Cyber criminals have infected hundreds of thousands of computers with a virus called “Pony” to steal bitcoins and other digital currencies, in the most ambitious cyber attack on virtual money uncovered so far, according to security firm Trustwave.
Trustwave said on Monday that it has found evidence that the operators of a cybercrime ring known as the Pony botnet have stolen some 85 virtual “wallets” that contained bitcoins and other types of digital currencies. The firm said it did not know how much digital currency was contained in the wallets.
“It is the first time we saw such a widespread presence of this type of malware. It was on hundreds of thousands of machines,” said Ziv Mador, security research director with Chicago-based Trustwave.
Trustwave said it believes the crime ring is still operating, though it does not know who is running the group. The company said it has disrupted the servers that were controlling machines infected with Pony, but expects the group to launch more attacks on virtual currency users.
A representative for the Bitcoin Foundation, a trade group that promotes adoption of the virtual currency, advised bitcoin users to store their currency offline in a secure location to prevent cyber criminals from stealing them.
“Electronic wallet security continues to improve by leaps and bounds as hardware wallets become available and we start to see software wallets that support multi-signature transactions,” said the Bitcoin Foundation’s director of public affairs, Jinyoung Lee Englund.
Trustwave’s discovery comes after an unrelated cyber attack that spammed bitcoin exchanges earlier this month. That attack prompted at least three online virtual currency traders to halt withdrawals, causing bitcoin’s value to plunge 33 percent over three weeks.
Bitcoin is a digital currency sustained by software code written by an unknown programmer or group of programmers. It is not governed by any one company or person, and its value is determined by user demand.
People who buy digital currency can store it in virtual wallets on their own machines or with companies that offer storage and security services.
Mador said digital currency theft is still in its infancy, but that it is likely to grow. He said that digital currency buyers can protect themselves from hackers by using encrypted files.
“Most websites don’t encrypt them by default, but you can turn them on,” he added.
Botnets are collections of infected computers that take orders from central “command and control” servers. The botnets steal data from compromised PCs and can also deliver other types of malware that force them to perform tasks.
This is at least the third type of fraud to surface involving digital currencies. Criminals have previously hacked into marketplaces where digital currencies are traded by exploiting security flaws in those sites, then stealing those currencies, according to Trustwave. (http://bit.ly/1hphzRj)
Cyber criminals have also developed botnets that force enslaved computers to create, or “mine”, digital currencies, which the fraudsters then claim as their own.
Bitcoin mining is a time-consuming process in which computers perform complex math calculations. The operators of those botnets are stealing electricity and data center resources when they use compromised machines to mine digital currencies.
Trustwave in December uncovered a trove of some 2 million stolen passwords to websites including Facebook Inc, Google Inc, Twitter Inc and Yahoo Inc while probing a command and control server using a less sophisticated version of the Pony malware.
Trustwave said on Monday that the new version of Pony compromised another 600,000 website credentials.
(Users can go to these Trustwave sites to check if their bitcoin wallets and credentials have been stolen: http://bit.ly/1epIUiH – http://bit.ly/1fNAym5)
(Addition reporting by Emily Flitter in New York)