A bid by cybercriminals to launder $100 million in a crypto heist on June 23 bears the hallmarks of North Korean hacking operations, blockchain experts say, potentially marking the latest in a series of digital currency thefts that US officials fear could fund Pyongyang’s missile programs.
North Korean hackers have already stolen hundreds of millions of dollars in crypto this year, US officials say, targeting a largely unregulated sector with sometimes lax cybersecurity. Last week’s theft from the crypto project known as Harmony would be the eighth such incident this year, bringing the total stolen to about $1 billion, according to analytics company Chainalysis Inc.
Hackers linked to Pyongyang have for years balanced traditional espionage operations with financially motivated cybercrime designed to support the regime, said Luke McNamara, principal analyst at the cybersecurity firm Mandiant.
Such efforts previously focused on banks or financial infrastructure. But the hackers are increasingly turning their attention to crypto exchanges and, even more recently, to decentralized finance projects, Mr. McNamara said. “DeFi” aims to displace traditional lenders and brokerage firms by enabling peer-to-peer transactions through distributed public ledgers known as blockchains.
“They are incredibly creative. They are adaptive,” Mr. McNamara said. “They will find new ways to target this ecosystem.” Mandiant did not identify who was behind the cyberattack on Harmony.
Harmony did not respond to requests for comment.
US officials have pushed for tighter crypto regulations in recent months and imposed a series of sanctions designed to slow or stop stolen funds from reaching North Korea. But cybersecurity and blockchain experts warn that Pyongyang may continue to cash in on at least some of its thefts through a money-laundering strategy that relies on digital tools with limited oversight.
The concern is that “the money could be used to fund nuclear weapons and ballistic missile programs,” said Jim Gentile, a sanctions investigator at the US Treasury Department, speaking at a New York crypto conference in May. The United Nations has also warned that Pyongyang could use stolen cryptocurrencies to fund such initiatives.
Phone calls to the North Korean embassy in London went unanswered on Thursday. The US Department of Justice on Thursday declined to comment on the Harmony hack.
In April, the Treasury Department, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation warned of North Korea’s support for a campaign targeting such crypto firms.
“The FBI, in coordination with the Treasury Department and other US government partners, will continue to expose and combat North Korea’s use of illicit activities, including cybercrime and cryptocurrency theft, to generate revenue for the regime,” the FBI said at the time, referring to the Democratic People’s Republic of Korea.
In the Harmony incident, hackers targeted the crypto project’s bridge, a piece of software that allows users to transfer cryptocurrency across different blockchains. Two days after the breach, Harmony publicly offered the attackers $1 million for the return of the funds, an offer it has since sweetened.
However, this week the cybercriminals began a series of transactions that blockchain analysts believe are consistent with North Korean money-laundering methods. Whoever controlled the stolen Harmony crypto methodically sent batches of 100 ether, worth about $100,000 each, to Tornado Cash, a mixing service that commingles deposits from many users to help hide their sources.
“The attack vector and the high speed of the structured payments to the mixer are similar to previous attacks” attributed to Pyongyang, Chainalysis said on
Elliptic Enterprises Ltd., another blockchain analytics firm, said in a blog post on Wednesday that there were “strong indications” that hackers linked to North Korea were behind the incident. Along with the rapid deposits into Tornado Cash and the targeting of a decentralized finance project, Elliptic cited Harmony’s disclosure that the hackers gained access to its bridge by compromising its security keys.
In March, North Korean hackers were similarly suspected of breaching the bridge software used by the popular online game “Axie Infinity”. After the theft of users’ crypto worth around $540 million at the time, those with access to the funds funneled a significant portion into Tornado Cash. The FBI attributed the theft to groups linked to North Korea.
Tornado Cash describes itself as a privacy tool that technically does not hold user deposits, since they are commingled with other funds.
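The attribution signal the analysts describe above, a rapid run of same-sized deposits into a mixer, is the kind of pattern a compliance or threat-intelligence team can screen for in transfer data. The following is an added illustration, not code from the article or from Chainalysis or Elliptic; the addresses, amounts and timestamps are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample transfers (not real on-chain data):
# (sender, recipient, amount in ether, Unix timestamp).
# "0xMIXER_PLACEHOLDER" stands in for a mixer contract address.
MIXER_ADDRESSES = {"0xMIXER_PLACEHOLDER"}
T0 = 1_656_432_000
SAMPLE_TRANSFERS = [
    # suspect: five identical 100 ETH deposits within ten minutes
    ("0xSUSPECT", "0xMIXER_PLACEHOLDER", 100.0, T0),
    ("0xSUSPECT", "0xMIXER_PLACEHOLDER", 100.0, T0 + 120),
    ("0xSUSPECT", "0xMIXER_PLACEHOLDER", 100.0, T0 + 240),
    ("0xSUSPECT", "0xMIXER_PLACEHOLDER", 100.0, T0 + 400),
    ("0xSUSPECT", "0xMIXER_PLACEHOLDER", 100.0, T0 + 600),
    # ordinary user: two small deposits a day apart, plus an exchange transfer
    ("0xUSER", "0xMIXER_PLACEHOLDER", 1.0, T0 + 100),
    ("0xUSER", "0xMIXER_PLACEHOLDER", 1.0, T0 + 86_400),
    ("0xUSER", "0xEXCHANGE", 37.5, T0 + 8_000),
]


def find_structured_deposits(transfers, mixers, window_s=3600, min_count=3):
    """Flag senders that make at least `min_count` identical-value deposits
    into known mixer addresses within any `window_s`-second window.
    Returns a list of findings with sender, amount, count and total."""
    stamps_by_key = defaultdict(list)
    for sender, recipient, amount, ts in transfers:
        if recipient in mixers:
            stamps_by_key[(sender, amount)].append(ts)

    findings = []
    for (sender, amount), stamps in stamps_by_key.items():
        stamps.sort()
        best, start = 0, 0
        # sliding window over time-sorted deposits of this exact amount
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            findings.append({"sender": sender, "amount": amount,
                             "count": best, "total": amount * best})
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for f in find_structured_deposits(SAMPLE_TRANSFERS, MIXER_ADDRESSES):
        print(f"{f['sender']}: {f['count']} x {f['amount']} ETH -> {f['total']} ETH")
```

Two deposits of the same size a day apart fall outside the window and are not flagged, which keeps ordinary privacy-seeking users below the threshold while the rapid, evenly sized run is surfaced for review.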
“Tornado Cash has been a very reliable tool for North Korean hackers and money launderers, as well as many other criminals,” said Jason Bartlett, who studies North Korean money laundering as a research fellow at the Center for a New American Security, a think tank.
Tornado Cash did not respond to requests for comment. The tool’s website states that its “original developers have no control over it and do not operate the servers.” Like many other decentralized finance projects, Tornado Cash is overseen by a loosely connected online community of people who hold governance tokens that let them vote on changes to the protocol.
Mixing services, which can also be used for legitimate purposes, make tracking stolen funds more difficult but not impossible, said Ari Redbord, a former Treasury official who is now head of legal and government affairs at TRM Labs Inc., a blockchain analytics firm.
In a blog post on Wednesday, Elliptic said it had demixed the Harmony funds sent through Tornado Cash, allowing its customers to screen transactions for potential links to the stolen crypto.
Harmony said on Twitter and its blog on Wednesday that it had launched a “global hunt” for the attackers, notifying crypto exchanges, contacting law enforcement and enlisting blockchain analysts such as Chainalysis. Harmony also raised its earlier reward offer.
“Actor’s associates: there is no honor among thieves,” said Harmony. “We are offering you $10 million for information leading to the recovery of the stolen funds.”
Deadline: July 4.
Write to David Uberti at firstname.lastname@example.org
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.