Dutch cybersecurity investigators have linked cryptocurrency theft to the long-running Ebury botnet, which has compromised more than 400,000 servers over roughly 15 years.
The case was first uncovered during an investigation conducted by the Dutch National High-Tech Crime Unit (NHTCU) in 2021, according to a report by Slovak cybersecurity firm ESET. During that investigation, investigators found Ebury running on a server that had been used in a cryptocurrency theft.
Following this discovery, the Dutch crime unit worked with ESET, whose researcher Marc-Etienne Léveillé has been tracking Ebury for more than a decade.
Ebury's operators are said to have used adversary-in-the-middle (AitM) attacks to steal crypto funds. In this attack the botnet hijacks network traffic between a victim and the server they are logging in to, and captures the login credentials and session data passing through.
“Cryptocurrency theft is not something we have seen them do before,” Léveillé said.
The botnet redirects this traffic to servers controlled by the criminals, who use the captured credentials to access and empty cryptocurrency wallets held on the victims' servers. ESET's report notes that more than 100,000 servers were still compromised as of 2023.
Ebury specifically targets Bitcoin and Ethereum nodes, harvesting wallet files and other valuable credentials. Once an unsuspecting victim logged in to a node whose traffic was being intercepted, the operators captured the credentials and used them to drain the funds.
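The theft described above depends on a victim's login being redirected to a host the attackers control. One independent check a server operator can run against that failure mode is to compare the SSH host keys recorded at first contact against the keys the same hosts present now: a redirected session normally shows up as a changed key. The script below is an added example written for this article, not code from ESET or from the Ebury report; the hostnames, salt and key blobs in it are constructed sample data, not real indicators.

```python
"""Flag SSH host-key changes by comparing recorded known_hosts entries against
freshly observed keys (the text that `ssh-keyscan` prints).

Added example for this article, not code from ESET or the Ebury report.
Hostnames, salt and key blobs are constructed sample data."""
import base64
import hashlib
import hmac


def hash_known_host(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' form OpenSSH writes with HashKnownHosts yes
    (hash = HMAC-SHA1 keyed with the salt over the hostname)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(pattern: str, host: str) -> bool:
    """True if a known_hosts host field (comma-separated, plain or hashed) covers host."""
    for item in pattern.split(","):
        if item.startswith("|1|"):
            _, _, salt_b64, digest_b64 = item.split("|", 3)
            expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(expected, base64.b64decode(digest_b64)):
                return True
        elif item == host:
            return True
    return False


def parse_entries(text: str):
    """Yield (host_field, key_type, key_b64) from known_hosts or ssh-keyscan text.
    Blank and comment lines are skipped; @cert-authority/@revoked marker lines
    are out of scope for this check and are ignored."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2]


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_observed(known_hosts_text: str, observed_text: str):
    """Compare every observed (host, key type) against the recorded entries.
    Returns a list of (host, key_type, status, recorded_fp, observed_fp) where
    status is 'ok', 'unknown' (never recorded) or 'MISMATCH' (different key)."""
    known = list(parse_entries(known_hosts_text))
    results = []
    for host, key_type, key in parse_entries(observed_text):
        recorded = [k for (pat, kt, k) in known if kt == key_type and host_matches(pat, host)]
        observed_fp = fingerprint(key)
        if not recorded:
            results.append((host, key_type, "unknown", None, observed_fp))
        elif key in recorded:
            results.append((host, key_type, "ok", observed_fp, observed_fp))
        else:
            results.append((host, key_type, "MISMATCH", fingerprint(recorded[0]), observed_fp))
    return results


# Constructed sample data (20-byte salt as OpenSSH uses; 68-char ed25519-shaped blobs).
SALT = b"constructed-salt-20b"
GOOD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "GoodKeyGoodKeyGoodKeyGoodKeyGoodKeyGoodKeyG"
ETH_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "EthKeyEthKeyEthKeyEthKeyEthKeyEthKeyEthKeyE"
ROGUE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "AttackerKeyAttackerKeyAttackerKeyAttackerKe"

KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts: what was recorded at first contact",
    "btc-node-1.example.internal,10.0.0.11 ssh-ed25519 " + GOOD_KEY,
    hash_known_host("eth-node-2.example.internal", SALT) + " ssh-ed25519 " + ETH_KEY,
])

OBSERVED = "\n".join([
    "# btc-node-1.example.internal:22 SSH-2.0-OpenSSH_9.6  (constructed ssh-keyscan output)",
    "btc-node-1.example.internal ssh-ed25519 " + ROGUE_KEY,  # key changed: possible redirect
    "eth-node-2.example.internal ssh-ed25519 " + ETH_KEY,    # unchanged
    "new-node-3.example.internal ssh-ed25519 " + GOOD_KEY,   # never recorded
])

if __name__ == "__main__":
    for host, key_type, status, rec_fp, obs_fp in check_observed(KNOWN_HOSTS, OBSERVED):
        print(f"{status:8} {host} {key_type} recorded={rec_fp} observed={obs_fp}")
```

Two caveats apply. The check only works if the key recorded at first contact was the genuine one (the usual trust-on-first-use assumption). And if the attackers already hold the target's host private key, which is plausible once a node itself has been compromised, the redirected session presents the genuine key and this comparison stays silent; it catches one failure mode of the attack, it is not a substitute for keeping the nodes clean.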
[Figure: Flowchart of Ebury's attack on crypto wallets. Source: welivesecurity]
Furthermore, once a victim's system was compromised, Ebury harvested the credentials stored on it and used them to break into other systems those credentials gave access to. The report identifies a wide range of victims: universities, companies, internet service providers and cryptocurrency traders.
The attackers also use stolen identities to rent the servers from which they run their attacks, which makes it very difficult for law enforcement to trace the people behind the operation.
“They are really good at blurring attribution,” Léveillé added.
Ebury operator Maxim Senakh was arrested at the Finland-Russia border in 2015 and extradited to the United States. The U.S. Department of Justice charged Senakh with computer fraud; he pleaded guilty in 2017 and was sentenced to 46 months in prison.
The masterminds behind Ebury remain at large, though the NHTCU says several leads are being pursued.
Crypto thefts have become increasingly sophisticated over the years. Earlier this month, North Korean hackers used a new malware variant called "Durian" in attacks on at least two cryptocurrency firms.
Before that, a January report from cybersecurity firm Kaspersky described malware targeting cryptocurrency wallets on macOS.