What is the peculiarity of a sample of cryptocurrency clipboard hijackers recently discovered by researchers at Bleeping Computer?

While most of the previous samples monitored for 400-600 thousand cryptocurrency addresses, the sample discovered this week by BleepingComputer monitors for more than 2.3 million cryptocurrency addresses.

CryptoCurrency Clipboard Hijackers

The following video shows how CryptoCurrency Clipboard Hijackers replace cryptocurrency addresses found within the Windows clipboard.

The only way to prevent such kind of attacks is double-checking the pasted address.

The infection was associated with the recent campaign that targeted Windows computers with so-called All-Radio 4.27 Portable malware package.

CryptoCurrency Clipboard Hijackers infection

“If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.” reads a post published by BleepingComputer.

Once the malicious code is installed, a DLL named d3dx11_31.dll will be downloaded to the Windows Temp folder and an autorun called “DirectX 11” will be created to run the library everytime a user logs into the computer.

“This DLL will be executed using rundll32.exe with the “rundll32 C:\Users\[user-name]\AppData\Local\Temp\d3dx11_31.dll,includes_func_runnded” command.”

As usual, let me suggest using an up to date antivirus solution to detect and neutralize these threats.

Hackers Steal $30 Million From Top Seoul Bitcoin Exchange
21.6.2018 securityweek  Cryptocurrency

Hackers stole more than $30 million worth of cryptocurrencies from South Korea's top bitcoin exchange, sending the unit's price falling around the world on Wednesday.

The virtual currency was priced at $6,442 dollars late afternoon in Seoul, down about 4.4 percent from 24 hours earlier, after the latest attack on Bithumb raised concerns over cryptocurrency security.

Hyper-wired South Korea has emerged as a hotbed of trading in virtual units, at one point accounting for some 20 percent of global bitcoin transactions -- about 10 times the country's share of the global economy.

Bithumb, which has more than 1 million customers, is the largest virtual currency exchange in the South.

"It has been confirmed that virtual currencies worth 35 billion won ($32 million) was stolen through late night yesterday (Tuesday) to early morning today," the exchange said in a statement.

All deposits and withdrawals were suspended indefinitely to "ensure security", it said, adding the losses would be covered from the firm's own reserves.

It was the second major attack on South Korean virtual currency exchanges in just 10 days, after hackers stole 40 billion won from Seoul-based Coinrail, which suspended withdrawal and deposits services since then.

Hackers Steal $31 Million from South Korean cryptocurrency exchange Bithumb
21.6.2018 securityaffairs  Cryptocurrency

Just weeks after Korean exchange Coinrail was hacked, the Bithumb crypto exchange was hacked, crooks stole over $30 million in cryptocurrency.
It has happened again, for the second time in a year, the cryptocurrency exchange Bithumb has been hacked.

The South Korean cryptocurrency exchange confirmed that hackers stole 35 billion won ($31.6 million) worth of cryptocurrency between June 19 and June 20.

In response to the incident, the exchange moved all funds to cold wallets and temporarily suspended the deposits and blocked user withdrawals.


[Notice for the temporary suspension of the deposits]
Due to the increasing safety issues, we are changing our wallet system.
Please do not deposit until we notify.
*All deposits are not deposited into your wallet until all changes are completed.

2:49 AM - Jun 20, 2018
56 people are talking about this
Twitter Ads info and privacy


Replying to @BithumbOfficial
*All deposit and withdrawal service will be stopped to make sure the security. We will keep notice you of the restart of the service. We apologize for your inconvenience and thanks for your understanding.

3:04 AM - Jun 20, 2018
179 people are talking about this
Twitter Ads info and privacy
At the time of writing, Bithumb did not reveal any details about the security breach, but it announced that it will cover losses.

“We have noticed that between the last night and today morning, about 35,000,000,000 KRW worth cryptocurrencies have been stolen. However, this loss will be compensated by Bithumb’s own reservoir, and all of our assets are securedly saved in Bithumb’s cold wallet.” reads the security advisory published by Bithumb.

“However, due to implementation enhancement as well as security check on deposit / withdrawal services, cryptocurrency deposit / withdrawal and KRW withdrawal service will be halted for time being and services are thoroughly reviewed.”

Bithumb is one of the top 10 most popular cryptocurrency exchanges, experts noticed that Bitcoin price fell 3 percent following the announcement of the incident.

Bithumb hacked bitcoin price.jpg

This is the second time in a year that Bithumb suffers a security breach, in July 2017 hackers have stolen more than $1 Million in Bitcoin and Ether cryptocurrencies from the accounts of several users of the exchange.

Experts argued that the overall funds stolen at the time were greater than initially thought.

A few weeks ago, another South Korean exchange, Coinrail, announced a cyberheist. Attackers stole over $40M worth of ICO tokens that were maintained in the servers of the exchange.

In December, the South Korea cryptocurrency exchange Youbit shut down after a being hacked two times in a few months.

