Crypto Mixer Co-founder Sentenced to 5 Years

May 16 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got more hacks than a Comedy Central Roast 🙃

Today’s hottest cybersecurity news stories:

  • 🌪️ Tornado Cash co-founder sentenced to 5 years 👨‍⚖️

  • 🖥️ 400k Linux servers compromised by Ebury botnet 🤖

  • 🐻 Russia-linked Turla deploys LunarWeb, LunarMail 👨‍💻

He’s in the eye of the storm now 😏

🚨 Crypto Mixer Co-founder Sentenced to 5 Years: Dutch Court Ruling 🌪️

A Dutch court has delivered a verdict in the case of Alexey Pertsev, co-founder of the infamous Tornado Cash crypto mixer service. Pertsev has been sentenced to 5 years and 4 months in prison for his involvement in money laundering activities.

📜 Background

The 31-year-old Russian national, Pertsev, was apprehended in Amsterdam back in 2022, shortly after the U.S. Treasury Department had sanctioned Tornado Cash. This move came as a response to the service's facilitation of criminal activities, including aiding groups like the Lazarus Group in laundering illicit proceeds.

βš–οΈ Court's Ruling

The court's ruling emphasised Tornado Cash's failure to implement adequate measures to prevent its misuse for illegal activities. Despite Pertsev's claim that the service aimed to offer privacy solutions for the crypto community, the court held him accountable for enabling criminal endeavours.

💼 Consequences

Alongside the prison sentence, Pertsev has been ordered to forfeit cryptocurrency assets worth a staggering €1.9 million (~$2.05 million) and a Porsche that was previously seized by authorities.

πŸ—£οΈ Debate Ignited

The case has ignited a fierce debate between privacy advocates and regulatory bodies. While some argue for the necessity of anonymity tools like Tornado Cash, others stress the importance of regulating such platforms to prevent exploitation by malicious actors.

🔚 Final Thoughts

The court's decision underscores the pressing need for accountability within the cryptocurrency space. It highlights the delicate balance between safeguarding user privacy and ensuring compliance with anti-money laundering regulations. 📉💼

Keep up with AI

How do you keep up with the insane pace of AI? Join The Rundown, the world’s largest AI newsletter that keeps you up-to-date with everything happening in AI with just a 5-minute read per day.

Sign up with one click.

It leaves them dead and Eburied 😬

🚨 Ebury Botnet: Cyber Threat Alert! 🛡️

A malicious botnet named Ebury has wreaked havoc, compromising a staggering 400,000 Linux servers since 2009. Shockingly, over 100,000 servers remained under its control as of late 2023.

🌐 Cybersecurity Firm's Report

The findings stem from a report by Slovak cybersecurity firm ESET, which labelled Ebury as one of the most sophisticated server-side malware campaigns primarily focused on financial gains.

🔒 Intricate Operations

Security researcher Marc-Etienne M.Léveillé delved deep into the analysis, revealing that Ebury's operators engaged in various monetization activities, including spam dissemination, web traffic redirections, and credential theft.

🔨 Development and Prosecution

Ebury's history dates back over a decade, documented as part of Operation Windigo. In 2017, Russian national Maxim Senakh was sentenced to nearly four years in a U.S. prison for his involvement in the botnet's development and management.

💻 Ebury's Arsenal

The malware employs diverse methods for infiltration, ranging from SSH credential theft to exploiting vulnerabilities like CVE-2021-45467 in Control Web Panel.

πŸ•΅οΈβ€β™‚οΈ Stealth Tactics

Ebury's operators employ sophisticated techniques to evade detection, including using fake identities and compromising other perpetrators' infrastructure.

βš™οΈ Advanced Features

Ebury acts as both a backdoor and a credential stealer, facilitating the deployment of additional payloads like HelimodSteal and HelimodRedirect, among others.

🔒 Enhanced Concealment

Recent versions of Ebury introduce new obfuscation techniques and userland rootkit functionality to better conceal its presence.

💳 Monetization Methods

The compromised servers serve as a hub for various illicit activities, from credit card data theft to cryptocurrency hijacking and spamming.

🌐 Global Impact

Ebury's reach extends across 34 countries, targeting over 200 servers and more than 75 networks between February 2022 and May 2023.

πŸ›‘οΈ Countermeasures

Combatting Ebury requires a multi-pronged approach, including regular security updates, robust authentication measures, and vigilant monitoring for suspicious activities.

Bloody Lunatics πŸ’€ Don’t Turla blind eye 😬

🚨 LunarWeb and LunarMail Strike European Diplomatic Missions 🌌

An unnamed European Ministry of Foreign Affairs and its three diplomatic outposts in the Middle East fell victim to a sophisticated cyberattack carried out with previously undocumented backdoors known as LunarWeb and LunarMail.

πŸ›‘οΈ Turla Strikes Again

ESET, a cybersecurity firm, linked this activity with medium confidence to Turla, a Russia-aligned cyberespionage group notorious for its advanced tactics and strategic overlaps with past campaigns.

🖥️ LunarWeb: Silent Saboteur

LunarWeb lurks on servers, camouflaging its command-and-control communications within HTTP(S) traffic. Its modus operandi involves mimicking legitimate requests, rendering detection a formidable challenge.

πŸ“§ LunarMail: Stealthy Infiltrator

On the workstation front, LunarMail manifests as an Outlook add-in, utilising email channels for its command-and-control communications. Its clandestine nature facilitates prolonged stealth operations.

🌐 Long-standing Threat Actor

Turla, affiliated with Russia's Federal Security Service (FSB), has been a persistent menace since at least 1996, targeting diverse sectors such as government, military, and research.

🔓 Intrusion Vectors

While the exact entry point remains elusive, suspicions point towards spear-phishing and potential exploitation of misconfigured Zabbix software, indicative of Turla's multifaceted approach to infiltration.

βš™οΈ Intricate Attack Chain

ESET's analysis unravelled a complex attack chain, unveiling LunarLoader and LunarWeb's deployment through ASP.NET web pages and malicious Word documents, respectively.

πŸ” Operational Insights

LunarWeb conducts reconnaissance and executes commands cleverly embedded within image files, while LunarMail leverages Outlook to maintain stealth and execute malicious actions.
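Because LunarWeb hides its commands inside image files, one defensive check is whether a downloaded image actually ends where its format says it should. The Python below is an added example, not code from ESET's report or from the malware: it walks the JPEG marker structure and the PNG chunk structure and reports how many bytes trail the end-of-image marker. It only covers the simplest hiding method (data appended after the image), and the sample images are constructed inline, not real captures.

```python
import struct
import zlib

def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker of a JPEG, or -1 if the marker structure is malformed."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte ahead of a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image proper ends here
            return pos + 2
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip this segment (length counts itself)
        if marker == 0xDA:                      # SOS: scan entropy-coded data until a real marker appears
            while pos + 1 < len(data):          # FF00 is byte stuffing, FFD0..FFD7 are restart markers
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    return -1

def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk of a PNG, or -1 if malformed (chunk CRCs are not verified)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        return -1
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return -1

def trailing_bytes(data: bytes) -> int:         # bytes after the image proper; -1 if not a parseable JPEG/PNG
    end = jpeg_end_offset(data) if data[:2] == b"\xff\xd8" else png_end_offset(data)
    return -1 if end < 0 else len(data) - end

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples (not real captures): a 1x1 PNG, a minimal JPEG, and that JPEG with a blob appended.
CLEAN_PNG = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
SUSPECT_JPEG = CLEAN_JPEG + b"<constructed-appended-command-blob>"
```

A non-zero result is only a lead: legitimate tools occasionally append metadata too, so treat the trailing bytes as something to inspect rather than as proof of compromise.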

The discovery of LunarWeb and LunarMail underscores the persistent threat posed by Turla, emphasising the critical need for heightened cybersecurity vigilance and robust defence measures.

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
