In a blog post published yesterday (September 8, 2022), the blockchain forensics firm Chainalysis first noted:
One of the most troubling trends in crypto crime right now is the stunning rise in funds stolen from DeFi protocols, and in particular cross-chain bridges. Much of the value stolen from DeFi protocols can be attributed to bad actors affiliated with North Korea, especially elite hacking units like Lazarus Group. We estimate that so far in 2022, North Korea-linked groups have stolen approximately $1 billion of cryptocurrency from DeFi protocols.
[Plante, E. $30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers To Profit. (Accessed September 9, 2022)].
However, Erin Plante, Senior Director of Investigations and Special Programs at Chainalysis, went on to announce:
With the help of law enforcement and leading organizations in the cryptocurrency industry, more than $30 million worth of cryptocurrency stolen by North Korean-linked hackers has been seized. This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last.
[Id].
"The $30 million recovery of funds is one of the largest recoveries of funds from North Korea’s Lazarus hacking group, Chainalysis announced in a blog post. The funds represent only 10% of the $620 million stolen from Ronin bridge, based on today’s prices. The hack originally occurred in late March. Since the heist was performed, the U.S. Treasury and FBI have been working together to recover funds from the criminals, and the recovery news flags off the aggressive recovery efforts undertaken in a short period of time" [Bahati, R. $30M Recovered From Axie Infinity (AXS) Ronin Bridge Hack. (Accessed September 9, 2022)].
According to Chainalysis, Lazarus Group, the North Korea-linked entity behind the attacks, first used sophisticated money-laundering techniques: sending stolen Ether (ETH) to the crypto mixer Tornado Cash, swapping it for Bitcoin (BTC), sending the Bitcoin through a mixer again, and then cashing out at exchanges. However, the group recently moved away from such techniques after the U.S. Department of the Treasury imposed sanctions on Tornado Cash wallet addresses. Chainalysis explains that in response, Lazarus Group hackers switched to, perhaps ironically, laundering the stolen crypto via cross-chain bridges on legitimate decentralized finance platforms.
[Sun, Z. Law enforcement recovers $30 million from Ronin Bridge hack with the help of Chainalysis. (Accessed September 9, 2022)].
More specifically, Chainalysis details these actions as follows:
The attack began when the Lazarus Group gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge. They used this majority to approve two transactions, both withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC). They then initiated their laundering process – and Chainalysis began tracing the funds. The laundering of these funds has leveraged over 12,000 different crypto addresses to date, which demonstrates the hackers’ highly sophisticated laundering capabilities.
[Plante, supra].
Basically, the North Korean hackers follow five steps in DeFi laundering:
- Stolen Ether sent to intermediary wallets
- Ether mixed in batches using Tornado Cash
- Ether swapped for bitcoin
- Bitcoin mixed in batches
- Bitcoin deposited to crypto-to-fiat services for cashout
[Id].
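The five-step pattern above lends itself to a simple "follow the money" tracer. The following is an added example, not Chainalysis' code or method: every address, block number and amount is constructed, the service labels stand in for an attribution dataset, and linking a deposit into a mixer or swap to that service's outflows within a block window is a toy heuristic (real demixing analysis is far more involved). It also enforces two constraints any tracer needs: funds cannot leave an address before they arrived, and a withdrawal far outside the window is not linked.

```python
from collections import deque
# Hypothetical attribution data (constructed): service address -> service type.
LABELS = {"0xmixer": "mixer", "0xswap": "swap", "bc1mix": "mixer", "bc1exch": "exchange"}
WINDOW = 50  # blocks; toy linking heuristic standing in for real demixing analysis

# Constructed ledger rows (block, from_addr, to_addr, asset, amount) following the five steps.
LEDGER = [
    (100, "0xtheft", "0xint1", "ETH", 200.0),   # step 1: stolen ETH to intermediary wallets
    (100, "0xtheft", "0xint2", "ETH", 100.0),   # this wallet never moves its funds (unspent)
    (90, "0xint1", "0xold", "ETH", 1.0),        # predates the theft inflow: must be ignored
    (110, "0xint1", "0xmixer", "ETH", 100.0),   # step 2: ETH mixed in fixed-size batches
    (130, "0xmixer", "0xpost1", "ETH", 100.0),  # withdrawal inside the window: linked
    (300, "0xmixer", "0xlate", "ETH", 100.0),   # outside the window: not linked
    (150, "0xpost1", "0xswap", "ETH", 100.0),   # step 3: ETH swapped for BTC
    (151, "0xswap", "bc1a", "BTC", 6.0),
    (160, "bc1a", "bc1mix", "BTC", 6.0),        # step 4: BTC mixed
    (170, "bc1mix", "bc1b", "BTC", 6.0),
    (180, "bc1b", "bc1exch", "BTC", 6.0),       # step 5: deposited at a cash-out service
]
def trace(ledger, origin, labels, window=WINDOW):
    """Breadth-first 'follow the money' from `origin`: ordinary addresses are followed via
    outflows at or after the traced funds arrived; a deposit into a labelled service is linked
    (toy heuristic) to that service's outflows within `window` blocks, equal amount if same asset."""
    by_src = {}
    for row in ledger:
        by_src.setdefault(row[1], []).append(row)
    hits, seen, queue = [], {origin}, deque([(origin, 0)])
    while queue:
        addr, arrived = queue.popleft()
        for blk, _, dst, asset, amt in by_src.get(addr, []):
            if blk < arrived:                 # funds had not reached `addr` yet
                continue
            if dst not in labels:             # ordinary address: follow it directly
                if dst not in seen:
                    seen.add(dst); queue.append((dst, blk))
                continue
            hits.append((labels[dst], asset, amt))
            for oblk, _, odst, oasset, oamt in by_src.get(dst, []):
                linked = blk < oblk <= blk + window and (oasset != asset or oamt == amt)
                if linked and odst not in seen:
                    seen.add(odst); queue.append((odst, oblk))
    return hits, seen

def summarize(hits, seen):
    """Per-asset totals sent into mixers, cash-out deposits and distinct addresses traced."""
    mixed = {}
    for service, asset, amt in hits:
        if service == "mixer":
            mixed[asset] = mixed.get(asset, 0.0) + amt
    return {"addresses": len(seen), "mixed": mixed, "cashout": [(a, v) for s, a, v in hits if s == "exchange"]}
```

Running `summarize(*trace(LEDGER, "0xtheft", LABELS))` reports the ETH and BTC pushed into mixers, the single exchange deposit at the end of the chain, and the six addresses touched, with the pre-theft outflow and the late mixer withdrawal correctly left out.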
Chainalysis reports that the Lazarus Group replicated the above steps with large portions of the Ronin Bridge hack, and further supplies a chart visualizing these steps.
However, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) recently sanctioned Tornado Cash for its role in laundering over $455 million worth of cryptocurrency stolen from Axie Infinity. Since then, Lazarus Group has moved away from the popular Ethereum mixer, instead leveraging DeFi services to chain hop, or switch between several different kinds of cryptocurrencies in a single transaction. Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate. Lazarus appears to be using bridges in an attempt to obscure the source of funds. With Chainalysis tools these cross-chain fund movements are easily traced.
[Id].
The Chainalysis blog ends with:
Cryptocurrency’s transparency is instrumental to investigating hacks like the one suffered by Axie Infinity. Investigators with the right tools can follow the money to understand and disrupt a cybercrime organization’s laundering activities [...] [T]hese seizures would not have been possible without collaboration across the public and private sectors. Much of the funds stolen from Axie Infinity remain unspent in cryptocurrency wallets under the hackers’ control. We look forward to continuing to work with the cryptocurrency ecosystem to prevent them and other illicit actors from cashing out their funds.
[Id].
"The director of investigations says that the rapid growth in money theft from DeFi protocols, especially cross-chain bridges, is one of the most alarming developments in cryptocurrency crime at the moment" [Jyothsna. U.S Authorities Recovered the Hacked Cryptocurrency?. (Accessed September 9, 2022)].
"It is also estimated that North Korean criminal groups have so far taken off with $1 billion of cryptocurrency from DeFi protocols in 2022 alone. North Korea’s Lazarus Group has long resorted to illicit activities to gin up the badly needed cash. It gained popularity when it stole from Sony Pictures Entertainment and recently used Tornado Cash, which has been sanctioned by the US authorities" [Bahati, supra].