Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users

Authors Marilyne Ordekian , Gilberto Atondo-Siu , Alice Hutchings , Marie Vasek



PDF
Thumbnail PDF

File

LIPIcs.AFT.2024.24.pdf
  • Filesize: 0.78 MB
  • 24 pages

Document Identifiers

Author Details

Marilyne Ordekian
  • Department of Computer Science, University College London, UK
Gilberto Atondo-Siu
  • Department of Computer Science, University of Cambridge, UK
Alice Hutchings
  • Department of Computer Science, University of Cambridge, UK
Marie Vasek
  • Department of Computer Science, University College London, UK

Cite AsGet BibTex

Marilyne Ordekian, Gilberto Atondo-Siu, Alice Hutchings, and Marie Vasek. Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users. In 6th Conference on Advances in Financial Technologies (AFT 2024). Leibniz International Proceedings in Informatics (LIPIcs), Volume 316, pp. 24:1-24:24, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)
https://doi.org/10.4230/LIPIcs.AFT.2024.24

Abstract

Cryptocurrency wrench attacks are physical attacks targeting cryptocurrency users in the real world to illegally obtain cryptocurrencies. These attacks significantly undermine the efficacy of existing digital security norms when confronted with real-world threats. We present the first comprehensive study on wrench attacks. We propose a theoretical approach to defining wrench attacks per criminal law norms, and an interdisciplinary empirical approach to measure their incidence. Leveraging three data sources, we perform crime script analysis, detecting incidents globally across 10 interviews with victims and experts, 146 news articles, and 37 online forums. Our findings reveal diverse groups of attackers ranging from organized crime groups to friends and family, various modi operandi, and different forms of attacks varying from blackmail to murder. Despite existing since Bitcoin’s early days, these attacks are underreported due to revictimization fears. Additionally, unlike other cryptocurrency crimes, users with advanced security experience were not immune to them. We identify potential vulnerabilities in users' behavior and encourage cryptocurrency holders to lean into digital as well as physical safety measures to protect themselves and their cryptocurrency. We offer actionable recommendations for the security community and regulators, highlighting the double-edged sword of Know Your Customer policies.

Subject Classification

ACM Subject Classification
  • Applied computing → Law
  • Applied computing → Digital cash
  • Security and privacy → Social aspects of security and privacy
  • Social and professional topics → Financial crime
Keywords
  • cryptocurrency
  • Bitcoin
  • crime
  • wrench attack
  • physical attack

