ESET and Dutch police expose Ebury botnet’s cryptocurrency theft operations

Dutch cybersecurity specialists have linked a major cryptocurrency theft to the infamous Ebury botnet, responsible for compromising over 400,000 servers over a 15-year period.

According to a report from Slovakian cybersecurity firm ESET, the incident was initially uncovered during a 2021 investigation by the Dutch National High Tech Crime Unit (NHTCU). During this investigation, operatives found the Ebury botnet on a server linked to crypto theft.

After this revelation, the Dutch crime unit collaborated with ESET, led by researcher  Marc-Etienne Léveillé, who had been studying Ebury for over a decade.

Ebury operators allegedly used a sophisticated attack dubbed adversary-in-the-middle (AitM) to steal the crypto funds. The attack transpires with the botnet intercepting network traffic and capturing login credentials and session information.

“Cryptocurrency theft was not something that we’d ever seen them do before,” Léveillé noted.

The botnet redirects this traffic to servers controlled by the cybercriminals, allowing them to access and steal cryptocurrency from the wallets of the victims. In its report, ESET revealed that over 100,000 remained infected as of 2023.

Ebury specifically targets Bitcoin and Ethereum nodes, making off with wallets and other valuable credentials. The botnet would steal the funds once the unsuspecting victims entered their credentials on the infected server.

Further, once a victim’s system was compromised, Ebury would exfiltrate credentials and use them to infiltrate related systems. The report identified a wide array of victims ranging from universities, enterprises, internet service providers, and cryptocurrency traders.

The attackers also employ stolen identities to rent servers and deploy their attacks. As such, it is very difficult for law enforcement agencies to track down the identities of those behind this cybercrime racket.

“They’re really good at blurring the attribution,” Léveillé added.

One Ebury operator, Maxim Senakh, was arrested at the Finland-Russia border in 2015 and was extradited to the United States. The U.S. Department of Justice charged Senakh with computer fraud, to which he pleaded guilty in 2017. He was sentenced to four years behind bars.

While the masterminds behind Ebury remain at large, the NHTCU has revealed that several leads are being pursued.

Crypto thefts have become increasingly complicated over the years. Earlier this month, North Korean hackers employed a new malware variant dubbed “Durian” to targeted attacks on at least two cryptocurrency firms.

Prior to that, a January report from cybersecurity firm Kaspersky revealed that a malware was targetting cryptocurrency wallets on MacOS.