North Korea’s hackers still have access to money they stole from Axie Infinity


North Korean hackers, who last month carried out one of the biggest cryptocurrency thefts ever, are still laundering their haul more than a week after they were identified as the thieves.

The cybercriminals’ continued access to the money, more than $600 million stolen from the video game Axie Infinity, underscores the limits of law enforcement’s ability to stop the flow of illicit cryptocurrency across the globe. The hackers are still moving the funds, most recently around $4.5 million worth of the cryptocurrency Ether on Friday, according to data from the blockchain tracking site Etherscan, eight days after the Treasury tried to freeze those assets by sanctioning the digital wallet the group used in its attack.

The gang, which the Treasury identified as the Lazarus Group, also known for hacking Sony Pictures in 2014, has so far laundered nearly $100 million, about 17 percent of the stolen crypto, according to blockchain analysis firm Elliptic. They moved their loot beyond the immediate reach of U.S. authorities by converting it to Ether, which, unlike the cryptocurrency they stole, cannot be frozen by an outside party. Since then, the gang has been working to obscure the origins of the crypto, primarily by sending installments of it through a program called Tornado Cash, a service known as a mixer that pools digital assets to hide their owners.


Authorities and major players in the crypto industry are struggling to keep up. The Treasury sanctioned three more addresses linked to the gang on Friday, the same day Binance, a major international crypto exchange, announced it had frozen $5.8 million in crypto that the hackers had transferred to its platform.

The cat-and-mouse game between law enforcement and the North Korean hackers is another example of how criminals have learned to target the weak points of the growing crypto economy. They exploit faulty code in decentralized crypto platforms, use tools to help them hide their tracks, such as converting assets to privacy-enhancing cryptocurrencies like Monero, and take advantage of patchy coordination among law enforcement agencies across international borders.

The North Korean case is also training a spotlight on a crypto industry that is eager to demonstrate its credibility to regulators, investors and customers while maintaining the freewheeling ethos of crypto. Some of the largest companies in the sector say they welcome public oversight and highlight their investment in internal compliance programs.

Still, a review by The Washington Post of cryptocurrency addresses sanctioned by the Treasury over the past year and a half found four wallets that remained free to trade months after being placed on the administration’s blacklist. The apparent lapses stem from deficient or incomplete compliance programs at Tether and the Center Consortium, two companies involved in issuing so-called stablecoins, a form of cryptocurrency whose value is pegged to an external asset, typically the dollar.

“We are at a particularly important time: everyone is still learning what is possible and how attacks can occur, and the boundless nature of crypto makes it difficult to enforce standards globally,” said Chris DePow, a compliance official at Elliptic. “These are people who trade all over the world. Even if you enforce very well in one jurisdiction, if there are other jurisdictions with weaker enforcement, you will still end up with a problem.”

Digital thieves are on their way to a record year. They stole $1.3 billion in cryptocurrency in the first three months of the year after seizing $3.2 billion in 2021, according to blockchain data firm Chainalysis. Hackers pulled off another major theft last Sunday, when digital assets worth about $76 million were stolen from a crypto project called Beanstalk, according to Etherscan data.


As cybercriminals’ successes mount, so does the urgency of U.S. authorities, who have come to see the attacks as threats to national security. The Lazarus Group is a major source of funding for North Korea’s nuclear and ballistic missile programs, according to U.N. investigators. And last spring, Russian hackers temporarily disrupted the operation of a critical U.S. fuel pipeline and the world’s largest meat supplier, relenting only after collecting ransoms of many millions of dollars in cryptocurrency. (Much of the Colonial Pipeline ransom was later recovered.)

The Russian invasion of Ukraine has sharpened politicians’ focus on the issue. Some lawmakers have worried that the Russian government and oligarchs could use crypto to evade the international sanctions that stifle their access to traditional financial channels.

So far they have not. “It’s hard to imagine it happening using crypto,” Treasury Secretary Janet Yellen said Thursday. But the department is also signaling that it is not taking chances. It leveled sanctions against Russian cryptocurrency mining firm Bitriver and 10 of its subsidiaries on Wednesday, declaring in a statement that the Biden administration “is committed to ensuring that no asset, no matter how complex, becomes a mechanism for the Putin regime to offset the impact of sanctions.”


U.S. authorities also continue to target Russian cybercriminals and the crypto platforms they rely on to enable their attacks. Earlier this month, U.S. law enforcement announced the closure of the Russia-based Hydra Market, a dark web marketplace that allegedly sold hacked personal information, drugs and hacking services.

As part of the crackdown, the Treasury Department also sanctioned Garantex, a Russian cryptocurrency exchange that the department said had handled more than $100 million in illicit transactions, including $2.6 million linked to Hydra. The Treasury said the move built on sanctions it imposed last year against two other Russian crypto exchanges, Suex and Chatex, all three of which operated from the same office tower in Moscow’s financial district.

The designations mean that any crypto company that interacts with the U.S. financial system must block transactions with the sanctioned entities, Elliptic’s DePow said. Still, The Post’s review found that neither Tether nor the Center Consortium had blocked all transactions involving sanctioned addresses.

Tether continues to allow transactions with crypto addresses allegedly owned by Chatex, more than half of whose business was tied to illicit or high-risk activities, including ransomware attacks, according to the Treasury Department. One sanctioned address received and then sent about $15,000 in Tether as recently as April 19, according to a Post review of blockchain data from Etherscan. Another received, and then sent, nearly $42,000 over the past six months.

In a statement, Tether said it “maintains constant market surveillance to ensure that there are no irregular movements or measures that could be in breach of existing international sanctions.” Chatex did not respond to requests for comment.

Not all transactions involving sanctioned addresses are illicit: sometimes mainstream exchanges consolidate funds held in sanctioned accounts that no longer benefit the accused hackers who previously controlled them. And sometimes the Treasury authorizes individual transactions with sanctioned accounts.


Separately, the Center Consortium, a joint venture between U.S. crypto companies Coinbase and Circle that issues USD Coin, the second-largest stablecoin, failed to freeze three wallets belonging to Russian hackers until months after the Treasury sanctioned them. Two of the accounts, blacklisted in September 2020, belong to Artem Lifshits and Anton Andreyev, employees of the Russian hacking group that spearheaded the country’s interference in the 2016 U.S. presidential election. The third was blacklisted in November for its use in ransomware attacks as part of the REvil cybercrime gang.

Center did not freeze those wallets until March 29, when, a spokesman said, the company conducted a review of sanctioned accounts and discovered that it “just had not captured those addresses.” The wallets did not transact during that time.

“We are constantly reviewing what we do to ensure that we are state of the art in our compliance,” the Center spokesman said. “Through that review, we identified three addresses that had been missed and we acted immediately.”

The Treasury Department requires U.S. companies to freeze sanctioned accounts as soon as they are blacklisted and to report that they have done so within 10 days, said John Smith, a former director of the department’s Office of Foreign Assets Control and now a partner at Morrison & Foerster. The department can impose harsh penalties on violators even if they did not know they were out of compliance, he said, though it tends to focus on more serious cases.

“They go after entities or individuals that they believe have knowingly or recklessly violated sanctions,” Smith said.

A spokesman for the Treasury Department did not respond to a request for comment.

Nor did Tornado Cash when it was contacted through a founder. The mixer is also how the person who stole $75 million from the Beanstalk project laundered their proceeds. That has upset investor AJ Pikul, who says he lost about $150,000 in the hack. “I’m not at all super happy with the ability to launder money through crypto, to be honest,” he told The Post via email.

“I feel like we’re in a digital arms race between the good and the bad,” he said.
