Payment Card Fraud and Cryptocurrency Attacks Saw Significant Increase Last Quarter

The financials sector saw an increase in incident volume in the third quarter of 2017, and much of that increase revolved around cyber-attacks targeting various cryptocurrency platforms, as well as payment card breaches in the consumer goods sector that led to increased fraud activity on cybercriminal markets.

The financial sector (blue) saw above average risk scores for incident volume, effect impact, and targeted asset in Q3 when compared to all sectors (black).

Key takeaways from SurfWatch Labs’ threat intelligence findings for the period include:

  • Banks remained as the top trending group associated with cybercrime in the financials sector, accounting for nearly one quarter (24.4%) of the negative cyber events collected by SurfWatch Labs; however, that percentage was down from 38.1% in the first half 2017 and 35.8% across all of 2016.
  • That drop was largely attributed to increased activity in the specialty financials group, which saw its percentage of threat intelligence jump from 7.4% in the first half of 2017 to 19.4% in Q3 as malicious actors increasingly targeted cryptocurrency platforms.
  • Payment cards were the dark web target category to see the most significant increase, accounting for 14.6% of the financials sector’s dark web threat intelligence – a rise from 7.1% in the first half of 2017.
The financials sector saw an increase in the amount of threat intelligence collected by SurfWatch Labs beginning in July, and that increased volume continued throughout Q3 2017.

Malicious Actors Increasingly Targeting Cryptocurrency

Cybercrime incidents related to the banking group remained the most widespread in SurfWatch Labs’ Q3 threat intelligence data. However, when excluding our dark web data, many of the most noteable cyber-attacks – including all five of the top trending incidents for the period – occurred at cryptocurrency organizations in the specialty financials group.

Specialty financials accounted for 19.4% of the cybercrime threat intelligence collected by SurfWatch Labs during Q3, a significant increase from the 7.4% during the first half of 2017.

Several of the top trending cyber-attacks in Q3 revolved around the hijacking of Ethereum Initial Coin Offerings (ICO) in order to steal cryptocurrency. Notable attacks include:

    • In July, Coindash said that an actor gained access to its website during the company’s ICO and changed the text on the site to a fraudulent Ether wallet address – resulting in $10 million worth of Ether being stolen from investors.
    • Veritaseum also reported in July that it had $8.4 million worth of tokens stolen during its ICO as a result of a “very sophisticated” attack, which may have involved at least one corporate partner dropping the ball, according to the company’s founder.
    • In August, Enigma Catalyst said that investors were scammed out of approximately $500,000 of Ether when malicious actors hijacked the company’s website, mailing lists, and Slack accounts and subsequently offered a fake pre-sale to investors ahead of the company’s upcoming ICO.

In addition, there were a variety of other cryptocurrency-related attacks during the period. For example, a bug was found in the multi-signature wallet code used as part of Parity Wallet software, which led to wallets being exploited and reports of approximately $34 million worth of Ether being stolen before white hat hackers intervened to prevent an additional $85 million in theft. In addition, a malicious actor was also able to trick the hosting provider of the open source Classic Ether Wallet into hijacking the Classic Ether Wallet domain, resulting in potential theft as transactions were made on the site.

As cryptocurrencies continue to gain legitimacy and value, it is likely that malicious actors will continue to shift towards targeting them in both the near and long term. For example, one group is tracking over 150 active Ethereum scams heading into the fourth quarter of the year.  Exploiting the popularity of cryptocurrencies has proven to be highly profitable for both cybercriminals and state actors, such as North Korea.

Fraud Activity Increases on the Dark Web

SurfWatch Labs also observed an increase in the amount of fraud-related activity in Q3, with fraud accounting for 43.6% of financials dark web threat intelligence – a significant jump from previous periods. In the first half of 2017, fraud accounted for 24.4% of collected dark web intelligence, and during 2016 it accounted for 24%.

SurfWatch Labs collected a much larger percentage of fraud-related threat intelligence in Q3 2017 than during any other recent period.

Digging deeper into the data, it is clear that point-of-sale (POS) and other payment card breaches helped to drive a significant portion of fraud activity in Q3. In the first half of 2017, the target tag of “payment cards” appeared in only 8.3% of the dark web threat intelligence collected by SurfWatch Labs. In Q3 that number rose to 14.5%.

