What is worse than losing money? Losing your data, of course! Data leakage in Web3: your information has been on sale on the dark web for 10 days...
Written by: CertiK
In today's society, at work and at home, the Internet has become inseparable from daily life. You can leave the house without a wallet, but not without your mobile phone. Physical cards are no longer needed to pay, and even street beggars have started using QR codes to receive money online.
It is not hard to see that most of the threats currently faced by individuals, enterprises, organizations and their customers come from network vulnerabilities and attacks. Data privacy and personal privacy have therefore become extremely important, and every year countless cases of sensitive data being lost through vulnerabilities are recorded.
Numerous major security incidents have occurred in the history of Web3.0, ranging from the loss of private keys of centralized exchanges to the theft of investors' personal data. And that data could exist for years in online hacking forums and darknet marketplaces, meaning a data breach would put those affected users at risk for a long time.
CertiK's analysis looked at 74 security incidents that occurred at centralized Web 3.0 entities. 23 of these incidents resulted in a long-term, high risk of data loss, and for 10 of those 23 incidents the stolen data sets were found to still be available for purchase on dark web forums.
A series of law enforcement campaigns against hacker forums can keep certain data from being retrieved, but such measures only treat the symptoms.
This article walks through the classification of Web 3.0 data leakage incidents and the measures we should take to protect our data.
Background
Hacking, exploits, ransomware, and all cybersecurity threats are increasing in size and severity. The Web 3.0 ecosystem is unique in that it provides malicious actors with a variety of attack vectors not found in other technologies, including vulnerabilities in smart contracts and novel phishing techniques.
However, the story of Web 3.0 security incidents is closely tied to what happens in other industries: the same types of security holes found outside Web 3.0 are the ones that centralized projects and companies fail to address.
We wanted to take a closer look at the history of cybersecurity incidents against Web 3.0 targets and assess whether past incidents still pose an ongoing risk to community members today.
Doing so requires carefully separating the security incidents in this report from the losses caused by exploiting smart contract protocols.
We have studied many incidents against Web 3.0 companies since 2011, and they can be roughly divided into two categories: protocol exploits and network breaches.
There are several important differences between the two categories in terms of near-term and long-term risk.
Malicious protocol exploits happen within a definite timeframe, starting when the attacker executes the exploit and ending when they exhaust all available funds, run out of gas, or cause the targeted project to shut down. Some of these events last hours or days, post-event negotiations may extend the timeframe further, and in some cases projects have been shut down immediately afterwards. The key point, however, is that these attacks have clear start and end points.
Breaches, by contrast, are sustained incidents: the attacker gains access to the network and stays there for a long time. A breach is usually defined as the exfiltration of data that is then used in an attack or sold on the darknet or online forums.
Network breaches can also lead to serious financial losses. Most Web 3.0 organizations are financial entities with a high flow of money, which makes them a natural target for hackers.
Data breaches can be devastating and the risk can last for years—especially if personally identifiable information (PII) is lost during the breach.
With this in mind, we collected a sample of 74 past incidents that we classify as breaches posing an ongoing risk to community members (this includes only incidents in which a company's internal network was compromised, and excludes protocol exploits).
We believe it is necessary to distinguish incidents in which sensitive data is lost from incidents in which only funds are lost. To better assess the ongoing risk of these breaches, we highlight those whose data is still for sale or freely available on the darknet or on the clearnet, and offer our thoughts on how accessible these platforms are.
Data Breach & Loss of Funds
To assess the ongoing risk associated with these events, we grouped them into the following defined events:
The second category, non-retrievable data loss incidents, consists primarily of breaches that only result in the loss of funds or private keys. In such cases the lost funds are usually irretrievable.
Anomalous incidents are those in which the stolen data was never released, was returned, or was used for some other purpose. For example, in June 2020 the Japanese centralized exchange Coincheck was attacked, and the PII of more than 200 customers fell into the attackers' hands. The attackers compromised Coincheck's network and then sent phishing emails from the company's internal email address, requesting PII from customers. No database was lost in this incident; the only data lost belonged to the customers who replied to the emails.
