»Protecting the Bank in Your Pocket - Ukraine Crypto Edition«
2019-05-17, 16:00–16:40, Main Hall

Abstract: Come get an inside sneak peek how Coinbase Security utilizes innovative detection techniques and threat intelligence capabilities to help keep its users and the entire cryptocurrency community safe. We will focus specifically on what Coinbase Security is doing to track major financial actors and protect users in the Ukraine region, a hotbed for crypto theft, and how we are working with top notch law enforcement entities to help take the fight to the bad guys.

Agenda: Team Introduction/Background Coinbase Intelligence - Building a Security Abuse System from Scratch Case Studies: ElectroHunt, Google Ads, Crypto Phishing en masse (from UA) Coinbase in Ukraine (how we can help secure, goals, adoption) * Conclusion

The cryptocurrency hype train has slowed down a bit among civilians, however, criminals are still suffering greatly from the “crypto fever”. This new class of digital assets has captured the attention of varying degrees of criminal organizations from nation-state actors to large-scale organized crime and scammer groups. Malicious adversaries have discovered that cryptocurrency newbies are easy targets that offer a consistent stream of fraudulent revenue. In this talk come see how the world-class security team at Coinbase, one of the most popular exchanges in the world, uses its global visibility to detect and investigate these financial attacks with a heavy concentration coming from rogue hosting providers in the Ukraine region.

Coinbase is one of the largest, and most trusted cryptocurrency exchanges in the world and is committed to protecting its users and these emerging crypto technologies. Ukraine is a breeding ground for financial theft and other computer crimes involving stealing cryptocurrencies such as ransomware, phishing, scams, coin-stealing malware, and more. Coinbase Security is here to help take the fight to the attacker, teaming up with top law enforcement entities including Europol to map out the underground economy and track different kinds of crypto attacks resulting in hundreds of millions of dollars in losses. In the first part of our talk, the audience will learn how to build a cryptocurrency fraud detection system from scratch to gain intelligence on the current threat landscape. We will discuss the architecture of the data pipeline we are building, including the utilization of unsupervised and supervised machine learning techniques in order to predict malicious sites and infrastructures to protect the crypto community. We are then storing our results in an intelligence database we are building as part of the Crypto Anti-Crime Alliance and Phishfort including addresses, domains, IPs, email addresses, and other data associated with financially motivated actors. We also will talk about the increase in fraudulent activity we are seeing in the Ukraine region and how criminals are evolving their tactics to make their malicious sites nearly indistinguishable from legitimate ones, and what we are doing to counteract those measures in our pipeline. We will also discuss how we are monitoring the money laundering techniques of these actors with our in-house blockchain analysis tool Neutrino, and how we are cataloging and gaining intelligence on underground bulletproof exchanges used as safe cashout points for criminals.

The first awesome case study we will present in this talk involving Ukrainian actors is the Electrohunt case, where researchers from Coinbase Security teamed up to uncover the latest set of attacks and on the Electrum network, a lightweight Bitcoin wallet, and detect and monitor the phishing campaigns serving back the coin stealing malware through clever delivery tactics. Tracing the funds with Neutrino blockchain analysis software, this group has netted over $2M in a couple of months with these types of attacks, and we have intelligence that they are part of larger group of attacks focused on attacking the cryptocurrency ecosystem as a whole. We will also discuss some of the other criminal groups engaging in coin stealing at large scale and rogue hosting infrastructures coming out of Ukraine targeting the financial realm, which we are working to take down.

Another case study we will talk about is the remediation of the mass malvertising campaigns targeting cryptocurrency wallets/exchanges in Google ads. We will talk about different Ukrainian syndicates we have observed abusing Google Ads at scale. We will discuss the adversarial machine learning techniques that these actors are taking advantage of to circumvent our detection procedures and continue to deliver their financial attacks. Coinbase researchers have been working closely with the Google Security and Abuse team to help diagnose the scale of the problem with Google Ads and Cloudflare to identify the large scale abuse of SSL certificates, helping to save hundreds of millions of tokens from being hijacked. In these case studies, we will also discuss how we have performed blockchain analysis tracing transactions and money laundering for these specific campaigns using our in-house transaction tool Neutrino.

Lastly, we will discuss how Coinbase Security is working to protect the cryptocurrency ecosystem as a whole. Not only do we have to worry about attacks directly against Coinbase but we are also concerned with illicitly gotten funds stolen being laundered onto our platform by major actors. We have been working with top security professionals in the cryptocurrency wallet and exchange community, such as MyCrypto, Neutrino and the Crypto Anti-Crime Alliance to help protect the cryptocurrency community members from having their tokens stolen. Lastly, we will discuss how the crypto-security community from financial, private, and public sectors need to come together in order to solve these crimes more efficiently and we will discuss our analysis on cryptocurrency adoption and security in Ukraine.