Some of the notable payment card breaches announced during Q3 include:


  • The fast food chain Sonic has been tied to at least a portion of five million fresh payment cards being sold on a cybercriminal market.
  • Whole Foods announced a POS breach involving its taprooms and restaurants.
  • Avanti announced a POS breach affecting an undisclosed number of the company’s self-serve snack kiosks.
  • Equifax’s massive breach included more than 200,000 payment cards.
  • B&B Theaters announced it was investigating a payment card breach that may date all the way back to 2015.
  • Sabre announced a breach affecting its SynXis Central Reservations system back in May, and affected hotels continued to issue breach notification letters throughout Q3.
  • Third-party vendor Aptos continues to be tied to payment card breaches at online retailers.

Other payment card breach notifications and investigations have continued to be announced in the days since Q3 ended, including a POS breach at Hyatt Hotels and Irish retailer Musgrave warning SuperValu, Centra, and Mace customers to be on the lookout for fraud. In addition, Flexshopper announced it exposed payment card information, and Tommie Cooper and Cricut announced they discovered malware on their website checkout pages.

Numerous organizations also warned of payment cards phishing scams during the period – including Netflix, Uber, E-ZPass, Newcastle University, and more. A number of other data breaches and leaks involved partial payment card information.


The financials sector continues to be the target of a wide range of attacks due to the nature of the data organizations hold and the services they provide. As we noted in our Fraud and the Dark Web whitepaper, the number of avenues through which malicious actors can carry out fraud has increased along with the number of digital accounts tied to financial information. However, Q3 saw an increase in more traditional payment card fraud activity on the dark web – likely resulting from several large one-off POS breaches, as well as issues at vendors that have spread through the supply chain to affect both in-person and online purchases.

On the flip side, the number of cryptocurrency related breaches, particularly those tied to Ethereum, have highlighted a shift that may have legs – particularly since there is less regulation and, in some cases, less security to circumvent in order to pull off multi-million dollar heists. For example, it was reported that at least one Slack account with administrative privileges at Enigma used a previously leaked password and didn’t require two-factor authentication. Likewise, the incident involving Classic Ether Wallet began by simply socially engineering a third party over the phone by impersonating the site’s owner. Malicious actors are quick to copy the successful techniques of their peers, and we will likely see similar attempts against cryptocurrency organizations in the future.

Weekly Cyber Risk Roundup: Another Ethereum Heist and FBI Warns Against Kaspersky Lab

Cryptocurrency theft was the week’s top trending cybercrime story as malicious actors were able to capitalize yet again on an upcoming Ethereum initial coin offering (ICO) to steal approximately $500,000 worth of Ether — this time from investors in the cryptocurrency platform Enigma.


Enigma said that malicious actors managed to compromise the domain, its Slack channel, and certain email lists. The actors then posted messages via the compromised channels claiming that the platform was offering a “pre-sale” of tokens ahead of next month’s official ICO.

Enigma CEO Guy Zyskind said the attack “joins a long list of other similar attacks plaguing the crypto-community.” For example, just last month there were three different multi-million dollar Ethereum heists: $34 million was stolen due to a bug in the code of the Parity Ethereum client and $10 million and $8.4 million were stolen during the ICOs of Coindash and Veritaseum.

“We want to make sure that no one in our community that was a victim to this well-coordinated phishing attack is financially hurt,” Zyskind said in a blog post. “We will restore funds to everyone that lost money in this recent scam attempt after our token sale concludes.”

With four large Ethereum thefts over just the past month, it is clear that malicious actors have found a new — and relatively simple — way to capitalize on the excitement of Ethereum investors. Similar attacks will likely occur in the future as malicious actors play copycat and attempt to capitalize on other ICOs for a quick payday.


Other trending cybercrime events from the week include:

