Chainalysis: Hackers becoming more advanced as crypto exchanges upgrading its security
This article is a part of the Chainalysis 2020 Crypto Crime Report, coming out later in January 2020. You need to sign up and a copy of the report will be sent to you as soon as possible.
Source: 2019 Exchange Attacks Quantified
Currencies included: ADA, BCH, BTC, ETH, EOS, LTC, NANO, NEM, USDT, XRP, and others. The different colors on each bar show how much each hack put up to the total loss that year.
2019 witnessed more cryptocurrency hacks than any other year. Although among the 11 attacks that happened this year, none of their stolen were as much as such as 2018’s $534 million Coincheck hacks, or the $473 million Mt. Gox hack in 2014. Therefore, the total amount stolen from exchanges decreased rapidly to $283 million worth of cryptocurrency in spite of the increased number of attacks.
The final count of 2019 exchange attacks was based on specific aspects, thus, other media sources and elsewhere may report different numbers:
- It counted both hacks involving exploitation of technical vulnerabilities and attacks conducted through social engineering or other forms of deception. And it only focused on attacks that allowed bad actors to access funds belonging to exchanges, and not payment processors, wallet providers, investment platforms, or other types of services.
- It did not count exchange exit scams or cases of users exploiting an exchange error, such as the pricing discrepancy that nearly allowed a Synthetix user to net over $1 billion in faulty trades. But it included attacks in which the amount stolen was publicly confirmed by multiple sources. That means the report did not include incidents in which exchanges’ user data was compromised, but no cryptocurrency was stolen and excluded hacks that have been privately reported to the report’s writers, but are confident that including them would not significantly skew the data.
Under these limited aspects, nearly all of the hacks we did not include were on smaller exchanges for relatively low amounts of cryptocurrency. Therefore, the estimates of the total amount in exchange hacks are likely a lower boundary, but it is not far off from the actual total.
2019 exchange attacks measured
Currencies included: ADA, BCH, BTC, ETH, EOS, LTC, NANO, NEM, USDT, XRP, and others. Source: 2019 Exchange Attacks Quantified
Currencies included: ADA, BCH, BTC, ETH, EOS, LTC, NANO, NEM, USDT, XRP, and others. Source: 2019 Exchange Attacks Quantified
There are no hacks exceeding more than the $105 million stolen from Coinbene, both the average and median amount was stolen per hack fell substantially in 2019, after having risen each of the three preceding years. Only 54% of the hacks in 2019 taken in more than $10 million, compared with all hacks in 2018. While the increase in the number of individual hacks should be concerning, the data indicate that exchanges have improved better at preventing itself from being hacked.
Where do funds go after the attacks?
By applying blockchain analysis, we can analyze the movements of funds stolen in hacks to get a sense of how hackers liquidate funds. Here are the most common destinations for funds stolen in exchange attacks broken down by year.
Source: 2019 Exchange Attacks Quantified
Most of the funds stolen in exchange attacks end up being sent to other exchange platforms, where they’re likely converted into cash. However, a substantial portion of funds stays unspent, sometimes for years. Such cases may still be an opportunity for law enforcement to seize the stolen funds. In 2019, there was an increasing portion of all funds stolen are passed through third-party mixers or CoinJoin wallets to obscure their illicit origins. However, any mixed funds on the chart above are categorized according to their final destination after mixing took place.
Hackers deal with exchanges’ security measures
Exchanges have taken better improvement to protect customers’ funds from hacks and the sharp decreases in the amount lost per hack indicate they have been successful. Many exchanges now keep a lower percentage of funds in less secure hot wallets, require more withdrawal authorizations, and monitor transactions more closely for suspicious activity so as to catch hacks earlier. In 2019, some exchanges were even willing to come forward when attacked and share details with the rest of the cryptocurrency community have made it easier to track down stolen funds.
