    Ransomware losses tumble but threat remains: Chainalysis

    By Yeek.io, February 20, 2025
    A recent report by Chainalysis has indicated a significant reduction in losses attributed to digital asset scams in 2024, with a reported decline of 35% compared to the exceedingly high levels observed in 2023.

    Ransomware attackers netted $813.55 million from victims in 2024, fueled by a string of daring attacks by small and large-scale entities. The previous year, bad actors pilfered $1.25 billion from unsuspecting victims, making 2024 the first drop in malware theft since 2022.

    Analysts attributed the decline to several factors, citing heightened collaboration between law enforcement agencies and victims’ refusal to negotiate with the bad actors. The decline hit its stride in the second half of 2024, with threat actors having pulled in nearly $500 million by June, underscored by the near $100 million payment to the Dark Angels syndicate and Akira.

    After major syndicates LockBit and BlackCat collapsed, researchers saw no B-list players move up to take their place. Instead, bad actors operated in isolated and uncoordinated events. Most of the attacks in the second half of the year came from data leak sites, with the report noting a surge in the number of data leak sites from previous years under review.

    “The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small to midsize market, which in turn are associated with more modest ransom demands,” said Lizzie Cookson, an executive at Coveware.

    While the metrics appear to be in steep decline, Chainalysis’ report predicts an increase in activity as bad actors adopt new strategies in 2025.

    “In response, many attackers shifted tactics, with new ransomware strains emerging from rebranded, leaked, or purchased code, reflecting a more adaptive and agile threat environment,” read the report.

    The report projects faster negotiation times by threat actors and previously unseen malware designed to circumvent existing cybersecurity offerings.

    Despite the drop, bad actors still rely on centralized exchanges, bridges, and personal wallets to launder funds. However, 2024 marked a steep slump for mixers laundering stolen digital assets, with the services holding only a 15% market share.

    Most ransomware gangs are holding their digital assets, opting not to cash out following recent streaks of heightened law enforcement action.

    A changing landscape

    An emerging technology landscape appears to give bad actors a broader arsenal in their attacks against digital asset holders. Several analysts have highlighted attacks involving AI and machine learning (ML) tools in malware, and cybersecurity teams are grappling with new threats.

    State-backed groups are receiving support, while ransomware-as-a-service has been recording impressive ecosystem growth in recent years. Decentralized finance (DeFi) players are also exploring AI-based security countermeasures to stifle bad actors’ success rates, notching a string of positives.

    Crypto ‘stealer’ on the loose

    In other news, cybersecurity firm Kaspersky has released a report highlighting a malware campaign targeting digital asset wallet recovery phrases through mobile applications on Android and iOS devices.

    According to the report, the malware targets sensitive details by scanning image galleries and sending gleaned data to remote servers. Dubbed SparkCat, researchers say the malware gained significant steam in 2024, evolving from a 2023 technique into its present form.

    The malware relies on a compromised software development kit (SDK) in preselected mobile apps, using an optical character recognition (OCR) model to obtain wallet recovery phrases.

    While the original technique affected mobile applications from unofficial app stores, Kaspersky researchers confirmed evidence of the malware on Google Play (NASDAQ: GOOGL) and Apple’s App Store (NASDAQ: AAPL). The malicious applications have been downloaded nearly 250,000 times, and this is the first time a “stealer” has been spotted on the App Store.

    Reports indicate that SparkCat gained attention in March 2024 by infecting the Asian-based food delivery app ComeCome.

    SparkCat leaned on an “unidentified protocol” in Rust, a programming language uncommon among mobile apps. A common denominator between the malware’s Android and iOS versions is the reliance on Google’s ML Kit library for the OCR functionality, underscoring the mainstream use of artificial intelligence (AI) by malicious actors.

    “OCR to scan is such a clever trick,” said Stephen Ajayi, technical lead at Hacken. “Imagine the combination of OCR and AI to automatically pick out sensitive information from images or screens.”

    Apart from food delivery apps, researchers say the trojan is leaving a footprint on messaging and AI-themed applications. A key feature of the trojan’s success is “code obfuscation” employed by bad actors and the introduction of malicious updates after official app stores have approved an application.

    “We detected a series of apps embedded with a malicious framework in the App Store,” read the report. “We cannot confirm with certainty whether the infection was a result of a supply chain attack or deliberate action by the developers.”

    Malware attacks have become relatively common in the digital asset space, with state-backed bad actors in North Korea and Russian syndicates running riot in recent years.

    In 2022, PennyWise raised concerns about the safety of Chromium, while Infamous Chisel left security agencies on high alert. The combined value of malware attacks on digital wallets has exceeded $1 billion since 2020, with several reports confirming declining metrics.

    Ajayi urged consumers to protect themselves by being cautious before granting application permissions, while nudging digital wallet developers to improve guard rails for seed phrases.