  • Hacktivist and political leaks: Web hosting provider DreamHost had its services disrupted by a DDoS attack on Wednesday. It’s unclear who orchestrated the attack, but DreamHost was recently involved in several politically-charged news stories. The Anonymous-affiliated group AnonOps leaked the private cell phone numbers and email addresses of 22 Republican congressmen in an effort to get individuals to urge their members of Congress to condemn President Trump’s recent statements surrounding Charlottesville and push for his impeachment. The hacking group known as “Fancy Bear” released information related to doping in FIFA, including email exchanges between FIFA and representatives of anti-doping agencies, files showing the number of players using illegal substances, and therapeutic use exemption data, which gives athletes medical permission to take banned substances.
  • Healthcare-related breaches: A hacker claiming to represent Anonymous said he gained access to a database of NHS patient data managed by SwiftQueue and downloaded over 11 million records, but SwiftQueue said that its database only contains records for 1.2 million individuals and that its initial investigation suggests only 32,501 “lines of administrative data” have been accessed. MJHS Home Care is notifying patients that an employee email account was compromised due to a phishing incident and that patient information may have been exposed. The Institute for Women’s Health in Texas is notifying patients of the discovery of a keylogger on its network. Salina Family Healthcare Center is notifying patients that their personal information may have been compromised due to a June 18 ransomware infection. St. Mark’s Surgical Center is notifying patients of a April 13 ransomware infection that may have compromised their personal information.
  • Carbon Black says bug affected 10 customers: Cybersecurity company Carbon Black said that 10 of its customers were potentially impacted by a corner-case bug that may have resulted in some miscategorized files being uploaded to a third-party, cloud-based scanner. The bug was introduced in Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later, the company said, and required a series of other conditions in order to be triggered.
  • Other notable incidents: A database that appears to be associated with the online group hotel room booking service Groupize was found exposed on the Internet. The researchers who discovered the exposed database said it contained many hotel documents, including service agreements, earnings, and details about commissions, which allowed them to see “exactly how the discount hotel business model works in detail.” The City of Oceanside, California, has suspended its online utility bill payment system over concerns that the system may have been breached after multiple users reported that they received unauthorized charges on their payment cards. The hacking group OurMine hijacked the Twitter and Facebook accounts of Sony’s PlayStation Network (PSN) and claims to have a stolen PSN database; however, media outlets reported that there does not appear to be any evidence as of yet supporting the claims of a breached PSN database.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

2017-08-25_RiskScoresIn July, the U.S. government removed the Russia-based Kaspersky Lab from two lists of approved government vendors, and recently it was revealed the the FBI has been warning private organizations to stop using Kaspersky products as well.

The FBI has been briefing private companies on the threat since the beginning of the year, citing intelligence that claims to show the company is an unacceptable threat to national security, officials told CyberScoop. The FBI has prioritized briefing organizations in the energy sector and those that use ICS and SCADA systems, as well as large tech companies.

The officials claim that Kaspersky has deep and active relationships with Russian intelligence and have highlighted multiple specific accusations of wrongdoing, sources told CyberScoop.

Kaspersky denied the allegations, with a representative saying that the company is “caught in the middle of a geopolitical fight” and “has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”

CyberScoop reported that organizations using ICS and SCADA systems have been relatively cooperative and that some have already moved forward and signed deals with Kaspersky competitors. However, those in the tech space don’t have the same sense of urgency and have been less receptive to the FBI’s recommendations.

In addition, Reuters reported that a defense spending policy bill from the Senate Armed Services Committee was recently amended to prohibit the U.S. Defense Department from using Kaspersky software platforms because the company “might be vulnerable to Russian government influence.”

Weekly Cyber Risk Roundup: Three Ethereum Heists and NotPetya Fallout Continues

The cryptocurrency Ethereum made numerous headlines this past week due to three separate multi-million dollar thefts: one due to a bug in the code of the Parity Ethereum client, one caused by a website hack that redirected funds meant for the Initial Coin Offering (ICO) of Coindash, and one tied to a hacker managing to steal VERI tokens during the ICO of Veritaseum.


The largest theft involved a bug found in the multi-signature wallet code used as part of Parity Wallet software, which led to 3 wallets being exploited and reports of more than 150,000 ETH (approximately $34 million) being stolen. As Parity noted, a total of 596 multi-sig wallets were vulnerable, but the vast majority of the funds in those wallets were commandeered by a group known as the White Hat Group in order to prevent the theft of an additional 377,000 ETH (approximately $85 million).

That theft followed an announcement from Coindash that an actor had managed to gain access to its official website during the company’s ICO and changed the text on the site to an ether wallet address likely controlled by the attacker — resulting in investors sending $10 million worth of Ether to the fraudulent address. The company’s developers said that “all CoinDash investors will get their tokens”; however, Coin Desk reported that individuals who made transactions after the website was shut down will not be compensated.

Finally, Veritaseum confirmed that a malicious actor stole $8.4 million worth of VERI tokens from the platform’s ICO on July 23. The attackers immediately resold the tokens during the “very sophisticated” attack. Not much was disclosed about the attack, but “there is at least one corporate partner that may have dropped the ball and be liable,” the company’s founder said.


