State of Cybercrime

The MOVEit Exploit

Episode Summary

Across the globe, CL0P ransomware group is extorting hundreds of organizations after exploiting an unknown SQL injection vulnerability in file transfer service MOVEit. The victims need to contact the ransomware group by June 14 or their stolen data will be published publicly on the group’s extortion site. Join Matt Radolec, David Gibson, and special guest Dvir Sason to learn more about how the ransomware group exploited the critical flaw in the transfer application, which they were likely experimenting with since 2021.

Episode Transcription

[00:00:00]

Matt Radolec: Hello everybody. Welcome to another episode of State of Cybercrime. Want to give a shout out right off the bat here to our special guest: the myth, the security research legend like Prince and Cher, just one name: Dvir. Dvir, how's it going? Thanks for joining us today.

Dvir Sason: Everything's amazing, thank you for having me. 

Matt Radolec: So I've been waiting, I think, almost two weeks to say this to everybody, but I want to MOVEit right into this show today. And I hope we have plenty of MOVEit [00:01:00] puns as we crack right into it. 

go over some of our usual segments. We'll start with Is There Any Good News? We'll jump on the highway to the Danger Zone and talk to you about a couple of threat actors and exploits that you should be aware of, and we'll round it out with a few Vulnerable Vulnerabilities. So with that, let's crack right into it.

So we always like to start out by talking about whether or not there's any good news. Oftentimes in cyber, everything is doom and gloom. And we really want to make sure that we cover the fact that sometimes the good people do get it right. Just to get things kicked off let's talk about the latest privacy fine from Meta.

So, what started as a complaint back in 2013 from privacy activist Max Schrems has turned into over a billion dollar privacy violation for Meta, beating out Amazon for the largest fine awarded by the EU by about half a billion dollars. Now, I'm not sure if this is an award that I'd want to have, but Meta [00:02:00] has earned top spot in terms of fine being issued by EU regulators.

Now they've got until October to stop transferring EU user data to the US but they've made it known that they've got both plans to appeal the decision and like past experience would tell us likely they're gonna do everything that they can to A, avoid paying the fines, and B, stop the collection and transfer of information.

Now this case highlights the strict and rather conflicting differences between US privacy laws and privacy guidelines and EU privacy law and guidelines. And David, I know this is a topic that you're really passionate about. What do you think is gonna happen here? Is this actually gonna have any teeth or any long-term effect on data security and data privacy?

David Gibson: It's interesting, you throw around these billion dollar numbers and privacy violations, and it's clear I think we can all assume that Meta knew what was coming by taking the profile data from the EU citizens and moving them [00:03:00] to the US.

And Matt you actually, I think, had some information on why they're doing this, right? 

Matt Radolec: Yeah we went back to the testimony from Mark Zuckerberg then CEO of Facebook now, I guess still CEO, Chairman of the Board of Meta talking about how the algorithm performs better the more data that it's fed.

So it's almost as if, and I wonder if this is a billion dollar business decision, if we could get Zuckerberg on the line, maybe we could ask him to join us for an episode of State of Cybercrime and ask him ourselves. 

David Gibson: I think he's calling. 

Matt Radolec: Yeah. You might, you better get back to that, David. 

But what I would wanna know is it actually worth it to try to deal with the fine, whether, I'm sure they're gonna settle for some amount that's less than 1.3 billion.

Are they actually making more money from pulling that data in than the cost of dealing with the regulators? I think that's the core business question that's on my mind. 

David Gibson: Yeah, and imagine what that means, the data itself is worth more than the 1.3 billion dollars of fine that they're gonna incur by continuing [00:04:00] to bring the data over from the EU to the US.

Matt Radolec: Now that's not the only bit of good news though. There is something related to a hacking forum, I wanna say is it called the Raid Forum, Dvir? And there's some leak of user data, but I don't think people should be confused here. It's not user data that was found on the Hacking Forum.

It's user data of users of the Hacking Forum, right? 

