North Korean hackers still have access to the money they stole from Axie Infinity


The North Korean hackers who committed one of the biggest cryptocurrency thefts of all time last month are still laundering their loot more than a week after being identified as the thieves.

The cybercriminals’ continued access to the money, more than $600 million stolen from the Axie Infinity video game, underscores the limits of law enforcement’s ability to stop the flow of illicit cryptocurrency around the globe. The hackers continue to move their loot, most recently around $4.5 million worth of Ethereum on Friday, according to data from the cryptocurrency tracking site Etherscan – eight days after the Treasury Department attempted to freeze the assets by sanctioning the digital wallet the group used in the attack.

The gang, which the Treasury Department has identified as the Lazarus Group, also known for the 2014 Sony Pictures hack, has so far laundered nearly $100 million – about 17% – of the stolen crypto, according to the blockchain analytics company Elliptic. They moved their loot beyond the immediate reach of U.S. authorities by converting it into the cryptocurrency Ethereum, which, unlike the cryptocurrency they stole, cannot be frozen remotely. Since then, the gang has worked to obscure the origins of the crypto primarily by routing transfers through a program called Tornado Cash, a service known as a mixer that pools digital assets to hide their owners.


Authorities and major players in the crypto industry are scrambling to keep up. The Treasury sanctioned three other addresses associated with the gang on Friday, while Binance, a large international crypto exchange, announced it had frozen $5.8 million worth of crypto that the hackers had transferred to its platform.

The cat-and-mouse game between law enforcement and North Korean hackers is another example of how criminals have learned to target weak spots in the growing crypto economy. They exploit faulty code in decentralized crypto platforms, use tools that help them cover their tracks, such as converting assets into privacy-enhancing cryptocurrencies like Monero, and take advantage of the uneven coordination of law enforcement across international borders.

The North Korean case also shines a light on a crypto industry eager to demonstrate its reliability to regulators, investors, and customers, while maintaining the freewheeling spirit of crypto. Some of the biggest companies in the industry say they support government oversight and tout their investments in internal compliance programs.

Yet a Washington Post review of Treasury Department-sanctioned crypto accounts over the past year and a half found four wallets that remained free to transact months after being blacklisted by the Treasury Department. The apparent lapses stem from faulty or incomplete compliance programs at Tether and Center Consortium, a pair of companies involved in issuing so-called stablecoins, a type of cryptocurrency whose value is tied to an external asset, usually the dollar.

“We are at a particularly important time: everyone is still learning what is possible and how attacks can occur, and the borderless nature of crypto makes it difficult to enforce standards on a global scale,” said Chris DePow, chief compliance officer at Elliptic. “These are people who act all over the world. Even if you enforce very well in one jurisdiction, if there are other jurisdictions with weaker enforcement, you are still going to end up with a problem.”

Digital thieves are on course for a banner year. They stole $1.3 billion worth of cryptocurrency in the first three months of the year, after seizing $3.2 billion in 2021, according to the blockchain data firm Chainalysis. Hackers pulled off another major heist last Sunday, stealing around $76 million worth of digital assets from a crypto project called Beanstalk, according to data from Etherscan.


As the successes of cybercriminals mount, so does the urgency for U.S. authorities, who have come to view the attacks as threats to national security. The Lazarus Group, for its part, is a major source of funding for North Korea’s nuclear and ballistic missile programs, according to United Nations investigators. And last spring, Russian hackers temporarily hampered the operations of a critical U.S. fuel pipeline and the world’s largest meat supplier, relenting only after collecting multimillion-dollar ransoms in cryptocurrency. (Much of the Colonial Pipeline ransom was later recovered.)

The Russian invasion of Ukraine sharpened the attention of policy makers on the issue. Some lawmakers worry that the Russian government and oligarchs could use crypto to evade international sanctions stifling their access to traditional financial channels.

So far they haven’t. “It’s hard to imagine that happening using crypto,” Treasury Secretary Janet Yellen said Thursday. But the department has also signaled that it is not taking any chances. It imposed sanctions on the Russian crypto-mining firm Bitriver and 10 of its subsidiaries on Wednesday, saying in a statement that the Biden administration is “committed to ensuring that no asset, no matter how complex, becomes a mechanism for Putin’s regime to offset the impact of the sanctions.”


U.S. authorities also continue to target Russian cybercriminals and the crypto platforms they rely on to enable their attacks. Earlier this month, U.S. law enforcement announced the closure of Russia’s Hydra Market, a dark net marketplace that allegedly sold hacked personal information, drugs and hacking services.

As part of the crackdown, the Treasury also sanctioned Garantex, a Russian crypto exchange that the department said had handled more than $100 million in illegal transactions, including $2.6 million associated with Hydra. The Treasury said the move built on sanctions it enacted last year against two other Russian crypto exchanges, Suex and Chatex, all of which operated from the same office tower in Moscow’s financial district.

The designations mean that any crypto company interacting with the US financial system should block transactions with sanctioned entities, Elliptic’s DePow said. Yet The Post’s review found that neither Tether nor Center Consortium blocked all transactions involving sanctioned addresses.

Tether continues to allow transactions with crypto accounts believed to be owned by Chatex, more than half of whose activity was related to illicit or high-risk activities, including ransomware attacks, according to the Treasury. A Tether address received and then sent around $15,000 as recently as April 19, according to a Post review of Etherscan blockchain data. Another received, then sent, nearly $42,000 in the past six months.

In a statement, Tether said it “conducts constant market monitoring to ensure that there are no irregular movements or actions that could contravene applicable international sanctions.” Chatex did not respond to requests for comment.

Not all transactions involving sanctioned addresses are bad: sometimes traditional exchanges pool funds held in sanctioned accounts that no longer benefit the accused hackers who previously owned them. And sometimes the Treasury approves individual transactions with sanctioned accounts.


Separately, Center Consortium – a joint venture between the U.S. crypto firms Coinbase and Circle that issues USD Coin, the second-largest stablecoin – failed to freeze three wallets belonging to Russian hackers for months after the Treasury sanctioned them. Two of the accounts, blacklisted in September 2020, belong to Artem Lifshits and Anton Andreyev, employees of the Russian hacking group that led the country’s interference in the 2016 U.S. presidential election. A third was associated with Yevgeniy Polyanin, whom the Treasury sanctioned in November for carrying out ransomware attacks as part of the REvil cybercriminal gang.

Center only froze those wallets on March 29, when a spokesperson said the company conducted a review of the sanctioned accounts and found it “just didn’t catch those addresses.” The wallets did not make any transactions during this period.

“We are constantly reviewing what we are doing to ensure we are at the cutting edge of compliance,” the Center spokesperson said. “Through this review, we identified three addresses that had been missed and acted immediately.”

The Treasury requires U.S. companies to freeze sanctioned accounts as soon as it blacklists them and to report that they have done so within 10 days, said John Smith, former director of the department’s Office of Foreign Assets Control and now a partner at Morrison & Foerster. The department can apply harsh penalties to violators even if they didn’t know they weren’t compliant, he said, though it tends to focus on more serious cases.
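The two checks the article describes, screening transfers against a sanctions list and catching freezes that missed the reporting window, as an added Python example that is not code from the Post, Elliptic, Tether or Center Consortium. The listed addresses, designation dates, transfers and freeze dates are constructed placeholders, not the real sanctioned wallets; the 10-day window is the one quoted in the article.

```python
from datetime import date

# Constructed sanctions list: placeholder addresses and designation dates,
# not the real OFAC entries. Keys are written in EIP-55 mixed case on purpose.
SANCTIONED = {
    "0xAbC0000000000000000000000000000000000001": date(2020, 9, 10),
    "0xDeF0000000000000000000000000000000000002": date(2021, 11, 8),
}

REPORT_DEADLINE_DAYS = 10  # freeze-and-report window cited in the article


def normalize(addr):
    """Ethereum addresses are case-insensitive hex, but EIP-55 checksums mix
    case, so a naive string compare against a list can miss a listed wallet."""
    return addr.strip().lower()


SANCTIONED_NORMALIZED = {normalize(a): d for a, d in SANCTIONED.items()}


def screen_transfers(transfers):
    """Return transfers touching a listed address on or after its designation.
    Each transfer is (tx_date, from_addr, to_addr, amount_usd)."""
    hits = []
    for tx_date, src, dst, amount in transfers:
        for role, addr in (("from", src), ("to", dst)):
            designated = SANCTIONED_NORMALIZED.get(normalize(addr))
            if designated is not None and tx_date >= designated:
                hits.append({
                    "date": tx_date, "role": role, "address": normalize(addr),
                    "amount_usd": amount,
                    "days_after_designation": (tx_date - designated).days,
                })
    return hits


def overdue_freezes(frozen_on, today):
    """Map listed address -> days past the reporting window its freeze landed
    (or, if still not frozen, how far past the window it is as of today)."""
    overdue = {}
    for addr, designated in SANCTIONED_NORMALIZED.items():
        done = frozen_on.get(addr) or today  # None means never frozen
        late = (done - designated).days - REPORT_DEADLINE_DAYS
        if late > 0:
            overdue[addr] = late
    return overdue


# Constructed sample: a lower-case spelling of a listed address sends funds.
SAMPLE_TRANSFERS = [
    (date(2022, 4, 19), "0xabc0000000000000000000000000000000000001",
     "0x1111111111111111111111111111111111111111", 15000.0),
    (date(2022, 4, 20), "0x2222222222222222222222222222222222222222",
     "0x3333333333333333333333333333333333333333", 500.0),
]
```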

“They pursue entities or individuals who they believe have intentionally or recklessly violated the sanctions,” Smith said.

A Treasury spokesman did not respond to a request for comment.

Neither did Tornado Cash, when approached through a founder. The mixer is also how whoever stole $75 million from the Beanstalk project laundered their proceeds. That upset investor AJ Pikul, who said he lost around $150,000 in the hack. “I’m not very happy at all about being able to launder money via crypto, to be honest,” he told The Post via email.

“I feel like we’re in a digital arms race between the good guys and the bad guys,” he said.
