Australia’s prosperity has made it a prime target for cybercrime. According to the Australian Cyber Security Centre’s (ACSC) latest Annual Cyber Threat report, one report of cybercrime is filed every 7 minutes in Australia. Targets span Australia’s largest corporations, small-medium businesses and ordinary individuals. Australia’s Minister of Home Affairs and Cyber Security Clare O’Neil has warned that Australia faces “a scale and intensity in the threat landscape that far outstrips the recent cases we have seen,” while Australian Signals Directorate (ASD) Assistant Director-General Rita Erfurt has described cybercrime in Australia as “prolific, overt and constantly evolving.”
With bad actors using increasingly sophisticated techniques to perpetrate cybercrimes, the nexus between cyber and crypto crime has grown stronger. The same qualities that make digital assets a force for good - decentralized, permissionless, cross border value transfer at the speed of the internet - also make them attractive to illicit actors who seek to move funds across the globe at unprecedented speed and scale.
On the occasion of Australia’s Cyber Security Awareness Month, we take a look at some of the crypto-related cybercrime that has hit Australia in the past year, as well as efforts to disrupt these illicit acts.
Triple strikes in ransomware
Ransomware has been singled out by the ACSC as the “most destructive cybercrime.” This perhaps reflects a trend of “big game hunting” in ransomware, where attackers identify large, high value entities to maximize potential gains.
In the past year, three major Australian corporations have been hacked:
- Optus, September 2022: One of Australia’s largest telcos was hacked to the tune of ~11m customer records, including extensive personal information such as names, identity numbers, contact details and addresses. The hacker released 10,000 records on an online forum, before abandoning the attack for fear of “too many eyes.”
- Medibank, October 2022: The health insurer saw ~9.7m past and present customer records, including health claims data, compromised. Hackers released customer data in three sets of files - “good list” and “naughty list,” and later, “abortions,” onto the dark web.
- Latitude Financial, March 2023: The financial services giant saw ~14m customer records compromised, again including sensitive personal information.
A ransom demand was attached to all three cases, which the firms opted not to pay, consistent with Australian government advice. Consistent with the Financial Action Task Force’s finding that “payments and subsequent laundering of ransomware proceeds are almost exclusively conducted through virtual assets,” we saw a crypto nexus in these ransom demands. The Optus hacker demanded their AUD1.5m (USD1m) ransom in cryptocurrency, while the Medibank hack has been linked to Russia-based cyber criminals, possibly including ransomware syndicate REvil, or its offshoot. These syndicates have a demonstrated history of moving their illicit proceeds on the blockchain. TRM Labs’ analysis has found that ransomware is by far the largest driver of crypto extortion, and ransomware syndicates, like other illicit actors, favor the use of privacy-enhancing mechanisms such as mixers to obfuscate their trail of funds.
Hitting hard at hackers
The Australian Federal Police (AFP) has launched Operation Pallidus to nab the criminals behind the attacks, as well as Operation Guardian to monitor and disrupt any attempts to leak and/or profit from the stolen data. Both operations involve cross-border cooperation with international law enforcement partners. The AFP emphasized the “significant powers within its remit” to address such attacks, a “chilling reminder to hackers, and those who will attempt to piggyback off those criminals, that the AFP will relentlessly pursue them.” A Sydney man was arrested and charged for attempting to blackmail Optus customers, after text messages relating to his scam were uncovered by Operation Guardian.
Matt (Billy) Humphries, TRM’s APAC Director of Law Enforcement Relations and former AFP digital forensics specialist, notes that the success of these types of operations relies heavily not only on meaningful international or cross-border collaboration to coordinate intelligence sharing, but also on the innovative collection of complex technical and non-technical intelligence which informs critical discussions. “During my time in law enforcement, I have seen that criminals are always leveraging new or cutting-edge technologies to facilitate criminal activity and importantly to avoid detection by police,” says Mr Humphries. “Use of cryptocurrencies to move and launder their ill-gotten gains is one example. Law enforcement needs to work together, and ensure they have the right tools to take down even the most sophisticated cybercriminals.”
Aside from financially-motivated attacks, state actors also pose a significant cyber threat to Australia. The ACSC report writes that Australia has been a “target of persistent cyber espionage by a wide range of state actors due to its regional and global interests, international partnerships and participation in multilateral forums.” Of these, Minister O’Neil noted that the “apex predators” are advanced persistent threats (APTs), well-resourced and sophisticated cyber attacks that perpetrate prolonged network or system intrusions.