Dvir Sason: Correct. I might not be shedding any tears at the moment regarding RaidForums, but just to explain it and to address it, RaidForums was one of the most popular platforms regarding any sort of marketplace and of tooling of exploits, of data leaks, of automations required in order to carry out those attacks against companies, services, individuals and whatnot.

Everything related to credential stuffing attacks and automations was actually shared among RaidForums and RaidForums users, which again is a marketplace. Anyone could [00:05:00] sell their own inventory over there, anyone from threat actors to skiddies, and the fact that it was taken down around 2022 and since then threat actors were looking, and again, skiddies were looking for any sort of other platforms to be using in that sense. 

Now, I'm not talking about dark web. This is completely available, was available to be honest, from using any sort of regular browser. In that sense, the fact that this database was leaked at the end of May containing the users and PII of the actual threat actors and skiddie is interesting because we're talking about less than half a million users with their PIIs and faulted passwords. So we're talking about emails, date of birth, again, stocked passwords and their activities. 

But I think the most interesting part of it is that it was somehow scrubbed from another 100,000 users. So nobody [00:06:00] knows who cleaned it. Nobody knows why it was removed prior to the leak, but the fact that right now it was again, it was taken down and leaked and a lot of people are interested in the user names and the linked email address to it. 

Matt Radolec: Now, two things I'd want you to expand on. First, you sound pretty heartbroken, man. Did they post your account online? 

Dvir Sason: No. No comment. 

Matt Radolec: And you said something there called skiddies. For some people in our audience who might not be as in the know, in the SEC research talk or the dark web talk as you are, what's a skiddie? 

Dvir Sason: So a skiddie is usually what is called a script kiddie, a person that usually doesn't have any skill or knowledge in order to carry out sophisticated attacks but usually is relying on automations and available tools in order to perform some very basic type of activities such as brute force, credential stuffing, fraudulent activities, and in that sense they are not being looked [00:07:00] at as a real threat, as the real dogs so to speak, but usually just as a nuisance, as something to be aware of.

Now, the fact that there are also levels that any type of user could have paid for in order to get their rank up and to be able to gain access to much more exclusive parts of the forum is one of the key incentives of this forum. 

And the person behind it was actually 21 years old at the age of his arrest. So 

Matt Radolec: Wow.

Dvir Sason: It's very interesting. Yeah he set this forum up when he was 14 years old, to be honest. 

Matt Radolec: And one of our audience members, Nathan, wants to know, and no need to comment on it if you don't know, what is riseup.net featured right in the center of the screen. You'll see by a source who requested it to be attributed to white_peacock@riseup.net. And Nathan from our audience is curious, what is riseup.net? 

Dvir Sason: So the person who actually leaked this database was using this acronym, white_peacock@riseup.net. It's a disposable email address.[00:08:00]

And they have this public internal distribution that he wanted to be contacted via this email. Nobody knows how he was able to gain this database, but again, it got leaked somehow and it's all over the internet. 

Matt Radolec: Sure. Thanks for that. And I promise I won't look at the usernames to see if Dvir is in there, in the list of customers.

One of the things we're always talking about when we talk about good news is sometimes the ability for throws to help others. And so I'd like to ask the audience a question, which is, if there's something strange in your neighborhood, who are you gonna call? Is it the university students that are launching their cybersecurity helpline available at 311?

Cuz college students are apparently the answer. Universities are establishing these cybersecurity clinics akin to legal clinics, often offered through a lot of law schools, to train students as digital security consultants and assist vulnerable small businesses and nonprofit organizations. 

An idea that was born out of the CISA Advisory Committee, [00:09:00] the University of Texas at Austin is piloting a program to offer this kind of 911 sort of service as 311 to help victims of cyber attacks.

Similar programs are being adopted in Alabama, California, Indiana, and Massachusetts. And it's really all about working with local organizations to either implement a plan for cybersecurity or even provide some free assistance in the event of a cyber incident. 