Does Cryptocurrency Encourage Crime?
20.6.2018 securityaffairs Cryptocurrency

Is cryptocurrency making some wrongdoings harder to commit while making others more rampant in society? Does Cryptocurrency Encourage Crime?
People hear a lot about how cryptocurrency — and particularly the blockchain technology associated with it — could decrease some kinds of crime because it’s so transparent and all transactions become part of an unchangeable record.

However, is cryptocurrency making some wrongdoings harder to commit while making others more rampant in society?

Cybersecurity Firm Says Cryptocurrency Causes Raised Ransom Demands
A cybersecurity firm in the United Kingdom called MWR InfoSecurity believes the increasing demand in the cryptocurrency market contributes to more depth and liquidity. So, people who buy and sell cryptocurrency assets can more easily move enormous amounts of the virtual currency without causing dramatic price fluctuations in those assets.

Representatives of MWR InfoSecurity argue that those conditions make cybercriminals feel emboldened when making larger than usual ransom requests from their victims. They often request cryptocurrency instead of traditional money, and it’s becoming easier for them to up the amounts they demand.

Although cryptocurrency doesn’t necessarily facilitate crimes in these cases, it could urge the criminals to be more devastating to their targets.

Cryptocurrency Connected to Crime Increase in India
The Indian government does not recognize cryptocurrency as legal tender, and it banned banks from providing services to companies that buy and sell virtual currency. That latter decision caused some cryptocurrency exchanges to shut down.

India is not a welcoming country for cryptocurrency users, and that’s likely because when cryptocurrency began taking off in the country, related crimes rose too.

Some of them focused on duping hopeful investors who wanted to get rich with cryptocurrency. Others include crimes connected to malware on cryptocurrency mining machines. Fake cryptocurrency apps and unscrupulous companies appeared as well.

In the majority of cases, criminals likely noticed opportunities because people got excited about a technology about which they knew little.

The perpetrators cashed in on ignorance and often succeeded because their victims were so eager to get involved in cryptocurrency that they took leaps without first getting sufficiently educated.

Criminals commonly prey on people who are desperate, and that’s why the cryptocurrency market is ripe for their misdeeds.

Many individuals view the cryptocurrency market as one filled with promise. Moreover, they read the stories of people who are now millionaires after becoming early cryptocurrency investors. So, some people are more likely than not to get ahead of themselves and become involved in cryptocurrency scams due to not performing adequate research.

Most Online Crimes Involve Cryptocurrency — but Not Always Anonymity
According to some estimates, as much as 99 percent of unlawful online activities have an element of cryptocurrency. Plus, although people on the blockchain can see cryptocurrencies going into various wallets, criminals know it’s not likely law enforcement agencies will link their identities to the wallets.

That lack of identifying information allows them to sell content snatched during data breaches and feel less afraid that they’ll get found out compared to if they were trying to profit from their crimes without the cloak of cryptocurrency.

Further statistics from a recent research paper found that approximately 25 percent of all Bitcoin users have ties to illegal activities and that 44 percent of Bitcoin transactions were connected to crimes.

Regardless of that data, it is foolish for criminals to assume they need not be worried about getting found out if they deal in cryptocurrency crimes. Instances exist of investigators being able to track the IP addresses of cryptocurrency criminals due to those individuals’ carelessness.

Also, a research team discovered there were cases where it was possible to link cryptocurrency transactions with single IP addresses. Through their work, they connected more than 1,000 IP addresses and Bitcoin accounts.

Law Enforcement Agencies Meet the Challenge
The increase in cryptocurrency crime has made police forces around the world realize they cannot afford to let the criminals within the industry remain unchecked. In Europe, an annual conference brings law enforcement personnel and cryptocurrency experts together for a meeting of the minds.

The 2017 gathering attracted over 150 people from around the world. The topics covered included the illegal uses of cryptocurrency, plus legitimate ways to rely on cryptocurrency to reduce crime.

Crime investigators are also using special software that screens cryptocurrency transactions for potential links to things like the black market, theft or drugs. Organizations ranging from the Internal Revenue Service (IRS) to the Drug Enforcement Administration (DEA) are reportedly among the software manufacturers’ clients


Spurring the Evolution of Crime-Solving Techniques
There’s no doubt about the connection between increases in crime and cryptocurrency. The virtual currency makes criminals attempt new offenses facilitated by aspects of the industry at large, such as cryptocurrency mining. The lack of understanding some consumers have about cryptocurrencies only makes them easier targets.

At the same time, law enforcement agencies are stepping up and developing new methods to get to the bottom of crimes and those who commit them.

So, means of fighting crime get updated, and criminals find out their deeds may not stay hidden forever.

Syscoin Github has been breached, hacker replaced Syscoin Windows client with tainted version
16.6.2018 securityaffairs Cryptocurrency

The GitHub account of the Syscoin cryptocurrency was compromised by hackers that replaced the official Syscoin Windows client with a tainted version.
The Syscoin clients allow users to mine Syscoin cryptocurrency or manage Syscoin funds.

Syscoin Windows client

The other versions in the v3.0.4.1 release were not replaced, this means that Mac and Linux clients were not replaced by the hackers.

