Financial Archives | CyberScoop https://cyberscoop.com/news/financial/ Mon, 10 Apr 2023 12:51:55 +0000

Scammers target Cloudflare CEO with Silicon Valley Bank-themed spearphishing https://cyberscoop.com/silicon-valley-bank-spearphishing-cloudflare/ Thu, 16 Mar 2023 16:26:25 +0000 The collapse of the U.S. tech industry's bank of choice has prompted a massive amount of fraud attempting to capitalize on its downfall.

The post Scammers target Cloudflare CEO with Silicon Valley Bank-themed spearphishing appeared first on CyberScoop.

When Silicon Valley Bank collapsed last week, tech executives panicked. Without access to funds deposited with SVB, many were unsure they’d be able to pay bills or make payroll. Fear set in — and scammers pounced. 

In the days since the bank’s meltdown, digital con artists have bombarded SVB customers with attempts to steal business information, credentials and financial data necessary to carry out wire fraud. One of their biggest targets: Cloudflare CEO Matthew Prince. 

Just four days after the March 10 collapse, an unidentified author hit send on an email to Prince crafted to look like a know-your-customer verification form from SVB. This is the kind of routine work that banks do to verify their customers are who they say they are — and something a bank might reasonably be expected to do after going into federal receivership. 

As more information about SVB’s customers appears online, scammers are getting increasingly creative and brazen. Many are attempting to impersonate customers of SVB and telling the clients of those customers that in the aftermath of SVB’s collapse their banking information has changed. By giving clients banking information that the attacker controls, scammers are attempting to intercept routine payments between a client and an SVB customer. 

The email sent to Prince was designed to look like a DocuSign template. Bearing the SVB logo, an alternate signing method and a security code, it carried what would seem to be all the signs of a legitimate communication from a bank to its customer, in this case the CEO of a deep-pocketed, publicly traded security firm. “It is always astonishing to me how quickly scammers and hackers take advantage of the news of the moment,” Prince told CyberScoop in an interview.

The spearphishing email never reached his inbox thanks to the company’s security tools, but members of its security team described the incident in a blog post this week, reporting how scammers are trying to capitalize on SVB’s demise. In the aftermath of the bank’s collapse, Cloudflare, which had a small SVB account but no major exposure to the bank, has observed look-alike domains being set up that mimic SVB and the Federal Deposit Insurance Corporation, which has stepped in to guarantee the bank’s deposits, as part of schemes to steal banking information and redirect transactions. 

Other security firms have seen a similarly quick uptick in phishing attempts capitalizing on the SVB collapse. As early as March 10, the day of the SVB collapse, the threat intelligence firm Egress saw infrastructure being set up to support SVB-themed phishing campaigns. Among the domains impersonating SVB observed by the company are addresses like svb-payment[.]com and svbhelp[.]com.

Amid the collapse of an institution such as SVB, its customers will naturally be in a state of anxiety, and attacks that pose as SVB or an entity connected to them “manipulate them further to increase the likelihood that they make a mistake and fall victim to the attack,” Jack Chapman, the vice president of threat intelligence at Egress, wrote in an analysis shared with CyberScoop. 

Even employees at companies such as Cloudflare, with its sophisticated security posture, can fall victim to phishing attempts. Following the Twilio and Okta attacks, Cloudflare had eight employees who clicked on malicious links, and while the consequences were mitigated by the company’s security systems, Prince says no one is immune from getting phished.

“I am hypervigilant around these things,” Prince said, but as phishing attacks are growing increasingly sophisticated, “there are definitely things that I’ve clicked on.” 

Phishing attacks require only one mistake to be successful — for one person to click on something or fill out a form that they shouldn’t. And that’s what makes the SVB collapse so attractive to scammers. “Humans are most likely to make mistakes at a time of stress,” Prince said. “If you as a CFO at a company were worried about making payroll then that is obviously incredibly stressful.” 

North Korean cryptocurrency hackers expand target list https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/ Wed, 25 Jan 2023 10:00:00 +0000

The post North Korean cryptocurrency hackers expand target list appeared first on CyberScoop.

North Korean hackers known for cryptocurrency heists are expanding their targets to include education, government and healthcare, according to researchers tracking the group. The activity could be a sign that the group, which is suspected in two high-profile cryptocurrency hacks in 2022, may have even bigger plans for 2023.

Researchers at the cybersecurity firm Proofpoint observed in early December a massive wave of phishing emails from a cluster of North Korea-related hacking activity linked to TA444, the firm’s name for the group. The latest campaign, which blasted more emails than researchers attributed to that group in all of 2022, tried to entice users to click a URL that redirected to a credential harvesting page.

