System Security of Crypto Coins & The Hacking Incidents
This is an excerpt evaluating the system security of crypto coins and the hacking incidents. (Chainalysis 2020 Crypto Crime Report)
More cryptocurrency exchanges were hacked in 2019 than in any other year. But none of the 11 attacks this year came close to the scale of major robberies like last year’s $534 million Coincheck hack or the $473 million Mt. hack. Therefore, despite the increasing number of attacks, the total amount stolen from exchanges fell sharply to $283 million worth of cryptocurrency.
Chart: total value stolen (USD) and number of attacks, by year. Currencies included: ADA, BCH, BTC, ETH, EOS, LTC, NANO, NEM, USDT, XRP and others.
Let us explain how we reached the final number of 2019 exchange attacks, given that other sources in the media and elsewhere may report different numbers:
- We enumerated attacks involving exploitation of technical vulnerabilities as well as attacks carried out by social engineering or other forms of deception.
- We counted only attacks in which bad actors gained access to funds held by exchanges, not payment processors, wallet providers, investment platforms or other types of services.
- We did not count exit scams or cases of users exploiting a trading error, such as the pricing inconsistency that nearly allowed a Synthetix user to make more than $1 billion in erroneous trades.
- We only included attacks where the amount stolen was measured and publicly confirmed by multiple sources. This means that we do not include cases where exchanges’ user data was compromised but no cryptocurrency was stolen. We also excluded attacks that were reported to us privately but not publicly, but we are confident that including them would not significantly distort the data we analyze here.
Under these restrictions, almost all of the attacks we did not include were on smaller exchanges and involved relatively low amounts of cryptocurrency. Therefore, our estimate of the total stolen in exchange attacks is probably a lower bound, but we believe it is not far from the true total.
2019 Exchange Attacks Measured
With no hack larger than the $105 million stolen from Coinbene, the average and median amount stolen per hack fell significantly in 2019 after rising in each of the previous three years. Only 54% of the attacks we observed in 2019 netted more than $10 million, compared to all of the hacks in 2018. While the increase in the number of individual attacks is alarming, the data show that exchanges are getting better at limiting damage.
Where do the funds go after the attacks?
Using blockchain analysis, we can analyze the movements of funds stolen in hacks to get an idea of how hackers liquidate funds.
Most of the funds stolen in exchange attacks are sent to other exchanges, where they are probably cashed out. However, a significant portion of the funds has not been spent, sometimes for years. In such cases, there may still be an opportunity for law enforcement to seize the stolen funds. And as we will show later, a small but significant portion of all stolen funds (and an increasing share in 2019) is being passed through third-party mixers or CoinJoin wallets to hide its illicit origin. Note that in the table above, mixed funds are categorized according to their ultimate destination after the mixing takes place.
Hackers are responding to exchanges’ security measures.
Exchanges have taken steps to better protect clients’ funds from attacks, and the sharp decline in the amount lost per hack shows they have been successful. Many exchanges now hold a lower percentage of funds in less secure hot wallets, require more authorizations for withdrawals, and monitor transactions more closely for suspicious activity in order to catch hacks earlier.
But at the same time, the most prolific hackers have become more sophisticated both in how they carry out hacks and in how they launder the stolen funds afterwards. While this is not a positive development, it shows that the measures adopted by exchanges are effective enough to force hackers to adapt in the first place. And as we will show, there are concrete steps that exchanges and law enforcement can take to counter hackers’ new tactics.
Let’s examine some of the new tactics that exchange hackers have adopted by analyzing the activities of a high-profile cybercriminal organization.
How did the Lazarus Group get more advanced in 2019?
Lazarus Group is a notorious cybercrime organization affiliated with the North Korean government. Considered an advanced persistent threat by cybersecurity experts, Lazarus is believed to be behind the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack, as well as a series of cryptocurrency exchange attacks. We can now reveal that Lazarus Group is the organization we referred to as “Beta Group” when we examined its hacking activities in last year’s Crypto Crime Report.
In 2019, the Lazarus Group made three major changes in its hacking and money laundering strategies:
- More complex phishing schemes. The Lazarus Group has relied on social engineering to attack exchanges in the past, often tricking employees into downloading malware that gave Lazarus access to users’ funds. But in an exchange attack last year, Lazarus took this strategy one step further and carried out one of the most elaborate phishing schemes we have seen in order to gain access to users’ funds.
- Increased use of mixers and CoinJoin wallets. In 2019, hackers, and the Lazarus Group in particular, increasingly sent funds stolen from exchanges through mixers or, more specifically, CoinJoin wallets. Mixers obscure the trail of funds by pooling the cryptocurrency of many users and paying each user back an amount from the pool equal to what they put in, minus a 1-3% service fee. Each user ends up with a “mix” of funds that everyone else put in, making it difficult to link any input to a particular output. Many criminals use mixers to hide the source of illicit cryptocurrency before moving it to other services. CoinJoin wallets such as Wasabi Wallet (named after the underlying CoinJoin protocol),
- Faster liquidation. We have also seen hackers like Lazarus move their funds to exchanges and other services for liquidation in less time than in 2018. This trend could indicate that hackers in 2019 are improving their money laundering abilities or prioritizing faster access to cash.
Let’s look at examples of how Lazarus uses these new tactics.
How did the Lazarus Group use a fake company as a phishing bait?
In March 2019, hackers breached the Singapore-based DragonEx exchange, stealing various cryptocurrencies worth roughly $7 million, including Bitcoin, Ripple, and Litecoin. DragonEx responded quickly, announced the hack on various social media platforms, and published a list of 20 wallet addresses to which the funds had been transferred. This allowed other exchanges to flag these wallets and freeze the accounts associated with them, making it difficult for the attackers to move the funds. DragonEx also quickly contacted law enforcement as well as Chainalysis to ask for our assistance.
While the DragonEx hack was relatively small, the lengths the Lazarus Group went to in order to infiltrate the exchange’s systems in a complex phishing attack were considerable. Lazarus set up a fake company that claimed to offer an automated cryptocurrency trading bot called Worldbit-bot, complete with a slick website and social media profiles for fake employees.
Lazarus went so far as to develop a software product that looked like the trading bot the fake company claimed to be selling. The key difference, of course, was that the program contained malware that gave the hackers access to the computer of anybody who downloaded it. The Lazarus Group hackers offered DragonEx employees a free trial of the software and eventually persuaded someone to download it onto a computer that held the private keys of the exchange’s wallets. From there, the hackers made off with millions.
While most phishing attempts rely on an email or a small-scale website, Lazarus Group’s fictional Worldbit-bot company is at another level of complexity. It reveals the time and resources at Lazarus’ disposal, as well as the in-depth knowledge of the cryptocurrency ecosystem necessary to successfully imitate legitimate participants.
Increased mixer usage and faster withdrawals highlight changes in Lazarus’ money laundering strategy.
When we analyzed post-hack money laundering in 2018 for last year’s Crypto Crime Report, we found that the Lazarus Group, like other leading hacking groups, did not use advanced money laundering techniques such as mixers to “clean” and cash out stolen cryptocurrency. Instead, they tended to park the funds in a wallet, wait 12 to 18 months, and then move all of the funds at once to a low-KYC exchange when the coast appeared clear.
We concluded that this was due primarily to Lazarus’ motivations being financial. While other leading hacking groups seem more concerned with causing chaos for their targets and avoiding detection, Lazarus’ behavior showed that it was focused on converting stolen cryptocurrency into cash, even if that meant waiting a long time and then moving the funds to an exchange in a way that was relatively easy to track. While we do not claim to know whether Lazarus’ motivations changed in 2019, we do know that the way the group moves and cashes out funds stolen in exchange hacks has changed. First, we see that a much higher percentage of its stolen funds is moved to mixers.
Of all the funds Lazarus stole from exchanges in 2018, 98% were moved to exchanges with low KYC requirements, and none went to mixers or CoinJoin wallets. In 2019, however, 48% of the funds stolen by Lazarus were moved to CoinJoin wallets, while 50% remain unspent in the hackers’ original wallets.
We can see this below using Chainalysis Reactor to compare the money laundering activity associated with a Lazarus hack in 2018 with one from 2019.
Above we see how Lazarus moved the stolen funds after one of its 2018 exchange hacks. Although it looks complicated because of the large number of transactions, it is actually very simple. The funds leave the victim exchange’s wallet on the left, pass through two intermediary wallets, and are then distributed across four different exchanges on the right. The many hops in between represent unspent transaction change moving from wallet to wallet on the way to the exchanges. Although the funds take a long path, they are relatively easy to follow.
The Reactor chart showing how Lazarus moved funds following the 2019 DragonEx hack is much more complex. In this case, stolen altcoins like Ethereum and Litecoin were moved to exchanges and traded for Bitcoin. The Bitcoin was then withdrawn from the exchanges and shuffled between various private wallets before being moved to the Wasabi Wallet on the far right, where the funds were mixed through the CoinJoin protocol.
The Lazarus Group also moved the stolen funds to services where they could be liquidated much faster this year. In 2018, Lazarus took up to 500 days to move funds from its first private wallet to a liquidation service, and never did so in less than 250 days. That changed drastically in 2019. Almost all of the funds stolen in both hacks attributed to Lazarus were moved to liquidation services in under 60 days, though some still remain unspent. Attacks attributed to other groups followed this trend as well.
The increasing complexity and speed with which Lazarus launders stolen cryptocurrency puts more pressure on intelligence agencies and exchanges to act faster when cybercriminals attack exchanges.
Exchanges need to continue to prioritize security
Exchanges have raised the bar on anti-hacking security in the past few years, but the subsequent developments from groups like Lazarus show that they cannot rest on their laurels. To stay one step ahead, they need to remain alert and build on the improvements they have already made. We recommend that exchanges continue to install guard rails to ensure that suspicious transactions are flagged before they are completed, and take steps to prevent employees from downloading malware that could compromise their networks and give hackers access to the exchange’s private keys. In the event that an exchange is hacked, it must immediately report this to law enforcement and provide key information such as the addresses to which the stolen funds have been moved.
In addition to protecting themselves from being hacked, exchanges also have a responsibility to ensure that criminals do not use them to cash out funds stolen from other exchanges. We recommend that exchanges treat large deposits, or many small deposits arriving in a short time, from mixers or CoinJoin wallets with heightened suspicion. While there are legitimate uses for mixers, the data make it clear that they are increasingly being used by hackers to obscure stolen funds before cashing out. By halting suspicious transactions originating from mixers, exchanges could stop some of these cash-outs and help law enforcement recover stolen funds. Binance has already started doing this, and we think its model could be a useful example for other exchanges to follow.
Finally, we believe that increased cross-border cooperation between law enforcement agencies can go a long way toward mitigating exchange attacks. If financial intelligence units (FIUs) around the world can quickly share information from exchanges after they have been hacked, they may be able to freeze funds before hackers move them to a mixer or low-KYC exchange.
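As an added illustration of the deposit-screening recommendation above (this is example code, not from the report or from Chainalysis), the following Python sketch applies the two heuristics described, a single large deposit or a burst of small deposits in a short window from addresses tagged as mixer or CoinJoin sources, to a constructed batch of deposit records. The watchlist addresses, thresholds and sample deposits are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of deposit sources that cluster to a mixer or CoinJoin
# wallet. Real labels come from blockchain analysis; these are placeholders.
RISKY_SOURCES = {"bc1qmixer000example": "mixer", "bc1qcoinjoin00example": "coinjoin"}
LARGE_DEPOSIT_USD = 50_000           # a single deposit this large is flagged on its own
BURST_COUNT, BURST_TOTAL_USD = 3, 20_000  # smaller deposits: at least this many ...
BURST_WINDOW = timedelta(hours=24)   # ... adding up to that much inside this window

def flag_deposits(deposits):
    """Return {account: [reasons]} for deposits to hold for review.
    Each deposit: {"account", "source", "usd", "time": datetime}."""
    flagged, per_account = defaultdict(list), defaultdict(list)
    for d in sorted(deposits, key=lambda d: d["time"]):
        label = RISKY_SOURCES.get(d["source"])
        if label is None:
            continue                 # untagged source: outside this rule's scope
        if d["usd"] >= LARGE_DEPOSIT_USD:
            flagged[d["account"]].append(
                f"large {label} deposit ${d['usd']:,.0f} at {d['time']:%Y-%m-%d %H:%M}")
        per_account[d["account"]].append(d)
    # Sliding window per account: catch bursts of deposits that each stay under
    # the large-deposit threshold but together exceed BURST_TOTAL_USD.
    for account, items in per_account.items():
        for i, first in enumerate(items):
            window = [x for x in items[i:] if x["time"] - first["time"] <= BURST_WINDOW]
            total = sum(x["usd"] for x in window)
            if len(window) >= BURST_COUNT and total >= BURST_TOTAL_USD:
                flagged[account].append(
                    f"{len(window)} mixer/CoinJoin deposits totalling ${total:,.0f} in 24h")
                break                # one burst reason per account is enough
    return dict(flagged)

# Constructed sample deposits (not real data): A is a single large mixer deposit,
# B is a burst of small CoinJoin deposits, C is large but from an untagged source,
# D is two mixer deposits too far apart to count as a burst.
T0 = datetime(2019, 3, 25, 9, 0)
SAMPLE_DEPOSITS = [
    {"account": "acct-A", "source": "bc1qmixer000example", "usd": 75_000, "time": T0},
    {"account": "acct-B", "source": "bc1qcoinjoin00example", "usd": 8_000, "time": T0},
    {"account": "acct-B", "source": "bc1qcoinjoin00example", "usd": 7_500, "time": T0 + timedelta(hours=5)},
    {"account": "acct-B", "source": "bc1qcoinjoin00example", "usd": 9_000, "time": T0 + timedelta(hours=20)},
    {"account": "acct-C", "source": "bc1qordinary0example", "usd": 90_000, "time": T0},
    {"account": "acct-D", "source": "bc1qmixer000example", "usd": 6_000, "time": T0},
    {"account": "acct-D", "source": "bc1qmixer000example", "usd": 6_000, "time": T0 + timedelta(days=3)},
]

if __name__ == "__main__":
    for account, reasons in flag_deposits(SAMPLE_DEPOSITS).items():
        print(account, "->", "; ".join(reasons))
```

Deposits from untagged sources are deliberately left alone here; in practice this rule would sit beside the exchange's other transaction monitoring rather than replace it.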