Other trending cybercrime events from the week include:

  • More information exposed due to errors: Dow Jones & Company confirmed that at least 2.2 million customers had their data exposed due to an Amazon Web Services S3 bucket that was configured to allow any AWS “Authenticated Users” to download the data. In addition, the leak contained the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations. Security researchers discovered an insecure database owned by the data services company DM Print that had 31,000 records, including administrative credentials for the database. With that information, anyone could access highly sensitive health information such as names, date of births, NIN numbers, addresses, investment data, and more. Travel company Flight Centre said that the personal information and customer passports “relating to some leisure customers in Australia was accidentally made available to a small number of potential third party suppliers for a short period of time.”
  • Insider breaches: An employee at Bupa copied and removed insurance information relating to 108,000 international insurance plans affecting 547,000 customers. The company said the data included names, dates of birth, nationalities, and some contact and administrative information. Detroit Medical Center is notifying 1,529 patients of a breach at a contracted staffing agency where an employee provided their information to unauthorized individuals. The breach occurred between March 2015 and May 2016. The Nova Scotia Health Authority said that 337 patients had their personal health information accessed inappropriately in two separate incidents involving six employees.
  • More energy sector warnings: The UK’s National Cyber Security Centre (NCSC) warned that state-sponsored actors are targeting the country’s energy sector and that  “a number of Industrial Control System engineering and services organisations” have likely been compromised. The warnings followed similar alerts from U.S. agencies about hackers successfully targeting U.S. energy companies. While other sectors have been targeted, the focus of the attacks are engineering, industrial control, and water sector companies, the NCSC said.
  • Other notable incidents: Domain name registrar Gandi said that an unauthorized connection that occurred at one of the technical providers it uses to manage a number of geographic TLDs led to 751 domains having their traffic forwarded to a malicious site exploiting security flaws in several browsers. There were 22 breach incidents in the Veterans Administration’s monthly reports to Congress between May 2016 and June 7, 2017, and only one of those breaches received any media coverage at the time, according to data obtained via a Freedom of Information Act request by A dark web vendor going by the name “dnu2k” is selling data tied to,, and other “freshly hacked emails.” The latest dump of CIA documents from WikiLeaks involves contractor Raytheon Blackbird Technologies providing “Proof-of-Concept ideas and assessments for malware attack vectors” to the agency.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week


The picture of the damage cause by the NotPetya global outbreak in late June continues to crystallize as more companies reveal the details and fallout of their infections.

For starters, FedEx said that some of the damage caused by the NotPetya attack may be permanent, particularly when it comes to TNT Express B.V., which FedEx acquired in May 2016. Some of TNTs customers were “still experiencing widespread service and invoicing delays” nearly three weeks after the NotPetya infection, according to SEC documents filed by FedEx.

“We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus,” FedEx wrote in its filing. That filing listed more a dozen types of costs and damages potentially resulting from the incident — ranging from operational disruption to remediation to permanent customer loss to litigation.

In addition, the France-based Compagnie de Saint Gobain SA said that a preliminary assessment of the NotPetya infection estimated the incident would cost the company approximately 1% of first half sales. That equates to approximately €200 million as a result of the attack, The Street reported.  

Earlier this month, The Guardian reported that Reckitt Benckiser, a British consumer goods company, may lose around €100 million due to NotPetya. In addition, Mondelez, the maker of Oreo cookies, said that the attack had disrupted shipping and invoicing during the last four days of the second quarter and that in a few markets the company had “permanently lost some of that revenue due to holiday feature timing.”

NotPetya may not have generated nearly as much extortion money as other ransomware — if that was even its intention to begin with — however, the global attack has proven quite impactful for numerous organizations so far. The second half of 2017 will likely see the total costs of the attack become more clear as other organizations reveal more details about how NotPetya affected their operations — and how the fallout from the attack has impacted the year’s financial projections.

Weekly Cyber Risk Roundup: Cryptocurrency Wallets Emptied and a Dozen Power Plants Breached

Cryptocurrency theft was among the week’s top trending cybercrime practices due to users at both South Korean cryptocurrency exchange Bithumb and Classic Ether Wallet reporting that their digital currency wallets were emptied due to cyber-attacks.


Bithumb reported that one of its employees personal computers had been hacked in February 2017 and that the personal details of 31,800 Bithumb website users (about 3 percent of total users) had been compromised as a result. The stolen data included users’ names, mobile phone numbers, and email addresses. The exchange said there was no direct access to funds stored on the exchange; however, it appears the attackers were able to use the contact information to carry out phishing attacks against Bithumb users in order to obtain the one-time passwords needed to gain access those users’ funds.

One user reported losing as much as 1.2 billion won ($1.04 million) in the attack. Bithumb said shortly after the attack that it would pay up to 100,000 won ($87) to victims. Additional compensation will be available once individual losses are verified, the company said, but it is unclear if victims will be fully reimbursed.

Users of the Classic Ether Wallet also reported having their wallets emptied earlier this month. That theft appears to be due to a malicious actor managing to socially engineer the service’s German hosting provider 1&1 into handing over access to the domain. The actor then switched the site’s settings to direct the funds to his or her own malicious server. Multiple users who visited and provided their private key while the site was in control of the fraudsters reported that they had their account emptied. Exact losses due to the incident is unclear, but some media outlets reported it could be nearly $300,000 worth of Ethereum Classic cryptocurrency.


Other trending cybercrime events from the week include:

  • Large databases exposed: Two databases containing the personal information of 3 million WWE fans were exposed to the Internet without requiring a username and password. The data included names, email and physical address, educational background, earnings, and ethnicity. UK car insurance company AA exposed the sensitive information of over 100,000 customers due to insecure database backups related to AA’s online store and never informed those customers of a breach, Motherboard reported. The database obtained by Motherboard included 117,000 unique email addresses, names, physical and IP addresses, details of purchases, and payment card information such as the last four digits of the card and its expiration date.
  • Insiders lead to extortion, theft: A former Dentons litigation associate in Los Angeles has been charged with extortion over allegedly demanding that his former law firm pay him $210,000 and give him a piece of artwork or else he would leak sensitive data to the Above the Law blog. According to court documents, the man accessed confidential information when one of the firm’s partners gave him access to his email while working a case. A crime analyst with the Smyrna Police Department was charged with 31 counts of computer theft over the alleged theft of information without authorization, including the driver’s licenses and mobile data of 28 victims.
  • Sabre confirms breach affecting multiple companies: Sabre said its investigation into a previously disclosed breach found that an unauthorized party was able to use compromised account credentials to gain access to payment card information and certain reservation information for a subset of hotel reservations processed through the SHS SynXis Central Reservations system. The breach occurred over a seven-month period from August 2016 to March 2017. Sabre said it notified partners and customers that use the reservations system, as well as some travel management companies and travel agencies that booked travelers that may have been affected. Sabre did not disclose the total number of individuals affected by the breach.
  • Other notable incidents: A Georgia men pleaded guilty to charges related to a BEC scam that defrauded Sedgwick County out of $566,000. Anonymous Bulgaria has leaked files from the Azerbaijan Embassy in Bulgaria that claim Silk Ways Airlines has carried tens of tons of heavy weapons and ammunition headed to terrorists under the cover of 350 diplomatic flights. Cove Family & Sports Medicine said that a ransomware infection encrypted medical records as well as a portion of its backup records. Walnut Place said that while it was investigating a previous ransomware infection it was affected by a second ransomware incident. Medicaid members in Indiana are being warned that their patient information was potentially accessible between February and May of 2017. Wooster-Ashland Regional Council of Governments said that its computer network as breached on May 26 and more than 200,000 records were compromised. The Simcoe County District School Board is warning parents of a potential privacy breach at Collingwood Collegiate Institute involving their email addresses and phone numbers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

2017-07-07_RiskScoresRussian state-sponsored hackers are responsible for recent cyber-intrusions into the business systems of U.S. nuclear power plants and other energy companies, government officials said. It is the first time Russian government hackers are known to have compromised the networks of U.S. nuclear plants, the officials added.

The statements followed a joint alert from the FBI and Homeland Security at the end of June that warned APT actors were targeting employees in the energy sector with phishing messages and watering hole attacks designed to harvest credentials that could be used to gain access to victims’ networks. The attackers were observed sending highly targeted messages to senior industrial control engineers containing fake resumes for control engineering jobs, as well as compromising websites commonly visited by their target victims and deploying man-in-the-middle attacks.