Proofpoint could not disclose the specifics about targets for confidentiality reasons, but most related to finance in some way. Documents attached in the emails included titles like “Profit and Loss,” “Invoice and statement receipts” and “Salary adjustments.” The malicious emails also included lures mentioning “analyses of cryptocurrency blockchains, job opportunities at prestigious firms, or salary adjustments” according to the report. To help avoid phishing detection tools, TA444 uses email marketing tools to engage with targets. 

Researchers say that the campaign is unusual for a few reasons. Technically, it deviates from the group’s previous activity in that the hackers focused on stealing targets’ usernames and passwords rather than directly deploying malware.

The bigger question is why a group known to be financially motivated would target government and education sectors alongside the far more lucrative financial sector. TA444, like other clusters of activity associated with the North Korean government, is almost exclusively financially motivated. In more recent years, North Korean hackers have homed in especially on the cryptocurrency industry.

TA444 has overlapped with Lazarus, a group of North Korean hackers to which the FBI attributed a record $600 million cryptocurrency attack on Ronin Bridge, the infrastructure that connected the Axie Infinity video game with the Ethereum blockchain. The FBI on Monday attributed a separate $100 million hack of the Harmony Bridge to the group after the hackers recently tried to launder $60 million worth of currency stolen in the heist.

The December campaign comes on the heels of a noticeable shift in delivery tactics researchers began to notice in the fall, demonstrating that the group might be taking on more of a “start-up” mentality, Proofpoint researchers wrote.

“We can’t always derive the motive behind shifts in strategy. But we may have the answer later, when we see more of these attacks,” said Alexis Dorais-Joncas, senior manager of threat research at Proofpoint. “It might be a one-off. It might be a test to see how much success they could have hacking other types of organizations. But right now, it’s not really clear to us why they are actually doing that.”

Researchers at Kaspersky in December also noted North Korean hackers pivoting malware delivery methods. They found that hackers had created numerous fake domains, most of them imitating Japanese venture capital firms. Domains flagged by Proofpoint also included attempts to spoof Japanese financial institutions.

Proofpoint could not rule out that another actor had compromised TA444’s server or that the group was potentially moonlighting for other purposes, which could signal more differentiation in targets going forward.

Thousands of bogus Twitter accounts push NFT scams to steal cryptocurrency https://cyberscoop.com/fake-twitter-accounts-nft-scams/ Thu, 10 Nov 2022 19:05:36 +0000 Elon Musk vowed to rid Twitter of fake accounts, but fraudsters continue using thousands of them in cryptocurrency scams.

The post Thousands of bogus Twitter accounts push NFT scams to steal cryptocurrency appeared first on CyberScoop.

A fraud network made up of thousands of bogus Twitter accounts has been impersonating legitimate NFT stores to swindle users out of cryptocurrency, according to research published Thursday.

The report is just the latest indication that cryptocurrency-related scams still run rampant on social media despite continued warnings from consumer protection watchdogs. It also raises fresh questions about what Twitter is doing to rid its platform of fake accounts, which the company’s new owner, Elon Musk, vowed to get rid of or “die trying.”

Researchers at the threat intelligence firm Nisos found that between July 26 and Oct. 11 more than 3,000 Twitter accounts produced nearly 6,000 tweets linking to sham storefronts that offered to mint new NFTs — non-fungible tokens — for free. Thousands of other bogus accounts amplified those tweets, according to researchers.

The fake NFT stores prompted victims to share access to their wallets under the guise of minting a new NFT, allowing scammers to deplete the owner’s collection of NFTs along with other virtual currency funds.

NFTs, like bitcoin, are virtual assets that exist only on the blockchain. Because NFTs are unique and unable to be recreated, they’ve gained value among collectors.

Researchers were unable to assess how much scammers bilked from their victims. Wallet addresses tied to scammers have “received hundreds of transactions ranging from tens to hundreds of dollars” since the scam began, according to an analysis researchers did with the assistance of cryptocurrency tracing firm Chainalysis.

Fraudsters gained the trust of victims by using similar account names and profile pictures to the Twitter accounts of real NFT marketplaces. For instance, researchers flagged the accounts @_Imaginry_Ones and @Imaginry_Ones_, riffs on @Imaginary_Ones, an NFT platform that has nearly half a million Twitter followers. In total, researchers found more than 500 domains used by the fraud network, all tied to a single IP address.