In another incident in June 2020, the Canadian centralized exchange Coinsquare also suffered a breach in which 5,000 email addresses, phone numbers and home addresses were leaked.
After a back-and-forth with Coinsquare, the attackers said they would use the data in SIM-swapping attacks but would not try to sell it, in order to "fish for a long time". This type of incident is also placed in the second, non-retrievable category.
Of the 74 incidents we identified, 23 (approximately 31%) can be classified as retrievable-data incidents. The remaining 51 were either the anomalous incidents described above or incidents that only resulted in a loss of funds.
Graph: Retrievable vs. non-retrievable data for events occurring between 2011 and 2023 (Source: CertiK)
We can see a few points:
① Incidents whose data is likely to be retrievable or recoverable increased significantly after 2019. This mirrors the rise in hacking attacks and data leakage incidents across industries during the pandemic.
② The growth in government aid during this period, some of which flowed into the Web 3.0 ecosystem, together with the 2021 bull market, may have given attackers more opportunities to sell ransomware and data.
**Where did the stolen data go?**
Darknet and Telegram
Lost data usually ends up sold or dumped on the dark web (.onion sites) or on the clearnet. If the data is presumed to have economic value (PII and other data usable for fraud), it frequently appears on darknet markets or even in Telegram channels. If the attacker's demands (ransomware) are not met, the data is simply dumped on paste sites or hacker forums.
**Where the data ends up determines the long-term risk it poses to its original owner.**
Compared with data that can only be purchased on the dark web, data dumped on hacker forums for little or no cost poses a higher risk of exposure.
The continued accessibility of such sites also adds to the long-term risk from a victim's data breach. Below, we take a deeper look at the Web 3.0 data sales found in these venues.
Online Forum
Online hacking forums have sprung up over the years. Given the growth in retrievable-data incidents after 2019, only a few forums deserve to be treated as case studies in this context: Raid Forum, Breach Forum, and Dread Forum.
Several breaches used Raid Forum as a preferred venue for dumping and selling breached data. Raid Forum started in 2015 and ran on the clearnet for years. In 2022, however, the Raid Forum domain was seized by US law enforcement in cooperation with Europol.
Image: US and European law enforcement take down notice on Raid Forum website
Founded in 2015, Dread Forum appears to have been active until the end of 2022, although there are numerous indications on social media that it may also be defunct by now. We tried accessing the darknet (.onion) and I2P versions of this forum, but those also seem to be down.
Breach Forum went live immediately after Raid Forum closed.
Breach Forum offered a reasonable home for users "displaced" by the closure of Raid Forum.
It had an interface similar to Raid Forum's, a member reputation scoring system, and high activity, with its user count reaching 60% of Raid Forum's original user base (approximately 550,000 users). Just one year later, in March 2023, the FBI arrested Conor Brian Fitzpatrick, who ran Breach Forum, and after a wave of internal drama about redeploying the site, it collapsed.
Less than a week after Breach Forum collapsed, another replacement appeared, allegedly run by a self-proclaimed former Anonymous hacker named Pirata (@_pirate18). It only had 161 members, so this replacement failed to absorb the old forum's user base.
Many other forums popped up during this hiatus (the last few weeks of March). Some were taken down, as is typical for such forums, so it is reasonable to suspect that the rest might be law enforcement operations in disguise.
Image: List of VX-Underground forums after the Breach forum closed (Source: Twitter)
We can only confirm that some Web 3.0 data exists on one of these forums.
The ARES forum reportedly absorbed some activity from other closed forums, but it is not clear how much. The forum, said to be affiliated with ransomware groups and other malicious actors, also runs a public Telegram channel that advertises the data sales in its locked VIP sales channel. The channel went live on March 6 and has run hundreds of ads (including posts on two databases related to centralized exchanges).
