Since cryptocurrency, blockchain, and smart contracts have been in the news quite a bit recently, we thought we’d go ahead and add another buzzword to the combo by working deception into it!
A strong need has emerged for early detection of attacks targeting cryptocurrency. We are therefore happy to introduce Cryptocurrency Deception. The idea is straightforward: starting with the next MazeRunner version, our users will be able to incorporate cryptocurrency elements into their deception stories when deploying a deception campaign.
Screenshot 1: A deception campaign including cryptocurrency deception elements
Users can create a new wallet using MazeRunner and then independently transfer a small amount of funds into it. MazeRunner will then deploy breadcrumbs for that wallet to selected endpoints on the network. The breadcrumbs are actually the private key for the wallet, making it a hackable target. Once the breadcrumbs are deployed, MazeRunner will monitor this wallet for transactions.
Screenshot 2: MazeRunner’s supported installation formats for manual breadcrumb installation
Once an attacker sees that wallet as an “easy to pick” target and touches any of the funds in that wallet, a new transaction will be recorded on the blockchain and the defender will be alerted to the attacker’s presence in the network.
Screenshot 3: MazeRunner alerting on stolen funds
As a fascinating anecdote, while developing this capability, Cymmetria’s senior developer Gal Singer ran into a real alert:
“When I started to develop this solution, I used the library ‘moneywagon’ to generate the bitcoin wallet. Since it was only for the initial development, I generated the wallet with the following code:
from moneywagon import generate_keypair
# first parameter is the crypto type, second is the seed
# (the fixed seed string used during development is not reproduced in the post; placeholder below)
keypair = generate_keypair('btc', '<fixed development seed>')
It is important to note that anyone using the above code will get the same private key, public key, and wallet address.
I then transferred money into the wallet and as expected saw the following alert:
Screenshot 4: Moving funds into our deception wallet
More surprising was when I got a second, unexpected alert of my wallet being promptly emptied of all its funds:
Screenshot 5: An alert on bitcoin being stolen from the wallet
What actually happened here is that we used a “known private key” and thus a known wallet that everyone has the key to. We transferred money into that account, which was then promptly stolen by someone else monitoring that wallet.
This proves two things:
- Our blockchain monitoring works
- Attackers are constantly monitoring wallets with weak private keys to steal cryptocurrency”
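The failure in the anecdote above is that a seed-based generator maps a fixed seed to a fixed key, so every run (and everyone else who picks the same seed) ends up with the same wallet. The following is an added example, not Gal Singer's code and not moneywagon's internals: it models seed-based derivation as SHA-256 of the seed text (an assumption about how such generators work), contrasts it with drawing the key from the OS CSPRNG, and includes a pre-deployment check that a deception wallet's key was not derived from any seed string the team has used in development. The seed strings in KNOWN_DEV_SEEDS are constructed placeholders.

```python
import hashlib
import secrets

# Order of the secp256k1 group: a valid bitcoin private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed placeholders standing in for seed strings that appear in a team's
# dev scripts, tickets or docs. Anything here is public knowledge, not a secret.
KNOWN_DEV_SEEDS = ("test", "dev-test-seed", "deception-demo")


def private_key_from_seed(seed: str) -> int:
    """Brain-wallet style derivation: the key is simply SHA-256 of the seed text.

    This is an assumption modelling a seed-based generator, not moneywagon's
    actual code. The mapping is public and fixed, so every caller who supplies
    the same seed obtains the identical private key and therefore the same wallet.
    """
    return int.from_bytes(hashlib.sha256(seed.encode("utf-8")).digest(), "big")


def random_private_key() -> int:
    """Draw a fresh key from the OS CSPRNG, rejecting the rare out-of-range values."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if is_valid_private_key(k):
            return k


def is_valid_private_key(k: int) -> bool:
    """A private key must be a non-zero integer below the curve order."""
    return 1 <= k < SECP256K1_N


def keys_collide_across_runs(seed: str) -> bool:
    """Two independent runs (two developers, or one script run twice) that derive
    from the same seed get the same key: the wallet is shared with everyone who
    knows or guesses that seed."""
    return private_key_from_seed(seed) == private_key_from_seed(seed)


def random_keys_collide() -> bool:
    """With 256 bits of CSPRNG entropy, two draws never coincide in practice."""
    return random_private_key() == random_private_key()


def audit_key(k: int, known_seeds=KNOWN_DEV_SEEDS):
    """Pre-deployment hygiene check for a deception wallet key.

    Returns the seed string the key was derived from if it matches one of the
    team's known development seeds, otherwise None. A deception wallet whose key
    is derivable from public text is not a trap for the defender to monitor; it
    is a wallet that anyone watching the chain will empty immediately.
    """
    for seed in known_seeds:
        if private_key_from_seed(seed) == k:
            return seed
    return None


if __name__ == "__main__":
    weak = private_key_from_seed("dev-test-seed")
    print("seed-derived key collides across runs:", keys_collide_across_runs("dev-test-seed"))
    print("audit of seed-derived key:", audit_key(weak))
    strong = random_private_key()
    print("audit of CSPRNG key:", audit_key(strong), "| in range:", is_valid_private_key(strong))
```

The audit only catches seeds the defender already knows about; its purpose is to stop a development placeholder from reaching a campaign, not to measure key strength. The real fix is to never accept a caller-supplied seed for a deception wallet at all.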
This idea can be incorporated into multiple deception scenarios, from wallets used by developers to wallets in production, or even, in organizations that don’t deal with cryptocurrency at all, personal wallets that employees used on work computers. A straightforward use-case would be placing these wallets on executive workstations or other high-value targets, and getting alerts when those targets are compromised.
This monitoring does have a limitation: on its own it cannot tell which endpoint was compromised. It reveals that an attack happened, not where, unless the defender deploys a different wallet to each endpoint. The capability is still incredibly useful, since it provides another easy way to be alerted to an attacker’s presence in the network.
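The monitoring and alerting described above, and the per-endpoint attribution limitation, as an added example that is not MazeRunner's or Honeycomb's code. It assumes a simplified transaction record (txid plus lists of input and output addresses with amounts) that a chain-polling layer would produce; the wallet addresses, endpoint names and transactions are constructed placeholders. Spending from a watched wallet is what proves someone holds the planted private key, so that is the theft alert; a deposit alert covers the defender's own funding step. A wallet planted on exactly one endpoint yields attribution, a wallet shared across endpoints does not.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Alert:
    kind: str       # "funds_deposited" or "funds_stolen"
    wallet: str
    endpoint: str   # attributed endpoint, or a note that attribution is ambiguous
    txid: str
    amount: int     # smallest unit of the currency (satoshi for bitcoin)


class DeceptionWalletMonitor:
    """Turns on-chain activity on deception wallets into alerts.

    wallet_endpoints maps each watched wallet address to the endpoints where its
    private key was planted as a breadcrumb.
    """

    def __init__(self, wallet_endpoints: Dict[str, List[str]]):
        self.wallet_endpoints = {w: list(e) for w, e in wallet_endpoints.items()}
        self.seen_txids: Set[str] = set()   # repeated polls return old tx; alert once

    def _attribution(self, wallet: str) -> str:
        endpoints = self.wallet_endpoints[wallet]
        if len(endpoints) == 1:
            return endpoints[0]
        # One key on several hosts: we know the attack happened, not where.
        return "ambiguous: one of " + ", ".join(sorted(endpoints))

    def ingest(self, transactions: Iterable[dict]) -> List[Alert]:
        """Process one poll's worth of transactions and return only new alerts.

        Each transaction is {"txid": str, "inputs": [(address, amount)],
                             "outputs": [(address, amount)]} (assumed format).
        """
        alerts: List[Alert] = []
        for tx in transactions:
            if tx["txid"] in self.seen_txids:
                continue
            self.seen_txids.add(tx["txid"])
            for addr, amount in tx["inputs"]:
                # Spending from a watched wallet requires its private key: theft.
                if addr in self.wallet_endpoints:
                    alerts.append(Alert("funds_stolen", addr,
                                        self._attribution(addr), tx["txid"], amount))
            for addr, amount in tx["outputs"]:
                # Funds arriving: expected once, when the defender funds the wallet.
                if addr in self.wallet_endpoints:
                    alerts.append(Alert("funds_deposited", addr,
                                        self._attribution(addr), tx["txid"], amount))
        return alerts


# Constructed sample data: addresses, endpoint names and txids are placeholders.
WALLET_ENDPOINTS = {
    "wallet-A": ["exec-laptop-01"],              # one key, one host: attributable
    "wallet-B": ["dev-vm-07", "dev-vm-08"],      # same key planted on two hosts
}

SAMPLE_TXS = [
    {"txid": "tx-001", "inputs": [("defender-funding", 5000)], "outputs": [("wallet-A", 5000)]},
    {"txid": "tx-002", "inputs": [("defender-funding", 5000)], "outputs": [("wallet-B", 5000)]},
    {"txid": "tx-003", "inputs": [("wallet-A", 5000)], "outputs": [("unknown-addr-1", 4900)]},
    {"txid": "tx-003", "inputs": [("wallet-A", 5000)], "outputs": [("unknown-addr-1", 4900)]},
    {"txid": "tx-004", "inputs": [("wallet-B", 5000)], "outputs": [("unknown-addr-2", 4900)]},
]


def run_sample() -> List[Alert]:
    """Two polls: the first sees only the funding, the second re-sees those plus the thefts."""
    monitor = DeceptionWalletMonitor(WALLET_ENDPOINTS)
    alerts = monitor.ingest(SAMPLE_TXS[:2])
    alerts += monitor.ingest(SAMPLE_TXS)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.kind}] wallet={a.wallet} endpoint={a.endpoint} tx={a.txid} amount={a.amount}")
```

In a real deployment the transaction records would come from a node or block explorer API polled on a schedule, and a theft transaction that returns change to the watched wallet would also raise a deposit alert, which is harmless but worth knowing when tuning the alert pipeline.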
In the next couple of weeks we will be releasing this capability code as open source as part of the Honeycomb project, our open-source honeypot platform.
EDIT: We updated our conclusions about what attackers are doing on wallets with weak private keys, based on comments we received.
Imri Goldberg is Co-founder & CTO at Cymmetria, where he leads innovation and participates in product design and setting the company’s roadmap. His experience lies in leading the design and development of high-tech products.