Researchers couldn’t definitively say where the network originated, but all the accounts that produced the original tweets followed three Indonesia-based accounts. The report only covers research through Oct. 11, but researchers confirmed that the network is still active on the platform as are many of the Twitter handles flagged in the report.

Twitter did not immediately respond to a request for comment.

The scam ring identified by researchers at Nisos is hardly an isolated incident. In May, Bloomberg reported on how scammers were hijacking some Twitter accounts to pose as popular NFT projects and push credential-stealing apps.

“This is pretty much standard fare from what I’ve seen,” Satnam Narang, a researcher at cybersecurity firm Tenable who has extensively studied cryptocurrency scams, said of the Nisos report.

He pointed out that it’s common for scammers to use secondary networks of accounts to quote-tweet the original tweet and spam users by tagging them, as was the case in the Nisos report. Doing so makes it more likely that the quote tweets will be flagged for removal but not the primary tweet with the storefront link.

The Nisos report drives home a well-known concern from consumer protection watchdogs: social media platforms are a huge vector for cryptocurrency scams. In fact, the FTC found that between January 2021 and March 2022, losses from cryptocurrency fraud climbed to over $1 billion and nearly half of those victims originated from social media. (The FBI cited losses from cryptocurrency-related fraud complaints for 2021 at $1.6 billion.)

Previously, social media-based scammers focused on so-called “giveaway” scams in which cybercriminals tell investors to send currency to a wallet address with the promise of doubling their returns when in fact the money is stolen. Such scams often feign involvement from high-profile cryptocurrency figures such as Musk to add credibility to their scams. 

But Narang says that many scammers have moved toward tricking victims into connecting wallets to malicious programs, a much more efficient way of stealing victims’ assets.

While scammers such as the one in the Nisos report didn’t rely on verified accounts to pull in their marks, Narang said that verified accounts often serve as a valuable tool for scammers, especially when trying to impersonate big names in the industry. That remains true, even as Musk’s purchase of the company raises confusion over how the platform will verify users in the future.

“I know a lot of the focus has been around like, ‘oh scammers are just going to spend $8 and purchase verified accounts and use those to like impersonate X, Y and Z,’” said Narang. “The thing I think that gets lost in that whole equation is that [scammers] don’t have to go and purchase those accounts right now. They are able to compromise existing verified accounts that have not paid any money to Twitter and turn those into scam accounts.”

Making verification available to users could only make it easier for scammers to pull off such feats, he says.

Cryptocurrency scammers have even latched on to the confusion about Elon Musk’s verification plans, with one scam offering users Twitter Blue and an NFT for free if they linked their wallets. The scam reached 35,000 retweets before being removed.

Even with the uncertainty surrounding Twitter’s policies on account verification, it’s unlikely cryptocurrency scammers are going anywhere. “Twitter is a basic communications platform for a lot of these projects,” Narang said. “So, it naturally makes sense that these scammers are going to be on Twitter because that’s where cryptocurrency users live.”

Insurance giant settles NotPetya lawsuit, signaling cyber insurance shakeup https://cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/ Fri, 04 Nov 2022 22:38:41 +0000 Cyber insurers have already started to find other ways to avoid covering losses related to cyberattacks linked to nation-state hackers.

The post Insurance giant settles NotPetya lawsuit, signaling cyber insurance shakeup appeared first on CyberScoop.

The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.

Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.

Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.

That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyberconflict that had nothing to do with them, said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies.

“We’re going to need to rethink what act of war means in cyberspace when it comes to insurance,” said Lewis. “The current definitions come out of the 19th century when we had pirates, navies and privateers.”

Last week’s ruling in favor of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.

While the New Jersey ruling may not have set a binding precedent, “it was certainly an indication of how judges and juries might view Zurich’s argument,” said Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University and author of “Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.”

The Merck and Mondelez cases involved the exact same set of circumstances, which were “not being interpreted, at least so far, as an act of war,” she said. “I don’t think insurers will stop fighting to deny coverage for large state-backed cyberattacks, but I think they will shift the strategy for how they do it by writing new exclusions and moving away from arguing that these attacks are ‘warlike’ acts.”

Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances, Wolff said.

Now, she expects insurers will be much more upfront about the fact that they aren’t going to cover acts of cyberwar or limit payouts for NotPetya type incidents in the future.

Already, Lloyd’s of London said it will stop covering certain cyberattacks next year. The Register reported that the company’s underwriting director Tony Chaudhry wrote in a memo that due to “systematic risk” policies should include “a suitable clause excluding liability for losses arising from any state-backed cyberattack.”

