Crypto investigations with Bohdan Hopanchuk, Andrii Halych, and Jack Sessions

Intro

A couple of weeks ago Andrii teased us with some of the work ProDefense does with the FBI on crypto investigations. This session brings Andrii Halych back, together with Bohdan and (‘it’s been way too long’) Jack Sessions, to deep dive on crypto investigations.

What is ProDefense?

ProDefense is an offensive security team specializing in penetration testing, red team operations, zero-day research, and security engineering. They aim to find vulnerabilities before adversaries do, with a complete cyber security offering that even includes their own polygraph (lie detector) machine.

Our focus with this session is their work on crypto investigations, that is, crypto currency stolen from wallets, often by malicious software known as drainers. Drainers have affected many crypto users large and small, including celebrities like Mark Cuban and Seth Green.

But all is not lost if you are the victim of such a theft: stolen crypto currency can be recovered, but speed of reporting is essential. Andrii reviewed the process from several crypto investigations, highlighting his work with three US citizens, representing them to the FBI and producing reports on their losses.

ProDefense is part of anti-money laundering (AML) networks, which are often combined with organizations focused on combating the financing of terrorism. Through services such as Global Ledger they are able to tag crypto currency as stolen within 5 minutes of the theft, which stops the funds being traded on reputable exchanges.

Crypto currency theft is rising rapidly as crypto has grown in popularity, and the FBI has released a document on the risks. There are simply many more opportunities for theft. The methods are various: social engineering, hacking, calling and pretending to be from a crypto exchange, or claiming a link is for a crypto checker that will prove your currency is clean, when it is actually a malicious crypto drainer.

Sources of Risk

If there’s a scam call center, crypto theft is part of their portfolio.

The FBI can access a criminal’s phone: Andrii has seen this first hand, with video and audio recording unbeknownst to the criminal, as well as file access on the device. And the FBI can extradite criminals to the US, provided their citizenship allows such extradition.

Bohdan asked how dangerous messaging apps are as a delivery channel for crypto drainers.

Andrii’s point is that it’s not the core messaging platform that is the risk, rather it is clicking on links. And platforms like Telegram have grown in popularity, acting more like a social network than a messaging app. You can even buy stocks over Telegram.

You can buy stocks using the Telegram app, primarily as tokenized representations of U.S. stocks via the built-in Wallet feature and integrated mini-apps, often paid for in USDT (Tether, a stablecoin pegged 1:1 to the US dollar) or TON (the Telegram Wallet token).

It’s the same risk as always: if in doubt, do not click.

Andrii highlighted an important difference between Telegram and WhatsApp: if someone connects to your WhatsApp account online, you’re disconnected from your mobile app, while Telegram supports multiple simultaneous sessions for an account. I was not aware of this. WhatsApp supports linking up to four companion devices.

Hence Telegram is used to extract customer data, including 2FA codes. Jack highlighted an important trend: social engineering tools are freely available on the open web (e.g. from GitHub), and can be combined with OpenClaw / Claude to poison skill sets targeting crypto. The gap is in the methods to protect customers, given the automation that AI now makes possible.

Social Engineering

Social engineering is the top attack vector, and as Jack mentioned, the tooling is freely available and automated. Andrii sees 30-50 clients suffering drainer attacks. Drainers are mature and sold like a SaaS.

Bohdan asked whether drainers wait until a wallet holds sufficient funds before draining it. Andrii’s point was that we are at the point of commoditization of drainers: even school children have access to them.

Andrii referenced a case in Spain where a client was convinced to open a drainer link thinking it was an AML link that would prove her crypto was clean. Bohdan asked if VirusTotal can be used to check whether a link is a drainer. There was a discussion on that topic, with an unclear conclusion. The answer seems to be: do not click links, full stop.
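For readers who want to see what the VirusTotal check Bohdan asked about looks like in practice, here is an added example (not from the session, and not ProDefense’s tooling) against the public VirusTotal v3 API. It shows the URL-to-id encoding the API uses, treats an HTTP 404 as “never seen” rather than “clean”, and reduces a report to the detection counts that matter. The two sample reports are constructed for illustration, and the `VT_API_KEY` environment variable name is an assumption of this example.

```python
import base64
import json
import os
import urllib.error
import urllib.request
from typing import Optional

VT_API = "https://www.virustotal.com/api/v3"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 addresses a URL by its base64url encoding with the
    '=' padding stripped, so an existing report can be fetched with a GET."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def build_lookup(url: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) GET /urls/{id}; the key travels in x-apikey."""
    return urllib.request.Request(
        f"{VT_API}/urls/{vt_url_id(url)}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def fetch_report(url: str, api_key: str) -> Optional[dict]:
    """Fetch the existing report for a URL. Returns None when VirusTotal has
    never seen the URL (HTTP 404), which is exactly where a freshly set up
    drainer page usually is: absence of a report is not evidence of safety."""
    try:
        with urllib.request.urlopen(build_lookup(url, api_key), timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def verdict(report: Optional[dict]) -> dict:
    """Reduce a /urls/{id} report to what a checker needs: how many engines
    rated the URL malicious or suspicious, out of how many that answered."""
    if report is None:
        return {"flagged": 0, "engines": 0, "verdict": "unknown"}
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(stats.values())
    # Zero detections is reported as such, not as "clean": engines lag new domains.
    label = "flagged" if flagged else "no detections"
    return {"flagged": flagged, "engines": engines, "verdict": label}


# Constructed sample responses in the shape of /urls/{id}; the numbers are made up.
SAMPLE_FLAGGED = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 60, "malicious": 11, "suspicious": 2, "undetected": 20, "timeout": 0}}}}
SAMPLE_NO_HITS = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 23, "timeout": 0}}}}


if __name__ == "__main__":
    print(vt_url_id("https://example.com"))  # aHR0cHM6Ly9leGFtcGxlLmNvbQ
    print(verdict(SAMPLE_FLAGGED))
    print(verdict(SAMPLE_NO_HITS))
    print(verdict(None))
    # Live lookup only if a key is provided (VT_API_KEY is an assumed name).
    key = os.environ.get("VT_API_KEY")
    if key:
        print(verdict(fetch_report("https://example.com", key)))
```

The design point is the third branch: a URL that VirusTotal has never scanned comes back as 404, and a URL scanned before any engine caught up comes back with zero detections. Neither result tells you the link is safe, which is why the session’s “do not click” rule is the one that actually holds up.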

Beyond vigilance, speed of action is key. When a theft occurs: report the theft, log it with the exchanges, and bring a criminal case, so that with a court judgement you can recover the funds.

Bohdan asked whether everything is lost once the crypto is converted to fiat (government-issued currency such as USD or EUR, used as legal tender). All is not lost: documentation is key. Stolen cash remains stolen cash; just make sure you have the documentation, use AML (anti-money laundering) tooling to trace it, and document where the funds were received.

Jack highlighted the importance of having a remediation plan: drainers run in memory, so capture a snapshot of the memory, and use virtual machines to protect yourself. However, security is about protecting customers from themselves; ultimately, with crypto you must be educated.

Andrii then ran through how he helps clients. He started the investigation part of the business in response to customer demand: he would represent clients, and often an investigation was required on the client’s behalf. Helping law enforcement officers with the cyber security investigation has a positive impact. ProDefense has clients across the US, Germany, Spain, Australia, Ukraine, etc. The keys appear to be: report the theft fast, identify the crypto currency as stolen and get it tagged, and run a criminal case so you can get the cash back.

Jack leaves us with the reflection that if you’re using crypto, you’re accepting a degree of risk, so be educated on what that means.
