North Korea

North Korea and criminals are using DeFi services for money laundering — US Treasury

Despite the warnings on DeFi, the Treasury noted that “most money laundering, terrorist financing, and proliferation financing” occurred using fiat or outside the crypto ecosystem.

A new report from the United States Treasury Department analyzing decentralized finance concluded that actors from the Democratic People’s Republic of Korea (DPRK), along with other criminals and scammers, exploit weaknesses in DeFi services to launder funds.

In its “Illicit Finance Risk Assessment of Decentralized Finance” report released on April 6, the U.S. Treasury said many groups engaged in illicit activity from North Korea benefited from some DeFi platforms’ non-compliance with certain Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations. According to the report, insufficient AML/CFT controls and other shortcomings in DeFi services “enable the theft of funds.”

“Illicit actors, including criminals, scammers, and North Korean cyber actors are using DeFi services in the process of laundering illicit funds,” said Brian Nelson, under secretary of the Treasury for Terrorism and Financial Intelligence. “Capturing the potential benefits associated with DeFi services requires addressing these risks.”

The report noted that some projects had “affirmatively touted a lack of AML/CFT controls as one of the primary goals of decentralization,” noting that actors were often able to circumvent sanctions from the U.S. and United Nations. However, the Treasury reiterated that “most money laundering, terrorist financing, and proliferation financing” occurred using fiat currency or was otherwise outside the digital asset ecosystem.

Officials recommended an increase in the regulatory supervision of AML/CFT for platforms offering DeFi services, guidance to DeFi platforms with respect to AML/CFT, and addressing any regulatory gaps.

“DeFi services at present often do not implement AML/CFT controls or other processes to identify customers, allowing layering of proceeds to take place instantaneously and pseudonymously, using long strings of alphanumeric characters rather than names or other personally identifying information.”

Related: In crypto winter, DeFi needs an overhaul to mature and grow

The assessment was in accordance with the executive order on digital assets signed by President Joe Biden in March 2022. Since the implementation of the executive order, many U.S. government agencies have begun investigating the potential impact of aspects of the digital asset space on the country’s financial system and existing payment infrastructure. In September 2022, the Treasury released a report that included countering illicit finance risks from crypto assets.

Magazine: DeFi abandons Ponzi farms for ‘real yield’

Massive supply chain attack targeting small number of crypto companies: Kaspersky

CrowdStrike and Kaspersky found an infection in a communications app that delivered a backdoor but said the backdoor had been deployed only a few times.

A supply chain attack pushed a trojanized build of a widely used communications app to computers around the world, but the follow-on backdoor it carried has been found on fewer than 10 machines, cybersecurity company Kaspersky has reported. Those deployments showed a particular interest in cryptocurrency companies, it added.

Cybersecurity company CrowdStrike reported on March 29 that it had identified malicious activity in the 3CX softphone app 3CXDesktopApp, which is marketed to corporate clients. The malicious activity detected included “beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”

Kaspersky said it suspected the involvement of the North Korea-linked threat actor Labyrinth Chollima. 3CX said of the infection:

“This appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware.”

Kaspersky said it was already investigating a dynamic link library (DLL) loaded by one of the infected 3CXDesktopApp.exe binaries. That DLL had been used to deliver the Gopuram backdoor, although Gopuram was not the only malicious payload deployed in the attack. Kaspersky added that Gopuram has previously been found on systems alongside the AppleJeus backdoor attributed to North Korea’s Lazarus Group.

Related: North Korean hackers are pretending to be crypto VCs in new phishing scheme — Kaspersky

Infected 3CX software has been detected around the world, with highest infection figures in Brazil, Germany, Italy and France. Gopuram has been deployed in fewer than ten computers, however, in a display of “surgical precision,” Kaspersky said. It had found a Gopuram infection in a Southeast Asian cryptocurrency company in the past.

The 3CX app is used by over 600,000 companies, including several major brands, Kaspersky said, citing the maker. The trojanized installer was signed with a valid DigiCert-issued code-signing certificate: the malicious code had been inserted before signing, so a signature check alone would not have flagged it.

Magazine: 4 out of 10 NFT sales are fake: Learn to spot the signs of wash trading

North Korean hackers using stolen crypto to mine more crypto via cloud services: Report

Cybersecurity firm Mandiant has “graduated” a new group of hackers who finance state goals and their own existence with the help of crypto laundering.

The North Korean cybercrime operator APT43 is using cloud computing to launder cryptocurrency, a report from cybersecurity service Mandiant has found. According to the researchers, the North Korean group uses “stolen crypto to mine for clean crypto.”

Mandiant, a Google subsidiary, has been tracking the North Korean Advanced Persistent Threat (APT) group since 2018 but has only now “graduated” the group to an independent identity. Mandiant characterized the group as a “major player” that often cooperated with other groups.

Although its main activity was spying on South Korea, Mandiant found that APT43 was likely engaged in raising funds for the North Korean regime and funding itself through its illicit operations. Apparently the group has been successful in those pursuits:

“APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, therefore reducing fiscal strain on the central government.”