“Over time the risks have gotten larger and more people have gotten larger amounts of insurance,” said Ari Schwartz, managing director of cybersecurity services at the Washington law firm Venable LLP. “It started to become a more mature insurance marketplace … [where] they’re not just going to pay every claim.”

Schwartz said many factors contribute to whether NotPetya should be considered an act of war, including whether damages could have been prevented with patching or other “remedial steps which make it seem like it’s not really an act of war.” Timing of the attack and how quickly the company reacts are also key factors.

In September, the Treasury Department asked for industry input on whether it should provide any “support for the cyber insurance market,” FedScoop reported. It is exploring policy measures such as “the creation of a backstop program for cyber insurance risk akin to the Terrorism Risk Insurance Program, which was created after 9/11 to allow Wall Street to continue to offer property insurance policies that include coverage for damage caused by acts of terrorism.”

FedScoop also noted the rising cost of cyber insurance and that the total cost of premiums increased 75% to $4.8 billion in 2021 compared to the previous year, according to data from the ratings agency A.M. Best. “In a June report, the agency noted that the number of reported claims in the U.S. cyber market had swelled to nearly 26,000 during 2021, up from 22,000 in the prior year, and about 6,000 in 2016.”

Despite the fact that the cyber insurance market is still evolving, Davis Hake, vice president of policy for the cyber underwriter Resilience Insurance, said it has matured since the initial 2017 NotPetya attack. There’s “improved coverage clarity and confidence [for] clients in purchasing dedicated cyber insurance.”

Put more simply, insurance companies are becoming more transparent. The judge who ruled against the insurers in the Merck case made that point, too.

“Both parties to this contract are aware that cyber attacks of various forms, sometimes from private sources and sometimes from nation states, have become more common,” New Jersey Superior Court Judge Thomas Walsh said in his opinion. “Despite this, insurers did nothing to change the language of the exemption to reasonably put the insured on notice that it intended to exclude cyber attacks.”

Treasury fines virtual currency exchange Bittrex for failing to catch ransomware payments https://cyberscoop.com/treasury-bittrex-sanctions-virtual-currency-fincen/ Tue, 11 Oct 2022 20:45:00 +0000 The virtual currency exchange based in Washington state failed to catch more than 100,000 transactions from sanctioned regions.

The post Treasury fines virtual currency exchange Bittrex for failing to catch ransomware payments appeared first on CyberScoop.

The Treasury Department announced on Tuesday parallel settlements with Bittrex, a virtual currency exchange based in Washington state, for allegations the company violated U.S. sanctions and anti-money laundering laws.

The two agencies levied fines of $24 million and $29 million, respectively, for a total of $29 million in fines after remittance.

An investigation by Treasury’s Office of Foreign Assets Control and Financial Crimes Enforcement Network, or FinCEN, found that Bittrex repeatedly failed to identify thousands of prohibited transactions, including direct transactions with dark web marketplaces such as AlphaBay, Agora and Silk Road. The company also failed to detect and investigate transactions connected to ransomware attacks against individuals and small businesses in the U.S.

“Bittrex failed to implement effective transaction monitoring on its trading platform, relying on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day,” FinCEN said in the consent decree.

Bittrex also allegedly conducted over 116,000 transactions, valued at over $263 million, with individuals and entities in sanctioned jurisdictions including Iran, Cuba, Sudan, Syria and Crimea. OFAC determined that because Bittrex had access to customer IP addresses at onboarding, it had reason to know that the customers were in sanctioned jurisdictions. However, the company didn’t begin screening IPs until 2017.

U.S. officials called the penalties a warning to virtual currency firms that fail to enact effective anti-money laundering and sanctions compliance.

“When virtual currency firms fail to implement effective sanctions compliance controls, including screening customers located in sanctioned jurisdictions, they can become a vehicle for illicit actors that threaten U.S. national security,” OFAC Director Andrea Gacki said in a statement. “Virtual currency exchanges operating worldwide should understand both who—and where—their customers are. OFAC will continue to hold accountable firms, in the virtual currency industry and elsewhere, whose failure to implement appropriate controls leads to sanctions violations.”

This isn’t the first time FinCEN brought civil penalties against a U.S. virtual currency entity for failing to report activity related to cybercrime.

In 2020, FinCEN fined the operator of the mixer service “Helix” $60 million for failing to meet federal anti-money laundering standards. It has also taken starker actions, sanctioning exchanges and mixers, most recently Tornado Cash, which was used by North Korean hackers.

In response to a March executive order on virtual currencies by President Biden, Treasury is currently drafting a report on the potential illicit finance and national security risks posed by virtual currencies and is seeking public comment.

