Publications

Bitcoin Battle: Burning Bitcoin for Geopolitical Fun and Profit

Authors: Kris Oosthoek, Kelvin Lubbertsen and Georgios Smaragdakis

IEEE International Conference on Blockchain and Cryptocurrency • 2025

This study empirically analyzes the transaction activity of Bitcoin addresses linked to Russian intelligence services, which have liquidated over 7 Bitcoin (BTC), i.e., equivalent to approximately US$300,000 based on the exchange rate at the time. Our investigation begins with an observed anomaly in transaction outputs featuring the Bitcoin Script operation code, tied to input addresses identified by cyber threat intelligence sources and court documents as belonging to Russian intelligence agencies. We explore how an unauthorized entity appears to have gained control of the associated private keys, with messages embedded in the outputs confirming the seizure. Tracing the funds’ origins, we connect them to cryptocurrency mixers and establish a link to the Russian ransomware group Conti, implicating intelligence service involvement. This analysis represents one of the first empirical studies of large-scale Bitcoin misuse by nation-state cyber actors.

Quantifying Dark Web Shops’ Illicit Revenue

Authors: Kris Oosthoek, Mark Van Staalduinen and Georgios Smaragdakis

IEEE Access • 2023

The Dark Web, primarily Tor, has evolved to protect user privacy and freedom of speech through anonymous routing. However, Tor also facilitates cybercriminal actors who utilize it for illicit activities. Quantifying the size and nature of such activity is challenging, as Tor complicates indexing by design. This paper proposes a methodology to estimate both size and nature of illicit commercial activity on the Dark Web. We demonstrate this based on crawling Tor for single-vendor Dark Web Shops, i.e., niche storefronts operated by single cybercriminal actors or small groups. Based on data collected from Tor, we show that just in 2021, Dark Web Shops generated at least 113 million USD in revenue. Sexual abuse is the top illicit revenue category, followed by financial crime at a great distance. We also compare Dark Web Shops’ activity with a large Dark Web Marketplace, showing that these are parallel economies. Our methodology contributes towards automated analysis of illicit activity in Tor. Furthermore, our analysis sheds light on the evolving Dark Web Shop ecosystem and provides insights into evidence-based policymaking regarding criminal Dark Web activity.

A Tale of Two Markets: Investigating the Ransomware Payments Economy

Authors: Kris Oosthoek, Jack Cable and Georgios Smaragdakis

Communications of the ACM • 2022

Ransomware attacks are among the most severe cyber threats. They have made headlines in recent years by threatening the operation of governments, critical infrastructure, and corporations. Collecting and analyzing ransomware data is an important step towards understanding the spread of ransomware and designing effective defense and mitigation mechanisms. We report on our experience operating Ransomwhere, an open crowdsourced ransomware payment tracker to collect information from victims of ransomware attacks. With Ransomwhere, we have gathered 13.5k ransom payments to more than 87 ransomware criminal actors with total payments of more than $101 million. Leveraging the transparent nature of Bitcoin, the cryptocurrency used for most ransomware payments, we characterize the evolving ransomware criminal structure and ransom laundering strategies. Our analysis shows that there are two parallel ransomware criminal markets: commodity ransomware and Ransomware as a Service (RaaS). We notice that there are striking differences between the two markets in the way that cryptocurrency resources are utilized, revenue per transaction, and ransom laundering efficiency. Although it is relatively easy to identify choke points in commodity ransomware payment activity, it is more difficult to do the same for RaaS.

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Authors: Harm Griffioen, Kris Oosthoek, Paul van der Knaap and Christian Doerr

ACM Conference on Computer and Communications Security • 2021

Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a ’memory’ of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work.

Inside the Matrix: CTI Frameworks as Partial Abstractions of Complex Threats

Authors: Kris Oosthoek and Christian Doerr

IEEE International Conference on Big Data (Big Data) • 2021

The Cyber Threat Intelligence (CTI) field has evolved rapidly and most of its reporting is now fairly standardized. Where the Cyber Kill Chain was its sole reference framework 5 years ago, today ATT&CK is the de facto standard for reporting adversary tactics, techniques and procedures (TTPs). CTI frameworks are effectively abstraction layers of malicious behavior and thus effective CTI dissemination hinges on their ability to accurately represent this behavior. We argue that this is an area with significant opportunity for improvement. The aforementioned models are attacker- and intrusion-centric, while much of the CTI reporting currently is artifact- and malware-centric. In other words, most analysis is performed using artifacts of adversary tools, while in-the-wild evidence of adversary techniques and procedures is limited or lacking. Applying an intrusion model to artifact-based analysis leads to information loss, affecting and potentially misleading CTI-based decision-making. Intelligence analysis naturally builds on imperfect information, but CTI frameworks should be oriented more towards this key premise. In this conceptual work we compare the intrusion-centric ATT&CK with the Malware Behavior Catalog (MBC), which is malware-centric. We compare how their application affects reporting of analysis outcomes. For this we reverse a piece of APT malware, replicating how many CTI reports are produced. We find that compared to ATT&CK, the abstraction offered by MBC enhances the information density of our reporting. While currently in most industry malware reports ATT&CK is applied, our analysis shows that on these occasions using MBC, potentially in tandem with ATT&CK, improves reporting. With the daily amount of new malware samples only increasing, accurate behavior labeling is key to the success of CTI sharing and dissemination.