The tainted version of the Syscoin Windows client contained the Arkei data stealer (aka Trojan:Win32/Feury.B!cl), a malicious code used to steal passwords and wallet private keys.

The Syscoin development team is warning users downloaded the Syscoin Windows client version between June 09, 2018 10:14 PM UTC and June 13, 2018 10:23 PM UTC that their machines might be infected.

“The Syscoin developers found that a malicious, unsigned copy of the Windows Syscoin installer was made available via the Syscoin Github release page on June 9th, 2018 due to a compromised GitHub account. This installer contained malicious code. (Trojan:Win32/Feury.B!cl)” reads the security notice published by the development team.

“The virustotal scan of the malicious file named “re.exe” that is saved to the local temp folder (C:\Users\user\AppData\Local\Temp) upon running the fake installer: https://www.virustotal.com/#/file/b105d2db66865200d1b235c931026bf44428eb7327393bf76fdd4e96f1c622a1/detection“

The Syscoin team discovered the security breach after receiving a warning from users that Windows Defender SmartScreen, AVG and Kaspersky was marking downloads of the Syscoin Windows client as a virus.

The affected executables are:

Syscoin team removed the malicious files and issued a security notice that includes the instructions to determine the installation date:

Right-click on syscoin-qt.exe in C:\Users[USERNAME]\AppData\Roaming\SyscoinCore or view in detailed list mode and make a note of the modified date.
OR go to Settings->Apps and make a note of the installation date.
If the modified/installation date is between June 9th, 2018, and June 13th, 2018, the team suggests users taking the following actions:

Backup any important data including wallets onto another storage medium outside of the affected computer. Treat this data cautiously as it may contain infectious code.
Run an up-to-date virus scanner on your system to remove the threat.
Passwords entered since the time of the infection should be changed from a separate device after ensuring the threat has been removed.
Funds in unencrypted wallets or wallets that had been unlocked during the infection period, should be moved to a newly generated wallet on a secure computer.
The Syscoin team announced additional measures to protect its users and their assets such the usage of two-factor authentication (2FA) for its developers and routine (file signature) checks of the files available for download to detect any modification of the repository.

“We are working with Github to improve the release page experience to provide information regarding the modifying account as well as the last modification date of a release. This would allow users to detect if certain binaries were updated for potentially malicious purposes.” concludes the notice.

“All individuals responsible for Github releases should enable 2FA and ensure they have deterministic signature hashes for files on a regular basis.”

$175 Million in Monero Mined via Malicious Programs: Report
12.6.2018 securityweek  Cryptocurrency

The popularity of crypto-currency malware has been skyrocketing over the past year, and the segment appears to have been highly lucrative for cybercriminals, a new Palo Alto Networks report reveals.

With the number of malware samples ultimately delivering crypto-miners well over the half a million mark, it’s no wonder that miscreants are able to profit from this type of nefarious activity. To these, one can add the JavaScript, or web-based, malicious mining operations, which are highly lucrative as well.

Looking into the proliferation of crypto-mining malware, Palo Alto’s Josh Grunzweig discovered information on around 630,000 malicious samples, 3,773 emails used to connect with mining pools, and 2,995 mining pool URLs.

Over 530,000 malware samples target Monero, roughly 53,000 target Bitcoin, and 16,000 target Cryptonite (XCN), with the rest spread across the remaining currencies. The researcher also identified 2,341 Monero (XMR) wallets, 981 Bitcoin (BTC) wallets, 131 Electroneum (ETN) wallets, 44 Ethereum (ETH) wallets, and 28 Litecoin (LTC) wallets.

Given the clear interest cybercriminals have in Monero, the researcher focused on this virtual coin as well. In addition to the 2,341 Monero wallets extracted from the analyzed sample set, he also managed to determine the mining pools used, and discovered that, of the top ten mining pools used by this malware, all but one allows for anonymous viewing of statistics based off of the wallet as an identifier.

“By querying the top eight mining pools for all 2,341 Monero addresses, I was able to determine exactly how much Monero has been mined historically with a high degree of accuracy. By querying the mining pools themselves, instead of the blockchain, we’re able to say exactly how much has been mined without the fear of the data being polluted by payments to those wallets via other sources,” he notes.

Thus, Grunzweig determined that a total of 798613.33 XMR has been mined to date, representing around 5% of all Monero in circulation. Web-based Monero miners and miners the researcher doesn’t have visibility into aren’t included here.

While half of the 2,341 wallets identified have been unable to generate a meaningful amount of Monero, the remaining batch obtained over $140 million, the researcher estimates. According to Grunzweig, “a total of $175m has been found to be mined historically via the Monero currency.”

1,278 (55%) of the identified wallets earned 0.01 XMR (~$2.20) or more and only a small subset earned a significant (100 XMR or greater) amount of coins. Only 99 wallets (less than 2% of all wallets identified) have received over 1,000 XMR, and 16 wallets (0.68% of all wallets) have obtained over 10,000 XMR.

