
Financial Crime

North Korean hackers’ crypto expertise allows them to steal and launder in plain sight  


August 1, 2025

Forget about crypto evangelists waxing lyrical about web3 and digital assets: North Korean hackers just might be the world’s leading crypto experts. Their unparalleled expertise allows them to exploit weaknesses across vast crypto ecosystems to penetrate exchanges, steal assets and launder them before anyone notices.

A recent analysis by blockchain intelligence companies ChainArgos and Allium uncovered how North Korean hackers’ deep knowledge of Dubai-based crypto exchange Bybit allowed them to steal $1.5 billion and then launder the proceeds unchallenged through a network of decentralised exchanges, mainstream exchanges and service provider wallets.

“What [North Korea] did was very simple, and the reason it was undetected is because no one is looking,” said Patrick Tan, general counsel at ChainArgos in Singapore.

North Korean cyber criminals compromised one of Bybit’s suppliers and altered the wallet address to which 401,000 ether (ETH) were sent. Bybit believed it was sending the ETH to its own wallet; it went to the hackers instead. The initial surge of activity on THORChain went unnoticed. The ETH was then laundered into Bitcoin and Solana through other platforms, a strategy so effective that only about $30 million has been recovered so far.

“Once they cash out, it’s gone. It’s in North Korea,” said Luke Wilson, global head of public sector at Allium in New York. “They’ve been doing this for easily 10 to 12 years.”

Deep knowledge

One of the noteworthy characteristics of the Bybit hack was its size, along with the hackers’ ability to drain such a large sum from a single wallet and then disperse it across hundreds of thousands of wallet addresses, said Carlos Cortés-Gómez, a data scientist at Allium.

“Whoever did that had deep technical knowledge about how blockchain and digital assets work. And of course, [using many addresses to launder is] a classic obfuscation technique. But the magnitude of it was something that kind of surprised everybody,” he said.

The hackers then had to try many different service providers to move outside Ethereum into Bitcoin and Solana, which showed a solid understanding of the Ethereum ecosystem. “They had to knock on every single service on Ethereum,” Cortés-Gómez said, which would have been achieved by “a very thoughtful security probe of every service”.

He added that the way the hackers were able to hack Bybit using multi-signature [wallets] showed “they have a deep knowledge of how Bybit works internally,” though he emphasised he was not accusing any Bybit employee of being involved.

Obscure DEXes key to laundering

North Korean hackers used lesser-known decentralised finance (DeFi) tools and decentralised exchanges (DEXs) such as THORChain and ParaSwap, as well as cross-chain bridges, to move the assets out of Ethereum, mostly into Bitcoin and Solana.

Allium analysed cross-chain DeFi and DEX activity and found that the hackers used DeFi aggregators to swap $386 million through DeFi protocols. DeFi aggregators route a single trade across multiple decentralised finance platforms from one entry point. The hackers laundered nearly one-fifth of the stolen funds ($263 million) through PancakeSwap alone, and also used SushiSwap, Curve, Uniswap, Fluid, deBridge, Across and a few others.

“The protocols they used were pretty obscure. THORChain, before the hack was not a very popular service, not very well known,” Cortés-Gómez said.

Role of aggregators

While large exchanges and some DeFi protocols require Know Your Customer (KYC) checks, many smaller ones do not. Those tend instead to check an address’s transaction history to decide whether to accept a trade. That is weaker than it sounds: many addresses still have to be flagged manually, and most data providers cannot validate transactions in real time. In the Bybit case the gap lay elsewhere. Larger DEXs received the hackers’ trades from DeFi aggregators, institution to institution, so the counterparty each DEX saw was the aggregator rather than a flagged address, and the trades went through and served the hackers’ laundering.

“Thatʼs a big vulnerability, and thatʼs why security researchers that have been working on this hack and other hacks say itʼs kind of frustrating, because the guilt of the unlawful transactions is spread between many institutional providers and everybody is pointing fingers at each other,” Cortés-Gómez said.

Service provider wallets

Another finding in the Allium/ChainArgos report was the hackers’ use of a service provider wallet (address prefix 0x62a) to pay gas fees, the transaction costs on Ethereum, for the main Bybit hacker wallet (address prefix 0x476) and numerous other addresses linked to the hack. The controller of the 0x62a service provider wallet was found to hold accounts at Coinbase, MEXC and KuCoin, so those exchanges should have the requisite KYC documentation, the report concluded.
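To make the two screening gaps described above concrete (a DEX seeing only the aggregator's router as its counterparty, and a third party paying gas for hack-linked wallets), here is an added Python example. It is not code from the ChainArgos/Allium report or from any exchange, and every address, amount and hop count in it is constructed: `0xHACK_MAIN`, `0xAGG_ROUTER`, `0xDEX_POOL` and `0xGAS_SVC` are placeholders, not the real 0x476 or 0x62a addresses.

```python
"""Address screening over a constructed Ethereum transfer graph.

Added example, not from the ChainArgos/Allium report. All addresses and
amounts are made up. Two heuristics are shown:
  1. forward taint propagation from a known hack wallet, which still
     flags a swap that reaches a DEX pool through an aggregator router
     even though the pool's direct counterparty is the router;
  2. gas-funder clustering: an address that tops up many tainted wallets
     with small ETH amounts but never receives stolen funds itself (the
     "service provider wallet" pattern).
"""
from collections import defaultdict, deque

HACK_WALLET = "0xHACK_MAIN"         # hypothetical main hacker wallet
AGGREGATOR_ROUTER = "0xAGG_ROUTER"  # hypothetical aggregator router contract
DEX_POOL = "0xDEX_POOL"             # hypothetical DEX liquidity pool
GAS_FUNDER = "0xGAS_SVC"            # hypothetical pre-funded-wallet provider
SHARED_CONTRACTS = {AGGREGATOR_ROUTER, DEX_POOL}  # infrastructure, not launderers

# Constructed sample transfers: (sender, receiver, asset, amount in asset units).
TRANSFERS = [
    ("0xEXCHANGE_COLD", HACK_WALLET, "ETH", 401_000.0),  # the theft
    (HACK_WALLET, "0xHOP_1", "ETH", 10_000.0),           # split into layering wallets
    (HACK_WALLET, "0xHOP_2", "ETH", 10_000.0),
    ("0xHOP_1", "0xHOP_1A", "ETH", 5_000.0),
    ("0xHOP_1A", AGGREGATOR_ROUTER, "ETH", 5_000.0),     # swap submitted to aggregator
    (AGGREGATOR_ROUTER, DEX_POOL, "ETH", 5_000.0),       # router trades against the pool
    (DEX_POOL, AGGREGATOR_ROUTER, "USDT", 9_000_000.0),
    (AGGREGATOR_ROUTER, "0xHOP_1A", "USDT", 9_000_000.0),
    (GAS_FUNDER, HACK_WALLET, "ETH", 0.05),              # gas top-ups from a provider
    (GAS_FUNDER, "0xHOP_1", "ETH", 0.05),
    (GAS_FUNDER, "0xHOP_2", "ETH", 0.05),
    (GAS_FUNDER, "0xHOP_1A", "ETH", 0.05),
    ("0xALICE", DEX_POOL, "ETH", 1.0),                   # unrelated traffic
    (GAS_FUNDER, "0xBOB", "ETH", 0.05),
    ("0xCAROL", "0xALICE", "ETH", 3.0),
]


def tainted_addresses(transfers, seeds, shared_contracts=frozenset(),
                      max_hops=5, eth_dust=0.1):
    """Breadth-first forward taint propagation from the seed wallets.

    Returns {address: hops from the nearest seed}. Funds passing through a
    shared contract (router, pool) keep their hop count and the contract is
    left out of the result, so taint lands on whoever receives the swap
    output rather than on the DEX. ETH transfers below eth_dust are ignored
    so gas top-ups do not spread taint.
    """
    adj = defaultdict(list)
    for src, dst, asset, amount in transfers:
        adj[src].append((dst, asset, amount))
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for dst, asset, amount in adj[addr]:
            if dst in hops or (asset == "ETH" and amount < eth_dust):
                continue
            hops[dst] = hops[addr] + (0 if dst in shared_contracts else 1)
            queue.append(dst)
    return {a: h for a, h in hops.items() if a not in shared_contracts}


def screen_direct(counterparty, blocklist):
    """What a DEX sees on its own: only its immediate counterparty."""
    return counterparty in blocklist


def screen_provenance(originator, tainted, max_hops=3):
    """Screen the address that submitted the trade against the taint set."""
    return originator in tainted and tainted[originator] <= max_hops


def gas_funders(transfers, tainted, eth_dust=0.1, min_recipients=3):
    """Addresses sending small ETH to several tainted wallets while never
    holding tainted funds. A lead for KYC follow-up at the exchanges the
    funder uses, not proof that the funder is complicit."""
    topups = defaultdict(set)
    for src, dst, asset, amount in transfers:
        if asset == "ETH" and amount < eth_dust and dst in tainted and src not in tainted:
            topups[src].add(dst)
    return {src: sorted(dsts) for src, dsts in topups.items()
            if len(dsts) >= min_recipients}


if __name__ == "__main__":
    tainted = tainted_addresses(TRANSFERS, {HACK_WALLET}, SHARED_CONTRACTS)
    print("tainted:", tainted)
    # The pool's counterparty is the aggregator router, so a direct check passes.
    print("direct check on router:", screen_direct(AGGREGATOR_ROUTER, {HACK_WALLET}))
    # The originator of that same swap sits two hops from the hack wallet.
    print("provenance check on originator:", screen_provenance("0xHOP_1A", tainted))
    print("candidate gas funders:", gas_funders(TRANSFERS, tainted))
```

The direct check is what a DEX can do alone; the provenance check needs the aggregator to pass through the originating address, or a data provider with the full graph, which is the institution-to-institution gap the article describes. The dust threshold and hop limit are tuning knobs: set them too loosely and a gas provider's top-ups would drag every wallet it serves into the taint set.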

Service provider wallets are not new, said ChainArgos’s Tan. In fact, there is a cottage industry of service providers offering pre-funded wallets as a service using untraceable ETH, that is, older ETH mined before the network changed to proof of stake. Identifying service providers who may be “unwittingly” dealing with hackers could help move the Bybit investigation forward.

He added: “Itʼs incumbent on the investigators to say ‘weʼve noticed that these service providers who pre-funded these North Korean wallets also have accounts at these exchanges. Letʼs go speak to the exchanges to find out who the service provider is.’”