Pony Botnet Virus Steals $220k from 30 Types of Digital Wallets

shutterstock_93428671
24 February 2014

In what is being called one of the most ambitious cyberattacks affecting virtual currency to date, Chicago-based IT security services provider Trustwave has revealed that a crybercrime ring known as Pony botnet is using a Trojan virus to steal from 30 types of digital currency wallets.

Trustwave researchers found that credentials for approximately 700,000 digital wallet, email and desktop accounts have been compromised, and that up to $220,000 had been stolen from 85 digital currency wallets as of the time of writing.

Ziv Mador, director of security research at Trustwave, told CoinDesk that consumer and merchant wallets were both affected, and that bitcoins, litecoins, primecoins and feathercoins had been stolen in the attack.

But, what makes the Pony botnet unique, Mador said, is the breadth of its assault:

“The new thing about this complaint is that it was widely spread. The Pony malware affected hundreds of thousands of machines and scanned for digital wallets from 30 virtual currencies on those computers.”

Trustwave indicates that while the attack has been persisting for months, it stopped suddenly on 24th February. However, in talks with other media outlets, Trustwave suggested it believes the cybercriminal network is still operating.

Initial data

Mador indicates that Trustwave has been following Pony botnet since September 2013. The official company blog post on the findings revealed that virtual currencies weren’t the only digital assets attacked, as 600,000 website login credentials have been stolen by the group to date.

The $220,000 total represents the maximum amount stolen, as once cybercriminals have obtained a user’s wallet.dat file, Trustwave noted that both parties share the file and that the true owner is impossible to reveal.

The total confirmed theft so far includes 335 bitcoins, 280 litecoins, 33 primecoins and 46 feathercoins. Trustwave provides a full list of the affected currencies, as well as charts that detail the coordinated efforts of Pony botnet’s attacks in its blog post.

Screen Shot 2014-02-24 at 5.41.45 PM

Stolen passwords across all affected digital assets – not just digital currency wallets – were most commonly retrieved from consumers in Germany, Poland and Italy, with roughly 50% of stolen passwords originating in these locations.

Protecting your wallet from attacks

Trustwave noted that Pony botnet likely found virtual wallets attractive, given their inherent qualities that provide for irreversible transactions, and the ease with which the currencies can be exchanged for fiat.

Still, relatively simple protections can stop Pony botnet’s virus. Said Mador:

“If they use that option and encrypt their wallets with a strong key, then they should be fine, even if the malware were to infect the digital wallet, the botnet would not be able to generate transactions from that wallet.”

Those who believe their wallet may have been compromised by the attack can use a free tool provided by Trustwave that searches for affected wallets by public keys.

Screen Shot 2014-02-24 at 5.25.30 PMImage credit: Digital crime scene via Shutterstock