And they're actually measuring their success. You can tell they're serious when they have metrics on their ability to train students and equip them for the workforce, how many organizations that they've assisted, and what their long-term impact is on clients' cybersecurity. 

Now this got me thinking though, and David, you were the one that kind of brought this angle out for me. This is kind of ripe for an inside job, don't you think? 

David Gibson: I think that there are some risks here, that college students, I think they have been a vulnerable population. And Dvir, I know you've had some examples of that where they can be easy targets. But on [00:10:00] the other hand, we should also talk about some of the positive stuff there.

But before we go on to that, Dvir what are some of the risks that you've seen with college kids getting targeted? 

Dvir Sason: That's a great question. We've seen for quite some time a campaign targeting college students to be potential money mulers. Usually it's a form that's being sent to them regarding what's your bank account type and what you do for a living and how much money do you make?

Usually in order to get that sort of information in order to understand whether that person is willing for this activity, for this fraudulent activity as a potential money muler or not. And 

David Gibson: What's a money muler? 

Matt Radolec: What's a money muler? Yeah. 

Dvir Sason: So usually it's about setting up a company like a legal entity in order to be used for these sort of scams that are not directly linked to the actual criminal.

So we have this person, which is usually setting up bank accounts, legal entities, being paid by the criminals, but everything links back to him. He's [00:11:00] not aware of the criminal activities, just a potential puppet just being called upon when things get messy. So in that sense. 

Matt Radolec: So they're like the one with the liability, but not actually the one kind of carrying out the crime per se?

Dvir Sason: Exactly. 

David Gibson: And so you've seen this kind of exploit happen, this sort of human exploit where they're like, okay, how vulnerable is this person? Let's use them as a wallet essentially to hold the money and they'll get a little piece of it. Did I get that right? 

Dvir Sason: Yeah, that's correct. We've noticed a specific campaign. I can't get into too much of the details because this is still ongoing, but usually it's a form that they need to fill, like the potential money mulers regarding the information about themselves. 

Matt Radolec: And another follow-up question, Dvir, from one of our audience members, Ryan, are the RaidForums only accessed via the dark web, or can you get to them, or could you have gotten to them via the public internet?

Dvir Sason: So specifically, RaidForums is not accessible anymore, it was taken over by the FBI and CISA. It's [00:12:00] very important to mention that because they do cover everything related to all the other domains and potential other names. It was accessible directly from any normal sort of browser. And now there are all sorts of contenders, which are trying to be the same thing, but it might be operated by law agencies, and usually the actual places where these sorts of criminal activities take place, as marketplaces or any sort of way to communicate between threat actors, are usually in much more closed types of environments.

We can talk about Discord, for example, with private servers or any sort of dark web private servers, or even as we've seen previously with other threat groups that were closed down, like such as Conti, they had their own message board servers to communicate amongst each other.

Which was exactly, yeah, not exactly. It was inaccessible by external users, but it had their own sort of ability to communicate among, amongst each other.

Matt Radolec: So let's MOVEit [00:13:00] into the Danger Zone. I know our audience is really excited to hear about that. Now we've learned a lot about MOVEit over the course of the last few weeks. And the question that's really been burning me though and David I'll direct this at you, is this gonna live up to the hype? When I saw the headline come out, MOVEit this new attack technique, this new exploit. The idea of just vivid images for me took me back to 2005. I like to move it when it aired in Madagascar for the first time. Now, apparently though, David, that's not actually the source of the song.

The song is from the nineties from another band, so it wasn't made for a children's movie. 

David Gibson: Apparently it was in a band called Reel 2 Real. It's a very important piece of information. I had to look that up cuz I'm actually more of a Muppets "Movin' Right Along" kind of person. But it's a good song too.

Matt Radolec: David and Dvir, I've just got one question for you. Do we like to move it, [00:14:00] do we like to move it? 

David Gibson: I think we should keep moving it right along. 

Matt Radolec: So Dvir, the reason we really brought you on, in terms of new threat actors or ransomware groups like CL0P that come out, you're always the person not just that we as a company turn to, but me personally turns to really get up the speed about these threats, particularly when it comes to explaining how they're operating their campaign. 