But at the same time, the most prolific hackers have also grown more sophisticated, both in how they carry out hacks and in how they launder their stolen funds afterward. While this is not a positive development, it suggests that the measures adopted by exchanges are effective enough to force hackers to adapt in the first place. And there are concrete steps exchanges and law enforcement can take to counter hackers’ new tactics.
Let’s find out some of the new tactics exchange hackers have adopted by analyzing the activity of one high-profile cybercriminal organization.
How Lazarus Group became the most dangerous hacker organization in 2019
Lazarus Group is an infamous cybercriminal syndicate linked to the North Korean government, which considered an advanced persistent threat by cybersecurity experts. Lazarus is widely believed to be behind the 2014 hack of Sony Pictures and 2017 WannaCry ransomware attacks, as well as a number of cryptocurrency exchange attacks.
In 2019, Lazarus Group made three key changes to its hacking and money laundering strategies:
- More sophisticated engines. Lazarus Group has historically relied on social engineering to attack exchanges, typically tricking employees into downloading malicious software that gives Lazarus access to users’ funds. But in an exchange attack this past year, Lazarus took this strategy a step further and executed one of the most elaborate phishing schemes we’ve seen to gain access to users’ funds.
- Increased use of mixers and CoinJoin wallets. In 2019, hackers have more often sent funds stolen from exchanges through mixers or, to be more specific in the case of Lazarus Group, CoinJoin wallets. Mixers obfuscate the path of funds by fusing cryptocurrency from multiple users and giving each one back an amount from the pool equal to what they initially put in, minus a 1-3% service fee. Everyone ends up with a “mix” of the funds that the other put in, which makes it more difficult to connect the inputs to an output on the users’ transactions. Many criminals use mixers to hide the source of illegal cryptocurrency before moving it to other services. CoinJoin wallets (named for the underlying CoinJoin protocol), such as Wasabi Wallet, accomplish the same thing by providing a wallet service that allows multiple users to trustlessly join their payments into a single transaction with multiple recipients.
- Faster liquidations. Lazarus also moved their funds to exchanges and other services for liquidation in shorter amounts of time than in 2018. This trend could suggest that hackers in 2019 improved their money laundering capabilities, or that they’re simply prioritizing faster access to stolen funds more so than in 2018.
Let’s look at examples of how Lazarus has applied these new tactics.
How Lazarus Group used a fake company as phishing bait
In 2019, hackers broke through the Singapore-based DragonEx exchange, taking roughly $7 million worth of various cryptocurrencies, including Bitcoin, Ripple, and Litecoin. DragonEx responded quickly, announcing on various social media platforms that it had been hacked and released a list of 20 wallet addresses to which its funds had been transferred. That allowed other exchanges to flag those wallets and freeze accounts associated with them, making it harder for the attackers to move the funds. DragonEx was also quick to contact Chainalysis and need our help alongside legal authorities.
While the DragonEx hack was relatively small, it was notable for the lengths Lazarus Group went in order to attack the exchange’s systems in a sophisticated phishing attack. The hacker organization created a fake company claiming to offer an automated cryptocurrency trading bot called Worldbit-bot, complete with a polish website and social media presence for made up employees.
It even went so far as to create a software product resembling the trading bot they claimed to be selling. Of course, the key difference was that the program contained malware giving the hackers access to any computer’s users who downloaded it. Hackers provided a free trial of the software to DragonEx employees, eventually convincing someone to download it to a computer containing the private keys for the exchange’s wallets. From there, the hackers were able to make off with millions.
Whereas most phishing attempts rely on little more than an email or small-scale website, Lazarus Group’s fake Worldbit-bot company is on another level of sophistication. It reveals the time and resources Lazarus has at its disposal, as well as the deep knowledge of the cryptocurrency ecosystem necessary to successfully impersonate legitimate participants.
Increased mixer usage and faster cashouts are out-standing changes
In 2018, Lazarus Group’s post-hack money laundering transactions did not use sophisticated money laundering techniques like mixers to delete and withdraw stolen cryptocurrency quickly like other prominent hacking groups. Instead, they tended to park funds in a wallet, wait 12 to 18 months, and suddenly move all the funds to a low-KYC exchange when the coast seemed clear.
We concluded that this was due to Lazarus’ motivations being primarily financial. Whereas other prominent hacking groups seem to be more interested in causing chaos for targets and avoiding detection, Lazarus’ behavior indicated a singular focus on turning stolen cryptocurrency into cash, even if it meant waiting for long periods of time and moving them to exchanges in a way that is relatively easy to trace.
The U.S. government has reported that North Korea uses funds from exchange hacks and other financial crimes to fund its weapons of mass destruction (WMD) and ballistic missile programs, supporting the theory that money is Lazarus’ primary goal.
While we don’t know sure if Lazarus’ motivations changed in 2019, we do know that their modus operandi for moving and cashing out funds stolen in exchange hacks did change. First, we see a much higher percentage of funds they steal moving to mixers.
We can see this below using Chainalysis Reactor to compare transaction activity associated with a Lazarus hack from 2018 with one from 2019.
2018 Lazarus Group exchange hack
Source: Chainalysis Reactor
Lazarus moved stolen funds following one of its 2018 exchange hacks. Although it may look complicated due to a large number of transactions, it is actually very simple. Funds leave the Victim Exchange wallet on the left, move through two intermediary wallets, and then, they are dispersed to four different exchanges on the right. The many hops in between represent unspent change moving from a wallet to an exchange. While the funds’ path may be long, it’s relatively easy to follow.
2019 Lazarus Group exchange hack
Source: Chainalysis Reactor
The Reactor graph showing how Lazarus moved funds following the 2019 DragonEx hack is much more complicated. In this case, stolen altcoins like Ethereum and Litecoin were moved to exchanges and swapped for Bitcoin. Next, they shuffle the Bitcoin withdrawn from exchanges between a variety of local wallets, before ultimately moving it to a Wasabi Wallet on the far right to mix the funds via the CoinJoin protocol.
Currencies included: BTC | Source: 2019 Exchange Attacks Quantified.
Lazarus Group also moved stolen funds to services where they can be liquidated, mostly exchanges, much faster this year. In 2018, Lazarus took as long as 500 days to move funds from their initial private wallet to a liquidation service and never did so in under 250 days. But in 2019, nearly all of the funds stolen in both hacks attributed to Lazarus were moved to liquidation services in under 60 days, though some still remain unspent. Hacks attributed to other groups followed this trend as well.
Lazarus’ growing sophistication and speed in laundering stolen cryptocurrency put more pressure on intelligence agencies and exchanges alike to move quickly when cyber criminals attack exchanges.
Security is the first priority for exchanges
Exchanges have improved their anti-hacking security in the last few years, but the subsequent advancements of groups like Lazarus show that they have no time to rest. They need to remain vigilant and continue building on the improvements they’ve already made to stay one step ahead.
We recommend exchanges continue putting guard rails in place to ensure suspicious transactions are flagged before completion and take steps to prevent employees from downloading malicious software that could compromise their network and give hackers access to the exchange’s private keys. In the event exchanges are hacked, they need to report it to law enforcement immediately and provide key information such as addresses to which stolen funds have moved.
Moreover, exchanges also have a responsibility to make sure criminals will not use them to cash out funds from other exchanges that have been hacked. We suggest that exchanges treat large deposits or high volumes of small deposits in a short amount of time from mixers or CoinJoin wallets with increased suspicion. While there are legitimate uses for mixers, the data makes it clear that they’re increasingly being utilized by hackers to obfuscate the path of stolen funds prior to cashing out. Exchanges can likely stop some of these cashouts and help law enforcement taking back stolen funds by halting suspicious transactions from mixers.
Finally, we believe that increased cross-border cooperation between law enforcement agencies can take a long way towards mitigating exchange hacks. If financial intelligence units (FIUs) around the world can swiftly share the information they get from exchanges upon being hacked, they may be able to freeze funds before hackers are able to move them to a mixer or low-KYC exchange.
Read more: