One cyber criminal group might be responsible for stealing around $200 million from various crypto exchanges over the course of two years, cybersecurity firm ClearSky said in a post on 24 June.

According to the firm’s research, the so-called “CryptoCore” cyber criminal group has almost exclusively targeted cryptocurrency exchanges since 2018, and is known to have stolen $70 million from heists, though in reality ClearSky estimates that number to be more than $200 million. Though it has been investigating the group for almost two years now, ClearSky still has no solid evidence of the operators’ origin, but it is suspected that the criminals are connected to the East European region – Ukraine or Russia.

The company has associated CryptoCore to at least five crypto exchange hacks, that follow a particular pattern, over the past two years, but has noticed that the criminals had targeted another 10 to 20 exchanges in that time. The group’s activities have also been documented in several reports, though they were identified under different names, such as “Dangerous Password” and “Leery Turtle”.


The firm said in its paper:

“In recent years, cryptocurrency exchanges have become targets for constant attacks, mainly from criminal groups and lone hackers. Threat actors of all kinds try to infiltrate corporate networks for reconnaissance, ransomware deployment, and plainly to steal money from those exchanges, specifically from their “hot” (i.e. active, connected) wallets.”

In its report, ClearSky further noted that the criminals’ tactics have been almost the same for the past two years. It all starts with gathering the required information which will allow the criminals to target an exchange’s management, IT staff or other employees. Then, using the fact that personal email accounts usually have less security, the group would initiate phishing attacks.

Later the group would use a spear-phishing email, “either from the target company itself or from a company that deals with the target”, to implant malware on an employee’s system, and gain access to a password manager account. From there, the group would use the passwords to enter accounts and wallets, and eventually drain the funds from the exchange’s hot wallets.

If ClearSky’s research is accurate, CryptoCore is the second group to repeatedly target crypto exchanges. In the past years, North Korea has been the biggest threat to crypto exchanges, according to a report presented to the U.N. Security Council North Korea sanctions committee last September. Per the report, North Korea has been responsible for stealing around $2 billion in fiat and cryptocurrency through hacks on banks and cryptocurrency exchanges.