So would you be able to tell our audience, what's going on? What is this MOVEit thing, where does it play in, how is the CL0P ransomware group leveraging it?

Tell us what you got. 

Dvir Sason: Sure thing. So let's think of a potential scenario. We are working for specific company and we want to share documents with our third parties on a regular basis. There are all sorts of ways and methods to do so, like sharing links, using SharePoint and OneDrive and maintaining permissions.

But in another way, in another method, if we want to do it at scale, we need to have a much, so to speak, better solution than that. Something which is much more functional for [00:15:00] that. In that sense, there are all sorts of solutions related to file sharing between companies and as you can see on the left, we have Accellion and SolarWinds, GoAnywhere and PaperCut, which I think the main thing to remember about them is that they were all being abused and exploited using specific vulnerabilities.

Now, these sorts of vulnerabilities and attacks were all originating from the same threat group, which has many different names. I won't go into attribution, I won't go into the people behind it. But we're talking about the threat group which is usually referred to as FIN11. And the policies says that they were active and grouped all the way from 2014.

The name CL0P is related to the ransomware that they deploy when they compromise a victim. And the main objective is absolutely financial motivation. This is why they have the name fin and not like anything else. 

Specifically in this [00:16:00] campaign, the MOVEit campaign and again, talking about the other campaigns, we need to understand that this sort of threat group is not the skiddies that we talked earlier about.

These are the real deal. They understand that there is a vulnerability going a product usually by reading a bulletin about the vendor that releases it, they study it, they reverse it, and they weaponize it all the way to be mass exploited in the wild. The thing about the solutions that we can see on the left is that all of these solutions were exploited in the same manner by CL0P, by FIN11 in the same way.

And we're talking about a very sophisticated type of exploitation and weaponization that usually it's not something that a single person can carry out, but this is type of a much larger group, a very highly professional group that can study this vulnerability, understand the steps in order to reproduce a fully working exploit, to fully automate it and to attack servers from around the world.

As we go [00:17:00] back to the first scenario that we talked about, that we need to share files between companies, these sort of servers and solutions need to be on the external premise of the organizations for our collaborators to share data with us. So this also means that these solutions are usually exposed on the outskirts, on the boundaries, external boundaries of the organization, either via on-prem or the cloud. And this is what allows it to be remotely exploited so easily when the vulnerability going on. 

Some organizations do take their time to patch and it's quite interesting because from what we've read regarding the potential scanning attempts, it's dated all the way to March.

So if we put the pieces together and the timeline, we may understand that CL0P were waiting for a specific time in which the UK and US were both on a holiday. In the US it was Memorial Day and in the UK it was a bank holiday. And when these two dates collide, they were able to mass exploit servers in the wild [00:18:00] and steal data from these servers while the actual people who were maintaining these servers were out on vacation.

This is a very complex type of attack. Won't go into the details and bits and bytes, but it requires 12 different steps in order to be pieced together and orchestrated in order to fully compromise the server and have a web shell on it and have a remote administrative tool with a C2 channel back to their servers.

And from that moment that they were able to compromise the server, the ability for them to steal the data on it was super easy. They didn't even have to compromise the actual organization behind it. They could, but that was not the main objective. The main objective was to steal information and to perform what we call double extortion to say that if you're not gonna pay for that we're gonna leak your information. If you're not gonna pay for that we're definitely gonna leak you. And on top of that, you have a very limited time that you can pay unless we're gonna DDoS you, we're gonna DDoS your [00:19:00] entire infrastructure.

The main thing to remember that I said earlier regarding CL0P is that it's considered as the ransomware type of strain. But in this sort of campaign, we did not observe, according to any sort of available report, an analysis made by other vendors that the ransomware was actually being executed and impacting the victims. Again, the main objective was to scan and exploit in mass and in scale, and to steal as much information as possible in that very narrow period of time in order to gain the leverage of having these sort of secrets.