“Bittrex is pleased to have fully resolved this matter with OFAC and FinCEN on mutually agreeable terms,” the company said in a statement provided by its lawyer. “The settlement provides full resolution of both OFAC’s inquiry into transactions in sanctioned jurisdictions that occurred predominantly through 2017, and FinCEN’s assertion that Bittrex did not fully implement all of its Anti-Money Laundering Program controls through 2018.”

Ex-NSA employee charged with violating Espionage Act, selling U.S. cyber secrets https://cyberscoop.com/nsa-former-employee-espionage/ Thu, 29 Sep 2022 21:20:47 +0000 The former employee allegedly told an undercover FBI agent he was willing to sell classified documents for $85,000 due to significant debt.

The post Ex-NSA employee charged with violating Espionage Act, selling U.S. cyber secrets appeared first on CyberScoop.

A former National Security Agency employee appeared in federal court Thursday on charges that he attempted to transmit classified “national defense information” to an FBI agent he believed was a Russian operative in exchange for $85,000, according to the Justice Department.

The former employee, Jareh Sebastian Dalke, allegedly told the undercover agent that he had access to information “relating to foreign targeting of U.S. systems and information on cyber operations,” according to the affidavit.

Dalke was only employed by the NSA for about three weeks before quitting on July 1, but while there he had a top-secret clearance in his role as an “information systems security designer,” according to the FBI.

The affidavit alleges that between August and September 2022, Dalke used an encrypted email account to “transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government.”

The affidavit is cryptic about which government Dalke believed the agent was purporting to work for. But a footnote in the document references the fact that in trying to confirm the person he was speaking with was a Russian agent, Dalke reached out through “multiple published channels to gain a response.” This included “submission to the SVR TOR site,” the affidavit says.

The SVR, or Foreign Intelligence Service, is the Russian government’s external intelligence agency.

Dalke was arrested in Denver — he resides in Colorado Springs — on Wednesday after arranging to transfer a new batch of classified information to the undercover FBI agent. He allegedly asked to be paid in cryptocurrency.

Dalke has been charged with three violations of the Espionage Act, which carries a potential sentence of death or any term of years up to life in prison. A lawyer for Dalke could not be immediately located.

Twitter, Mudge and survival of the quittest https://cyberscoop.com/twitter-mudge-survival-of-the-quittest/ Wed, 14 Sep 2022 15:51:39 +0000 Why corporate Darwinism needs to change so Silicon Valley won't ignore the likes of Twitter whistleblower Peiter "Mudge" Zatko.

The post Twitter, Mudge and survival of the quittest appeared first on CyberScoop.

In the aftermath of the bombshell allegations from Twitter whistleblower Peiter “Mudge” Zatko about the company’s security practices — or the stunning lack thereof — enough ink has been spilled about him and other Silicon Valley dissidents who came before to notice a troubling trend: the failure of security-minded personnel to “blend in” or “gel” with the corporate culture. 

Without litigating the finer points of Zatko’s complaint or his testimony in front of the Senate Judiciary Committee on Tuesday, this is the latest episode in a string of tech companies hiring respected names in infosec only to have them ushered out or resign (often in protest). This pattern raises more questions about whether the C-suite can face difficult truths than it does about the ability of strong personalities to conform to corporate culture.

The affair also raises suspicions of performative tokenism on the part of some tech giants, who sometimes appear to keep some of their security and ethics personnel on staff merely for window-dressing. Just recently, Meta disbanded its Responsible Innovation Team just about a year after touting them, while Patreon, which suffered a massive data breach in 2015, laid off its entire security staff.

This is not a new phenomenon. Organizational customs are in many ways a byproduct of the humans who inhabit them or, in the most successful organizations, of a conscious and systematic struggle against bias, territoriality and tribalism.

From the animal kingdom to the business world to the military, deference to hierarchy and “managing upward,” however, is a reality with which everyone must grapple. The farther up the food-chain you go, the more tightly the wagons tend to circle. In the most extreme cases, in-group loyalties are tested against one’s own ethical compass, the echo-chamber around the boss proves impenetrable, group consensus takes precedence over innovation and the choice comes down to “love it or leave it.”

These time-tested vestiges of bureaucratic survival are likely the wrong yardstick to measure Zatko’s duties to Twitter, particularly for an industry that has long prided itself on innovation and upending the status quo. Moreover, in a world short on cybersecurity talent and plagued by growing and costly cyber risk, a new dose of humility from C-suites may be in order. 

