Last week, FBI Director Christopher Wray drew the U.S. Senate’s attention to cybercrime by warning of a “wider-than-ever” array of adversaries that he said threaten the public’s confidence in the digital world. Thomas Breeden, a supervisory special agent in the bureau’s Baltimore field office, backed up his boss’s concern.
“It’s a challenging space,” Breeden told Technical.ly. “It’s a relatively new space, and it’s something we’re constantly learning about.”
He was specifically referencing virtual currency cybercrime, which, along with other forms of online criminal activity, is apparently on the rise. Increasingly, the FBI is encouraging corporations and other organizations to proactively ensure their own cybersecurity — even while they engage the FBI’s help.
“We’re constantly working with companies so they can mitigate any type of computer intrusion,” Breeden said. “That is an ongoing process. The FBI works with CISA, the Cybersecurity and Infrastructure Security Agency. Their focus is to prevent attacks; The FBI’s focus is to respond to the attacks.”
So, what do these attacks look like?
Breeden said that 90% of the threats he sees come from ransomware attacks. Perpetrators range from individuals to organizations, including many who may have developed cyber skills via the dark web instead of formal education. Most, but not all, crimes involve holding networks hostage for money.
“There are also instances where hackers will hack into a network and they won’t encrypt the network,” he said. “They’ll steal the data and then they’ll say, ‘We’ll sell the data back to you if you give us bitcoin.”
Breeden’s work intersects with that of Baltimore field office colleague Keith Custer, a supervisory special agent focusing on complex financial crimes that he says “increasingly” revolve around cryptocurrency.
“The amount of virtual currency in fraud that was reported [in 2016] was only $28 million,” Custer said. “Fast forward to 2021…and it went from $28 million to $1.6 billion. The growth has really been astronomical. It’s something we’re seeing continue to accelerate.”
As for what amounts ransomware attackers demand, Breeder said they can range from $500 to costs in the seven-figure range, with a potential average ransom of around $100,000. But virtual currency provides agents a silver lining: blockchain receipts.
“There’s a blockchain out there where all those transactions are public,” Breeden said. “We conduct some sort of analysis to track the movement of virtual currency. Ultimately, we understand that cybercriminals still need to turn that virtual currency into what we call ‘fiat currency.’ In the US, that’s dollars. Somewhere in Europe, that’s euros.”
Public surveillance, private assistance
The FBI has cyber squads in dozens of field offices around the country. But policing this crime can be an uphill battle for that many teams. The FBI’s Internet Crime Complaint Center received over 6 million complaints in 2021 alone. That same year, Wray reported, the FBI took 1,1000 actions (including “arrests, criminal charges, convictions, dismantlements and disruptions”) against cyber criminals.
Referencing such notable attacks as those against SolarWinds and Colonial Pipeline, Wray said, “We need the private sector to come forward to warn us —and warn us quickly — when they see malicious cyber activity.”
As cybercrime and virtual currency theft grow, the need for teamwork between companies, agencies and organizations across the spectrum of American life is clear to the FBI. Securing America’s digital future is not a one-agency job, Wray told the Senate.
“We need a whole-of-society approach that matches the scope of the danger,” he stated. “There is no other option for defending a country where nearly all of our critical infrastructure, personal data, intellectual property and network infrastructure sits in private hands.”
Cybercrime victims are encouraged to report incidents to the bureau’s aforementioned complaint center. Agents also suggest the public use two-factor authorizations whenever possible and remember that if something looks too good to be true, it probably is.