ALPS blog

by Richard Werner, Business Consultant

The emergence of cryptocurrencies over ten years ago was the basis for today’s attack boom and the new dimension of cybercrime. At first glance, this seems a daring thesis. But money is one of the earliest achievements of mankind and is crucial for the emergence of civilisation. Only money and the value associated with it allowed specialisation, and the stability of a currency is the foundation of a healthy economy. But money has also always been a major driver of crime – more than 95% of all cyber attacks are financially motivated (the remaining percentages are shared by political attacks as well as “just for fun” actions). However, it was only when Bitcoin gained in value in 2009 that criminals’ profits also increased enormously and underground services gained in popularity.

Of course, cybercrime also existed before Bitcoin, and of course services were offered and paid for even then. But this was always associated with considerable risks for both sides – buyer and provider. For example, common payment methods were stolen credit cards, so “hot goods were exchanged for hot goods”, or direct payment services, where the buyer had to trust the seller, a “criminal”, and always carried the risk of being targeted by police investigators himself. But even if the transaction was successful, the risk of detection remained high on both sides. The generated – pardon – stolen “proceeds” had to be smuggled past investigating authorities and the bank’s own detection algorithms. Even if there were options for this (e.g. money mules), only relatively small amounts could be exchanged in this way to make it more difficult for the police to detect them.

Ukash was the first electronic means of payment and is considered the predecessor of cryptocurrency. The so-called “Ukash Trojan”, also called the “BKA Trojan”, is a well-known example of ransomware that relied on Ukash as a means of payment.

But it was only with Bitcoin, which was developed in 2009 and gained an attractive value from around 2012, that this situation changed massively – to the point of offers of Ransomware as a Service and other services.

The underground is booming

In fact, the rise of the underground economy began around 2012/2013. The first, clear signs of this were in 2015 with the first massive wave of ransomware. Now in 2021, there was a massive increase in cyberattacks, both in quantity and quality – continuing a trend of recent years. Memorable this year alone were attacks such as those involving the Sunburst backdoor, the Colonia Pipeline attack and Kaseya, with the underlying cyber incidents in each case being unique (so far) in their scale. In part, the pandemic has contributed to this development, but all the schemes, techniques and especially the organisation behind these attacks existed before.

The biggest change compared to the pre-Bitcoin & Co. era was the increased appearance of “as a service” offerings. Cybercriminal gangs sold their knowledge and tools to more and more paying customers. Today, there is “ransomware as a service”, “hacking as a service”, “access as a service”, “translation services”, “call centre services”, escrow agents, lawyers and much more directly related to cybercriminal activities.

And this development was made possible because “Bitcoin” was the first currency outside of a state control. It did what every currency does, it created a new economic space.

Specialisation of the protagonists

In every advanced value chain, there are people, or companies, that are better at certain things than others – as is also the case in cybercrime, as the above list of service offerings available in the underground shows. The phases of a modern cyber attack, for example with the aim of digital blackmail, show the approximate breakdown. First, the aim is to gain access to a victim. The network and the creators of the Emotet group were among the top specialists here. With sophisticated social engineering, such as stolen email communication, the group managed to get past even well-trained professionals.

The stolen access data is also often sold by various groups, either for Bitcoins or some kind of “profit sharing”. The buyers are groups that specialise in spreading themselves within a victim system, stealing data there and largely crippling its infrastructure. The individual perpetrators specialise in companies of different sizes.

But that’s not all, because in order to get a victim’s money, contact is necessary. It is a matter of possible negotiations about the ransom sum or even proof that one is able to decrypt the data again. The skills required here include language talent and negotiating skills. There are specialists for this, too.

Specialist services are expensive, and here, too, Bitcoin is the pioneer, because the currency allows services to be traded anonymously. There is no state control or banking supervision. Anyone can deal with anyone -worldwide. A situation that is unique in the history of mankind (so far).

Large sums

And the cybercurrency has yet another effect. Before bitcoin, individual crimes were usually limited to smaller sums in the two- to five-digit range. The reason: the larger the sum, the easier it was to trace for banks and ultimately for the police. Bitcoin also eliminated this “problem”. The currency allows the quick transfer to accounts that can be anonymised and thus the undisturbed transfer of sums in the millions.

It is therefore not surprising that the offence of “extortion” in particular has massively increased in cybercrime. Nor is it surprising that the perpetrators are targeting more and larger targets. However, the question arises as to whether it is really still about money, or whether it is not already about being the most “notorious” of all gangsters. For example, when the Ukrainian police stormed the Emotet infrastructure on camera, they counted the gold bars and cash seized from the criminals that were stored there alongside old hard drives and cables:

And especially the attack on the Colonial Pipeline in the USA startled not only the investigating authorities but also the government. Perhaps that was the famous straw that broke the camel’s back and endangered the entire cyber underground. We can only hope so.


From a cybersecurity perspective, it is clear that as long as Bitcoin or other cryptocurrencies have a measurable value and are not subject to any government control, the current situation of targeted cyber attacks and extortion will continue. The specialisation of the attackers currently meets largely overstretched defenders who often – equipped with outdated strategies and techniques – “hope” not to be hit.

In addition, the acts that have made headlines around the world will motivate more criminals to try their luck in the cyber underground (similar to the gold rush of the 19th century). This continuing growth in crime will not be interrupted even by major police investigative successes such as the Emotet takedown.

The impact of Bitcoin & Co on the criminal underground also worries many banks, and individual countries have decided to take action against cryptocurrencies. However, political tensions are to be expected in the process, especially in Western democracies, which is why it is quite questionable whether anything will change in the near future.

Companies would therefore do well to take the situation seriously and assume that the situation will continue to escalate. The political threatening gestures in connection with the Colonial Pipeline hack will perhaps lead to a small respite and could support especially large corporations and companies in similarly critical areas. For the bulk of industry, however, there will be little help. In particular, medium-sized companies with comparatively high values will find themselves exposed to the attention of malicious hackers.

We have already written about countermeasures several times. Due to specialisation, it is to be expected that attackers will manage to get past defensive measures. The most important thing is therefore to get a grip on the management of one’s own security and to have an emergency plan ready. An expansion to include automated detection and response functions – i.e. the recognition of successful attackers and corresponding countermeasures – should also be on the agenda as soon as possible. Trend Micro and its specialised trade partners will be happy to provide you with advice and support.