Chainalysis

Euler Finance to enter talks with exploiter over the return of funds

The flash loan exploiter claims they have “no intention of keeping what is not ours” and wants to “come to an agreement” with Euler Finance.

Ethereum-based lending protocol Euler Finance could be a step closer to recovering funds stolen in a $196 million flash loan attack last week, with private discussions now initiated with the exploiter.

In an on-chain message to Euler on March 20, days after sending funds to a red-flagged North Korean address, the exploiter claimed they now want to “come to an agreement” with Euler.

“We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement,” said the exploiter.

The hacker’s most recent public on-chain message to Euler. Source: Etherscan

Hours later, Euler replied with its own on-chain message, acknowledging the message and asking the exploiter to talk “in private,” stating:

“Message received. Let’s talk in private on blockscan via the Euler Deployer address and one of your EOAs, via signed messages over email at contact@euler.foundation, or any other channel of your choice. Reply with your preference.”

Euler’s latest public on-chain message to the hacker. Source: Etherscan

Euler had previously tried to cut a deal with the exploiter after the exploit, insisting that they return 90% of the funds they stole within 24 hours or potentially face legal consequences.

There was no response, and 24 hours later, Euler launched a $1 million bounty reward for any information that could lead to the exploiter’s arrest and return of the funds.

While the identity of the exploiter is not known, the recent language used by the exploiter could suggest more than one person is involved.

In a March 17 tweet, blockchain analytics firm Chainalysis said the recent 100 Ether (ETH) transfer to a wallet address associated with North Korea could mean the hack is the work of the “DPRK” — the Democratic People’s Republic of Korea.

However, this could also be an attempt to intentionally misdirect investigators, the firm said.

Other transactions from the exploiter’s wallet address include 3000 ETH, which was sent back to Euler Finance on March 18, along with funds sent to crypto mixer Tornado Cash and even an apparent victim of the exploit. 

On March 20, another address reached out to Euler on-chain, claiming to have found a “solid string of connections” that could help them find out who and where the exploiter was.

Cointelegraph reached out to the Euler Foundation for comment but did not receive an immediate response.

Crypto users turned to DEXs, loaded up on USDC after Silicon Valley Bank crash

The collapse of FTX led to a similar exodus from centralized exchanges, as users worried they may lose access to funds during crises.

The collapse of Silicon Valley Bank saw investors loading their bags with USD Coin (USDC), along with an exodus of funds from centralized exchanges (CEXs) to decentralized exchanges (DEXs).

Outflows from centralized exchanges often spike when the markets are in turmoil, blockchain analysis firm Chainalysis said in a March 16 blog post, as users are likely worried about losing access to their funds when exchanges go down.

Funds sent from CEXs to DEXs following SVB’s collapse. Source: Chainalysis

The Chainalysis data shows that hourly outflows from CEXs to DEXs spiked to over $300 million on March 11, soon after SVB was shut down by a California regulator.

A similar phenomenon was observed during the collapse of cryptocurrency exchange FTX last year, amid fears that the contagion could spread to other crypto firms.

However, data from the blockchain analytics platform Token Terminal suggests that the surge in daily trading volumes for large DEXs was short-lived in both cases.

Daily trading volumes for large DEXs from September to March. Source: Token Terminal

USDC was identified as one of the top assets being moved to DEXs, which Chainalysis said was unsurprising given that USDC depegged after stablecoin issuer Circle announced it had $3.3 billion in reserves stuck on SVB, prompting many CEXs like Coinbase to temporarily halt USDC trading.

What was surprising, Chainalysis noted, was the surge in USDC acquisitions on large DEXs such as Curve3pool and Uniswap. “Several assets saw large spikes in user acquisition, but none more than USDC,” the blockchain analysis firm wrote.

Token acquisitions on Uniswap from March 7 to March 14. Source: Chainalysis

Chainalysis theorized that this was due to confidence in the stablecoin, with some crypto users loading up on USDC while it was relatively cheap and betting that it would regain its peg — which it did on March 13 according to CoinMarketCap.

USDC’s brief depeg from March 11 to March 13. Source: CoinMarketCap

Euler Finance’s offer to hacker: Keep $20M or face the law

The hacker committed a $196 million flash loan attack on the Ethereum-based lending protocol on March 13.

Ethereum-based noncustodial lending protocol Euler Finance is trying to cut a deal with the exploiter that stole millions from its protocol, demanding that the hacker return 90% of the funds they stole within 24 hours or face legal consequences.

Euler Labs sent its ultimatum to the flash loan attacker who exploited the platform for $196 million by transferring the hacker 0 Ether (ETH) with an attached message on March 14:

“Following up on our message from yesterday. If 90% of the funds are not returned within 24 hours, tomorrow we will launch a $1M reward for information that leads to your arrest and the return of all funds.”

The threat of law enforcement comes after Euler sent the hacker a much more civil message the day before.

“We understand you are responsible for this morning’s attack on the Euler platform,” it read. “We are writing to see whether you would be open to speaking with us about any potential next steps.”

The request for a 90% fund return would see the hacker send back $176.4 million while holding onto the remaining $19.6 million.

However, many observers have noted that the hacker has very little to no incentive to follow through with the deal.

“If I was the hacker I’d simply say ‘to anyone who manages to track me down, I will give you $2 million not to tell Euler,’” one observer said.

“Yeh he has 200 Million they have 2 Million. He wins in a bidding war,” another Twitter user wrote in response.

Euler Labs said it was already working with law enforcement in the United States and the United Kingdom, along with engaging blockchain intelligence platforms Chainalysis, TRM Labs and the broader Ethereum community, to help track down the hacker.

The lending platform added it was able to promptly stop the flash loan attack by blocking deposits and the “vulnerable” donation function.

As for the exploited code, the team explained that the vulnerability “was not discovered” in the audit of its smart contract, which had existed on-chain for eight months until being exploited on March 13.


Ukraine netted $70M in crypto donations since start of Russia conflict

Since Russia’s invasion a year ago, there’s been $28.9 million in Ether donated to Ukraine, as well as $22.8 million in Bitcoin and $11.6 million in Tether.

Ukraine has received over $70 million in cryptocurrencies since the start of the Russian-Ukrainian conflict, providing the nation with funds for military equipment and humanitarian assistance.

The figures came from a Feb. 24 report by blockchain data platform Chainalysis, which found the majority of the funds to have come in the form of Ether (ETH) and Bitcoin (BTC).

ETH donors led the way with $28.9 million given, while donors of BTC and Tether (USDT) chipped in $22.8 million and $11.6 million, respectively.

Cryptocurrencies donated to Ukraine wallets provided by the Ukrainian government. Source: Chainalysis

Donations have also come in the form of nonfungible tokens, such as UkraineDAO’s auction of a Ukrainian flag NFT that sold for $6.1 million.

Around 80% of the total $70 million donated came in the first few months of the war, with the speed of cryptocurrency payments fast-tracking the country’s ability to respond to the Russian invasion, Ukrainian deputy digital minister Alex Bornyakov explained in an interview with Yahoo Finance on Feb. 24:

“If we used the traditional financial system it was going to take days […] We were able to secure the purchase of vital items in no time at all via crypto, and what is amazing is that around 60% of suppliers were able to accept crypto, I didn’t expect this.”

Bornyakov added that the Crypto Fund Aid For Ukraine was an “absolute success” and that he was blown away by not only the amount of donations that came through but the ease at which the digital ministry could access those funds for Ukraine’s defense.

Alona Shevchenko, co-founder of Ukraine DAO, also explained to Yahoo Finance that cryptocurrencies provided a solution when restrictions were imposed on the Ukrainian central banking system:

“The central bank introduced limits on foreign currency transfers in and out of Ukraine to stop the run on the hryvnia […] Thanks to crypto we were able to cover some of our defenders’ immediate needs, there was literally no other way at the time.”

According to an August tweet by Mykhailo Fedorov, Ukraine’s vice prime minister and minister of digital transformation, much of the cryptocurrency payments to the digital ministry have been used to fund the country’s military equipment, armor clothing and a range of vehicles and medicine.

The increased reliance on cryptocurrencies in Ukraine looks to have increased adoption in the country, with a September report by Chainalysis finding Ukrainians to be the third-highest adopters, behind Vietnam and the Philippines.

However, pro-Russian military groups have also used cryptocurrency to crowdfund their war efforts, including using crypto donations to fund military purchases, spread disinformation and create pro-invasion propaganda, according to Chainalysis.

Total value received by Russian military groups since February 2021. Source: Chainalysis

The 100 groups have received a total of $5.4 million over the course of the war; however, incoming donations have fallen considerably since July.

It is unclear what impact sanctions had on this downtrend, but a 10th package of sanctions against Russia was introduced on Feb. 24.

Meanwhile, a recent crime report by Chainalysis found that of the $456.8 million total ransomware payments in 2022, a majority of these funds were taken by “actors” believed to be based in Russia.

Chainalysis explained that such attacks are often utilized by bad actors for political agendas, such as that of Russia-based pro-conflict ransomware group Conti, which reeled in $66 million from victims in 2022 and has previously announced its “full support” of the Russian government.

Crypto investors spent $4.6B buying ‘pump and dump’ tokens last year

Nearly 10,000 tokens launched on BNB and Ethereum last year are suspected to have been created just to dump on investors, according to Chainalysis.

Cryptocurrency investors funneled as much as $4.6 billion into crypto tokens suspected to be part of “pump and dump” schemes in 2022.

A Feb. 16 report from blockchain analytics firm Chainalysis “analyzed all tokens launched” in 2022 on the BNB Smart Chain and Ethereum blockchains and found that over 9,900 bore characteristics of a “pump and dump” scheme.

A pump-and-dump scheme typically involves the creators orchestrating a campaign of misleading statements, hype, and Fear Of Missing Out (FOMO) to persuade investors into purchasing tokens while secretly selling their stake in the scheme at inflated prices.

Chainalysis estimated investors spent $4.6 billion worth of crypto buying the more than 9,900 different suspected fraudulent tokens it identified.

The most prolific purported pump and dump creator Chainalysis identified — who was not named — is suspected of single-handedly launching 264 such tokens last year, with the firm explaining:

“Teams launching new projects and tokens can remain anonymous, which makes it possible for serial offenders to carry out multiple pump and dump schemes.”

Chainalysis classified a token as being “worth analyzing” as a potential “pump and dump” if it had a minimum of 10 swaps and four back-to-back days of trading on decentralized exchanges (DEXs) in the week after its launch. Of the 1.1 million new tokens launched last year, only just over 40,500 fit the criteria.

If a token from this group saw a price decline in the first week of 90% or greater, Chainalysis deemed it likely the token was a “pump and dump.” The firm found that 24% of the 40,500 tokens analyzed fit the secondary criterion.
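The two-stage screen described above, written out as an added example (not Chainalysis’s code and not part of the original article). How the price decline is measured (peak price to last trade within the first week), the use of calendar-day streaks, and every sample swap below are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_SWAPS = 10               # "a minimum of 10 swaps"
MIN_CONSECUTIVE_DAYS = 4     # "four back-to-back days of trading"
DROP_THRESHOLD = 0.90        # "price decline in the first week of 90% or greater"
WINDOW = timedelta(days=7)   # "the week after its launch"


@dataclass(frozen=True)
class Swap:
    ts: datetime       # time of the DEX swap (assumed UTC)
    price_usd: float   # execution price of the token


def first_week(launch, swaps):
    """Swaps that fall inside the seven days after launch, oldest first."""
    inside = [s for s in swaps if launch <= s.ts < launch + WINDOW]
    return sorted(inside, key=lambda s: s.ts)


def longest_daily_streak(swaps):
    """Longest run of consecutive calendar days with at least one swap."""
    best = run = 0
    prev = None
    for day in sorted({s.ts.date() for s in swaps}):
        run = run + 1 if prev and day - prev == timedelta(days=1) else 1
        best = max(best, run)
        prev = day
    return best


def worth_analyzing(launch, swaps):
    """Stage 1: enough real trading activity to be worth a closer look."""
    week = first_week(launch, swaps)
    return (len(week) >= MIN_SWAPS
            and longest_daily_streak(week) >= MIN_CONSECUTIVE_DAYS)


def first_week_drop(launch, swaps):
    """Fractional decline from the first-week peak to the last first-week
    trade (assumed definition; the article does not spell one out)."""
    week = first_week(launch, swaps)
    if not week:
        return 0.0
    peak = max(s.price_usd for s in week)
    return (peak - week[-1].price_usd) / peak if peak > 0 else 0.0


def classify(launch, swaps):
    """Apply both stages and return a label for the token."""
    if not worth_analyzing(launch, swaps):
        return "not_analyzed"
    if first_week_drop(launch, swaps) >= DROP_THRESHOLD:
        return "suspected_pump_and_dump"
    return "no_flag"


# --- constructed sample data (not real tokens) -------------------------
LAUNCH = datetime(2022, 6, 1, 12, 0)


def make_swaps(points):
    """points: (days after launch, hours after 12:00, price)."""
    return [Swap(LAUNCH + timedelta(days=d, hours=h), p) for d, h, p in points]


A_POINTS = [(0, 0, 1.0), (0, 2, 1.4), (0, 5, 2.0), (1, 1, 1.8), (1, 6, 1.2),
            (2, 3, 0.9), (2, 8, 0.6), (3, 2, 0.4), (3, 9, 0.3), (4, 4, 0.2),
            (4, 10, 0.1)]
# Active for five straight days, then collapses 95% from its peak.
TOKEN_A = make_swaps(A_POINTS)
# Same activity, but only a mild 40% slide.
TOKEN_B = make_swaps([(d, h, 1.0 - 0.04 * i)
                      for i, (d, h, _) in enumerate(A_POINTS)])
# Too few swaps to pass stage 1.
TOKEN_C = make_swaps([(0, 0, 1.0), (0, 1, 0.5), (1, 0, 0.01)])
# Ten swaps and a 95% crash, but a gap on day 3 breaks the four-day streak.
TOKEN_D = make_swaps([(0, 0, 1.0), (0, 3, 2.0), (1, 0, 1.5), (1, 4, 1.0),
                      (2, 1, 0.7), (2, 5, 0.5), (4, 2, 0.3), (4, 6, 0.2),
                      (5, 1, 0.15), (5, 7, 0.1)])

if __name__ == "__main__":
    for name, swaps in [("A", TOKEN_A), ("B", TOKEN_B),
                        ("C", TOKEN_C), ("D", TOKEN_D)]:
        print(name, classify(LAUNCH, swaps),
              f"drop={first_week_drop(LAUNCH, swaps):.0%}")
```

Token D shows why the activity filter matters: a steep crash alone is not flagged unless the token also traded on four consecutive days, which is how the screen narrows 1.1 million launches to the roughly 40,500 analyzed.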

A table showing the analytic breakdown and number of tokens purported to be fraudulent. Source: Chainalysis

Chainalysis estimated that just 445 individuals or groups are behind the suspected pump-and-dump tokens — suggesting that creators often launch multiple projects — and says they made $30 million in total profits from selling their holdings.

“It’s possible, of course, that in some cases, teams involved with token launches did their best to form a healthy offering, and the subsequent drop in price was simply due to market forces,” the firm added.

Despite the concerning statistics, in a separate report, the firm noted revenues from crypto scams were cut almost in half in 2022, largely due to depressed crypto prices.

Crypto scammers feel the chill: Revenue drops 46% in 2022 — Chainalysis

Falling crypto prices caused crypto scam revenue to plummet in 2022, but two scam types managed to persist.

Crypto scam revenue was slashed by almost half in 2022 due mainly to falling crypto asset prices, but two scam types managed to stay immune.

Crypto scam revenue in 2022, which includes investment scams, NFT scams and romance scams, among others, amounted to $5.9 billion in the year — down 46% from 2021.

The data came from a Feb. 16 crime report from Chainalysis, which attributed most of the decline in scam revenue to poor market conditions, as lower crypto prices generally result in lower scam performance.

Yearly crypto scam revenues from 2017-2022. Source: Chainalysis.

Chainalysis however pointed to two different scam types that managed to stay relatively immune to the price falls — romance scams and giveaway scams.

“Scam revenue throughout the year tracks almost perfectly with Bitcoin’s price, consistently maintaining a three-week lag between price moves and changes in revenue. However, not every distinct type of scam follows this pattern — some types of scams see revenue changes increase as crypto asset prices decrease,” explained the firm, adding: 

“For instance, unlike other kinds of scams, romance and giveaway scams don’t show a positive correlation with Bitcoin’s price.”

Romance scams, while having lower overall revenue as a category, racked up the highest average victim deposit size in the year — with the average victim losing just under $16,000, nearly 3x more than the next biggest scam type. 

Average losses for victims throughout 2022 by scam type. Source: Chainalysis.

Romance scams typically involve building a relationship with the victim, with the scammer convincing them that they need their help.

Chainalysis said that these scam types are most likely to persist when crypto prices are down because it’s playing to a victim’s compassion rather than greed. 

“That kind of emotional pitch is probably equally effective regardless of trends in the wider market, because the victim’s primary goal isn’t to get rich quick, but rather to help someone they believe to be a potential romantic partner,” the firm wrote.

Romance scams, and particularly “pig-butchering” scams, have been seen as a growing area of concern within crypto.

For example, a United Kingdom investigation published on Jan. 29 found that half of all crypto companies involved with scams in the state were linked to pig-butchering scams.

North Korea stole more crypto in 2022 than any other year: UN report

A report submitted to the United Nations found North Korean cyber attacks have become vastly more sophisticated and raked in more crypto than ever before.

A confidential United Nations report has revealed North Korean hackers stole more crypto assets in 2022 than in any other year.

The UN report, seen by Reuters, was reportedly submitted to a 15-member North Korea sanctions committee last week.

It found North Korean-linked hackers were responsible for between $630 million and more than $1 billion in stolen crypto assets last year after targeting networks of foreign aerospace and defense companies.

The UN report also noted that cyber attacks were more sophisticated than in previous years, making tracing stolen funds more difficult than ever.

“[North Korea] used increasingly sophisticated cyber techniques both to gain access to digital networks involved in cyber finance, and to steal information of potential value, including to its weapons programmes,” the independent sanctions monitors said in its report to the UN Security Council Committee.

Last week, a Feb. 1 report from blockchain analytics firm Chainalysis came to a similar conclusion, linking North Korean hackers to at least $1.7 billion worth of stolen crypto in 2022, making it the worst-ever year for crypto hacking.

North Korean hackers have been stealing more crypto than ever before. Source: Chainalysis

The firm named the cybercriminal syndicates as the most “prolific cryptocurrency hackers over the last few years.”

“For context, North Korea’s total exports in 2020 totaled $142 million worth of goods, so it isn’t a stretch to say that cryptocurrency hacking is a sizable chunk of the nation’s economy,” Chainalysis said.

According to Chainalysis, at least $1.1 billion of the stolen loot was taken from hacks of decentralized finance protocols, making North Korea one of the driving forces behind the DeFi hacking trend that intensified in 2022.

Chainalysis has revealed North Korean hackers tend to send large amounts of their stolen funds to mixers. Source: Chainalysis.

The firm also found that North Korea-linked hackers tend to send large sums to mixers such as Tornado Cash and Sinbad.

“In fact, funds from hacks carried out by North Korea-linked hackers move to mixers at a much higher rate than funds stolen by other individuals or groups,” Chainalysis said.

North Korea has frequently denied allegations of being responsible for cyberattacks, but the new UN report alleged North Korea’s primary intelligence bureau, the Reconnaissance General Bureau, uses several groups such as Kimsuky, Lazarus Group and Andariel specifically for cyberattacks.

“These actors continued illicitly to target victims to generate revenue and solicit information of value to the DPRK, including its weapons programmes,” the UN report said.

Submitted before the 15-member council’s North Korea sanctions committee last week, the full report is reportedly due for public release later this month or early March.

Protocol Labs, Chainalysis and Bittrex add to crypto layoff season

Crypto execs suggested that the “extremely challenging” times forced them to cut jobs to “weather this extended” crypto winter.

Several crypto firms have made job cuts this week amid the ongoing crypto winter, retaining “impactful” employees as they prepare for a “longer downturn.”

At least 216 jobs were slashed between three crypto firms — open-source software laboratory Protocol Labs, blockchain data firm Chainalysis and cryptocurrency exchange Bittrex, with reductions of 89, 83 and 44 employees respectively.

Juan Benet, CEO of Protocol Labs, the company that launched Filecoin (FIL), announced the job cuts in a blog post on Feb. 3, stating that the company has had to focus its headcount “against the most impactful and business-critical efforts.”

He stated that the company decided to cut “89 roles,” approximately 21% of its workforce, to ensure it is well positioned to “weather this extended winter.”

Benet suggested that the company must “prepare for a longer downturn,” given it has been an “extremely challenging” time for the crypto industry.

Meanwhile, Bittrex employees were informed by CEO Richie Lai over email on Feb. 1 that the reduction to its workforce is to “ensure the long-term viability” of the company.

The email was leaked via Twitter on Feb. 2. Lai stated that despite the leadership team “working aggressively” to reduce expenses and increase efficiencies over the last several months, the efforts have not produced the “results necessary.”

Lai added that the market conditions have forced the company to reset its strategy and balance its “investments with the new economic environment.”

According to Washington State employment data on Feb. 2, Bittrex cut 83 jobs.

Maddie Kennedy, director of communications at Chainalysis, told Forbes on Feb. 1 that those “primarily in sales” at the company were let go, as 44 of its 900 employees, approximately 4.8% of the workforce, were slashed.

These layoffs come after news that at least 2,900 staff were cut across 14 crypto firms in January.

Coinbase had the largest layoffs amongst those firms, cutting 950 of its staff on Jan. 10.

Meanwhile, competitor exchanges Crypto.com, Luno and Huobi had reductions of approximately 500, 330 and 320 staff, respectively.

Cointelegraph reached out for comment from Protocol Labs, Chainalysis and Bittrex but did not receive a response by publication.

Ransom refusals hit attackers where it hurts: 40% revenue drop in 2022 — Chainalysis

A number of industry pundits believe the U.S. Office of Foreign Assets Control’s threat to impose sanctions has victims thinking twice about paying up.

Ransomware victims have seemingly had enough of the extortion, with ransomware revenues for attackers plummeting 40% to $456.8 million in 2022.

Blockchain intelligence firm Chainalysis shared the data in a Jan. 19 report, noting that the figures don’t necessarily mean the number of attacks is down from the previous year.

Instead, Chainalysis noted that companies have been forced to tighten cybersecurity measures, while ransom victims have been increasingly unwilling to pay attackers their demands.

Total value extorted by ransomware attackers between 2017 and 2022. Source: Chainalysis

The findings formed part of Chainalysis’ 2023 Crypto Crime Report. Last year, revenue from ransomware was a whopping $602 million at the time of the 2022 report, which was later tipped up to $766 million when additional cryptocurrency wallet addresses were identified.

Chainalysis added that the nature of blockchain means that attackers are having an increasingly hard time getting away with it:

“Despite ransomware attackers’ best efforts, the transparency of the blockchain allows investigators to spot these rebranding efforts virtually as soon as they happen.”

Interestingly, ransomware attackers resorted to centralized cryptocurrency exchanges 48.3% of the time when reallocating the funds — up from 2021’s figure of 39.3%.

Destination of funds leaving ransomware wallets between 2018 and 2022. Source: Chainalysis

Chainalysis also noted that the use of mixer protocols such as the now-sanctioned Tornado Cash increased from 11.6% to 15.0% in 2022.

On the other hand, fund transfers to “high-risk” cryptocurrency exchanges fell from 10.9% to 6.7%.

Victims refusing to pay

In insights shared with Chainalysis, threat intelligence analyst Allan Liska of Recorded Future said that the United States Office of Foreign Assets Control’s (OFAC) advisory statement in September 2021 may partly account for the revenue fall:

“With the threat of sanctions looming, there’s the added threat of legal consequences for paying [ransomware attackers].”

A statistical analysis carried out by Bill Siegel, CEO of ransomware incident response firm Coveware, also suggested ransomware victims are becoming more reluctant to pay up:

Siegel’s probability chart suggests that ransomware victims have become increasingly unwilling to pay their attackers. Source: Chainalysis

Cybersecurity insurance firms are also tightening up their underwriting standards, Liska explained:

“Cyber insurance has really taken the lead in tightening not only who they will insure, but also what insurance payments can be used for, so they are much less likely to allow their clients to use an insurance payout to pay a ransom.”

Many firms won’t renew policies unless the insured systems are comprehensively backed up, integrate Endpoint Detection and Response security and utilize multi-authentication mechanisms, Siegel noted.

The revenue drop came despite an explosion in the number of unique ransomware strains in circulation, according to cybersecurity firm Fortinet.

However, Siegel explained that while it looks like competition in the ransomware world is increasing, many of the new strains are being carried out by the same organizations:

“The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred […] It’s the same criminals, they’re just repainting their get-away cars.”

Chainalysis also explained that the “true totals” for the figures provided in the report are likely to be much higher because not every cryptocurrency address controlled by ransomware attackers has been identified.