Matt Radolec: So Dvir, one thing we talked about a lot on some previous episodes of the show is how we've seen some of the ransomware groups distribute techniques that are APT grade, right? That there's almost been a shift of APT actors from purely carrying out the typical nation state type attacks to attacking organizations for financial gains.

Would you say that, just based on your experience, that we're talking about APT level [00:20:00] sophistication in an attack like this? 

Dvir Sason: We could say that, it absolutely might be the case. Again, I'm not gonna go into attribution but in the level of complexity showed in this campaign, in the previous ones, the methodology is the same.

Is the target a high value product and solution that contains secrets to fully exploited and mass exploited in the fly. And again, achieving that sort of complexity and exploit level is not something that could be done in a very short type of manner. It requires skills, it requires labor, it requires people and a lot of knowledge into understanding exactly what was patched in the original software, how the patch looks like, comparing the difference between it, and to understand exactly how can they exploit a vulnerable version.

Matt Radolec: And there was a little bit more you wanted to share about MOVEit, right? 

Dvir Sason: Correct. So that's the original bulletin that was made by Progress, the vendor itself of MOVEit. And again, we're talking about the bulletin. It doesn't go into technical details. It just says [00:21:00] we have a vulnerability. It doesn't have a CVSS code. And this is how it looks like. It's the ability for an unauthenticated attacker to gain access to the database. Again, that is it. Their ability to gain full access to the server and fully compromise it, it's their level of skill that how it shows, because it required a lot of amount of knowledge.

Matt Radolec: I just wanna make sure I'm clarifying this point for audience here. What you're saying is that it's likely, you suspect that the attackers read this bulletin and then dedicated time from experts such as yourself to craft an exploit in order to be able to carry out this supply chain attack for lack of a better word, right?

Dvir Sason: That is correct. By targeting these sort of solutions, by targeting file sharing solutions as we've seen previously, and by reading the specific bulletins, they are able to deduct and to weaponize it in that sense. 

We can see the type of servers that were [00:22:00] still vulnerable from around the world according to just a basic query, and we can see that the main, the sheer part of the vulnerable servers is originating from the US, which means that vulnerable servers still exist out there, and victims didn't apply patches yet either due to trying to delay or waiting for the patch management procedure to begin with, or even because there was no CVSS score yet in that sort of bulletin. Potential victims are not necessarily aware of the potential ramifications of not patching the server.

Matt Radolec: And there was one other thing you wanted to share, a little bit around like the notes that got left behind. 

Dvir Sason: So yeah the notes of CL0P that was left behind is very generic usually being used around any sort of campaign that they're using. It's pushing to the victims to be contacting them in the sense of yeah, we stole your data, you should contact us immediately because you don't want us to leak you. And it's again, it's [00:23:00] very pushy. It's very intimidating. 

In that sense we do have a metaphor for referring to ransom groups. And we need to refer to them as seagulls. When you stand at the beach and you're holding a big sandwich and there are seagulls waiting for you to take a bite, you can't just feed them. You need to hold onto your sandwich because once you let them bite, they will just come back and eat your whole sandwich.

In that sense, as a personal opinion I would advise and recommend not to feed the seagulls, not feed, and not pay the ransomware the ransom to these ransom groups. 

Matt Radolec: Yeah, and I think that's a hot topic probably worth an entire episode to debate on Dvir is, whether or not an organization should pay the ransom and the pros and the cons of doing so.

The other thing I, David and you and I are always really passionate about this, when we see these ransomware groups really start to look like a business, right? They've got their seven step plan. They've got a warranty. Call today, act now. They're creating their sense of urgency. They've got a signature line.

They even throw something in the bottom that says, Hey, if [00:24:00]you're a government entity, don't worry we already deleted your data. You weren't the person we had intended to target. Do you predict, David, there's gonna be more of this kind of, I don't wanna call it white glove ransomware, but this productization, this branding associated with ransomware?