Looking at the total hashing power, the research revealed the attackers only used 2% of the global hashing power mining the Monero network. At around 19MH/s, the hashrate would result in approximately $30,443 per day being mined.

“To date, the popularity of malicious cryptocurrency mining activity continues to skyrocket. The large growth of malware mining cryptocurrencies is a direct result of a previous spike in value, which has since corrected to a value that is more in line with expectations. As this correction has taken place, only time will tell if cryptocurrency miners will continue in popularity. It is clear that such activities have been incredibly profitable for individuals or groups who have mined cryptocurrency using malicious techniques for a long period of time,” Palo Alto concludes.

Bitcoin Declines After Coinrail Cryptocurrency Exchange Hack
11.6.2018 securityweek Cryptocurrency

Another Bitcoin exchange has been hacked, strengthening concerns over the security of exchanges, and causing a further fall in the value of bitcoins.

Coinrail, a relatively small cryptocurrency exchange in South Korea (but still within the world's top 100 exchanges), confirmed an 'intrusion' over the weekend. On Sunday it tweeted, "There has been a cyber intrusion in our system. We're confirming it and some coins (Pundi X, NPXS) are confirmed."

Commenting on Twitter, @peatrykim claims, "The total hacked coins worth 50mil dollars." A South Korean news outlet, Yonhap, suggests that about 40 billion won ($37.28 million) worth of virtual coins were stolen.

Coinrail said that about 30% of its coins were stolen, but also claims to have blocked most of them before they could be cashed out by the hackers. The remaining 70% are now stored in a 'cold wallet' (that is, off-line) and are thought to be safe.

There is no information yet on how the hack was executed, nor who might have been involved. Coinrail is working with law enforcement.

A statement on its website (Google translation) says, "At present , 70% of your coin rail total coin / token reserves have been confirmed to be safely stored and moved to a cold wallet and are in storage. Two-thirds of the coins confirmed to have been leaked are covered by freezing / recalling through consultation with each coach and related exchanges. The remaining one-third of coins are being investigated with investigators, relevant exchanges and coin developers."

Bitcoin, Ethereum and Ripple, the world's largest cryptocurrencies, all declined approximately 5% or 6% over the weekend. Bitcoin has now declined almost 50% for the year, and approximately 65% from its all-time high in December 2017.

In January 2018, 14 South Korean exchanges adopted measures aimed at better protecting users. "Coinrail is not a member of the group that promotes self-regulation to enhance security," commented Kim Jin-Hwa of the Korea Blockchain Industry Association. "It is a minor player in the market and I can see how such small exchanges with lower standards on security level can be exposed to more risks."

F-Secure security expert Mikko Hypponen echoed this sentiment on Twitter. "We see this regularly. Attackers are moving on from traditional financial targets; from hacking online banks and online stores to hacking crypto exchanges and token wallets. This makes a lot of sense from the attacker's point of view," he tweeted. "Cryptocurrency exchanges are ideal targets for attackers. Small companies with a lot of money. Run by startups, with small security teams and no experience. And if you get in, the loot is already anonymized and untrackable."

Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, also commented on the incident.

"It's one more drop in the ocean of crypto-breaches and it's unlikely to drive any substantially new conclusions or concerns. This Bitcoin drop seems to be a temporary fluctuation, investors are now waiting for some good or bad news," Kolochenko said. "The emerging problem of Bitcoin is its extreme influenceability by third-parties. A well-prepared hacking campaign, targeting top Western media agencies, can virtually ruin Bitcoin after releasing fake news about major breaches and subsequent cryptocurrency ban by major countries. People playing short can make unprecedented profits, however, Bitcoin may ultimately never recover at the end of the day."

South Korean Cryptocurrency Exchange Coinrail hacked, hackers stole over $40M worth of ICO tokens
11.6.2018 securityaffairs  Cryptocurrency

Cryptocurrency Exchange continues to be a privileged target for hackers, news of the day is the hack of the South Korean exchange Coinrail.
The hack has happened during the weekend, on Sunday Coinrail announced the cyberheist. Attackers stole over $40M worth of ICO tokens that were maintained in the servers of the exchange.

The company published a data breach notification on its website that currently appears in maintenance mode.

해킹공격시도로 인한 시스템 점검중입니다. 일부코인(펀디엑스,NPXS)이 확인되었으며 추가적인 코인피해가 있는지 여부를 확인중입니다. 추후 자세한 사항은 재공지하겠습니다 / There has been an cyber intrusion in our system. We're confirming it and some coins(Pundi X, NPXS) are confirmed.

5:19 AM - Jun 10, 2018
63 people are talking about this
Twitter Ads info and privacy
The exchange explained that attackers stole tokens issued during the initial coin offerings (ICOs) of Pundi X (NPXS), NPER (NPER), and Aston (ATX).

“Most notably, the hackers got away with $19.5 million-worth of NPXS tokens that were issued by payment project Pundi X’s ICO. Added to that they scored a further $13.8 million from Aston X, an ICO project building a platform to decentralize documents, $5.8 million in tokens for Dent, a mobile data ICO, and over $1.1 million Tron, a much-hyped project originating from China.” reported TechCrunch.

