North Korean hackers funneling stolen tokens through Russian exchanges

North Korea shows no sign of slowing its ‘crypto’ hacking operations and is increasing its use of Russian digital asset exchanges to launder its ill-gotten gains.

On September 12, the CoinEx exchange announced that its security systems had “detected anomalous withdrawals from several hot wallet addresses used to store CoinEx’s exchange assets.” CoinEx assured users that “your assets are secure and untouched” and any impacted customers “will receive 100% compensation for any loss due to this breach.”

Over the next few days, the scale of the hack became apparent. Over $54 million in various tokens (BTC, ETH, XRP, TRX and others) had been drained. CoinEx tracked the outflowing tokens to wallets on multiple blockchains (Ethereum, Binance’s BNB Chain and Arbitrum), including some of the same wallets linked to the September 4th hack that stole $41 million from Australia-focused online gambling site Stake.com.

On September 6, the Federal Bureau of Investigation (FBI) announced that Stake.com had been hacked by North Korea’s state-sponsored Lazarus Group. The FBI noted that Lazarus was responsible for (among countless other incidents) the $60 million theft from Alphapo/CoinsPaid in July and $100 million from Atomic Wallet in June.

While the Stake.com hack also involved multiple tokens across multiple chains, analysts have detected patterns in which Lazarus converts stolen tokens to Emin Gün Sirer’s Avalanche (AVAX) network before bridging them to BTC, relying on AVAX’s high liquidity to ensure quick conversions.

Lazarus are also big fans of coin mixing services like the Ethereum-based Tornado Cash. The U.S. Department of Justice cited North Korea’s use of Tornado Cash when it charged Tornado developers with money laundering and economic sanctions violations last month. Last November, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) accused Tornado Cash of indirectly helping to fund North Korea’s nuclear weapons program.

In August, Reuters revealed the contents of an unpublished United Nations report in which independent sanctions monitors said North Korea continues to “successfully target cyber cryptocurrency and other financial exchanges globally … Companies in the cryptocurrency, defense, energy and health sectors were targeted in particular” by Lazarus and its various offshoots, including Labyrinth Chollima.

But hackers working for the Reconnaissance General Bureau—North Korea’s foreign intelligence agency—are not just looking to steal financial assets. Data, be it corporate or personal, is also high on their target list. Which leads us to the current upheaval plaguing America’s casino sector.

Crapping out

This week saw both Caesars Entertainment and MGM Resorts reveal that they’d independently suffered ‘cybersecurity issues’ that qualified as ‘material events’ for their respective operations. Long story short: Caesars paid up and its systems are back online, while MGM has yet to pay and its systems remain impacted.

Caesars said its hack—which apparently started in late-August—resulted in the attackers accessing “our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members.” CNBC reported that the hackers originally demanded $30 million but settled for $15 million, although it’s unclear exactly what guarantees Caesars got in exchange (or whether those guarantees are worth anything).

MGM experienced outages in its corporate email, restaurant reservation and hotel booking systems, while customers at MGM properties across the U.S. found their digital room keys didn’t work. Casino floor operations were temporarily impacted as slot machines weren’t processing ‘ticket-in, ticket-out’ payments but are now reportedly functioning as intended. Still, customers have good reason to fear their personal data may have been compromised.

Both casinos were apparently victimized by the same group, an outfit known as Scattered Spider (aka UNC3944 aka Roasted 0ktapus). Its members have been open about their role in the hacks, telling Reuters that they took six terabytes of data from the casino operators. However, a Scattered Spider member told TechCrunch it wasn’t involved with the Caesars attack, so who knows? (No honor among thieves, after all.)

Scattered Spider claims to have found an MGM employee on LinkedIn, then contacted MGM’s help desk using the employee’s personal details to access their company account. It’s an unfortunate reminder that even the most robust security systems can be compromised by phishing guileless individuals.

While Scattered Spider carried out the attacks, a group known as ALPHV aka BlackCat reportedly supplied the ransomware and infrastructure. ALPHV is a ransomware-as-a-service (RaaS) group that earns a commission off whatever ransom is paid by victims targeted by ALPHV clients. ALPHV is believed to have evolved out of REvil, a Russia-based ransomware group that Russian authorities claimed to have put out of action in late-2021, around the time that ALPHV was first observed.

While Caesars hasn’t indicated precisely how it paid its $15 million ransom, it seems almost certain that it was done via some type of digital asset (or a combination thereof), which would then have been transferred through a series of wallets and then either bridged to a different chain or sent to a coin mixer like Tornado Cash.

Authoritarian Tinder matches

Russia and North Korea have a well-earned reputation for recklessly unleashing malware, either for profit or to wreak havoc on their enemies’ infrastructure (or both). This week, as North Korea’s dictator Kim Jong-un traveled to Russia to meet President Vladimir Putin, it’s possible that weapons sales and technology transfers weren’t the only subjects being discussed.

Blockchain analysts Chainalysis released a report this week that examined the strengthening ties between Russia and North Korea, including the latter’s growing reliance on Russia-based digital asset exchanges to launder hacking proceeds.

Chainalysis says nearly $22 million in digital assets stolen from the Harmony Protocol—the June 2022 attack that the FBI has tied to Lazarus—was recently transferred to “a Russia-based exchange known for processing illicit transactions.” (Tellingly, that description hardly narrows it down.)

Chainalysis says North Korean entities have been using this unspecified exchange to launder money since 2021 but have historically funneled stolen assets through ‘mainstream’ exchanges (here’s looking at you, Binance). This recent Russian transfer marks “a significant escalation in the partnership between the cyber underworlds of these two nations.”

This shift will further complicate authorities’ efforts to track and recover stolen assets, given “Russia’s notoriously uncooperative stance toward international efforts by law enforcement.” With North Korea responsible for nearly 30% of stolen digital assets so far this year, a grim future awaits victims of digital asset theft.

Your choice: seed phrase or launch code?

It’s worth mentioning that North Korea’s criminal efforts could be at least partially thwarted by increased adoption of the concept of digital asset recovery. Honestly, what’s not to like about the ability to prove rightful ownership of stolen or otherwise inaccessible assets, then secure a court order instructing nodes to freeze and reissue these assets at the tip of the chain to their rightful owner, along with a clear history that allows all users to see these assets’ provenance?

Such a system was part of Bitcoin’s original design but was expunged when it clashed with the dogmatic beliefs of the BTC Core developers who seized control of Bitcoin and reduced this once-versatile technology to the hobbled ‘digital gold’ of BTC. Thankfully, not everyone chose to knuckle under and digital asset recovery is now possible on all blockchains, assuming there’s the will to implement it.

You can learn more about digital asset recovery here and remember, every token recovered is a huge middle finger at Dear Leader in Pyongyang. Fiscal sovereignty is important, but the only financial systems that work in post-apocalyptic nuclear wastelands aren’t the digital variety. And hey, not your keys, not your nukes.