Cybercriminals have abused API keys to steal millions in crypto

Sowmiya Mai M S
3 min readMay 26, 2021

As soon as the cryptocurrency market exploded, companies began to offer apps and services to help traders streamline their trading process.

To use these services, a trader grants the third-party program access to their exchange account through API keys. These keys allow the program to act on the trader's behalf, including placing and executing automatic trade orders, without the trader ever logging in to the exchange.

An exchange API key actually consists of two elements: a public identifier, usually just called the API key, and a secret key. The third-party app uses the secret key to sign each request it sends; the signature tells the exchange that the app is authorized to access the trader's account and to perform whatever operations the key's permissions allow.
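As an added illustration (not code from the original post or from any exchange), the following Python reconstructs the signing scheme just described: the client signs the request parameters plus a timestamp with HMAC-SHA256 using the secret key, and the exchange side recomputes the signature in constant time, rejects stale requests, and only then checks the requested endpoint against the permissions granted to that key. The key id, secret, endpoint paths and permission names are made-up values for the example; real exchanges differ in the details.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample key record, as an exchange might store it for a trader's
# API key. The key id and secret are made-up values, not real credentials.
# Note that "withdraw" is not granted: that is the default described above.
KEY_STORE = {
    "api-key-demo-0001": {
        "secret": "demo-secret-not-a-real-key",
        "permissions": {"data", "trade"},
    }
}

# Which permission each endpoint needs (assumed paths, modelled on the
# data / trade / withdraw split the post describes).
ENDPOINT_PERMISSION = {
    "/api/v1/account": "data",
    "/api/v1/order": "trade",
    "/api/v1/withdraw": "withdraw",
}

RECV_WINDOW_MS = 5000  # how old a signed request may be before it is refused


def sign_request(secret, params):
    """Client side: HMAC-SHA256 over the URL-encoded query string."""
    query = urlencode(params)
    return hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()


def build_signed_request(api_key, secret, path, params, now_ms):
    """Attach a timestamp, sign everything, and return the request the app sends."""
    body = dict(params, timestamp=now_ms)
    body["signature"] = sign_request(secret, body)
    return {"path": path, "api_key": api_key, "params": body}


def verify_request(request, now_ms):
    """Exchange side: key lookup, replay window, signature, then permission."""
    record = KEY_STORE.get(request["api_key"])
    if record is None:
        return False, "unknown key"
    params = dict(request["params"])          # copy; keeps parameter order
    signature = params.pop("signature", None)
    if signature is None:
        return False, "missing signature"
    # Freshness first, so a captured request cannot simply be replayed later.
    if abs(now_ms - int(params.get("timestamp", 0))) > RECV_WINDOW_MS:
        return False, "stale timestamp"
    expected = sign_request(record["secret"], params)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    needed = ENDPOINT_PERMISSION.get(request["path"])
    if needed is None or needed not in record["permissions"]:
        return False, "permission '%s' not granted" % needed
    return True, "ok"
```

The order of checks matters: the signature proves possession of the secret, but it is the final permission lookup that decides what a stolen secret is worth, which is why the rest of this post focuses on what an attacker can do with a key that has trade rights but no withdrawal rights.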

Naturally, having your API keys exposed to cybercriminals can have catastrophic consequences. That said, even if someone steals your secret key, they should not be able to simply transfer your cryptocurrency balance to their own wallet, because exchanges disable API withdrawal permission by default.

However, while conducting threat intelligence operations in recent weeks, our researchers found that the number of offers for stolen cryptocurrency exchange API keys was increasing across hacker forums.

How do cybercriminals abuse stolen API keys?

Cryptocurrency exchanges offer three types of API permissions to traders:

  • Data permissions allow the app to read your exchange account data, including open orders, balances, and trade history, without changing anything in your account.
  • Trade permissions allow the app to execute trades and to place and cancel orders on your behalf.
  • Withdrawal permission allows the app to withdraw cryptocurrency from your exchange account and send it elsewhere. With this permission enabled, an app can move your funds to another wallet without your involvement.

For security reasons, exchanges disable withdrawal permission by default. Even so, most of the ads posted on cybercriminal forums claim that the sellers were able to withdraw up to 80% of a victim's cryptocurrency balance, which they then split with the person supplying the stolen API keys.

That would suggest the criminal service providers behind these ads need stolen API keys with withdrawal permission enabled. Yet even after conducting a series of tests, we could not find a single stolen API key for sale with withdrawal rights enabled.

Were criminals able to withdraw funds without withdrawal rights?

Unfortunately, threat actors do not need to withdraw funds directly in order to steal them. With trade permission alone they can trade on the victim's behalf, and so they simply trade the balance away through outrageously unprofitable trades against bots that they themselves have set up.
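To make the mechanism concrete, here is an added toy simulation in Python (not code from the original post, and a simplified reconstruction rather than any exchange's real matching engine). A single XYZ/USDT market is modelled with integer balances; the victim's stolen key carries data and trade permissions but not withdrawal, exactly as the default leaves it, while the attacker's own account uses a key that does have withdrawal rights. The attacker's bot parks a sell wall far above the asset's fair value, then uses the stolen key to market-buy into that wall with the victim's whole USDT balance. Every permission check passes, and the USDT ends up in an account the attacker can withdraw from. The asset name, prices and balances are constructed for the example; the generic "trade against your own bot" pattern is the one the post describes, not a model of the specific sell-wall or price-boosting variants.

```python
from dataclasses import dataclass

# Constructed reference prices in USDT, used only to value the victim's holdings.
FAIR_PRICE = {"USDT": 1, "XYZ": 1}


@dataclass
class Account:
    balances: dict       # asset -> integer units
    permissions: set     # scopes granted to the API key acting for this account


@dataclass
class Ask:
    owner: str
    price: int           # USDT per XYZ
    qty: int             # XYZ still resting on the book


class ToyExchange:
    """Minimal single-pair (XYZ/USDT) exchange with API-key permission checks."""

    def __init__(self):
        self.accounts = {}
        self.asks = []   # resting sell orders, kept sorted by price

    def _require(self, owner, scope):
        if scope not in self.accounts[owner].permissions:
            raise PermissionError("%s: key lacks '%s' permission" % (owner, scope))

    def limit_sell(self, owner, price, qty):
        self._require(owner, "trade")
        acct = self.accounts[owner]
        if acct.balances.get("XYZ", 0) < qty:
            raise ValueError("insufficient XYZ")
        acct.balances["XYZ"] -= qty          # escrow the base asset on the book
        self.asks.append(Ask(owner, price, qty))
        self.asks.sort(key=lambda a: a.price)

    def market_buy(self, owner, usdt_budget):
        """Spend up to usdt_budget sweeping asks from the cheapest upward."""
        self._require(owner, "trade")
        buyer = self.accounts[owner]
        spend = min(usdt_budget, buyer.balances.get("USDT", 0))
        filled = 0
        for ask in list(self.asks):
            qty = min(ask.qty, spend // ask.price)
            if qty == 0:
                break
            cost = qty * ask.price
            buyer.balances["USDT"] -= cost
            buyer.balances["XYZ"] = buyer.balances.get("XYZ", 0) + qty
            self.accounts[ask.owner].balances["USDT"] += cost
            ask.qty -= qty
            spend -= cost
            filled += qty
            if ask.qty == 0:
                self.asks.remove(ask)
        return filled

    def withdraw(self, owner, asset, amount):
        self._require(owner, "withdraw")
        acct = self.accounts[owner]
        if acct.balances.get(asset, 0) < amount:
            raise ValueError("insufficient balance")
        acct.balances[asset] -= amount
        return amount


def portfolio_value(acct):
    return sum(FAIR_PRICE[asset] * qty for asset, qty in acct.balances.items())


def run_sell_wall_drain():
    ex = ToyExchange()
    # Victim's stolen key: data + trade only; withdrawal disabled, the default.
    ex.accounts["victim"] = Account({"USDT": 10_000}, {"data", "trade"})
    # Attacker's own account, whose key legitimately has withdrawal rights.
    ex.accounts["attacker"] = Account({"XYZ": 2_000, "USDT": 0}, {"data", "trade", "withdraw"})

    before = portfolio_value(ex.accounts["victim"])
    ex.limit_sell("attacker", price=5, qty=2_000)     # wall at 5x fair value
    ex.market_buy("victim", usdt_budget=10_000)        # stolen key buys into it
    cashed_out = ex.withdraw("attacker", "USDT", 10_000)
    after = portfolio_value(ex.accounts["victim"])
    try:
        ex.withdraw("victim", "XYZ", 1)                # scope check still holds
        victim_withdraw_blocked = False
    except PermissionError:
        victim_withdraw_blocked = True
    return {
        "victim_loss_pct": round(100 * (before - after) / before),
        "attacker_cashed_out": cashed_out,
        "victim_withdraw_blocked": victim_withdraw_blocked,
    }
```

Running `run_sell_wall_drain()` shows the victim losing 80% of their portfolio value while the withdrawal check on the stolen key never fails once: the loss is booked as a trade, not a withdrawal, which is why disabling withdrawal permission alone does not protect a key that can trade.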

In our investigation of how cybercriminals abuse stolen exchange API keys, we found that threat actors primarily use two methods to steal funds from traders: 'sell wall' buyouts and price boosting.