There is no evidence of any breaches or disruptions of the cores systems controlling operations at the plants, The Washington Post reported. Instead, the focus appears to be on systems dealing with business and administrative tasks, such as personnel. The New York Times reported that the joint DHS and FBI report concluded that the hackers appeared determined to map out computer networks — potentially with a goal of carrying out more destructive attacks in the future. Bloomberg reported that at least a dozen power plants had their networks breached by the APT actors, including the Wolf Creek nuclear facility in Kansas.

“There was absolutely no operational impact to Wolf Creek,” a spokeswoman for the nuclear plant said. “The reason that is true is because the operational computer systems are completely separate from the corporate network.”

However, as we’ve seen in attacks just this week, potentially compromised personnel and business data could be leveraged in future targeted phishing messages to gain more information or access — or to find a weak point or an individual that may be leveraged for future attacks.

AlphaBay to Begin Accepting Ethereum as the Bitcoin Alternative Grows More Popular

Beginning next month, malicious actors using the dark web marketplace AlphaBay will be able to buy and sell their goods using the growing cryptocurrency platform Ethereum. Ethereum will become the third payment option available on the market, joining the longstanding cryptocurrency king bitcoin as well as the privacy-focused Monero, which was adopted by AlphaBay last September.

The announcement is good news for fans of Ethereum, whose Ether cryptocurrency has seen a continued surge of growth in 2017 and is the second most popular cryptocurrency after bitcoin.

AlphaBay will begin accepting Ethereum deposits and withdrawals on May 1, an administrator announced on the site’s forum in March.

Bitcoin is by far the most well-known cryptocurrency, and it has been widely adopted by malicious actors and dark web markets as a convenient and semi-anonymous form of digital payment. In fact, cryptocurrencies like bitcoin, dark web markets like AlphaBay, and extortion payments like ransomware are interconnected in that the growth of one has helped spur the growth of the others.

However, bitcoin is currently experiencing growing pains, and Ethereum has emerged over the past year as its main rival. Ethereum’s proponents claim that is it is a more versatile and scalable cryptocurrency. In fact, the idea of Ethereum goes beyond just currency, which is why it and other blockchain companies have been described as bitcoin 2.0. If bitcoin was about creating a decentralized payment system, Ethereum is about using that same concept to radically re-architect everything on the web — as Ethereum creator Vitalik Buterin describes it.

Fortune magazine explained in a September 2016 profile:

Ethereum’s power lies in its ability to automate complex relationships encoded in so-called smart contracts. The contracts function like software programs that encapsulate business logic — rules about money transfers, equity stake transfers, and other types of binding obligations — based on predetermined conditions. Ethereum also has a built-in programming language, called Solidity, which lets anyone build apps easily on top of it.

There’s ongoing debate over just how secure other cryptocurrencies are compared to bitcoin. For example, in June 2016 a hacker was able to exploit a flaw in the smart contract used by The DAO, a crowdsourced venture capital platform based on the Ethereum blockchain, in order to steal more than $50 million worth of Ether.

A controversial solution to address the theft was proposed, known as a “hard fork.” Cryptocurrencies use the concept of a blockchain, which is essentially a decentralized and agreed upon ledger of all the transactions that have occurred. The hard fork would change the agreed upon rules and create a new path forward for the currency — one that would invalidate the theft. However, some Ethereum users argued that the idea of hard fork went against the very principles of a decentralized network that was designed to combat a single authority. Those that eventually rejected the fork are now on a parallel version of the blockchain, Ethereum Classic, while the rest of the community moves forward on the other fork as Ethereum.

Despite the troubles, Ethereum continues to thrive. The concept of disrupting existing business models with decentralized blockchains has gained Ethereum interest not just from dark web markets, but from legitimate companies. In February it was announced that 30 organizations — including JPMorgan Chase, Microsoft, and Intel — would team up under the Enterprise Ethereum Alliance to enhance the privacy, security, and scalability of the Ethereum blockchain.

Ethereum’s Value: Past 90 Days

Ethereum’s market cap has grown significantly on the heels of recent announcements, according to CoinMarketCap.

All of that news has helped to more than quadruple the market cap of Ethereum in 2017, from less a billion in January 2017 to around $4 billion on April 6.

It’s still nearly a month before the option goes live, so it is unclear how many security-obsessed cybercriminals on the dark web will actually use the payment option — or if they will stick with bitcoin. Nevertheless, being adopted by AlphaBay, which is by far the most popular dark web market according to SurfWatch Labs’ data, could potentially be a huge boost for Ethereum.