Image: Telegram Centralized Exchange Data channel ad on the ARES Forum (Source: Telegram)
Overall, the hacking and data-dumping forum community currently operates in a rather chaotic way. With no clear replacement for the traditional forums and international law enforcement stepping up its crackdown on these groups, it is almost certain that forums will not be the preferred route for any major data breach (Web 3.0 included) anytime soon.
Dark Web - Data Breaches on .onion Sites
Dark web markets and forums have long been places where people dump or sell stolen data.
These ecosystems have also faced law enforcement crackdowns, although those have focused more on markets that facilitate drug sales. That said, even on lesser-known markets, breached data appears with very high frequency, or is at least being advertised. This stands in stark contrast to the online forums, which also held such data but have been shut down across the board.
Image: Ledger customer data for sale on a darknet market (Source: Digital Thrift Shop)
To recap, 23 of the 74 breaches in our sample involved data that had some chance of being retrieved. Of these 23, we were able to find 10 active data sale ads (43%). These samples are highlighted in green in the chart above:
The increase in paid data sales in this chart indicates several things. First, we have no access to data sources for any of the breaches that occurred after 2021.
Based on the nature of the 2022 targets, it is quite possible that the data appeared on a forum that no longer exists.
This is hard to prove, however, especially since these datasets do not appear on any of the forums that replaced Raid Forum and Breach Forum. Second, these datasets are also notably absent from the darknet markets on which we can see data from 2019 and earlier, probably because the marketplaces from which we obtained those listings are very old and little known. We cannot verify whether the data is actually still available from these vendors, but the advertisements remain visible.
**Are these data breaches a long-term risk?**
Quantifying the long-term risk is hard, but we can at least compare the data-loss risk against the non-data-related incidents in this sample. Note that incidents resulting only in direct financial losses can be classed as lower risk because:
The loss is immediate, and we can measure the impact in terms of lost fiat or Web 3.0 currency.
All data lost in such an incident is replaceable: after a compromise, private keys, passwords, and privileged network access points must be changed to resolve the issue.
Breaches that lose sensitive data, especially customer data, pose a greater long-term risk because:
Much of this data is sold or freely available on the dark web or clearnet, which extends its long-term availability.
Customers' personal data points, i.e. phone numbers, first/surnames, addresses and transactional data, are difficult or impossible to alter. So even if someone changes their personal information as a result of a breach, all the data of other individuals involved in the breach is still at risk.
The impact of such a breach is difficult or impossible to measure. Depending on the lost data, a victim may or may not have been the target of multiple scams.
We found data from a 2014 breach still for sale. This particular data point is further evidence of how hard it is to measure long-term risk. The 2014 hack of the now-defunct crypto exchange BTC-E (seized by US law enforcement in 2017) actually carries a much lower data-loss risk than the others.
To be clear, however, the risk remains that this data could be matched with data from newer breaches, thereby increasing the long-term risk to individuals who participated in Web 3.0 during this period.
Looking at the space as a whole, data lost after 2019 (especially data that remains readily available for sale on darknet markets) most likely poses the highest ongoing long-term risk. From 2022 onwards, those affected almost certainly face a significant risk that their data could be used for fraudulent activity (even if it cannot be physically located). Despite the shutdown of many online forums, we should assume that all lost data, especially with recent data breaches, is likely still available somewhere and can reappear at any time.
Closing thoughts
The reality is that security holes cannot be eliminated entirely. When data is stored and processed by a centralized entity, most users affected by a data breach have limited means of remediation.
We can, however, reduce our exposure by limiting the use of centralized services, including centralized exchanges. Individuals should also enable two-factor authentication wherever possible to help prevent unwanted exchange wallet activity or the use of leaked PII to access or modify account details.
Depending on the nature of the breach, it may even be worth changing some of the information exposed in it, such as email addresses or phone numbers.
And if you intend to operate anonymously in Web 3.0, a data breach poses an additional threat: the disclosure of your identity.
There are other steps people can take to protect their data and investments, such as reducing investment and financial risk by spreading assets across self-custody wallets and hardware wallets.
Of course, data can also be protected by: