Research | Our Q3 report details what's new in the world of ransomware.
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Find cyber threats that have evaded your defenses.
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Brands of the world trust ReliaQuest to achieve their security goals.
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
The latest threat research report from ReliaQuest Threat Research research team.
The latest white papers focused on security operations strategy, technology & insight.
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
November 30, 2023
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Well, here we are again. Another blog on a topic that’s often spoken about but little understood: cryptocurrency. Cryptocurrency-related decentralized finance (DeFi) is seeing unprecedented interest from retail and institutional investors alike. Both the cybercriminal-friendly Bitcoin and Ether, the token for the Ethereum blockchain, have hit all-time highs this week. The price of cryptocurrency tokens such as Solana and Cardano has exploded in recent months. And so-called “meme” coins like DogeCoin and Shiba Inu are attracting an ever-increasing number of retail investors to the scene. More and more money is pouring into the cryptosphere, and if you’re a regular reader of this blog, you’ll know that where there’s money, there’s crime. While DeFi grants users greater financial “freedom” by removing the influence of centralized institutions like banks, investors often have no legal recourse if they lose their funds through fraud or a hack. In this blog, we’ll look at one of the many ways cybercriminals seek to profit from this space: by exploiting vulnerabilities in smart contracts.
Essentially, a smart contract is a binding agreement between two parties written in code that can execute itself (i.e., it does not require a third party to enforce it). For example, a smart contract could be programmed to release payment once someone confirms receipt of delivered goods. You couldn’t break the terms of the contract without breaking the code in which it is written. Compare this to a non-smart contract, such as a lease for an apartment. Although it would be unwise, there’s nothing that actually stops you from not paying your rent on time. You’ll suffer consequences, sure, but the piece of paper on which your lease contract is written doesn’t actually enforce the terms – a bailiff does. It’s the same with eating food at a restaurant. You enter into a verbal contract with the patron to pay for what you’ve eaten, but the police will have to get involved if you try to dine and dash.
In the case of cryptocurrency, a smart contract is a set of instructions that will be followed once time or financial conditions are met. For instance, it could stipulate that once a cryptocurrency is worth a specified amount per coin e.g. when ETH 1 = USD 10,000, a percentage of funds locked into the contract will be released to a certain wallet. Once the conditions are met, the cryptocurrency will be released from the contract and recorded on the blockchain (the public ledger recording cryptocurrency transactions). There are two ways in which smart contracts can be vulnerable.
With some basic knowledge and the requisite capital, anyone can write a smart contract on popular blockchains such as Ethereum or Binance Smart Chain; qualifications or advanced coding skills are not required. As a result, authors may write contracts that they do not realize are vulnerable, just as a poorly written law might have unintended loopholes in it. As you can imagine, cybercriminals seek out vulnerable smart contracts, often exploiting the contract so that they receive the funds locked into it. As there’s no central authority to which victims could appeal, there’s no way for them to get their funds back.
Cybercriminal outfits often comprise various threat actors with specialized roles, and those looking to exploit smart contract vulnerabilities are no different. It’s a large and highly specialized ecosystem. There are threat actors who discover vulnerable contracts, those who develop and execute exploits for these vulnerabilities, and others who direct unsuspecting investors into entering into these contracts. We found one user on a prominent cybercriminal forum advertising their services as a “smart contracts hacker for hire” (see Figure 1). They sought a partner to identify vulnerable contracts for them, acknowledging that “finding contracts is not a simple process.” Forum threads relating to uncovering and exploiting these vulnerabilities receive lots of attention from users, and articles on the topic usually place highly during forum articles competitions.
Smart contracts written on newer, less time-tested blockchains are even more vulnerable. Insecurities could allow attackers to steal exposed wallet API keys, flood the network with spam transactions (a sort of blockchain DoS), and carry out 51% attacks (when a individual or group gains control of over 50% of a blockchain’s mining power), which could all result in investors being unable to withdraw their funds, or even in the draining of these funds into attackers’ wallets. In this case, even if your smart contract is coded correctly, if the blockchain on which it is written is vulnerable, so is your contract. This is a serious and widespread problem, although some protocols are doing their best to keep their code clean. In October, the company behind Polygon, a protocol and a framework for building and connecting Ethereum-compatible blockchain networks, paid a record USD 2 million bug bounty to an ethical hacker who discovered a flaw in the network. This flaw could have allowed an attacker to release more than USD 850 million in funds.