David Gibson: Clearly it's a pretty efficient operation. And we've seen it now multiple times with these different campaigns where, they're reading the exploit, you know, they're reading the notices, reverse engineering the exploits and then weaponizing them in a way that's certainly not haphazard.

So it, it's almost as if okay we probably have a queue of Vulnerabilities to check out. And when we see a juicy one, we get that into a queue, and then we run our playbook. As long as there are lots of data that people rely on and that we depend on it, there's no reason to think that attackers won't continue to try to exploit our dependence.

Matt Radolec: Now not just to give CL0P all of the show here today, Dvir, there was something you wanted to tell us about AlphaV aka BlackCat as well. 

Dvir Sason: That's correct. This is [00:25:00] from an interaction between a victim to AlphaV in which you can see that the negotiations, AlphaV is coming very strong and hard to be honest, pushing the victim into, actually intimidating the victim.

Talking about how much time do they left in order to pay the ransom. And you can read all about us, about our about our reputation and what we stand for. And all of a sudden, at the end of the conversation, at the end of the negotiations, the victim says you can go ahead and leak all of our information that will allow us to further restore our data.

And our top management is saying, we won't pay you half a million, at the top we're gonna pay you 50 k. That's all take it or leave it. 

So AlphaV is trying to muscle up and say that's gonna cost you, we're gonna DDoS you and that is it. So in that sense, I think it was very interesting to see this sort of negotiations because usually it's not something that get exported, it's not something that get revealed. 

At the end these are the things that usually[00:26:00] are being talked about in a very tightly manner, and nobody talks about the negotiations. In that sense the victim was taking a stand, which is very uncommon in that sense. 

Matt Radolec: Yeah. Just saying post the data online. 

Dvir Sason: Yeah, exactly. And they did. It was from April and yeah, either the victim was able to indeed restore their data or we can probably assume that the data was not sensitive enough for them to be worried about in that sense. 

Matt Radolec: And one of our audience members Dvir asked you a question from Jose, how reliable is the statement at the bottom? That the ransomware group has erased the data from governments and police departments? I think I'll take a stab at it. I don't, I think it's just basically saying they're not gonna ask for the ransom, whether or not they've deleted or not I'm unsure of. I have a feeling that maybe they're selling that data to someone else who has no interest in sharing it. 

Dvir Sason: Correct. 

Matt Radolec: So let's jump on in to [00:27:00] our next segment on Vulnerable Vulnerabilities. Now, first and foremost, and Dvir, I guess there's a reason that we had you today. It sounds like your team, Varonis Threat Labs, is finding some Vulnerable Vulnerabilities of their own. You wanna talk to us a little bit about Imposter Syndrome, this UI bug in Visual Studio?

Dvir Sason: Yeah, sure thing. Our team likes to do all sorts of shenanigans and finding all sorts of vulnerabilities so we can report it in a very responsible manner to the vendors, making sure that no one else is able to exploit it.

We've reported several vulnerabilities in the past for Microsoft and I think this is the third one in the past 10 months, I believe. And it's quite interesting. It was a very, we thought about it as something very basic, which we felt that maybe it shouldn't be reported to Microsoft, maybe it's really that obvious that it's, again, not something worth reporting. And when we reported it to Microsoft and we said [00:28:00] Hey, we are able to take this action, Microsoft immediately responded saying that this is something that should be fixed and got the highest priority and indeed they also rewarded the researcher with a bounty. 

Talking about the vulnerability itself, it was the ability for a threat actor, a potential attacker, to mimic and spoof a Visual Studio extension that would look exactly like an original one, as signed by one of the vendors, one of the companies, simply by adding new lines to defy the manifest of that extension and just writing signed by this. 

Our ability to spoof the signature for an extension and to further implement all sorts of fatals in that sense proved to be as a good use case for what we're trying to achieve. We try to show in demo that developers might be targeted just as any other ordinary user, specifically due to the fact that they're able and indeed working on Secrets and PII, [00:29:00] sorry, on IP of the company as part of their development lifecycle. 

