Criminals hijack government sites to mine cryptocurrency used to hide wealth

Criminals are using cryptocurrencies, which are not regulated by any state or banking authorities, to launder billions of pounds’ worth of illegal gains, according to Europol.

Despite a dramatic fall in the value of bitcoin after record highs in December, up to £4bn is being laundered through cryptocurrencies, Europol director Rob Wainwright has told the BBC.

Regulators, law enforcement and cryptocurrency industry leaders need to work together to tackle the problem of not being able to track and trace illicit funds, he said in an interview to be broadcast on BBC One today (12 February) at 20:30 GMT.

The warning coincides with an investigation by the UK parliament’s Treasury Select Committee into cryptocurrencies and the details of planned EU-wide regulations to force traders to disclose identities and any suspicious activity, amid calls for a UK government inquiry and a crackdown on cryptocurrencies by France and Germany.

Europol’s warning also coincides with reports that more than 4,000 websites, including many in the public sector, have been injected with code designed to hijack visitors’ computers to mine for cryptocurrency.

Cryptocurrency is created when computers run complex mathematical equations, which is known as cryptocurrency mining. Criminals, attracted by the anonymous nature of cryptocurrencies and the prospect of making more for free, are increasingly targeting cryptocurrencies.

Towards the end of 2017, there was a series of attacks on cryptocurrency exchanges in which cryptocurrency was stolen, but this coincided with a sharp uptick in cyber criminals using malware to inject code into websites to hijack computers to mine cryptocurrency, known as cryptojacking.

The cryptocurrency mining code itself, like CoinHive, is often a legitimate cryptomining application that cyber criminals are using to generate cryptocurrency unbeknown to the owners of the targeted computers. Typically, the compromised website runs cryptomining code written in JavaScript inside a victim’s web browser.

At the weekend, it emerged that public sector websites were among the thousands being targeted in this way, including the websites of the UK’s Information Commissioner’s Office (ICO), NHS websites, the General Medical Council, several UK local councils, the Student Loans Company, several Australian government departments, and the US Courts website.

UK security researcher Scott Helme raised the alarm and identified the BrowseAloud plugin, which helps make websites more accessible to visually impaired people, as the source of the cryptojacking attacks.

Texthelp, the developers of BrowseAloud, responded to Helme’s report by posting an alert and taking the service offline. Texthelp found that a JavaScript file that is part of the BrowseAloud product was compromised.

“The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency,” the alert said. “This was a criminal act and a thorough investigation is currently under way.”

According to Texthelp, no customer data has been accessed or lost during the four-hour period when the exploit was active on 11 February.

The UK’s National Cyber Security Centre (NCSC) said its technical experts were investigating the cryptojacking incidents and that the BrowseAloud service had been taken offline, largely mitigating the issue, adding that all government websites continue to operate securely.

“At this stage there is nothing to suggest that members of the public are at risk,” the NCSC said in a statement.  

Independent security adviser Graham Cluley said the reason many public sector websites had been hit by the poisoned version of BrowseAloud was because of their need to comply with legal obligations to make their information accessible to people with disabilities.

“Things could have been much worse,” he said in a blog post. “Imagine if the plugin had been tampered with to steal login passwords rather than steal CPU resources from visiting computers.”

Any organisation using someone else's code on their website is potentially increasing their exposure to attack, said Cluley. “If a hacker wants to infect 4,000 websites, it’s likely to be a lot less effort to tamper with one third-party script that is used by 4,000 websites than compromise each website one by one,” he said.

Fabian Libeau, vice-president of cyber security firm RiskIQ, said the company’s researchers are seeing threat actors around the world exploiting cryptocurrencies in a lawless digital world.

“Threat actors hack vulnerable sites or spin up fake, illegitimate websites to siphon money off of major brands, often with typosquatting domains and fraudulent branding to trick people into visiting their sites running cryptocurrency mining scripts,” he said.

According to Libeau, security teams often lack visibility into all of the ways they can be attacked externally, and struggle to understand what belongs to their organisation, how it is connected to the rest of their asset inventory, and what potential vulnerabilities are exposed to compromise.

“In the case of scripts like CoinHive, it means being able to inventory all the third-party code running on your web assets, and being able to detect instances of threat actors leveraging your brand on their illegitimate sites around the internet,” he said. “Digital threat management software can help companies get covered by continuously discovering an inventory of your externally facing digital assets and managing risks across your attack surface.”