“That’s according to a wallet address that has been identified as belonging to the alleged attacker, who also got hold of smaller volumes of a further five tokens from Coinrail.”

South Korea is one of the countries with the highest cryptocurrency trading activity, but Coinrail is one of its smaller exchanges operating over there.

According to coinmarketcap.com, the South Korean exchange ranks in world’s top 90 based on trading volume.

After the discovery of the hack, Coinrail immediately put offline its wallets to secure its cryptocurrency assets, it is currently working with the affected ICO companies to freeze the stolen funds.

exchange coinrail hack

Coinrail asked other cryptocurrency exchanges to freeze some of the attacker’s addresses where the coins where transferred.

At the time there is no news about possible compensation for the customers of the exchange, recently Japan’s Coincheck refunded its customers following a cyberheist.

Cryptocurrency Theft Tops $1 Billion in Past Six Months
8.6.2018 securityweek Cryptocurrency

$1.1 billion has been stolen in cryptocurrency thefts over the last six months. This is the visible effect of an illicit dark web market economy which is reportedly worth $6.7 million. That market fuels cryptocurrency thefts from exchanges, businesses, and individuals; and the growing incidence of cryptojacking.

The basic problem is that cryptocurrencies are increasingly popular, which drives up their value. This makes investment popular for both individuals and businesses; and this in turn attracts the criminals. The three most common attacks involve currency-stealing malware (designed to quietly steal the users' wallet content and send it to the attacker); illicit mining (designed to use business infrastructures to mine cryptocurrency for the attacker); and cryptojacking (which is illicit mining targeted at individuals).

A six-month study (PDF) by Carbon Black into how cryptocurrency malware is bought and sold in the dark web has shown an estimated 12,000 dark web marketplaces selling approximately 34,000 offerings related to cryptocurrency theft. Malware offerings range from as little as $1.04 to as much as $1,000, with an average price of $224.

Bitcoin remains the primary cryptocurrency used for legitimate cyber transactions -- but cybercriminals are moving to alternative and more profitable currencies, such as Monero -- which is now used in 44% of all attacks. Cybercriminals are increasingly moving away from Bitcoin (for example, as ransomware payment) because the associated fees are high, and the transactions take too long to process. "These cybercriminals appear to prefer Monero due to privacy, non-traceability and comparatively low transaction fees," says the report.

This applies to both illicit mining and wallet theft. Ethereum is the second most popular criminal currency at 11%, with Bitcoin third at 10%. There is no direct correlation between the popularity of the currency among criminals, and the market capitalization of the currency. At the time the report was compiled, the top three currencies by capitalization were Bitcoin (around $180 billion), Ethereum (around $90 billion), and Ripple (around $40 billion).

Cryptocurrency exchanges are the most vulnerable targets. Carbon Black's research shows that during the period of analysis, 27% of all incidents involved exchanges. Exchanges combine the attraction of potentially large amounts of coin to steal, with user information for follow-on targeting by the same criminals (representing 14% of all crypto-currency related thefts).

In February 2018, Italy's BitGrail lost 17 million units of Nano (XRB) to hackers, valued at around $170 million. Coincheck in Japan had $530 million stolen in NEM (one of the lesser known currencies) in January 2018. In December 2017 South Korean Youbit filed for bankruptcy following two separate hacks -- one in April and one in December.

Just over one-in-five of all attacks are against businesses -- but most of these focus on the deployment of illicit crypto-mining malware where the victim infrastructure is used to quietly mine cryptocurrency. The same approach is also used against government websites, with Carbon Black finding that "nearly 7% of cryptocurrency attacks targeted various governments using the same tactics, techniques and procedures (TTPs) found in private industry attacks." In both cases, all proceeds are directed to the attackers' own wallets.

Closely related to this attack is 'cryptojacking' aimed at individual users. "Our research found that a growing number of websites are either intentionally deploying cryptocurrency scripts or are being used to deliver illicit mining malware to unsuspecting users. This is most commonly referred to as 'cryptojacking', and, even if you aren't being targeted for your own cryptocurrency, there's a chance your endpoint may be abused for someone else's gain."

Carbon Black expects cryptocurrency theft and illicit mining to continue to grow. "These cryptocurrencies represent an alternative and lucrative funding stream, which is especially true for criminals, as well as nation-states desperately seeking to subvert sanctions."

To deter such attacks, Carbon Black urges the use of endpoint protection software. For individuals, it also advises that users should avoid installing untrusted applications or following unfamiliar links; and that an ad-blocker should be used to "reduce the risk of having your device used to harvest cryptocurrency without your consent."

Businesses, urges Carbon Black, should store cryptocurrency in an off-line wallet. "Never," it stresses, "store your cryptocurrency in an online or warm wallet (a dedicated device that must be connected to the internet to make transactions). Cold storage is best."