The researchers detected the North Korean group’s “likely use of hash rental and cloud mining services to launder stolen cryptocurrency into clean cryptocurrency.”

Hash rental and cloud mining are similar practices that involve renting crypto mining capacity. According to Mandiant, they make it possible to mine crypto “to a wallet selected by the buyer without any blockchain-based association to the buyer’s original payments.”

Mandiant identified payment methods, aliases, and addresses used for purchases by the group. PayPal, American Express cards and “Bitcoin likely derived from previous operations” were the payment methods the group used.

Related: South Korea sets independent sanctions for crypto theft against North Korea

In addition, APT43 was implicated in the use of Android malware to harvest credentials of people in China looking for cryptocurrency loans. The group also operates several spoof sites for the targeted credential harvesting.

North Korea has been implicated in numerous crypto heists, including the recent Euler exploit of over $195 million. According to the United Nations, North Korean hackers had a record haul of between $630 million and more than $1 billion in 2022. Chainalysis put that figure at a minimum of $1.7 billion.

Magazine: Justin Sun vs. SEC, Do Kwon arrested, 180M player game taps Polygon: Asia Express

Euler Finance hacker sends 100 ETH to red-flagged North Korean address

While Chainalysis suspected the involvement of North Korea in the Euler Finance hack, it highlighted the possibility of misdirection by other hackers.

Ever since Euler Finance fell victim to the biggest decentralized finance (DeFi) hack of 2023, the crypto community closely followed the $197 million loot on-chain — hoping to track down the attacker. Out of the series of transfers made by the hacker, one transaction of 100 Ether (ETH) was allegedly sent to an address associated with North Korea-linked actors.

Blockchain investigator Chainalysis identified that 100 ETH from Euler’s stolen funds was transferred to an address flagged in an older hack with links to North Korea.

The hacker also transferred 3,000 ETH to Euler’s deployer account without disclosing their intent. However, no other transfers were made after that at the time of writing. In both cases, it was unclear whether the hacker was trolling or if they genuinely considered accepting Euler Finance’s bounty reward of $20 million.


Related: Euler hacker seemingly taking their chances, sends funds to crypto mixer

Euler Labs CEO Michael Bentley voiced his frustration at the $197 million hack, noting that the protocol had undergone ten separate audits over two years.

As Cointelegraph previously reported, blockchain security firms, including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omnisica, conducted smart contract audits on Euler Finance from May 2021 to September 2022.

Brit who consulted North Korea on crypto reportedly detained in Moscow

Earlier, Christopher Emms was released by Saudi authorities due to the lack of evidence against him.

The Moscow bureau of Interpol detained a British national charged by the United States Department of Justice (DoJ). The man is accused of conspiring to violate U.S. sanctions on North Korea. 

According to local media, on Feb. 21, Christopher Emms was arrested in Moscow on the basis of an Interpol “red notice.” The 31-year-old British citizen was detained in the hostel where he was staying.

In April 2022, the DoJ charged Emms and Spanish national Alejandro Cao De Benos with allegedly providing instructions to North Korea on how it could use blockchain and cryptocurrency to launder money and evade sanctions. The two planned and organized the 2019 Pyongyang Blockchain and Cryptocurrency Conference.

The third participant in the conspiracy is Virgil Griffith, a former Ethereum developer. He was arrested by the Federal Bureau of Investigation in November 2019, pleaded guilty, and was sentenced to 63 months in prison. Emms could face up to 20 years in prison for one count of conspiring to violate the International Emergency Economic Powers Act.

Related: North Korea stole more crypto in 2022 than any other year

Radha Stirling, the founder of Due Process International, a nongovernmental organization that helps to defend human rights in the face of international enforcement agencies, previously claimed that there was no strong evidence against Emms:

“Precisely because he did nothing wrong; he provided no information to North Korea that doesn’t already appear on the first page of Google.”

In September 2022, Saudi Arabia rejected the U.S. extradition request for lack of a legal basis and released Emms after an eight-month travel ban. He immediately left the country for Russia. Although Russia is itself a target of the DoJ’s efforts to enforce financial sanctions in the crypto sector, local officials decided to assist their American counterparts.

Crypto mixer Blender has been rebranded to Sinbad, says Elliptic

Elliptic’s analysis of wallets tied to a suspected Blender operator showed $22 million going to Sinbad as well as similar “characteristics of transactions” between the mixers.

Blender, the cryptocurrency mixer sanctioned by the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) in May 2022, was “highly likely” relaunched as Sinbad, according to risk management firm Elliptic.

In a Feb. 13 report, Elliptic said its analysis of Sinbad indicated that the crypto mixer was likely a rebrand of Blender as well as having “the same individual or group responsible for it.” According to the firm, Sinbad was behind the laundering of roughly $100 million in Bitcoin (BTC) for North Korea’s hacking group Lazarus.

Elliptic said that after U.S. authorities cracked down on crypto mixers, as OFAC did with Blender in May 2022 and Tornado Cash in August 2022, Lazarus used Sinbad in January to launder some of the proceeds of the $100-million attack on Harmony’s Horizon Bridge. Blockchain analysis of wallets tied to a suspected Blender operator also showed $22 million in crypto going to Sinbad, with other funds sent to individuals who promoted the mixer.