One example of state-backed APTs is North Korea’s Lazarus Group, which has perpetrated some of the most prolific cryptocurrency hacks globally, including a USD41m theft from Australian-founded crypto betting platform Stake.com. TRM Labs analysis has found that Lazarus hackers often use sophisticated techniques such as token swaps, cross-chain movements, and cryptocurrency mixers to obfuscate their on-chain asset movements.
“State-backed actors are often the most sophisticated cybercriminals, because they have access to substantial resources and advanced technical capabilities. They can carry out complex cyberattacks and espionage activities that have a substantial economic impact. They can disrupt businesses, steal valuable intellectual property, and undermine trust in digital systems, which can harm economic interests. For these reasons, law enforcement agencies closely monitor and respond to state-sanctioned cyber threats,” explains Mr Humphries. “Addressing state-sponsored cyber threats requires a multifaceted approach that combines technically sophisticated law enforcement activities and cybersecurity measures. It is not just about catching criminals, but developing cybersecurity policies and strategies to mitigate the risks associated with these actors.”
Cyber-enabled crimes and online scams
Aside from high-profile corporate hacks and state-sponsored attacks, Australians have also been frequently targeted by online scams. The ACSC’s report notes that the most frequently reported cybercrimes are cyber-enabled crimes such as online fraud, online shopping and online banking-related crimes, which made up 54% of total reports. The modus operandi in such schemes includes impersonating legitimate businesses to phish personal information and/or trick victims into making payments.
Data from the Australian Competition & Consumer Commission’s (ACCC) latest scam activity report aligns with this finding: 34% of reported scams start with an online contact method such as email, social media or other internet platforms. Phishing was the most reported scam, with over 74,000 reports made and losses totalling AUD24.6m (USD15.6m).
While scams are not a crypto-specific problem, their integration with cryptocurrency has grown in tandem with technological advancements. ACCC data indicates that the use of cryptocurrency as a scam payment method is on the rise: 3,910 people reported losses paid through cryptocurrencies in 2022, and such individuals were more likely to have been contacted via social media or mobile apps.
With scammers and cybercriminals turning to crypto, Australian law enforcement has also doubled down on crypto-related capabilities, with the Australian Federal Police establishing a dedicated cryptocurrency unit in September 2022. Since then, there has been a growing realization that “cryptocurrency movements leave a trail,” and one “only need[s] to find the tools to follow the money.”
Jonno Newman, Global Investigator at TRM and former head of the South Australian Police’s Cybercrime Training and Prevention section, points out: “The unique transparency of the blockchain enables investigators to follow the flow of funds in a more open and timely manner than traditional financial investigations. TRM’s Forensics tool builds on this characteristic, allowing investigators to keep pace with the increasing complexity of laundering, such as cross-chain swaps, and identifying unplotted connections.”
In the fast-evolving and distributed world of crypto, information sharing and industry collaboration are also critical. Recognizing the need, TRM came together with 10 other leading Web3 organizations to found Chainabuse, the first global, free fraud and scam reporting platform for crypto. On Chainabuse, anyone can report a scam, or check if a wallet address or URL is associated with one. Victims can also choose to report scams and fraud directly to law enforcement and opt in for free personalized support on their case. Since its launch in May 2022, Chainabuse has received close to 500,000 reports.
Prevention is better than cure
But an ounce of prevention is worth a pound of cure. There is much that ordinary Australians, as well as Australian businesses, can do to gird themselves against cybercrime.
“Education is key,” says Mr Newman. “The best way to protect yourself from cybercrime is to understand how you might be targeted. For example, phishing scammers often target their victims by creating email addresses that are similar to legitimate businesses, or using technology to ‘spoof’ the caller ID on text messages, to make them appear as if they are coming from a legitimate source. They design messages to rush their victims by making them think that something bad has happened, and they have limited time to act. For example: ‘We have identified fraudulent activities on your account, verify your details below within 24 hours, or your account will be terminated.’”
It is always wise to independently verify such messages, advises Mr Newman, for example by contacting the business via their official website. “Scammers and other cybercriminals are constantly finding new ways to trick their victims, and it is important that we stay vigilant. Everyone must play a part in the fight against cybercrime.”
For more information on crypto-related scams and how to stay safe online, visit Chainabuse’s safety center.