Security evangelists have spent nearly three decades trying to make inroads in the corporate landscape (the first CISO was hired by CitiGroup in 1995 after a major breach), only to keep finding themselves standing athwart a hurricane of disincentives to invest the necessary time, talent, tech and funding to survive a growing swathe of vulnerabilities. In a very real sense, corporate America is drowning, and keeps asking its security hires to describe the water more politely, and to toss their lifelines with a little less visible gusto. 

Viewing Zatko’s plight within Twitter’s ecosystem through such a Darwinian corporate lens is probably unfair, as he was reportedly brought on not despite, but because of, his noted straight-shooting demeanor and no-nonsense approach to infosec. There are, however, other insights to be drawn from evolution that illustrate the recurring tendency he and so many like him have encountered. 

For instance, author Howard Bloom outlines in his 2000 book “Global Brain” how collectives — from bacteria to boardrooms — either survive or perish, depending on the outcome of internal tensions between “conformity enforcers,” “diversity generators,” “resource shifters” and “inner judges.” A healthy synergy among these elements enables an organism to evolve and develop fitness for changing environments; imbalance, however, threatens peril (or extinction).

In the C-suite, security and compliance experts usually fall into the last of these categories, the inner judges; their diagnoses are frequently at odds with a company’s inertia, expansion or frugality, but are nevertheless dangerous to disregard. Bloom’s description of this result is also apt for Twitter’s current showdown with Zatko: “If a crisis seems indecipherable, its victims are condemned by their inner-judges to a shutdown, the helpless nail-biting of anxiety. But if the causes of a crisis seem explainable, the result is surprisingly healthier … .”

Ultimately, corporate leaders will face a choice as to whether cybersecurity and product integrity are peripheral to their business survival and their duty to shareholders, or critical elements thereof — the only real question is when. Zatko’s allegations only lend further impetus to force that choice. As former Cybersecurity and Infrastructure Security Agency Director Chris Krebs noted earlier this year, “business as usual” needs to change. CISA, the Securities and Exchange Commission, and other agencies all appear poised to reinforce by regulatory fiat many of the practices for which Krebs, Zatko and other prominent cybersecurity voices have long advocated voluntary adoption.

To the extent security imperatives and their champions can be likened to “healthy inner-judges,” Bloom asserts that they can “shift a creature from inhibition to boldness, depending on the signals hinting at its value to society.” In that regard, between the Mudges of the world and the C-suites, it seems clear who in fact has failed to “read the room” or “align with the culture.” Unless executives can get on the right side of this issue, they’ll face even more damaging consequences sooner than they think. 

Gavin Wilde is a Senior Fellow in the Technology and International Affairs program at the Carnegie Endowment for International Peace. He previously worked as a managing consultant for the Krebs Stamos Group, a cybersecurity advisory, and served as a director on the National Security Council staff. The views expressed here are his own.

Why Tornado Cash sanctions are drawing fierce criticism, potential court challenge from crypto group
https://cyberscoop.com/tornado-cash-sanctions-cryptcurrency-treasury/
Mon, 15 Aug 2022 22:07:08 +0000
Sanctions against the cryptocurrency mixer have ignited concern from industry stakeholders, privacy advocates and legal experts.

The post Why Tornado Cash sanctions are drawing fierce criticism, potential court challenge from crypto group appeared first on CyberScoop.

U.S. sanctions against cryptocurrency mixer Tornado Cash last week have ignited concerns among industry stakeholders, privacy advocates and legal experts over what the future of virtual currencies looks like under the Biden administration.

The Treasury Department’s Office of Foreign Assets Control added Tornado Cash to its sanctions list in response to ongoing use of the technology by North Korea’s Lazarus cybercriminal group to launder more than half a billion dollars’ worth of stolen cryptocurrency.

But according to some critics and legal experts, the agency may have overstepped its authority and placed a number of U.S. consumers in the crossfire.

“We believe that OFAC has overstepped its legal authority by adding certain Tornado Cash smart contract addresses to the [Specially Designated Nationals] List, that this action potentially violates constitutional rights to due process and free speech, and that OFAC has not adequately acted to mitigate the foreseeable impact its action would have on innocent Americans,” cryptocurrency think tank Coin Center’s Jerry Brito and Peter Van Valkenburgh wrote in a post Monday announcing the group’s effort to overturn the decision. Coin Center is also exploring a legal challenge to the designation.

