Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion Crypto Money Laundering

Feb 05, 2024 | Newsroom | Cryptocurrency / Financial Fraud

A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business.

Aliaksandr Klimenka, who was arrested in Latvia on December 21, 2023, was extradited to the U.S. If convicted, he faces a maximum penalty of 25 years in prison.

BTC-e, which had been operating since 2011, was seized by law enforcement authorities in late July 2017 following the arrest of another key member, Alexander Vinnik, in Greece.

The exchange is alleged to have received deposits valued at over $4 billion, with Vinnik laundering funds received from the hack of another digital exchange, Mt. Gox, through various online exchanges, including BTC-e.

Court documents allege that the exchange was a “significant cybercrime and online money laundering entity,” allowing its users to trade in bitcoin with high levels of anonymity, thereby building a customer base that engaged in criminal activity.

This included hacking incidents, ransomware scams, identity theft schemes, and narcotics distribution rings.

“BTC-e’s servers, maintained in the United States, were allegedly one of the primary ways in which BTC-e and its operators effectuated their scheme,” the U.S. Department of Justice (DoJ) said.

These servers were leased to and maintained by Klimenka and Soft-FX, a technology services company controlled by the defendant.

BTC-e has also been accused of failing to establish an anti-money laundering process or know-your-customer (KYC) verification in accordance with U.S. federal laws.

In June 2023, two Russian nationals – Alexey Bilyuchenko and Aleksandr Verner – were charged for their roles in masterminding the 2014 digital heist of Mt. Gox.

News of Klimenka’s indictment comes as the DoJ charged Noah Michael Urban, 19, of Palm Coast, Florida, with wire fraud and aggravated identity theft for offenses that led to the theft of $800,000 from at least five different victims between August 2022 and March 2023.

Urban, who went by the aliases Sosa, Elijah, King Bob, Anthony Ramirez, and Gustavo Fring, is said to be a key member of the cybercrime group known as Scattered Spider, according to KrebsOnSecurity, as well as a “top member” of a broader cybercrime ecosystem that calls itself The Com.

It also follows the Justice Department’s announcement of charges against three individuals, Robert Powell, Carter Rohn, and Emily Hernandez, in relation to a SIM swapping attack aimed at crypto exchange FTX to steal more than $400 million at the time of its collapse in 2022.

Powell (aka R, R$, and ElSwapo1), Rohn (aka Carti and Punslayer), and Hernandez (aka Em) are accused of running a massive cybercriminal theft ring dubbed the Powell SIM Swapping Crew that orchestrated SIM swapping attacks between March 2021 and April 2023 and stole hundreds of millions of dollars from victims’ accounts.

Blockchain analytics firm Elliptic, in October 2023, said the plundered assets had been laundered through cross-chain crime in collaboration with Russia-nexus intermediaries in an attempt to obscure the trail.

Orange Spain Faces BGP Traffic Hijack After RIPE Account Hacked by Malware

Jan 05, 2024 | Newsroom | Network Security / Malware

Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials captured by means of stealer malware to hijack the border gateway protocol (BGP) traffic.

“The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers,” the company said in a message posted on X (formerly Twitter).

However, the company emphasized no personal data was compromised and that the incident only affected some browsing services.

The threat actor, who goes by the name Ms_Snow_OwO on X, claimed to have gained access to Orange Spain’s RIPE account. RIPE is a regional Internet registry (RIR) that oversees the allocation and registration of IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and West Asia.

“Using the stolen account, the threat actor modified the AS number belonging to Orange’s IP address, resulting in major disruptions to Orange and a 50% loss in traffic,” cybersecurity firm Hudson Rock said.

Further analysis has revealed that the email address of the admin account is associated with an Orange Spain employee whose computer was infiltrated by Raccoon Stealer malware on September 4, 2023.

It’s currently not known how the stealer found its way to the employee’s system, but such malware families are typically propagated via malvertising or phishing scams.

“Among the corporate credentials identified on the machine, the employee had specific credentials to ‘https://access.ripe.net’ using the email address which was revealed by the threat actor (adminripe-ipnt@orange.es),” the company added.

Even worse, the password used to secure Orange’s RIPE administrator account was “ripeadmin,” which is both weak and easily predictable.

Security researcher Kevin Beaumont further noted that RIPE neither mandates two-factor authentication (2FA) nor enforces a strong password policy for its accounts, making it ripe for abuse.

“Currently, infostealer marketplaces are selling thousands of credentials to access.ripe.net — effectively allowing you to repeat this at organizations and ISPs across Europe,” Beaumont said.

RIPE, which is currently investigating to see if any other accounts have been affected in a similar manner, said it will directly reach out to affected account holders. It has also urged RIPE NCC Access account users to update their passwords and enable multi-factor authentication for their accounts.

“In the long term, we’re expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts as soon as possible and to introduce a variety of verification mechanisms,” it added.

The incident serves to highlight the consequences of infostealer infections, necessitating that organizations take steps to secure their networks from known initial attack vectors.
