Best Infosec-Related Long Reads for the Week, 10/21/23

Garantex’s clientele has grown during the war to include regular Russians and local businesses looking for a fast and cheap method to move large sums of rubles out of and into the country. Although sanctions primarily ban people and firms with U.S. connections from dealing with blacklisted entities, Treasury has also said non-U.S. persons face risk too if they circumvent the sanctions on Russia or provide support to already-sanctioned actors.

For a single transaction, Garantex tells clients it accepts up to 100 million rubles in cash at its Moscow office, or around $1 million at current exchange rates. Ruble transactions of this size often cause concern at international banks, leading to account freezes and demands for customers to provide more information. Garantex customers could make multiple transactions without raising red flags.

Since Russia invaded Ukraine in February 2022, at least $7 billion has flowed through Garantex, according to Coinpaprika, which says it obtained the figures directly from Garantex’s platform. 

Another crypto research firm, which tracked flows through Garantex on the blockchain, said the total sum could be multiples of this, estimating as much as $30 billion.

Williams' alleged connection to physical violence was part of a much broader, and bloody, trend in Comm [a broader criminal community of which ACG was a part]. Not content with thefts in the digital world, hackers in groups like ACG violently robbed, attacked, and kidnapped one another for money. Someone tied a victim up and threatened to inject him with heroin unless he handed over his Bitcoin. Another man laid face down in a ditch, his head in a black hood, after being fleeced. “I promise you I do not have money,” another man in just his underwear whimpered as blood gushed from his head. “On my little brother’s soul that’s all I have,” he added. The attackers had a hammer and wore high-viz vests; in some cases, thieves have posed as police officers to gain entry to a target’s house. In another instance, a young man screamed in pain as someone cut off his ear.

Up until this point, SIM swappers typically performed heists against ordinary people who held a lot of cryptocurrency, like individual investors. But as Comm members got more and more rich, they flaunted their own new found wealth on Telegram and Discord. As well as videos of their international trips to nightclubs, members posted a constant stream of screenshots showing their current balance in Bitcoin and other cryptocurrency. To them, flexing the cash was just as an important part as actually owning it. It meant you had “made it” in Comm.

But the SIM swappers’ blatant displays showed others they were rolling in cash. SIM swappers themselves became the targets, and started using physical violence to rob one another. 

A service economy emerged of people who were willing to perform these attacks for a fee or a cut of the takings. On Telegram, one group offered brickings, robberies, and kidnappings for a few hundred to thousands of dollars. Name the state, and they would see if they had people there. When the heists were digital-only, Searchers found juicy targets by rummaging through emails before bringing in a Holder to take over their phone number. Searchers now hunted for victims and then provided their details to new roles in these organizations: the Bricker. The Fighter. The Gunman.

Over the years, the value of the bitcoin stolen by the Silk Road hacker had soared to more than $3 billion, according to court documents. Investigators could track the location of the currency on the blockchain, which is a public ledger of all transactions. But they couldn’t see the identity of the new owner of the funds. So they watched and waited for years as the hacker transferred funds from account to account, peeled some away, and pushed some of it through crypto “mixers” designed to obscure the source of the money.

Finally, Chainalysis, a blockchain analytics company that was tracing the digital wallets containing the stolen Silk Road assets, saw the hacker made a tiny mistake. He transferred around $800 worth to a crypto exchange that followed established banking rules, including so-called know your customer processes, requiring real names and addresses of account holders.

The account was registered in Zhong’s name. The transaction took place in September 2019, six months after Zhong’s 911 call to the local police.

That alone wasn’t enough to prove Zhong was the hacker. They had to be sure.

So the IRS called the Athens-Clarke County Police Department and asked for some help, according to sources at both agencies. At the time, the police investigation into Zhong’s own crime report had been languishing.

Haaretz has learned that a long list of firms have been enlisted to help Israel since last Saturday, focusing mainly on search and rescue operations, but not only. Among them are offensive cyber firms like NSO, Rayzone, Paragon and Candiru; different digital intelligence firms like Cobwebs, AnyVision and Intelos; as well as dozens of defensive firms, including Cato Networks, Palo Alto, Persist, and even ActiveFence, which provides anti-disinformation services.

Normally, there are no ties between these firms – many work in different fields, while others are competitors, or, in some cases, bitter rivals on different sides of the cyber world.

However, according to a number of sources with knowledge of the matter, over the past twelve days, they are all collaborating as part of what was described as an unprecedented joint effort to help on the digital intelligence front. All the firms mentioned as well as dozens more have refused to comment on this report for fear it would harm their efforts.

Haaretz has also learned that over 100 hackers and senior researchers from the world of offensive and defense cyber, and others with background in Israeli intelligence or even the police’s intel units, have also volunteered and helped set up a so-called cyber war room.

We don’t have a policy team. We’re about 45 people now. I’ve done [policy] work, but I don’t have time to read a 200-page bill every three hours when another one in another country is published. So we’re lucky to have an informal but very good network of folks around the world.

I joined in September of last year. One of the first things I did was convene a meeting in Berlin of a bunch of the old heads of the digital rights and policy space to be like, let’s map what’s happening. What’s the fight like? Who are our allies, what are the pretexts they’re using? So we work with InternetLab in Brazil. We work with Internet Freedom Foundation in India.

We have a geopolitical position that is similar to Meta and others in terms of the global importance of Signal. What we don’t have is armies of policy folks in offices in every capital city, or the ability to just pay lobbyists or external law firms. We don’t have any of those resources. So we have to be smart and we basically have to organize with people who are doing this work — to be [well] networked.

It is unacceptable in a democratic society to make digital intermediaries monitor everyone’s communications without any suspicion of wrongdoing. Child sex crimes are abhorrent, but that doesn’t justify discarding the fundamental rights of half a billion people (and everyone they talk to). Suspicionless mass surveillance is a wildly disproportionate invasion of individual privacy. And when democracies do it, they give repressive regimes an excuse to do the same – and for “crimes” far afield from child sex abuse. Europe should not set a precedent in this regard. (Especially since it’s debatable which of those two columns, democratic or repressive, certain EU members and aspirants – Hungary, Poland, and Turkey – belong in.)

Plus, the proposal’s deleterious effects on cybersecurity should be completely unacceptable to a Council that’s had front-row seats to a land war in Europe for over a year now. Ukraine was invaded without provocation by an aggressor that has some of the best hacking capabilities of any country in the world and isn’t afraid to use them. European nations – their governments, their businesses, their people – need all the digital security they can get, not a new law that undermines their ability to protect themselves.

The Council should go back to the drawing board on the CSA Regulation. The stakes are too high to get this wrong.