Fundamental to critics’ concerns is the Office of Foreign Assets Control’s decision to sanction addresses on the Ethereum blockchain that the Tornado Cash code runs on. The problem is the code’s developers have no control over the smart contract, or application, that runs the mixer. As long as the Ethereum blockchain exists, the code will keep running and mixing cryptocurrency indefinitely, regardless of sanctions. If a developer destroys the administrative key to the smart contract, as Tornado Cash’s founder claims he did, then the code will continue to operate without any human intervention in perpetuity.

“They basically sanctioned a robot,” Brito, executive director of Coin Center, explained to CyberScoop. Coin Center argues that because the authorities under which OFAC brought the sanctions require that an individual be tied to the sanction, the agency has overreached.

“Sanctions are a behavior change mechanism. It’s not punishment. So, it’s a pretty novel use here that hasn’t really been done before to sanction a smart contract, rather than a person or organization,” Michael Mosier, a former acting director of the Treasury Department’s Financial Crimes Enforcement Network who now works at Web3 startup Espresso Systems, told CyberScoop. “It’s unclear how code or a protocol — including without administrative keys — could change its behavior or petition for delisting on its own.”

Cryptocurrency owners use mixers to combine various types of virtual currencies to mask the origin of the assets. That promise of anonymity has made them popular with cybercriminals and therefore of interest to enforcement agencies going after financial criminals. The Treasury Department in May sanctioned individuals related to the Blender.io mixer for facilitating the transactions of criminal outfits such as the Lazarus group and several Russian cybercriminal gangs. The sanctions, which targeted individuals involved in running the operation, sparked little pushback from industry because the sanctions targeted Blender the company, not the technology.

The distinction between a mixer as software and a mixer as a service provider (implying a human component) is a messy enough question that the U.S. government has addressed it before. The Financial Crimes Enforcement Network (FinCEN), another Treasury Department bureau, which oversees anti-money-laundering enforcement, issued guidance in 2019 that mixer technology should be considered software and not a service provider. OFAC isn’t bound by FinCEN guidance, however, and was free to take a different approach. It did, leaving the roughly 70 percent of Tornado Cash’s transactions not tied to any illicit activity in a legal grey area.

“Users and developers of this technology are in a real bind,” Coin Center’s Brito told CyberScoop. “Treasury took this action without seemingly evaluating the impact this would have on millions of Americans and not contemplating answers to basic questions.”

This lack of clarity has left industry frustrated and eager for Treasury engagement. In a Twitter Spaces conversation on Friday hosted by Espresso Systems, several industry and legal experts expressed frustration that Treasury had offered little engagement before or after the sanctions to help industry understand the ramifications and deal with potential collateral impact, a process the agency typically undertakes when enacting sanctions.

“It’s the lack of clarity and also the haphazard kind of way of going about this,” said Jill Gunter, co-founder at Espresso Systems, pointing to it as a key concern.

Despite frustrations, speakers during the Twitter Spaces event encouraged engagement with regulators.

“The main takeaway is that we have to work ourselves on privacy-protecting solutions at the same time that we’re educating the government on ways that they could satisfy all of these national security interests, including privacy, through a more rifle-shot approach,” said Gus Coldebella, a partner at True Ventures, a venture capital firm that invests in web3 technologies, and a former lawyer at the Department of Homeland Security.

Several sources confirmed to CyberScoop that some of that discussion is already ongoing and OFAC has been engaging industry in conversation since late last week. The sources declined to comment on the private nature of the conversations.

The Treasury Department did not immediately respond to CyberScoop’s requests.

The sanctions come ahead of a wave of September deadlines set by the Biden administration’s March executive order on virtual currencies, which will create even more ground for discussion between industry and government. Industry reacted to the initial executive order with strong support, but some industry members have expressed concerns that the recent sanctions point to a clash between the administration’s investment in emerging technology and national security prerogatives like sending a strong message to North Korea.

Mosier, who has first-hand experience with the tensions that can emerge between technical expertise and political pressures at Treasury, sees a middle ground.

“I think some will say, ‘Well, we can’t stop enforcing against North Korea while we write reports.’ Which is somewhat fair but I think the other point is that you should be doing very tailored restrained, rather than novel, actions until you figure out what you want your policy to be,” he said.

Long before the political dust settles, the Tornado Cash sanctions are primed to have a chilling effect on developers and companies in the cryptocurrency space who seek to develop similar privacy-preserving technologies.

“This is a rough equivalent to sanctioning the email protocol in the early days of the internet, with the justification that email is often used to facilitate phishing attacks,” Lia Holland, campaigns director at Fight for the Future, said in a statement.

