Naked Security Naked Security

News in brief: US indicts Russian BTC-e ‘mastermind’; Blu still phoning home; bug bounty offers $250k

Your daily round-up of some of the other stories in the news

Your daily round-up of some of the other stories in the news

Russian man charged with laundering $4bn via BTC-e

A Russian man arrested in Greece has been indicted by a grand jury in California with 17 counts of laundering up to $4bn via the BTC-e Bitcoin exchange.

Alexander Vinnik, 37, is alleged to have been a central figure in BTC-e, a favourite exchange of the criminals who have apparently used it to process up to 95% of all ransomware payments, according to research by Google published earlier this week. US officials said on Wednesday that “BTC-e was noted for its role in numerous ransomware and other cybercriminal activity; its takedown is a significant accomplishment and should serve as a reminder of our global reach in combating transnational cybercrime.”

The Department of Justice alleges that Vinnik was “the owner and operator of multiple BTC-e accounts, including administrator accounts, and also a primary beneficial owner of BTC-e’s managing shell company”, and added that “numerous withdrawals from BTC-e administrator accounts went directly to Vinnik’s personal bank accounts”.

Vinnik is also alleged to have received funds from the hack of Mt. Gox, the Bitcoin exchange that collapsed in 2014. Says the Department of Justice: “Vinnik [allegedly] obtained funds from the hack of Mt. Gox and laundered those funds through various online exchanges, including his own BTC-e … by moving funds through BTC-e, Vinnik sought to conceal and disguise his connection with the proceeds from the hacking of Mt. Gox.”

Blu devices still phoning home

Remember the Blu phones that we reported last year were phoning home thanks to a backdoor and shipping your text messages and call logs every 72 hours back to base in China?

At the time, Shanghai Adups Technology, which makes the software, said it was “a mistake” and the devices with this backdoor installed weren’t meant for the US market.

Eight months later, they haven’t rectified that “mistake”, according to researchers at Kryptowire, which found the backdoor last year.

Speaking at Black Hat in Las Vegas, researcher Ryan Johnson said that the backdoor is still in place and the company is being even more secretive about it. “They replaced them with nicer versions. I have captured the network traffic of them using the command and control channel when they did it.”

Adups said that the issues were resolved last year and that the issues “are not existing any more”.

Microsoft offers bug payouts of $250,000

Bughunters, it’s time to turn your attention to Microsoft: the Redmond giant has just announced its bounty program and payments could be up to $250,000 if you find a serious vulnerability in Microsoft’s Hyper-V.

Previous bug bounty programs from Microsoft only focused on specific areas chosen by the company, but the latest program extends it to the whole platform, with increased payments to get white hats to focus on its preferred areas – hence the potentially chunky payment if you spot a bug in Hyper-V.

Announcing the program on Wednesday, Microsoft said in a blog post: “Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”

As well as Hyper-V, Microsoft is encouraging bug-hunters to focus on Mitigation Bypass and Bounty for Defense Terms, with payments for vulnerabilities there rising to $200,000.

Catch up with all of today’s stories on Naked Security