Unknown Ripple Exchange Phishing Scam: Difference between revisions
References
[1] Ledger User Allegedly Loses $16,000 to Malicious Browser Extension | Cryptoglobe (Mar 19, 2022) https://www.cryptoglobe.com/latest/2020/01/ledger-user-allegedly-loses-16000-to-malicious-browser-extension/
[2] $800,000: XRP Phishing Scam Uncovered By South Korean Authorities, FBI | Cryptoglobe (Mar 25, 2022) https://www.cryptoglobe.com/latest/2018/09/800000-ripple-xrp-phishing-scam-uncovered-by-south-korean-authorities-fbi/
[3] “해킹당했던 것처럼”…암호화폐 '리플'거래소 설립자의 몰락 | 중앙일보 [“As if it had been hacked”: the downfall of the founder of a cryptocurrency 'Ripple' exchange | JoongAng Ilbo] (Mar 26, 2022) https://www.joongang.co.kr/article/22970337
Revision as of 11:24, 16 February 2023
An unnamed individual who apparently lost $80m in an unknown event in 2014 was later involved in phishing users of an unnamed exchange. The victims were a mix of 24 South Koreans and 37 Japanese, selected specifically because they did not have two-factor authentication enabled on their accounts. Their private information was provided by an insider of the exchange, and they were sent emails warning that their funds had been frozen. Once the victims entered their credentials, those credentials were used to empty their accounts.
This is a global/international case not involving a specific country. [1][2][3]
About Unknown
"Blogger A (33) caught the attention of the industry at a glance when he first created the cryptocurrency 'Ripple' exchange in 2014. Mr. A, who had been having fun with the exchange for a while, was hacked a year after opening the exchange. Although it was reported to the investigative agency, it was impossible to track the hacker, and the exchange was closed with a loss of about 80 million." As a "victim of [that] phishing scam [he] lost a large investment. When investigators failed to recover his stolen funds, he became “inspired” to orchestrate phishing scams himself."
"Although it was reported to the investigative agency, it was impossible to track the hacker, and the exchange was closed with a loss of about 80 million. Mr. A, who lost a lot of money thought, 'Then if I cheat in the same way using cryptocurrency, I won't be caught'."
"Person A started conspiring to commit a crime in earnest with [person] B, a Japanese cryptocurrency exchange operator he met while working as a Japanese interpreter in the past. Person A collected the information of the members of the exchange that was closed and the information of the members of the Japan Exchange received through Mr. B. [O]nly users who can transfer cryptocurrency using [user] ID and password without additional authentication procedures such as mobile phone authentication were selected." "[The] Japanese cryptocurrency exchange operator who provided him with the user data (email accounts, affiliated exchanges, and 2FA status) needed to amass a list of potential targets."
"In July 2017, he created a 'phishing site' that was planned through programmer C (42). In order to avoid being pursued by investigative agencies, it was also shown that they were meticulous in using overseas hosting companies." "Prosecutors said the man hired a 42-year-old programmer to create a fake Ripple exchange website. The mastermind then sent emails to Ripple users in South Korea and Japan, claiming their funds had been frozen. The email redirected Ripple users to the fraudulent site, where he was able to convince them to enter their IDs and passwords, which he then used to access their accounts. It is thought that the FBI became involved because the phishing site targeted users of Ripple, an American cryptocurrency."
"The mastermind then spoofed or impersonated the real exchange’s email account and contacted users saying their funds had been frozen." "They sent an e-mail to the selected members stating, 'If you do not transfer your cryptocurrency to a specific site, you will not be able to use the cryptocurrency in the future' to induce them to access the phishing site they created. After that, they made the site use members' IDs and passwords to steal account information."
"The email contained a link to the fake website, where 24 Korean investors and 37 Japanese investors were convinced to enter their login details which were then recorded by the scammer and used to gain access to user funds on the real exchange site. While the scam exclusively targeted Korean and Japanese citizens, the FBI may have gotten involved last December due to the fact that Ripple is an American company."
"In this way, Mr. A and others transferred about 2 million ripples (unit XRP) from 47 victims (17 Koreans and 30 Japanese) to their accounts without permission, and then withdrew about 400 million won in cash. Concerned that a large amount of cryptocurrencies would be transferred at once, fearing that they would be suspicious, so-called 'mixing' work was also carried out by washing and withdrawing with other currencies such as Bitcoin."
"South Korean Authorities and the U.S. Federal Bureau of Investigation (FBI) uncovered a [total of] $800,000 [collected from the] phishing scam targeting XRP investors." "The man allegedly mastermind[ed] an email-powered sting that drew in 24 South Koreans and 37 Japanese investors."
"As detailed by local sources, 37 Japanese, and 24 South Korean traders fell for the scam as they proceeded to enter their login details on the fake website. Users’ login information was then used to access and steal funds from their crypto accounts on the real digital currency trading website."
"According to Korean news outlet JoonAng Ilbo, authorities were able to track down the scammer as he quickly converted the stolen XRP to South Korean won (KRW)." "Per TV news station MBC, at least one of the two men arrested is described as an office worker." "[T]he suspect claims that he has spent all of the money and cryptocurrency holdings, and has nothing left over." "He reportedly used the money to book a room at a five-star apartment building and buy various luxury items." "Mr. A stated that he spent most of the 700 million won in crime proceeds out of 900 million won for the use of luxury officetels, entertainment and living expenses. He claims that there is currently no remaining cryptocurrency or cash balance."
"[T]he Korean police cannot legally freeze or confiscate his other assets due to the nature of the crime – cryptocurrencies are not deemed legal tender under South Korean law." "The prosecution service said it would be hard for the victims to receive any compensation for their losses – largely because cryptocurrencies are not deemed to have any monetary value under South Korean law." "[P]rosecutors [stated] that it is very unlikely that the victims of the scam will be compensated."
"The Japanese accomplice is still at large and believed to be in Japan at this time – Seoul’s cybercrime division say they are reaching out to Japanese authorities for collaboration."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| July 14th, 2017 9:00:00 PM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $800,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
From the standpoint of individuals, this can be prevented by enabling two-factor authentication and never responding to phishing emails or unsolicited contact. If you receive a message you did not request, always navigate directly to the official website and confirm with the official points of contact there.
From the standpoint of platforms, this can be prevented by placing a delay on withdrawals to new addresses by default, especially when the withdrawal is initiated from an IP address not previously seen on the account and the user's IP address is not normally dynamic. Most successful attacks target less experienced users, who leave settings at their defaults; they would therefore remain protected even if the platform let sophisticated users disable these protections at their own risk.
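As an added example (not from the original page or any exchange's own code), the platform-side policy above expressed as a withdrawal-gating function: a first withdrawal to a new address is held by default, the hold is longer when the request comes from a previously unseen IP on an account whose login history is not normally dynamic, and accounts without two-factor authentication (the profile this scam selected for) get an extra hold. The hold lengths, the dynamic-IP heuristic and the rule that the opt-out is honoured only when 2FA is enabled are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass
class Account:
    two_factor_enabled: bool
    known_addresses: set      # destinations the user has withdrawn to before
    recent_ips: list          # source IPs of recent logins
    delay_opt_out: bool = False  # user chose to disable the hold at own risk


@dataclass
class Withdrawal:
    destination: str
    source_ip: str


def ip_history_is_dynamic(ips, distinct_threshold=3):
    """Assumed heuristic: a user whose recent logins came from several
    distinct IPs is treated as normally being on a dynamic address."""
    return len(set(ips)) >= distinct_threshold


def withdrawal_hold(account, request):
    """Return the delay to apply before releasing the withdrawal;
    timedelta(0) means release immediately."""
    new_address = request.destination not in account.known_addresses
    new_ip = request.source_ip not in account.recent_ips
    if not new_address:
        return timedelta(0)  # previously used payout address: no hold
    if account.delay_opt_out and account.two_factor_enabled:
        return timedelta(0)  # assumption: opt-out only honoured with 2FA
    hold = timedelta(hours=24)  # assumed default hold for a new address
    if new_ip and not ip_history_is_dynamic(account.recent_ips):
        hold = timedelta(hours=72)  # stable-IP account suddenly on a new IP
    if not account.two_factor_enabled:
        hold += timedelta(hours=24)  # no 2FA: the profile the scam selected
    return hold


if __name__ == "__main__":
    # Constructed sample: a user without 2FA whose logins all came from one
    # IP, now withdrawing to a new address from a different IP.
    victim_profile = Account(False, {"rKnown1"}, ["203.0.113.5"] * 5)
    req = Withdrawal("rNewAddr", "198.51.100.9")
    print(withdrawal_hold(victim_profile, req))  # 4 days, 0:00:00
```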