Case: Theft - Bitcoin
Brief: A blockchain-related company engaged RP-DS to investigate suspected stolen Bitcoin. The client realised that roughly 2000 Bitcoins had been remitted from its wallet and suspected that the Bitcoins had been stolen.
Procedure: On-site forensic imaging of the laptop was performed and the image was analysed back at the lab. We first examined the computer for any trace of malware that could have compromised it. We then analysed the internet history and found that, on the day of the incident, a clone website had been accessed. The client had googled for the website hosting the wallet, and Google AdWords displayed the clone website "blokchain.info" as the top search result. The client then clicked through to the clone website, which is difficult for a user to distinguish from the genuine site. Based on the internet history, the client then unknowingly logged in to the clone website. Additionally, we found that the client used a weak Windows login password and stored confidential and sensitive data in plain text on the computer, where it could easily be compromised.
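The internet-history review above hinges on spotting a lookalike domain among ordinary browsing records. The following is an added example, not RP-DS's tooling, of how an analyst can automate that step: it reduces each visited URL to its registered domain and flags any domain within a small edit distance of a protected domain (here a constructed list containing only blockchain.info, run over constructed history entries).

```python
from urllib.parse import urlparse

# Domains to protect against lookalikes (constructed list for this example).
PROTECTED_DOMAINS = ["blockchain.info"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(url: str) -> str:
    """Strip scheme, path and subdomains: 'https://www.x.info/a' -> 'x.info'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return the protected domain that `domain` imitates, or None if it is
    genuine or not similar enough to be a typosquat."""
    if domain in protected:
        return None
    for legit in protected:
        if levenshtein(domain, legit) <= max_distance:
            return legit
    return None


def scan_history(entries):
    """entries: iterable of (timestamp, url). Returns (timestamp, url, imitated) hits."""
    hits = []
    for ts, url in entries:
        legit = lookalike_of(registered_domain(url))
        if legit:
            hits.append((ts, url, legit))
    return hits


# Constructed browser-history sample resembling the case; not real evidence.
SAMPLE_HISTORY = [
    ("2016-01-10 09:01", "https://www.google.com/search?q=blockchain+wallet"),
    ("2016-01-10 09:02", "https://blokchain.info/wallet/login"),
    ("2016-01-10 09:10", "https://www.blockchain.info/wallet/"),
]

if __name__ == "__main__":
    for ts, url, legit in scan_history(SAMPLE_HISTORY):
        print(f"{ts}  {url}  imitates {legit}")
```

The threshold of two edits catches single-character typosquats such as the one in this case; very different lookalikes (other TLDs, homoglyphs) need additional checks.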
Outcome: The Bitcoin was stolen through a malicious technique called Clickjacking, which exploited Google's AdWords advertising. Using AdWords, the attackers had their clone website displayed as the top result when users searched for cryptocurrency websites. An article was also published on this attack.
Read it here.