The Electronic Frontier Foundation also expressed concerns about the sanctions, pointing to long-established legal precedent that code is free speech.

The tech sector is already seeing ramifications of the Tornado Cash sanctions. Last week, GitHub removed the account hosting Tornado Cash’s source code as well as the accounts of three developers who contributed to it, including founder Roman Semenov and developer Alexey Pertsev, who was arrested last week by Dutch police in relation to his work with Tornado Cash.

Treasury Department sanctions cryptocurrency ‘mixer’ Tornado Cash
https://cyberscoop.com/treasury-department-sanctions-tornado-cash-lazarus-group/
Mon, 08 Aug 2022 16:31:28 +0000
Treasury accused the mixer of failing to stop laundering from malicious cyber actors including North Korea's Lazarus Group.

The post Treasury Department sanctions cryptocurrency ‘mixer’ Tornado Cash appeared first on CyberScoop.

The Treasury Department’s Office of Foreign Assets Control sanctioned virtual currency mixer Tornado Cash, it announced Monday.

The mixer, which combines various types of crypto assets to mask their origin, has gained notoriety as the money laundering tool of choice for the Lazarus Group, a group of state-sponsored North Korean hackers responsible for a series of massive cryptocurrency heists.

The mixer has been used to launder more than $7 billion worth of virtual currency since 2019, including more than $455 million stolen by the Lazarus Group, according to a Treasury press release. That includes funds from a $600 million theft from Ronin Bridge, a technology used by the Axie Infinity video game to connect with the Ethereum blockchain.

The U.S. Treasury Department expanded its sanctions against the Lazarus Group in April after tying the group to the theft.

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”

CyberScoop has reached out to Tornado Cash for comment, but has not yet received a response.

Mixer technologies have become popular tools for cybercriminals looking to launder illicit funds. Most recently, unnamed hackers used Tornado Cash to launder nearly $8 million stolen in the hack of the blockchain bridge Nomad.

Tornado Cash is the second mixer this year sanctioned by Treasury, which in May sanctioned Blender.io for also facilitating laundering by North Korean hackers.

Solana hack wipes more than 7,000 wallets, totaling nearly $5 million in losses
https://cyberscoop.com/solana-hack-wallet-nomad-cryptocurrency/
Wed, 03 Aug 2022 13:26:39 +0000
The apparent software-based attack stands out among other major cryptocurrency hacks that have totaled nearly $2 billion so far in 2022.

The post Solana hack wipes more than 7,000 wallets, totaling nearly $5 million in losses appeared first on CyberScoop.

An unidentified hacker used an exploit to drain funds from more than 7,000 cryptocurrency wallets on the Solana blockchain as of Wednesday morning. Solana confirmed on Twitter the extent of the hack that began Tuesday night.

Outside cryptocurrency analysis firms have placed the losses at roughly $5 million worth of Solana currencies. Solana has not provided its own estimate.

Solana says it has not yet identified the source of the exploit and is still investigating the attack. However, it appears to have affected “a software dependency shared by several software wallets,” Solana head of communications Austin Federa wrote on Twitter Tuesday night.

The exploit allowed the attacker to sign transactions as users themselves, suggesting private keys were compromised. Researchers at cryptocurrency analysis firm Elliptic also suggested the attack was software-based.

A software-based attack would stand out among other major cryptocurrency hacks in 2022, most of which involved a hacker exploiting a vulnerability in the blockchain itself. Solana’s co-founder Anatoly Yakovenko suggested the hack may have begun as a supply chain attack through another connected iOS- and Android-based app.

Wallets affected by the hack include Slope and Phantom. Solana is encouraging users to move funds to hardware-based wallets.

Solana referred CyberScoop to its Twitter account in response to a request for additional information.

The incident follows a $200 million hack Monday of Nomad, a blockchain bridge. Numerous hackers flocked to exploit a vulnerability that allowed them to withdraw more than they deposited by bypassing the protocol’s verification system. Hackers have since returned $9 million of the stolen assets, the company said Wednesday.

Blockchain bridges allow for the movement of cryptocurrency from one blockchain to another, making them an attractive target for criminals. For instance, hackers linked to North Korea stole more than $600 million in cryptocurrency earlier this year from the bridge connected to the blockchain game Axie Infinity. Researchers at Chainalysis estimate that 13 separate bridge attacks account for $2 billion in cryptocurrency losses, making up 69 percent of total stolen cryptocurrency funds so far this year.

The cryptocurrency industry has seen close to $2 billion in attack-based losses so far in 2022, the Verge reported based on research from cryptocurrency security firm CertiK.
