How North Korean Hackers Emerged as One of the Biggest Threats to the Crypto Ecosystem? (#95 - 23 April 2022)

The Future of Money with Henri Arslanian
By Henri Arslanian • Issue #90
Dear Friends, 
Last week we learned that North Korea’s Lazarus Group was behind the recent $540 million exploit of Ronin Bridge, one of the biggest attacks in crypto history. 
How did North Korea-linked groups emerge as one of the most sophisticated crypto and money laundering groups in this space? How big is the problem? I cover it all below.
Here we go!

A major development in the crypto ecosystem took place last week when the Office of Foreign Assets Control (OFAC) sanctioned a North Korean cybercriminal cartel known as Lazarus Group that was behind last month’s exploit of the Ronin Bridge. 
Source: U.S. Department of the Treasury
As we covered at the time, Ronin Bridge, which links the popular play-to-earn game Axie Infinity with the Ethereum mainnet, was exploited for over $540 million worth of ETH and USDC funds on March 23. But in the following days, those funds ballooned to over $600 million in value.
Source: Elliptic
On April 14, OFAC added an ETH address to Lazarus Group’s entry. That same address was linked to the Ronin exploit, with stolen funds moving from Ronin to the wallet address controlled by Lazarus Group. 
The identification of the criminal actors behind one of the biggest hacks in crypto history underscores the growing threat that North Korean cybercriminals continue to pose to the digital assets ecosystem. 
For instance, Chainalysis’ 2022 Crypto Crime Report shows that North Korean hackers launched at least seven major attacks on crypto platforms last year, looting roughly $400 million worth of digital assets.
The attacks primarily targeted investment firms and centralized exchanges, with hackers using a combination of social engineering, malware, code exploits, and phishing schemes to drain funds from those platforms and into wallet addresses ultimately controlled by the North Korean government. 
Lazarus Group, in particular, has emerged as one of the most advanced hacking groups operating out of the country.
Led by North Korea’s intelligence agency, Lazarus Group gained mainstream notoriety for its role in two of the biggest cyberattacks of the last decade: the hack of Sony Pictures and the WannaCry ransomware attacks.
According to Chainalysis, since 2018 the group has stolen and laundered on average $200 million worth of digital assets per year.
One of their biggest schemes was the 2020 exploit of centralized exchange KuCoin, in which $275 million in crypto funds was siphoned from the platform. The amount that was stolen from the KuCoin attack actually represented more than half the value of all stolen crypto assets in 2020. In this case, the hackers were able to pull off their heist after gaining access to the private keys to KuCoin’s hot wallets.  
The level and sophistication of these attacks continued into 2021, with Chainalysis identifying a 40% jump in total value stolen compared to the previous year. 
Source: Chainalysis
And if you focus on the dollar value of the stolen assets, you can see that Bitcoin now accounts for less than 25% of all crypto assets stolen by North Korean-linked groups.
In fact, last year Bitcoin represented only 20% of stolen funds. ETH, on the other hand, represented 58% of stolen funds, with other altcoins and ERC-20 tokens accounting for the remaining 22%.
Source: Chainalysis
The variety of stolen crypto assets ultimately reflects North Korea’s increasingly sophisticated approach to money laundering.
One of the best-known examples that illustrates this is the August 2021 hack of, in which bad actors gained access to several wallet addresses on the platform.
Large quantities of Bitcoin, ETH, and 67 different ERC-20 tokens were moved into these addresses, with the stolen ERC-20 tokens quickly swapped for more ETH at decentralized exchanges (DEXs), which conduct no KYC or AML checks. 
Source: Chainalysis
The ETH was then sent to a mixer and swapped for Bitcoin. 
Source: Chainalysis
After being sent to another mixer, the stolen Bitcoin was sent to centralized exchanges based in Asia that provide fiat off-ramps for the criminals to cash out. 
Source: Chainalysis
As Chainalysis and Elliptic both show, mixing has become central to North Korea’s money laundering strategy, with over 65% of stolen crypto assets laundered through such mixers last year alone. 
Source: Chainalysis
In the case of last month’s Ronin Bridge exploit, the smart contract-based mixer Tornado Cash played an integral role, mixing over $80 million of the $107 million stolen ETH.
Source: Elliptic
Mixers like Tornado Cash are able to pool and scramble assets from thousands of different addresses, making the origins of these funds difficult to identify for investigators and, thus, a very attractive tool for criminal actors to employ. 
Meanwhile, in their 2022 Crypto Crime Report, Chainalysis identified $170 million worth of unlaundered crypto holdings held by North Korean cybercriminal groups, representing the stolen funds from 49 different hacks that occurred over a five-year period from 2017 through 2021.
$55 million worth of unlaundered funds from 2016 also continues to sit in government-controlled wallets. 
Source: Chainalysis
Why these funds continue to remain unlaundered is anyone’s guess, but it could be a concerted “lay low” strategy adopted by the North Korean government.
But regardless of why, these trends suggest that these hacks are systematic, deliberate, and sophisticated in nature, not just some reckless hacks where criminals are quick to try and cash out. 
And what is especially troubling at the macro level is that, according to a report from the UN Security Council, the revenue generated from attacks on the crypto ecosystem ultimately flows into North Korea’s nuclear weapons program. 
But fortunately, as we’ve seen in two high-profile cases from earlier this year, investigators are growing increasingly sophisticated themselves in working with blockchain’s traceability tools to identify these actors.
And in the case of the alleged suspect behind the 2016 hack of The DAO, even previously impossible-to-decipher technology like mixers is now being “de-mixed” by authorities to unmask the true source of stolen funds. 
So it will be very interesting to see how these bad actors will respond to the growing maturation of investigators and forensics groups operating in this space moving forward. 
Definitely a development to follow.
See you all next week!! 
Henri Arslanian
*Please note that this newsletter reflects Henri’s personal views and not those of any organisation he is involved with. This newsletter is for educational purposes only and none of its content should be construed as investment or financial advice of any kind. 