It’s important to do your due diligence before you use a smart contract. Examine the code in which the contract is written for anything that looks untoward or erroneous, such as a spelling or calculus mistake. Like non-smart legal contracts, one small typo in the code could have massive ramifications; it could allow for arbitrary code execution, or could simply release more funds than you expected. If you don’t understand the code, get a trusted and capable entity to do it for you. Reviewing the code should always be possible: DeFi smart contracts are open-source, so an inability to review the code is a huge red flag. You should also find out whether the blockchain has a record of previous dodgy dealings (does it have a solid bug bounty program, or was it previously involved in scandals?) or is a favored target of cybercriminals.
We’ve all heard that cryptocurrency is volatile and that investors stand to lose all their funds. One of the reasons for this volatility, aside from the widely speculative nature of the market and the fluctuations in global mining power, is the fact that the cryptosphere is very much a Wild West, in which anyone, provided they have the know-how and the capital, can create a blockchain. There really isn’t much to stop adversaries from creating an intentionally insecure blockchain. They can then encourage victims to enter into easily exploitable smart contacts or carry out so-called “rug pull” attacks, in which the blockchain’s creator manipulates the market by holding a large proportion of the blockchain’s coin supply, artificially inflating the value of the coin as the available supply to other investors decreases, and then selling off their holdings before the market can react. In traditional finance this would be known as insider trading or market manipulation.
An established user on one Russian-language cybercriminal forum recently sought partners with “experience in creating their own coins and PR for them” with the aim of getting a “meme” coin listed on a cryptocurrency exchange (see Figure 2). This threat actor likely intended to conduct a “pump and dump” scheme or rug-pull attack.
We also observed one forum user commenting on how easy it was to get a coin listed on an exchange. They wrote that it would be enough to provide a positive impression of a coin to an exchange and then “provide BNB 300 [USD 167,821] to their liquidity pool”. Several forum members have also provided guides on using a freshly listed cryptocurrency to conduct airdrop scams, a sophisticated phishing attack whereby malicious tokens generate fake error messages that redirect holders to phishing pages.
And it doesn’t stop there. Provided an adversary has sufficiently developed social engineering and marketing skills, they can get unwitting investors to buy coins for “cryptocurrencies” that don’t even have a blockchain. There are numerous articles on cybercriminal forums that tell users how to construct fake blockchains and market them to (mostly retail) investors. Perhaps the most famous example of such a scam is OneCoin, a Ponzi scheme promoted as a cryptocurrency by Bulgaria-based offshore companies that defrauded investors out of billions from 2014 to 2016.
Aside from making their own dubious blockchains, some attackers seek to create intentionally malicious smart contracts on established blockchains such as Ethereum or Binance Smart Chain. In September 2021, one forum user offered USD 2,500 for an “Ethereum smart contract developer” to write a script that would automatically withdraw balances from Ethereum wallets. Again, if you end up the victim of such an attack, there’s no running to law enforcement to get your funds back – that money is gone.
Even the exchanges themselves are at risk. In March 2014, Mt. Gox, a massive Bitcoin exchange, filed for bankruptcy due to legal action by traders, who had lost USD 460 million and alleged that their operation was fraudulent. Although the exchange initially claimed it had been hacked, the CEO was later charged for fraud and embezzlement. Even when exchanges are totally legitimate, cybercriminal bug hunters are constantly on the lookout for vulnerabilities within them. Digital Shadows (now ReliaQuest) (now a ReliaQuest company) recently found one cybercriminal forum user advertising a proof of concept for a two-factor authentication bypass vulnerability in a large cryptocurrency trading platform (see Figure X). The more money is loaded onto these exchanges, the more likely cybercriminals will be to target them.
In all situations, it is imperative that cryptocurrency investors educate themselves on the risks involved with cryptocurrency and the threat cybercriminals pose to cryptocurrency exchanges, blockchains, and the smart contracts written on them. It’s worth reiterating that you are your own bank here – all the required reading and research that banks and their employees must take on is now your responsibility. Knowledge is power here, more than ever. Of course, it’s tough to keep on top of all the ways in which adversaries are seeking to part cryptoinvestors from their funds, but Digital Shadows (now ReliaQuest) (ReliaQuest) constantly scours all corners of the dark web to make sure our clients are aware of the new angles of attack.
To stay in the know about recent cybercriminal developments, request a demo of ReliaQuest GreyMatter Digital Risk Protection. Digital Risk Protection (DRP) clients receive real-time, actionable intelligence updates relating to new attack types, including analysis from our team of global analysts and intelligence on new posts to platforms across open and closed sources.