Dutch cybersecurity specialists have linked a major cryptocurrency theft to the infamous Ebury botnet, which was responsible for the compromise of more than 400,000 servers over a 15-year period.
According to a report from Slovakian cybersecurity firm ESET, the incident was initially discovered during a 2021 investigation conducted by the Dutch National High-Tech Crime Unit (NHTCU). During this investigation, agents found the Ebury botnet on a server linked to cryptocurrency theft.
After this revelation, the Dutch crime unit collaborated with ESET, led by researcher Marc-Etienne Léveillé, who had been studying Ebury for over a decade.
Ebury operators allegedly used a sophisticated technique known as adversary-in-the-middle (AitM) to steal crypto funds. In this attack, the botnet intercepts network traffic and captures login credentials and session information.
“Cryptocurrency theft was not something we had ever seen done before,” Léveillé noted.
The botnet redirects this traffic to servers controlled by cybercriminals, allowing them to access and steal cryptocurrency from victims’ wallets. In its report, ESET revealed that over 100,000 people were infected as of 2023.
Ebury specifically targets Bitcoin and Ethereum nodes, stealing wallets and other valuable credentials. The botnet would steal funds once unsuspecting victims entered their credentials on the infected server.
[Figure: Flowchart of the Ebury attack on crypto wallets. Source: welivesecurity]
Additionally, once a victim's system was compromised, Ebury would extract its credentials and use them to infiltrate related systems. The report identified a wide range of victims, including universities, businesses, internet service providers and cryptocurrency traders.
Attackers also use stolen identities to rent servers and launch their attacks, which makes it very difficult for law enforcement agencies to trace the identities of those behind this cybercrime racket.
“They’re really good at confusing attribution,” Léveillé added.
An Ebury operator, Maxim Senakh, was arrested on the Finnish-Russian border in 2015 and was extradited to the United States. The US Department of Justice accused Senakh of computer fraud, to which he pleaded guilty in 2017. He was sentenced to four years behind bars.
While the masterminds behind Ebury remain at large, the NHTCU revealed that several leads are being followed.
Cryptocurrency thefts have become increasingly complicated over the years. Earlier this month, North Korean hackers used a new malware variant called “Durian” to specifically attack at least two cryptocurrency companies.
Previously, a January report from cybersecurity firm Kaspersky revealed that malware was targeting cryptocurrency wallets on macOS.