To demonstrate the size of the problem, the company compares the cryptocurrency losses it found in six months ($1.1 billion) to the total cost of all cybercrime in the whole of 2016 ($1.3 billion -- according to the FBI).

Carbon Black filed for an IPO in April 2018 with plans to sell 8 million shares at $15 to $17. It raised this price to $19 and started trading on the NASDAQ on May 4, raising $152 million. At the time of writing, shares have risen to $26.10.

Hacker stole $1.35 million from cryptocurrency startup Taylor
29.5.2018 securityaffairs Cryptocurrency

Hacker stole $1.3 million from cryptocurrency startup Taylor, the development team will stop the launch of its trading app that was initially planned for this month.
The author of the Taylor cryptocurrency trading app announced a security breach, an unknown hacker has stolen around $1.35 million worth of Ether from the wallets of the company.

The funds were collected by the company through an initial coin offering (ICO) round.

The attack occurred on May 22. the company is still investigating the incident but it believes the culprit is the same hacker that supposedly hacked CypheriumChain stealing more than 17,000 ETH.

According to the experts, the hacker stole funds from multiple companies and moved them in a wallet used as an aggregator, then transferred them to the same wallet (0x94f20ccff70d82d1579d8B11f2985F8dE9B287Cf) involved in the CypheriumChain hack in March .

“Today we arrived at the office and found out that we’ve been hacked and all of our funds have been stolen. Not only the balance in ETH (2,578.98 ETH), but also the TAY tokens from the Team and Bounty pools (more than 7% of the total supply). The only tokens that were not stolen are the ones from the Founders’ and Advisors’ pools, because there’s a vesting contract making them inaccessible for now.” reads the announcement published by the company on Medium.

“We are still investigating, but, as far as we know, the hacker is same person/group that supposedly hacked CypheriumChain (more than 17,000 ETH were stolen). “

The hacker was able to access one of the company devices and then gained the access to one of the 1Password files, the company excluded that attackers used a smart contract exploit.

The only tokens that were not stolen by the attacker are those belonging to the Founders’ and Advisors’ pool because they were held in an inaccessible vesting contract.

The company believes the TAY tokens could be soon exchanged for other cryptocurrencies, for this reason, asked the IDEX platform to temporary suspend the trade the TAY tokens to block the hacker. Such kind of countermeasure could have a dramatic effect on legitimate TAY token owners that will not able to trade their tokens.

Due to the hack, the Taylor team will stop the launch of its trading app that was initially planned for this month.

Someone is speculating this could be an exit scam.

Bitcoin Gold hit by double-spend attack, exchanges lose over $18 million
25.5.2018 securityaffairs Cryptocurrency

An unknown hacker made over $18 Million worth of BTG (Bitcoin Gold) powering “double spend” attacks on the Bitcoin Gold cryptocurrency network.
The attacks started on May 18, the attacker used a large number of servers that allowed him to take the control of the majority of the Bitcoin Gold’s network hashrate, an attack technique dubbed “51% attack.”

Bitcoin Gold ranks as the 26th-largest cryptocurrency, the overall circulating market cap is $827 million.

Bitcoin Gold director of communications Edward Iskra promptly notified the attacks to the users confirming that a malicious miner was using an exploit to steal funds from cryptocurrency exchanges in double-spend attacks. Iskra explained that the victims of the attack were not the end-users, instead the hacker targeted exchanges.

“An unknown party with access to very large amounts of hashpower is trying to use “51% attacks” to perform “double spend” attacks to steal money from Exchanges. We have been advising all exchanges to increase confirmations and carefully review large deposits.” wrote Edward Iskra, Director of Communications.

“There is no risk to typical users or to existing funds being held. The only parties at risk are those currently accepting large payments directly from the attacker. Exchanges are the primary targets.”

The technique allowed the attacker to control the blockchain and modify transactions making possible to spend the same amount of money two times.

The Bitcoin Gold team explained that due to the high cost of such kind of attack, the only way to make profits was to target exchanges to automatically withdraw a large amount of money.

The attacker monetized its effort by transferring large amounts of BTG coins at exchanges and at the same time sending the same amounts to his wallet.

“The cost of mounting an ongoing attack is high. Because the cost is high, the attacker can only profit if they can quickly get something of high value from a fake deposit,” states Bitcoin Gold team. “A party like an Exchange may accept large deposits automatically, allow the user to trade into a different coin quickly, and then withdraw automatically. This is why they are targeting Exchanges.”

With this attack scheme, the hacker was able to withdraw funds before being discovered.

In the attempt of mitigating the attacks, exchanges have raised the threshold needed to confirm a transaction.

“Requiring more confirmations greatly increases safety. Until now, some Exchanges were operating with less than five confirmations required. We have been urging higher limits to prevent such an attack, and urging manual review of large deposits of BTG before clearing the funds for trading.” continues the advisory published by Bitcoin Gold.

“It appears that actions on the part of the exchanges have deterred the attacker, for now.”