Flash Crash for Cash: Cyber Threats in Decentralized Finance

Authors: Kris Oosthoek

arXiv Preprint • 2021

Decentralized Finance (DeFi) took shape in 2020. An unprecedented amount of over 14 billion USD moved into DeFi projects offering trading, loans and insurance. But its growth has also drawn the attention of malicious actors. Many projects were exploited as quickly as they launched and millions of USD were lost. While many developers understand integer overflows and reentrancy attacks, security threats to the DeFi ecosystem are more complex and still poorly understood. In this paper we provide the first overview of in-the-wild DeFi security incidents. We observe that many of these exploits are market attacks, weaponizing weakly implemented business logic in one protocol with credit provided by another to inflate appropriations. Rather than misusing individual protocols, attackers increasingly use DeFi's strength of permissionless composability against itself. By providing the first holistic analysis of real-world security incidents within the nascent financial ecosystem DeFi is, we hope to inform threat modeling in decentralized cryptoeconomic initiatives in the years ahead.

Cyber Threat Intelligence: A Product Without a Process?

Authors: Kris Oosthoek and Christian Doerr

International Journal of Intelligence and CounterIntelligence • 2021

Cyber threats have become a permanent threat to society. Over the last few years, accounts of hacking campaigns into public- and private-sector enterprises have drawn significant attention. In 2017, Yahoo announced that three billion user account details were exposed in a hacking operation dating back to 2013. In 2018, Equifax disclosed that malicious actors had penetrated its corporate network and exposed sensitive personal data of 143 million U.S. citizens. The same year, Marriott Hotels declared that the records of 383 million guests were exposed to malicious actors. These breaches descended from state-coordinated hacking campaigns. Cybersecurity breaches cause technical catastrophes, but also have significant ramifications at economic, legal, and individual and personal levels. In many cyberattacks the victim network is breached long before detection. The average time to identify a breach is 206 days, with the mean time to then contain it being 73 days. Cybersecurity incidents caused by malicious actors are the most common and most expensive to solve. The unrecognized presence of malicious actors within the trusted enterprise network boundary effectively signifies an intelligence gap in computer network defense...

Cyber Security Threats to Bitcoin Exchanges: Adversary Exploitation and Laundering Techniques

Authors: Kris Oosthoek and Christian Doerr

IEEE Transactions on Network and Service Management • 2021

Bitcoin is gaining traction as an alternative store of value. Its market capitalization transcends all other cryptocurrencies in the market. But its high monetary value also makes it an attractive target to cyber criminal actors. Hacking campaigns usually target an ecosystem’s weakest points. In Bitcoin, the exchange platforms are one of them. Each exchange breach is a threat not only to direct victims, but to the credibility of Bitcoin’s entire ecosystem. Based on an extensive analysis of 36 breaches of Bitcoin exchanges, we show the attack patterns used to exploit Bitcoin exchange platforms using an industry standard for reporting intelligence on cyber security breaches. Based on this we are able to provide an overview of the most common attack vectors, showing that all except three hacks were possible due to relatively lax security. We show that while the security regimen of Bitcoin exchanges is subpar compared to other financial service providers, the use of stolen credentials, which does not require any hacking, is decreasing. We also show that the amount of BTC taken during a breach is decreasing, as is the number of exchanges that terminate after being breached. Furthermore, we show that overall security posture has improved, but still has major flaws. To discover adversarial methods post-breach, we have analyzed two cases of BTC laundering. Through this analysis we provide insight into how exchange platforms with lax cyber security even further increase the intermediary risk introduced by them into the Bitcoin ecosystem.

SoK: ATT&CK Techniques and Trends in Windows Malware

Authors: Kris Oosthoek and Christian Doerr

Security and Privacy in Communication Networks (SecureComm) • 2019

In an ever-changing landscape of adversary tactics, techniques and procedures (TTPs), malware remains the tool of choice for attackers to gain a foothold on target systems. The Mitre ATT&CK framework is a taxonomy of adversary TTPs. It is meant to advance cyber threat intelligence (CTI) by establishing a generic vocabulary to describe post-compromise adversary behavior. This paper discusses the results of automated analysis of a sample of 951 Windows malware families, which have been plotted on the ATT&CK framework. Based on the framework’s tactics and techniques we provide an overview of established techniques within Windows malware and techniques which have seen increased adoption over recent years. Within our dataset we have observed an increase in techniques applied for fileless execution of malware, discovery of security software and DLL side-loading for defense evasion. We also show how a sophisticated technique, command and control (C&C) over IPC named pipes, is getting adopted by less sophisticated actor groups. Through these observations we have identified how malware authors are innovating techniques in order to bypass established defenses.