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. Svetlana Abramova and Rainer Böhme. Perceived benefit and risk as multidimensional determinants of bitcoin use: A quantitative exploratory study. In Proceedings of the International Conference on Information Systems - Digital Innovation at the Crossroads, 2016. Google Scholar
  2. Svetlana Abramova and Rainer Böhme. Anatomy of a High-Profile data breach: Dissecting the aftermath of a Crypto-Wallet case. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, 2023. Google Scholar
  3. Svetlana Abramova, Artemij Voskobojnikov, Konstantin Beznosov, and Rainer Böhme. Bits under the mattress: Understanding different risk perceptions and security behaviors of crypto-asset users. In Conference on Human Factors in Computing Systems, pages 1-19, 2021. Google Scholar
  4. Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Carlos Gañán, Tom Grasso, Michael Levi, Tyler Moore, Stefan Savage, and Marie Vasek. Measuring the changing cost of cybercrime. In 18th Workshop on the Economics of Information Security (WEIS), 2019. Google Scholar
  5. Michael Bailey, Jon Oberheide, Jon Andersen, Z Morley Mao, Farnam Jahanian, and Jose Nazario. Automated classification and analysis of internet malware. In Recent Advances in Intrusion Detection, pages 178-197. Springer, 2007. Google Scholar
  6. Tobias Bamert, Christian Decker, Roger Wattenhofer, and Samuel Welten. Bluewallet: The secure bitcoin wallet. In Security and Trust Management: 10th International Workshop, pages 65-80, 2014. Google Scholar
  7. Cesare Beccaria. On crimes and punishments. Transaction Publishers, 2016. Google Scholar
  8. BitcoinTalk. URL: https://bitcointalk.org/.
  9. Apolline Blandin, Gina C Pieters, Yue Wu, Anton Dek, Thomas Eisermann, Damaris Njoki, and Sean Taylor. 3rd global cryptoasset benchmarking study. Cambridge Centre for Alternative Finance Reports, 2021. URL: https://www.jbs.cam.ac.uk/wp-content/uploads/2021/01/2021-ccaf-3rd-global-cryptoasset-benchmarking-study.pdf.
  10. Rainer Böhme, Nicolas Christin, Benjamin Edelman, and Tyler Moore. Bitcoin: Economics, technology, and governance. Journal of Economic Perspectives, 29(2):213-238, 2015. Google Scholar
  11. Rainer Böhme, Johanna Grzywotz, Pesch Paulina, Christian Ruckert, and Christoph Safferling. Bitcoin and alt-coin crime prevention, 2017. URL: https://www.bitcrime.de/presse-publikationen/pdf/BITCRIME-RegulRep.pdf.
  12. British Society of Criminology. Statement of ethics, 2015. URL: https://www.britsoccrim.org/ethics/.
  13. Nancy Carter, Denise Bryant-Lukosius, Alba Dicenso, Jennifer Blythe, and Alan Neville. The use of triangulation in qualitative research. Oncology Nursing Forum, 41:545-547, September 2014. Google Scholar
  14. Chainalysis. 2023 crypto crime trends: Illicit cryptocurrency volumes reach all-time highs amid surge in sanctions designations and hacking, 2023. URL: https://blog.chainalysis.com/reports/2023-crypto-crime-report-introduction/.
  15. Chainalysis. The 2023 global crypto adoption index, 2023. URL: https://www.chainalysis.com/blog/2023-global-crypto-adoption-index/.
  16. Yi-Ning Chiu, Benoit Leclerc, and Michael Townsley. Crime script analysis of drug manufacturing in clandestine laboratories: Implications for prevention. The British Journal of Criminology, 51(2):355-374, March 2011. Google Scholar
  17. Derek B Cornish. Crimes as scripts. In International Seminar on Environmental Criminology and Crime Analysis, volume 1, pages 30-45. Florida Criminal Justice Executive Institute, 1994. Google Scholar
  18. Derek B Cornish. The procedural analysis of offending and its relevance for situational prevention. Crime prevention studies, 3(1):151-196, 1994. Google Scholar
  19. Sara Giro Correia. Patterns of online repeat victimisation and implications for crime prevention. In 2020 APWG Symposium on Electronic Crime Research (eCrime), pages 1-11. IEEE, 2020. Google Scholar
  20. Hashem Dehghanniri and Hervé Borrion. Crime scripting: A systematic review. European Journal of Criminology, 18(4):504-525, 2021. Google Scholar
  21. Norman K Denzin. Triangulation. The Blackwell encyclopedia of sociology, 2007. Google Scholar
  22. Shayan Eskandari, David Barrera, Elizabeth Stobert, and Jeremy Clark. A first look at the usability of bitcoin key management. Workshop on Usable Security (USEC), February 2015. Google Scholar
  23. European Union. Regulation (EU) 2023/1113 of the european parliament and of the council of 31 may 2023 on information accompanying transfers of funds and certain crypto-assets and amending directive (EU) 2015/849, 2023. Google Scholar
  24. FATF. Guidance for a risk-based approach to virtual assets and virtual asset service providers, 2019. URL: https://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-virtual-assets.html.
  25. George P Fletcher. Blackmail: The paradigmatic crime. University of Pennsylvania Law Review, 141(5):1617-1638, 1993. Google Scholar
  26. Michael Froehlich, Philipp Hulm, and Florian Alt. Under pressure. a user-centered threat model for cryptocurrency owners. In 4th International Conference on Blockchain Technology and Applications, pages 39-50, 2021. Google Scholar
  27. Graham R Gibbs. Analyzing qualitative data. SAGE Publications Ltd, 2018. Google Scholar
  28. Nicholas Gilmour. Understanding money laundering. a crime script approach. The European Review of Organised Crime, 1(2):35-56, 2014. Google Scholar
  29. Andriana Gkaniatsou, Myrto Arapinis, and Aggelos Kiayias. Low-level attacks in bitcoin wallets. In International Conference on Information Security, pages 233-253, 2017. Google Scholar
