This article was published on October 31, 2018

Hackers launch cunning affiliate scheme to incentivize Bitcoin ransomware

The hackers sought ransoms as large as $8,000



Researchers have unearthed a new cryptocurrency ransomware scheme that implicates a group of Russian-speaking hackers in stealing large sums of Bitcoin from unsuspecting victims – and laundering the stolen funds on an obscure cryptocurrency gambling site.

The cunning scheme, dubbed Kraken Cryptor (not to be confused with popular exchange desk Kraken), was discovered by security experts from Insikt Group and McAfee.

The malicious service was first spotted in the wild in August 2018, but it got the attention of experts after it was disguised as legitimate antivirus software and distributed from the compromised website of SuperAntiSpyware. Kraken Cryptor has also previously been linked to the notorious Fallout exploit kit.

The researchers note that – contrary to regular ransomware, which is usually sold on a one-time basis – Kraken Cryptor relies on an affiliate program that incentivizes participants to spread the virus by offering them a cut of the Bitcoin ransom payments.

This technique, commonly known as ransomware-as-a-service (RaaS), is especially popular among dark web users. The research notes that the Kraken Cryptor affiliate program exclusively uses Bitcoin as its ransom currency. The ransom amounts tend to range from around $500 (0.075BTC) to $8,000 (1.25BTC).

The researchers have been able to trace the stolen cryptocurrency back to a little-known Bitcoin casino, BitcoinPenguin. The experts speculate the hackers have opted for BitcoinPenguin due to its non-existent identity verification procedures, which make it a perfect money-laundering tool.

What’s particularly fascinating is how well-organized the operation appears.

Kraken Cryptor requires all potential affiliate partners to pay $50 per payload and offers no refunds; its program also reserves all rights to reject any member or candidate without any explanation – at any point. In return, affiliates are promised 80 percent of the paid ransom.

While the hackers conducted most of their business on Russian dark web forums, the researchers’ analysis of their nationality is inconclusive at best. The study notes that the hackers spoke Russian and English, but often made mistakes in both; this suggests the attackers were native speakers of neither English nor Russian.

Interestingly, the hackers forbid affiliate partners from targeting a bunch of countries from the former Soviet bloc; the list includes: Armenia, Azerbaijan, Belarus, Estonia, Georgia, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

The total amount of funds stolen as a result of Kraken Cryptor remains unclear, but reports suggest cryptocurrency thieves have duped naive users out of nearly $1 billion in 2018 alone.
