North Korean hackers are still getting the money they stole from Axie Infinity
The gang, identified by the Treasury as the Lazarus Group and also known for the 2014 Sony Pictures hack, has laundered nearly $100 million, about 17 percent, of the stolen cryptocurrency, according to blockchain analytics firm Elliptic. They moved what they had beyond the reach of US authorities by converting it into the cryptocurrency Ether, which, unlike the tokens they originally stole, cannot be frozen remotely. Since then, the gang has worked to hide the assets primarily by sending installments of them through a program called Tornado Cash, a service known as a mixer that pools digital assets to obscure who owns them.
Authorities and major players in the crypto industry are scrambling to keep up. The Treasury Department sanctioned three more addresses linked to the gang on Friday, and Binance, a major international crypto exchange, announced it had frozen $5.8 million in cryptocurrency that the hackers transferred to its platform.
The cat-and-mouse game unfolding between law enforcement and North Korean hackers is another example of how criminals have learned to target growing vulnerabilities in the crypto economy. They exploit faulty code in decentralized crypto platforms, use tools that help them hide their tracks, such as converting assets into privacy-enhancing cryptocurrencies like Monero, and take advantage of inconsistent coordination among law enforcement agencies across international borders.
The North Korea case also shines a spotlight on a crypto industry that is keen to demonstrate its credibility to regulators, investors, and clients while staying true to the spirit of freedom that animates cryptocurrency. Some of the largest companies in the sector say they welcome government oversight and are promoting their investments in internal compliance programs.
However, a review by The Washington Post of crypto accounts sanctioned by the US Treasury over the past year and a half found that four wallets were still able to transact months after they were placed on the administration’s blacklist. The apparent gaps stem from defective or incomplete compliance programs at Tether and the Center Consortium, a pair of companies involved in issuing so-called stablecoins, a type of cryptocurrency whose value is pegged to an external asset, usually the dollar.
“We are at a particularly important moment: everyone is still learning what is possible and how attacks can happen, and the borderless nature of crypto makes it difficult to apply standards globally,” said Chris DePow, Elliptic’s chief compliance officer. “These are people who act all over the world. Even if you enforce very well in one jurisdiction, if there are other jurisdictions with weaker enforcement, you will still have a problem.”
Digital thieves are on their way to a record year. They stole $1.3 billion worth of cryptocurrency in the first three months of the year, after taking $3.2 billion in 2021, according to blockchain data firm Chainalysis. Another major theft took place last Sunday, when about $76 million in digital assets was stolen from a crypto project called Beanstalk, according to Etherscan data.
As the successes of cybercriminals mount, so does the urgency of US authorities, who have come to view the attacks as threats to national security. The Lazarus Group, for example, is an important source of funding for North Korea’s nuclear and ballistic missile programs, according to UN investigators. Last spring, Russian hackers temporarily disrupted the operations of a major US fuel pipeline and the world’s largest meat supplier, relenting only after ransoms worth millions of dollars in cryptocurrency were paid. (Much of the Colonial Pipeline ransom was later recovered.)
The Russian invasion of Ukraine increased the focus of policy makers on this issue. Some lawmakers have expressed concern that the Russian government and oligarchs may use cryptocurrency to evade international sanctions that are stifling their access to traditional financial channels.
So far, they haven’t. “It’s hard to imagine that happening with cryptocurrency,” Treasury Secretary Janet Yellen said Thursday. But the department is also taking no chances. It imposed sanctions on Russian mining company Bitriver and 10 of its subsidiaries on Wednesday, explaining in a statement that the Biden administration “is committed to ensuring that no asset, no matter how complex, becomes a mechanism for the Putin regime to offset the impact of the sanctions.”
US authorities also continue to target Russian cybercriminals and the crypto platforms they rely on to enable their attacks. Earlier this month, US law enforcement announced the shutdown of Russia’s Hydra Market, a darknet marketplace that allegedly sold hacked personal information, drugs and hacking services.
As part of the campaign, the Treasury Department also imposed sanctions on Garantex, a Russian crypto exchange that the department said has processed more than $100 million in illicit transactions, including $2.6 million linked to Hydra. The Treasury said the move builds on sanctions it imposed last year against two other Russian cryptocurrency exchanges, Suex and Chatex, all three of which operate out of the same office tower in Moscow’s financial district.
Elliptic’s DePow said the designations mean that any crypto company that interacts with the US financial system must block transactions with sanctioned entities. However, The Post’s review found that neither Tether nor the Center Consortium blocked all transactions involving sanctioned addresses.
Tether continues to allow transactions with crypto accounts allegedly belonging to Chatex, more than half of whose business has been tied to illicit or high-risk activity, including ransomware attacks, according to the Treasury. One Tether address received and then sent about $15,000 as recently as April 19, according to a Post review of Etherscan’s blockchain data. Another received, then sent, nearly $42,000 in the past six months.
In a statement, Tether said it was “constantly monitoring the market to ensure there are no irregular movements or actions that may conflict with applicable international sanctions.” Chatex did not respond to requests for comment.
Not all transactions with sanctioned addresses are illicit: sometimes mainstream exchanges consolidate existing funds into sanctioned accounts that no longer benefit the accused hackers who previously controlled them. Sometimes the Treasury approves individual transactions with sanctioned accounts.
Separately, the Center Consortium, a joint venture between US crypto firms Coinbase and Circle that issues USD Coin, the second-largest stablecoin, failed to freeze three Russian hackers’ wallets until months after the Treasury imposed sanctions on them. Two of the accounts, blacklisted in September 2020, belong to Artem Lifshits and Anton Andreyev, two employees of the Russian hacking group that led the country’s interference in the 2016 US presidential election. The third was linked to Yevgeny Polyanin, on whom the Treasury Department imposed sanctions in November for carrying out ransomware attacks as part of the REvil cybercriminal gang.
The Center did not freeze those wallets until March 29, when, a company spokesperson said, it conducted an audit of sanctioned accounts and discovered it had “not picked up these addresses.” The wallets did not transact during that time.
“We are constantly reviewing what we are doing to ensure that we are state-of-the-art in our compliance,” a Center spokesperson said. “Through this review, we identified three addresses that had been missed, and took action immediately.”
John Smith, a former director of the department’s Office of Foreign Assets Control and now a partner at Morrison & Foerster, said the Treasury Department requires US companies to freeze sanctioned accounts once they are blacklisted and report doing so within 10 days. He said the administration can apply stiff penalties to violators even if they don’t know they are out of compliance, although it tends to focus on the more egregious issues.
“They go after entities or individuals they believe have intentionally or recklessly violated sanctions,” Smith said.
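The compliance failures described above (sanctioned addresses that were "not picked up", transfers that kept flowing after designation) come down to one mechanical step: screening every transfer's counterparties against the current blacklist and freezing on a hit. The following is an added illustration, not code from The Post, Tether, the Center Consortium or any real compliance system. Every address, transaction hash and amount in it is a constructed placeholder, not a real sanctioned address. It shows the screening check in Python and the specific way a naive implementation misses entries: Ethereum addresses are 20-byte hex strings that may be written in lowercase or in mixed "checksummed" case, so comparing raw strings lets a listed address slip through when it appears in a different case.

```python
"""Sanctions screening of on-chain transfers (added example; constructed data)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")

# CONSTRUCTED placeholders standing in for a regulator's blacklist.
# The first is written in mixed (checksum-style) case, as lists often publish them.
SANCTIONED_ADDRESSES_RAW = [
    "0xAbCdEf0000000000000000000000000000000001",
    "0x0000000000000000000000000000000000000002",
]


def normalize_address(addr: str) -> str:
    """Canonical form: '0x' + 40 lowercase hex digits. Rejects malformed input
    rather than silently comparing garbage."""
    a = addr.strip()
    if a[:2] in ("0x", "0X"):
        a = a[2:]
    if len(a) != 40 or any(c not in HEX_DIGITS for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return "0x" + a.lower()


@dataclass(frozen=True)
class Transfer:
    tx_hash: str       # placeholder identifier, not a real transaction hash
    sender: str
    recipient: str
    amount_usd: float


# CONSTRUCTED sample traffic. tx-1's sender is the first listed address written
# in lowercase; tx-2's recipient matches a listed address exactly; tx-3 is clean.
SAMPLE_TRANSFERS = [
    Transfer("tx-1", "0xabcdef0000000000000000000000000000000001",
             "0x00000000000000000000000000000000000000aa", 15_000.0),
    Transfer("tx-2", "0x00000000000000000000000000000000000000bb",
             "0x0000000000000000000000000000000000000002", 42_000.0),
    Transfer("tx-3", "0x00000000000000000000000000000000000000cc",
             "0x00000000000000000000000000000000000000dd", 500.0),
]


def naive_screen(transfers: Iterable[Transfer],
                 blocklist_raw: Iterable[str]) -> List[str]:
    """Exact string comparison against the list as published.
    Misses any listed address that appears on-chain in a different case."""
    blocklist = set(blocklist_raw)
    return [t.tx_hash for t in transfers
            if t.sender in blocklist or t.recipient in blocklist]


def screen_transfers(transfers: Iterable[Transfer],
                     blocklist_raw: Iterable[str]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Normalize both sides before comparing. Returns (tx_hash, roles) for each
    transfer touching a listed address, where roles says which side matched."""
    blocklist = {normalize_address(a) for a in blocklist_raw}
    flagged = []
    for t in transfers:
        roles = tuple(role for role, addr in (("sender", t.sender),
                                              ("recipient", t.recipient))
                      if normalize_address(addr) in blocklist)
        if roles:
            flagged.append((t.tx_hash, roles))
    return flagged


def frozen_value_usd(transfers: Iterable[Transfer],
                     blocklist_raw: Iterable[str]) -> float:
    """Total value that a correct screen would have held back."""
    hits = {h for h, _ in screen_transfers(transfers, blocklist_raw)}
    return sum(t.amount_usd for t in transfers if t.tx_hash in hits)


if __name__ == "__main__":
    print("naive:     ", naive_screen(SAMPLE_TRANSFERS, SANCTIONED_ADDRESSES_RAW))
    print("normalized:", screen_transfers(SAMPLE_TRANSFERS, SANCTIONED_ADDRESSES_RAW))
    print("value held:", frozen_value_usd(SAMPLE_TRANSFERS, SANCTIONED_ADDRESSES_RAW))
```

Run as-is, the naive screen flags only tx-2 while the normalized screen flags tx-1 and tx-2, which is exactly the "address on the list but not picked up" gap. In practice the blacklist should be re-fetched on a schedule and the screen run on every deposit, withdrawal and internal transfer, with hits both frozen and logged so the 10-day reporting obligation mentioned above can be met from the records.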
A Treasury Department spokesman did not respond to a request for comment.
Nor did Tornado Cash when contacted through a founder. The mixer is also how whoever stole $75 million from the Beanstalk project laundered the proceeds. That upset investor AJ Pikul, who says he lost about $150,000 in the hack. “I am not very happy about being able to launder money through cryptocurrency at all,” he told The Post via email.
“I feel like we’re in a digital arms race between the good guys and the bad guys,” he said.