  30. Wim Hardyns and Anneleen Rummens. Predictive policing as a new tool for law enforcement? recent developments and challenges. European journal on criminal policy and research, 24:201-218, 2018. Google Scholar
  31. Jonathan Herring. Criminal law: Text, cases, and materials. Oxford University Press, USA, 2014. Google Scholar
  32. Alice Hutchings. Crime from the keyboard: organised cybercrime, co-offending, initiation and knowledge transmission. Crime, Law and Social Change, 62:1-20, 2014. Google Scholar
  33. Alice Hutchings. Leaving on a jet plane: the trade in fraudulently obtained airline tickets. Crime, Law and Social Change, 70(4):461-487, 2018. Google Scholar
  34. Alice Hutchings and Thomas J Holt. A crime script analysis of the online stolen data market. British Journal of Criminology, 55(3):596-614, 2015. Google Scholar
  35. James Jones. Protect yourself against $5 wrench attacks, 2017. URL: https://steemit.com/bitcoin/@jamesjones/protect-yourself-against-usd5-wrench-attacks.
  36. Légifrance. Code pénal, 1992. URL: https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000006070719/2024-05-23.
  37. Jameson Lopp. Known physical bitcoin attacks. URL: https://github.com/jlopp/physical-bitcoin-attacks/.
  38. Jonathan Lusthaus. How organised is organised cybercrime? Global Crime, 14(1):52-60, 2013. Google Scholar
  39. Donna L Mailloux and Ralph C Serin. Sexual assaults during hostage takings and forcible confinements: Implications for practice. Sexual abuse: a journal of research and treatment, 15:161-170, 2003. Google Scholar
  40. Patrick McCorry, Malte Möser, and Syed Taha Ali. Why preventing a cryptocurrency exchange heist isn’t good enough. In Security Protocols XXVI: 26th International Workshop, pages 225-233. Springer, March 2018. Google Scholar
  41. Robert McMillan. An extortionist has been making life hell for bitcoin’s earliest adopters, 2014. URL: https://www.wired.com/2014/12/finney-swat/.
  42. Michael S Moore. Act and crime: The philosophy of action and its implications for criminal law. Oxford University Press, 2010. Google Scholar
  43. Tyler Moore and Nicolas Christin. Beware the middleman: Empirical analysis of bitcoin-exchange risk. In Financial Cryptography and Data Security, pages 25-33. Springer, April 2013. Google Scholar
  44. Tyler Moore, Nicolas Christin, and Janos Szurdi. Revisiting the risks of bitcoin currency exchange closure. ACM Transactions on Internet Technology (TOIT), 18(4):1-18, 2018. Google Scholar
  45. Marilyne Ordekian, Ingolf Becker, and Marie Vasek. Shaping cryptocurrency gatekeepers with a regulatory “trial and error”. In Workshop on the Coordination of Decentralized Finance, pages 113-133. Springer, May 2023. Google Scholar
  46. Sergio Pastrana, Daniel R Thomas, Alice Hutchings, and Richard Clayton. Crimebb: Enabling cybercrime research on underground forums at scale. In Proceedings of the 2018 World Wide Web Conference, pages 1845-1854, 2018. Google Scholar
  47. Michel Rauchs, Apolline Blandin, Kristina Klein, Gina C Pieters, Martino Recanatini, and Bryan Zheng Zhang. 2nd global cryptoasset benchmarking study. Cambridge Centre for Alternative Finance Reports, December 2018. URL: https://ideas.repec.org/p/jbs/altfin/201812-sgcbs.html.
  48. Corina Sas and Irni Eliana Khairuddin. Design for trust: An exploration of the challenges and opportunities of bitcoin users. In Conference on Human Factors in Computing Systems, pages 6499-6510, May 2017. Google Scholar
  49. Maria Tcherni, Andrew Davies, Giza Lopes, and Alan Lizotte. The dark figure of online property crime: Is cyberspace hiding a crime wave? Justice Quarterly, 33(5):890-911, 2016. Google Scholar
  50. Theft act, 1968. URL: https://www.legislation.gov.uk/ukpga/1968/60.
  51. Transparency International. Corruption perception index, 2022. URL: https://www.transparency.org/en/cpi/2022.
  52. Arianna Trozze, Josh Kamps, Eray Arda Akartuna, Florian J Hetzel, Bennett Kleinberg, Toby Davies, and Shane D Johnson. Cryptocurrencies and future financial crime. Crime Science, 11:1-35, 2022. Google Scholar
  53. Scott F Turner, Laura B Cardinal, and Richard M Burton. Research design for mixed methods: A triangulation-based framework and roadmap. Organizational Research Methods, 20(2):243-267, 2017. Google Scholar
  54. Rodanthi Tzanelli. Capitalizing on value: Towards a sociological understanding of kidnapping. Sociology, 40(5):929-947, 2006. Google Scholar
  55. Paul Van Schaik, Debora Jeske, Joseph Onibokun, Lynne Coventry, Jurjen Jansen, and Petko Kusev. Risk perceptions of cyber-security and precautionary behaviour. Computers in Human Behavior, 75:547-559, 2017. Google Scholar
  56. Artemij Voskobojnikov, Svetlana Abramova, Konstantin Beznosov, and Rainer Böhme. Non-adoption of crypto-assets: Exploring the role of trust, self-efficacy, and risk. In European Conference on Information Systems, 2021. Google Scholar
  57. Artemij Voskobojnikov, Borke Obada-Obieh, Yue Huang, and Konstantin Beznosov. Surviving the cryptojungle: Perception and management of risk among north american cryptocurrency (non) users. In Financial Cryptography and Data Security, pages 595-614. Springer, 2020. Google Scholar
  58. Artemij Voskobojnikov, Oliver Wiese, Masoud Mehrabi Koushki, Volker Roth, and Konstantin Beznosov. The u in crypto stands for usable: An empirical study of user experience with mobile cryptocurrency wallets. In Conference on Human Factors in Computing Systems, pages 1-14, 2021. Google Scholar
  59. XKCD. Security, 2009. URL: https://xkcd.com/538/.
  60. Lucia Zedner. Criminal justice. Oxford University Press, 2004. Google Scholar
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail