A $620 million hack? Just another day in crypto
The FBI said on Thursday that the Lazarus Group, a prolific hacking team run by the North Korean government, is responsible for the March 2022 hack of a cryptocurrency platform called Ronin Network.
The hackers stole $620 million in the cryptocurrency Ethereum. That is a staggering sum in any context. But in the Wild West environment of crypto, the Ronin hack is just one of eight megaheists in the past year in which hackers have stolen more than $100 million in cryptocurrency.
“Things are moving too quickly for people to keep pace with,” Kim Grauer, director of research at Chainalysis, says. “People bake into their investment strategy a kind of acceptance of the risk that you might get hacked or it all might go to zero.”
In 2021, criminal hackers stole approximately $3.2 billion in cryptocurrency, six times more than they made off with in 2020, according to Chainalysis. That year included six hacks of at least $100 million stolen and dozens of smaller hacks involving tens of millions.
Now 2022 is off to its own headline-grabbing start. The year in heists began when Qubit Finance, a new decentralized finance protocol, lost $80 million to hackers in January. When the anonymous crypto blog rekt.news chronicled the incident, the writer captured the strange feeling around the blistering pace of these enormous hacks: “But will anyone remember this next week?”
It was a prescient question. Before that week was out, the cryptocurrency platform Wormhole was hacked for $325 million when attackers exploited a vulnerability for which a fix had been written but not yet deployed.
Why does this keep happening? Because the cryptocurrency industry moves so fast that security is often an afterthought. Scams are common, and investors don’t always fully consider the risks of the many new projects they put money into.
“This industry is growing so quickly,” Grauer states. “There are so many opportunities to start new businesses online that people are investing at unprecedented levels and in platforms that aren’t well-structured or managed. It’s a common investment strategy to maybe invest in 50 different protocols and tokens and hope that one of them goes to the moon. But how are you going to do proper due diligence on all 50?”
The usual answer is: you don’t.
Poorly managed teams building on open-source code are common, in crypto and elsewhere. Hackers know this and take advantage of it to make huge sums.
In February’s hack on Wormhole, a decentralized finance (DeFi) platform that acts as a “bridge” between blockchains, the project’s developers had written a fix for a critical vulnerability but had not yet deployed it to the live project. The fix was uploaded to the project’s public GitHub repository weeks after it was first written, and the attacker spotted the published fix before the running code was updated. Within hours, the vulnerability was exploited.
Historically, the biggest cryptocurrency thefts involved funds taken from centralized exchanges. That type of crime still totals approximately $500 million per year, according to Chainalysis, but it pales next to what is now stolen from DeFi platforms, which totaled nearly $2.5 billion last year.
DeFi, which is built on smart contracts, treats transparency and open-source code as an ideology. In practice, this often means multimillion-dollar projects that are held together with tape and gum.
“There are a few things which make DeFi more susceptible to hacking,” Grauer explains. “The code is freely available. Anyone can look at it, looking for bugs. This is a serious problem that we have seen.” There is also a small industry of crypto audit companies that will sign off on a project. An audit is not a panacea: there is often little or no accountability for the auditors or the projects when hacks occur. The security firm Neodyme audited Wormhole just a few months prior to the theft.
Some of these hacks are state-sponsored. North Korea has long used hackers to steal money to fund a regime that is largely cut off from the world’s traditional economy, and Pyongyang has found cryptocurrency to be a gold mine. In recent years, hackers from the country have stolen billions of dollars.
Most hackers who target cryptocurrency are not funding a rogue state, though. The already well-established cybercriminal ecosystem is taking opportunistic shots at weak targets.
For the budding cybercrime kingpin, the harder challenge is to launder all the stolen money and turn it from code into something usable: cash, or in North Korea’s case, weapons. This is where law enforcement steps in. Police around the globe have invested heavily in blockchain analysis tools over the past few years to track, and sometimes even recover, stolen funds.
The Ronin hack is a case in point. The FBI was able to connect the wallet to North Korea two weeks after the heist, which made it possible to add the wallet holding the stolen funds to the US sanctions list. That makes the loot harder to use, but not impossible. While new tracing tools have begun to shed light on some of these hacks, law enforcement’s ability to recover funds and return them to investors remains limited.
“The laundering is more sophisticated than the hacks themselves,” Christopher Janczewski, who was formerly lead case agent at the IRS specializing in cryptocurrency cases, told MIT Technology Review.
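The tracing and laundering described above rest on a simple mechanic: every on-chain transfer is public, so an analyst can replay the ledger and carry a "tainted" amount forward from the theft transaction, while the launderer tries to dilute that taint by mixing stolen funds with clean ones. The script below is an added illustration and is not code from Chainalysis, the FBI, or any real tracing tool. The ledger, addresses, balances and the sanctioned set are constructed for the example; it shows the proportional ("haircut") taint rule and the amount-blind counterparty-exposure check that compliance screening typically layers on top.

```python
"""Proportional ("haircut") taint tracing over a constructed toy ledger.

Added illustration, not code from Chainalysis, the FBI or any real tracing tool.
Addresses, amounts and the sanctioned set are made up; a real analysis would
read transfers from a node or indexer and hold real sanctions-list addresses.
"""
from collections import defaultdict, deque

# Constructed ledger, in on-chain order: (sender, receiver, amount).
# Tx 0 is the theft. The thief splits the loot, and one branch is deposited into
# an address that also receives clean funds from "alice", which dilutes the taint.
LEDGER = [
    ("bridge", "hacker", 1000.0),   # 0: the theft
    ("hacker", "hop1", 600.0),      # 1
    ("hacker", "hop2", 400.0),      # 2
    ("alice", "mixer", 600.0),      # 3: clean deposit
    ("hop1", "mixer", 600.0),       # 4: stolen deposit
    ("mixer", "cashout1", 300.0),   # 5
    ("mixer", "cashout2", 900.0),   # 6
    ("hop2", "exchange", 400.0),    # 7
]
INITIAL_BALANCES = {"bridge": 1000.0, "alice": 600.0}  # constructed starting funds
THEFT_TXS = {0}                                          # indices of the theft transfers
SANCTIONED = {"hacker"}  # constructed stand-in for a sanctions-listed wallet


def trace(ledger, initial_balances, theft_txs):
    """Replay transfers, carrying a 'tainted' amount per address.

    Every outgoing transfer carries taint in proportion to the sender's current
    tainted share (haircut rule). Theft transfers are tainted in full on arrival.
    Returns final balances and tainted amounts; total taint is conserved.
    """
    balance = defaultdict(float, initial_balances)
    tainted = defaultdict(float)
    for idx, (src, dst, amt) in enumerate(ledger):
        if amt <= 0 or balance[src] + 1e-9 < amt:
            raise ValueError(f"tx {idx}: {src} cannot send {amt} (holds {balance[src]})")
        out_taint = amt * tainted[src] / balance[src]
        in_taint = amt if idx in theft_txs else out_taint
        balance[src] -= amt
        tainted[src] -= out_taint
        balance[dst] += amt
        tainted[dst] += in_taint
    return {"balance": dict(balance), "tainted": dict(tainted)}


def flagged(result, min_tainted=1.0):
    """Addresses still holding tainted funds, with the tainted fraction of their balance."""
    out = {}
    for addr, t in result["tainted"].items():
        bal = result["balance"][addr]
        if t >= min_tainted and bal > 0:
            out[addr] = (t, t / bal)
    return out


def hop_distance(ledger, sanctioned):
    """Counterparty exposure: fewest transfers separating each address from a
    sanctioned one, following the direction funds moved. Amount-blind, so an
    address two hops out is flagged even if most of its funds are clean."""
    graph = defaultdict(set)
    for src, dst, _ in ledger:
        graph[src].add(dst)
    dist = {a: 0 for a in sanctioned}
    queue = deque(sanctioned)
    while queue:
        cur = queue.popleft()
        for nxt in graph[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


if __name__ == "__main__":
    res = trace(LEDGER, INITIAL_BALANCES, THEFT_TXS)
    for addr, (amt, frac) in sorted(flagged(res).items()):
        print(f"{addr:10s} tainted={amt:7.1f} ({frac:.0%} of balance)")
    for addr, d in sorted(hop_distance(LEDGER, SANCTIONED).items(), key=lambda x: x[1]):
        print(f"{addr:10s} {d} hop(s) from a sanctioned address")
```

On this constructed ledger the two cash-out addresses each end up holding funds that are only half tainted, because the intermediary received equal clean and stolen deposits; the exchange address is 100% tainted. The hop-distance view flags the same intermediary two hops from the sanctioned wallet regardless of how much clean money went through it, which is why an exchange's screening will usually combine both views before deciding whether to freeze a deposit.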
For now, big risk remains part of the game in crypto.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.