The Bitcoin Gold team was able to follow the stolen funds from exchanges to the BTG address GTNjvCGssb2rbLnDV1xxsHmunQdvXnY2Ft, the hacker transferred more than 388,000 BTG coins (roughly $18 million).

BTG double-spend

Even if users are not affected, the attacks could have severe consequences on the exchanges that could end in bankrupt.

According to one of the exchanges involved in the attacks, the mysterious attacker is the same actor that attempted a double-spend attack on the original Bitcoin network in the past.

“One of the targeted Exchanges reported that they strongly believe this attacker attempted to hit them with a double-spend of BTC in the past. In their words, “we are 100% sure that it is the same person, we found many associations between the accounts.” concluded Iskra.

Many users reported in the past few weeks their Macs have been infected with a new Monero Miner
25.5.2018 securityaffairs Cryptocurrency

In the past weeks, many Mac users have been infected with a new strain of Monero miner, the infections confirm the rise of this kind of malware.
According to researchers at Malwarebytes, many Mac users in the past weeks have been infected with a new strain of Monero miner. The owners of the infected Mac systems noticed the presence of a process named “mshelper” had been consuming a lot of CPU power and draining their batteries.

“The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files.” reads the analysis published by MalwareBytes.

“The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.”

Monero Miner

The Mac malware is likely installed by a fake Adobe Flash Player installers, through the downloading from piracy websites, or bait documents specially crafted to trick victims into opening them.

According to the experts, the launcher, the pplauncher file, is kept active by a launch daemon (com.pplauncher.plist), a circumstance that suggests that the dropper had root privileges. The launcher was developed in Golang, it has a relatively large executable file (3.5 Mb).

“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.” continues the analysis published by Malwarebytes.

The launcher creates the miner process mshelper which is installed in the following location:

The miner is an older version of the legitimate and open source mining tool named XMRig.

This malware is not particularly dangerous, but in case the infected system has a problem such as damaged fans or dust-clogged vents it could cause overheating.

“Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” concludes Malwarebytes.

“This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”

Users can manually remove the malware by deleting these two files and rebooting their devices:

/Library/Application Support/pplauncher/pplauncher

Macs Infected With New Monero-Mining Malware
24.5.2018 securityweek  Cryptocurrency

Many Mac users reported in the past few weeks that a process named “mshelper” had been eating up a lot of CPU power and draining their batteries. It turns out that the process is associated with a piece of malware designed to mine for Monero (XMR) cryptocurrency.

Researchers at Malwarebytes have analyzed the mshelper malware and while they haven’t been able to precisely determine how it’s distributed, they believe fake Flash Player installers, malicious documents or pirated software are likely involved rather than some other, more sophisticated, method.

Experts noticed that the launcher, a file named pplauncher, is kept active by a launch daemon (com.pplauncher.plist), which suggests that the dropper likely had root privileges on the compromised system. The launcher was developed in Golang and it’s relatively large (3.5 Mb).

“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs,” explained Malwarebytes’ Thomas Reed.

Once the launcher creates the mshelper process, the compromised device starts mining for Monero cryptocurrency on behalf of the cybercriminals who distribute the malware. The miner itself is a legitimate and open source mining tool named XMRig.

“This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” Reed said.

Based on reports from victims, anti-malware products initially either did not detect the threat at all or they could not completely remove the infection – the malware reappeared after a reboot. Now that news of the malware has spread, security companies have likely updated their products to ensure complete removal.

Alternatively, users can manually remove the malware by deleting these two files and rebooting their devices:


/Library/Application Support/pplauncher/pplauncher

This is not the only cryptocurrency miner delivered recently to Mac users. In February, Malwarebytes reported that a Monero miner had been delivered through malicious versions of applications available through the MacUpdate website.

PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media
14.5.2018 securityaffairs
Virus  Cryptocurrency

Security firm F5 detailed recently discovered campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.
Researchers at security firm F5 recently detected several campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.

In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).

Panda Banker was first spotted in 2016 by Fox-IT, it borrows code from the Zeus banking Trojan and is sold as a kit on underground forums, In November 2017, threat actors behind the Zeus Panda banking Trojan leveraged black Search Engine Optimization (SEO) to propose malicious links in the search results. Crooks were focused on financial-related keyword queries.

The main feature of the Panda Banker is the stealing of credentials and account numbers, it is able to steal money from victims by implementing “man in the browser” attack.

According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.

“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.

“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”

Experts observed a spike in the activity associated with the malware in February when the malicious code was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers are able to spy on user interaction at cryptocurrency accounts.

“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverage the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.


In May, the experts monitored three different Panda Banker campaigns each focused on different countries.

One of them, tracked by F5 as botnet “2.6.8,” had targets in 8 industries in North America, most of the targets (78%) are US financial organizations.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.

Experts discovered that the same botnet 2.6.8 is also targeting Japanese financials as well.

Comparison of the two botnet configurations reveals that when Zeus.Panda is targeting Japan, the authors removed the Content Security Policy (CSP) headers: remove_csp – 1 : The CSP header is a security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an otherwise trusted site.

This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com, Facebook, Twitter, and a couple of two sites.

The third campaign aimed at financial institutions in Latin America, most of them in Argentina, Columbia, and Ecuador, The same campaign also targeted social media, search, email, entertainment, and tech provider as the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.

Malicious package containing Bytecoin cryptocurrency miner found on the Ubuntu Snap Store
13.5.2018 securityaffairs
Virus  Cryptocurrency

An Ubuntu user has spotted a Bytecoin cryptocurrency miner hidden in the source code of an Ubuntu Snap Pack in the Official Ubuntu Snap Store.
An Ubuntu user that goes online with the GitHub moniker “Tarwirdur” has discovered a malware in the source code of an Ubuntu snap package hosted on the official Ubuntu Snap Store, a first analysis revealed that it is a cryptocurrency miner.

The malicious code was able to mine the Bytecoin (BCN) cryptocurrency, the account hardcoded in the malware is “myfirstferrari@protonmail.com.”

The malicious app is 2048buntu, it is a copycat of the legitimate of the 2024 game included as an Ubuntu snap.

2048buntu-game ubuntu snap store

Tarwirdur discovered the app contained a cryptocurrency mining application disguised as the “systemd” daemon, the package also includes an init script that allows gaining boot persistence on the target.

Tarwirdur reported his discovery to the maintainers at the Ubuntu Snap Store team that promptly removed the app. The user also noticed another app uploaded by the same developers and after a check, he discovered it also contained a malicious code and for this reason, it was removed too.

“At least two of the snap packages, 2048buntu and Hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, “pending further investigations“.” states a post published on the website linuxuprising.com.

Currently, it is impossible to establish the number of affected users because the Ubuntu Snap Store does not provide an install count.

The problem is that submitted snaps do not go through a security check, this means that ill-intentioned can upload malicious snap packages to the Ubuntu Snap Store.

A New Cryptocurrency Mining Virus is Spreading Through Facebook
9.5.2018 thehackernews  Cryptocurrency

If you receive a link for a video, even if it looks exciting, sent by someone (or your friend) on Facebook messenger—just don't click on it without taking a second thought.
Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials.
Dubbed FacexWorm, the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware re-packed a few new malicious capabilities earlier this month.
New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.
It is not the first malware to abuse Facebook Messenger to spread itself like a worm.
Late last year, Trend Micro researchers discovered a Monero-cryptocurrency mining bot, dubbed Digmine, that spreads through Facebook messenger and targets Windows computers, as well as Google Chrome for cryptocurrency mining.

Just like Digmine, FacexWorm also works by sending socially engineered links over Facebook Messenger to the friends of an affected Facebook account to redirect victims to fake versions of popular video streaming websites, like, YouTube.
It should be noted that FacexWorm extension has only been designed to target Chrome users. If the malware detects any other web browser on the victim's computer, it redirects the user to an innocuous-looking advertisement.
How Does the FacexWorm Malware Work
If the malicious video link is opened using Chrome browser, FacexWorm redirects the victim to a fake YouTube page, where the user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video.
Once installed, FacexWorm Chrome extension downloads more modules from its command and control server to perform various malicious tasks.
"FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened," the researchers said.
"Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage."
Since the extension takes all the extended permissions at the time of installation, the malware can access or modify data for any websites the user opens.
Here below I have listed a brief outline of what FacexWorm malware can perform:
To spread itself further like a worm, the malware requests OAuth access token for the Facebook account of the victim, using which it then automatically obtains the victim's friend list and sends that malicious, fake YouTube video link to them as well.
Steal the user's account credentials for Google, MyMonero, and Coinhive, when the malware detects that the victim has opened the target website’s login page.
FacexWorm also injects cryptocurrency miner to web pages opened by the victim, which utilizes the victim computer's CPU power to mine Cryptocurrency for attackers.
FacexWorm even hijacks the user's cryptocurrency-related transactions by locating the address keyed in by the victim and replacing it with the one provided by the attacker.
When the malware detects the user has accessed one of the 52 cryptocurrency trading platforms or typed keywords like "blockchain," "eth-," or "ethereum" in the URL, FacexWorm will redirect the victim to a cryptocurrency scam webpage to steal user's digital coins. The targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info.
To avoid detection or removal, the FacexWorm extension immediately closes the opened tab when it detects that the user is opening the Chrome extension management page.
The attacker also gets a referral incentive every time a victim registers an account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.

So far, researchers at Trend Micro have found that FacexWorm has compromised at least one Bitcoin transaction (valued at $2.49) until April 19, but they do not know how much the attackers have earned from the malicious web mining.
Cryptocurrencies targeted by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).
The FacexWorm malware has been found surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain. But since Facebook Messenger is used worldwide, there are more chances of the malware being spread globally.
Chrome Web Store had removed many of the malicious extensions before being notified by Trend Micro researchers, but the attackers keep uploading it back to the store.
Facebook Messenger can also detect the malicious, socially engineered links and regularly block the propagation behavior of the affected Facebook accounts, researchers said.
Since Facebook Spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media site platform.