Malware gang steals $1.4 Million and sets up bitcoin exchange to launder it

Daniel Cawrey
Oct 30, 2013 at 23:21 UTC
Updated Sep 10, 2014 at 13:39 UTC

Last week, four men were arrested in the Netherlands for spreading a type of malware that allowed them to obtain Dutch bank account information. They then used a bitcoin exchange to launder some of the $1.4 million that was stolen from approximately 150 bank accounts.

The malware, known as TorRAT, targeted only Dutch speakers. TorRAT used the anonymizing network Tor to reach its command and control (C&C) servers. The men also paid for a Turkish crypting service to evade antivirus software and used the Tor-hosted email service tormail.org to communicate.

Once the malicious software was able to obtain financial information from its victims, the four suspects would then steal money from the bank accounts. They then used a bitcoin exchange that they set up called FBTC Exchange in order to launder some of the stolen cash into euros.

According to the Bitcoin Wiki, FBTC Exchange was launched on June 25, 2013. The site is no longer in operation, and trading has been halted since October 21. The past 6-month volume on FBTC Exchange was 9,007.55 BTC or €743,792.67, according to Bitcoin Charts.

3-month FBTC Exchange chart before it shut down on October 21. Source: Bitcoin Charts

The police reportedly seized 56 bitcoins from the men, which were then exchanged for more than €7,700, or $10,000.

The men were arrested by the Dutch National High Tech Crime Unit (NHTCU). InformationWeek reports that it is possible the men were uncovered by the FBI during its investigation of Silk Road mastermind Ross Ulbricht.

And much as Tor enabled the accused Dutch thieves, Silk Road also relied on the anonymity network to hide its users’ identities and enable illegal activity. The FBI has reportedly seized hundreds of thousands of bitcoins from bitcoin wallets owned by Ulbricht, a 29-year-old graduate student who was operating Silk Road from a residence in San Francisco.

According to what an FBI spokesperson told Forbes, the plan is to sell the seized bitcoins, which would eventually put a large number of bitcoins back on the market. Yet it’s questionable whether the feds currently have the access they need to sell them.

It was ultimately the reliance on third parties that likely got the TorRAT suspects arrested, according to Trend Micro.

“Buying a service from a crypting service, using tormail.org, and recruiting and abusing money mules puts cybercriminals at risk of getting caught. A single error can lead to the unraveling of the whole cybercrime operation. Tor offers a high degree of anonymity, but Tor tools are not immune to data leaks,” says the Trend Micro post on the subject of TorRAT.

And although the use of bitcoin exchanges as a tool for criminal activity is not good, government intervention will not help, according to Tuur Demeester, a bitcoin expert and investor.

“It’s an illusion to believe that ‘a war on fraud’ in the exchange sector will make the problem go away,” he said.

“I think making the cost-benefit analysis, educating bitcoin users about the importance of security and the dangers of fraud will go a much longer way than creating ever more bureaucratic hoops for legitimate entrepreneurs to jump through.”