And the ability to compromise the developer is not a trivial thing because again, we're talking about using phishing emails with attachments or pushing a victim to download a malicious extension and that's so compromising the victim and by making sure that they're infected with this spoofed extension. 

Matt Radolec: And that's all getting tracked as CVE-2023-28299. 

Now, that's not the only Vulnerable Vulnerability that's got people talking. Let's hear from, I don't know if I would call you Mr. DDoS or Dr. DDoS himself, but David, you know you're always passionate about talking about denial of service attacks and distributed denial of service attacks. So talk to us about this hactivism led impact to Outlook. 

David Gibson: It's interesting the Outlook webmail has had some impact from a DDoS attack that Anonymous Sudan has taken credit for.[00:30:00]

This isn't the only Microsoft property that's had trouble. Azure has been hit. OneDrive has been hit. If you look at it and it's the same group. They're actively trying to patch and respond to this DDoS attack. They've said, no, we got it we got it, but then we don't got it. So Outlook not so good so far. 

The thing that I thought was interesting about this attack is, I did some research, was how little there was out there just technically, you know what, when I'm looking at DDoS attacks, I'm usually expecting something that's exploiting UDP or ICMP, some of these protocols that are easy to spoof and create walls of traffic that are hard to miss.

In this attack it seems like there's very little UDP surface area. You know, there are a few ports out there on these services. There's some load balancers that have been mentioned in a couple of places, but more details to come. Obviously it's no small feat to do a massive DDoS attack on this pretty, [00:31:00] pretty highly used service.

Matt Radolec: So I think the last story that we want to share is really Lazarus Group is at it again, this time stealing 35 million in crypto. Now though this is a fairly small amount of crypto, this theft does bump them over 1 billion dollars in money stolen from crypto wallets.

Lazarus Group, a North Korean hacker group, is being blamed by blockchain analytics group Elliptic for stealing 35 million in crypto from Atomic Wallet. Afterwards it was observed that they used the Sinbad mixer and in this block, like chain of events that we've seen before where the Lazarus group will go after somebody like Atomic Wallet, or in the past it was Ronin and Horizon Bridge, one crypto researcher, ZachXBT, is basically calling the kettle Lazarus Group, right?

It's if it walks like a Lazarus group and washes their coins and launders their coins like Lazarus Group, it probably is one. 

Now, for those of you that haven't heard of this before, Atomic Wallet is a decentralized wallet service. It's got [00:32:00] around 5 million users. And what this story poses to me is it seems like if you're going to use you know, these, we'll call 'em alternative wallets right, as opposed to maybe some of the mainstream cryptocurrency banks that maybe has certain anonymization features that you desire, making it arguably harder to track your transactions. Although I thought that wasn't possible but every time we see a breach involving a crypto wallet or the feds, it seems like they've got it all figured out how to track crypto coins, even ones that going through a mixer. Are these alternative kind of pro anonymous wallets, are they safe? Is this the right place for you to store your cryptocurrency?

David Gibson: That's a very good question, Matt. Which one is safe? And is crypto- 

Matt Radolec: Yeah, are any of them safe or I think that even begs the question, is crypto at all something that you wanna play in when you've got groups like this out there and emptying out wallets of millions of users, and almost, again, a billion dollars in the last two years of stolen coins and laundered coins?

David Gibson: I think really there's a bunch of [00:33:00] risk vectors with any place you store money. And with cryptocurrency, I think people that are putting money there tend to have a bigger risk appetite in general than folks that don't. So whether that there's a bigger risk reward here, tough to say. 

Matt Radolec: I do always wanna say, you know, the show is made possible by you, our audience. In addition to that big shout out to our guest star today, Dvir. Dvir, I hope you join us on the show again sometime. I think our audience really loved having you here. I know I personally did. Thanks so much for coming and joining us. 

Dvir Sason: Oh, it was a pleasure. Thank you. Thank you for having me.

Matt Radolec: Thank you to our audience for tuning into another episode of State of Cybercrime, and we hope to see you guys again next time.