“The on-chain pattern of behavior is very similar for both mixers, including the specific characteristics of transactions, and the use of other services to obfuscate their transactions,” said Elliptic. “The way in which the Sinbad mixer operates is identical to Blender in several ways, including ten-digit mixer codes, guarantee letters signed by the service address, and a maximum seven-day transaction delay.”

Source: Elliptic

Elliptic speculated that the individuals behind Sinbad may have rebranded to “gain trust from users” following Blender shutting down, adding that OFAC could consider ordering sanctions on the crypto mixer. The U.S. Treasury Department is already facing lawsuits for its sanctions on Tornado Cash.

Related: Into the storm: The murky world of cryptocurrency mixers

Lazarus has allegedly been responsible for several major attacks in the crypto space, including the $620-million hack of Axie Infinity’s Ronin Bridge in March 2022. South Korea’s government has also imposed its own sanctions against North Korean entities tied to the theft of cryptocurrency.

South Korea sets independent sanctions for crypto theft against North Korea

The sanctions against several well-known individuals and hacking groups came just hours after S. Korea announced a joint cyber venture with U.S. intelligence agencies against ransomware threats.

South Korea announced its first independent sanctions related to cryptocurrency thefts and cyberattacks against specific North Korean groups and individuals.

According to Seoul’s Ministry of Foreign Affairs, four North Korean individuals and seven businesses have been placed on a blacklist for their alleged involvement in cyberattacks and cryptocurrency theft. The blacklisted individuals include the infamous Park Jin-hyok, Jo Myong-rae, Song Rim and Oh Chung-Seong.

The most notorious of the four hackers, Park, works in information technology for the Chosun Expo Joint Venture, a front company connected to the Lazarus Group in North Korea. He is well-known for participating in the WannaCry ransomware assault in 2017 and the cyberattack on Sony Pictures Entertainment in November 2014. The United States Treasury placed him on a blacklist in 2018.

FBI Wanted poster against N.Korean hacker. Source: FBI

According to information provided by the foreign ministry, North Korean hackers have stolen virtual assets worth over $1.2 billion since 2017, including $626 million in 2022. As Cointelegraph reported, a confidential United Nations report has revealed that North Korean hackers stole more crypto assets in 2022 than in any other year. The U.N. report put the theft amount at between $630 million and more than $1 billion.

North Korean hackers have been stealing more crypto than ever before. Source: Chainalysis

The independent sanctions against North Korean hackers and hacker groups come just hours after South Korea and the United States announced a joint cybersecurity venture against ransomware attacks. The National Intelligence Service of South Korea, in coordination with the National Security Agency and other U.S. intelligence organizations, released a joint cybersecurity alert on the threat posed by ransomware from North Korea.

Related: North Korea’s Lazarus Group masterminded $100M Harmony hack: FBI confirms

These cyber activities, which are frequently connected to the Reconnaissance General Bureau — North Korea’s military intelligence agency — are thought to be one of the country’s main sources of funding for its nuclear and missile programs despite the country being subject to severe international sanctions.

North Korea stole more crypto in 2022 than any other year: UN report

A report submitted to the United Nations found North Korean cyber attacks have become vastly more sophisticated and raked in more crypto than ever before.

A confidential United Nations report has revealed that North Korean hackers stole more crypto assets in 2022 than in any other year.

The UN report, seen by Reuters, was reportedly submitted to a 15-member North Korea sanctions committee last week.

It found that North Korean-linked hackers were responsible for between $630 million and more than $1 billion in stolen crypto assets last year, and that they also targeted the networks of foreign aerospace and defense companies.

The UN report also noted that cyber attacks were more sophisticated than in previous years, making tracing stolen funds more difficult than ever.

“[North Korea] used increasingly sophisticated cyber techniques both to gain access to digital networks involved in cyber finance, and to steal information of potential value, including to its weapons programmes,” the independent sanctions monitors said in their report to the UN Security Council Committee.

Last week, a Feb. 1 report from blockchain analytics firm Chainalysis came to a similar conclusion, linking North Korean hackers to at least $1.7 billion worth of stolen crypto in 2022, making it the worst-ever year for crypto hacking.

North Korean hackers have been stealing more crypto than ever before. Source: Chainalysis

The firm described the North Korea-linked groups as the most “prolific cryptocurrency hackers over the last few years.”

“For context, North Korea’s total exports in 2020 totaled $142 million worth of goods, so it isn’t a stretch to say that cryptocurrency hacking is a sizable chunk of the nation’s economy,” Chainalysis said.

According to Chainalysis, at least $1.1 billion of the stolen loot was taken from hacks of decentralized finance protocols, making North Korea one of the driving forces behind the DeFi hacking trend that intensified in 2022.

Chainalysis has revealed North Korean hackers tend to send large amounts of their stolen funds to mixers. Source: Chainalysis.

The firm also found that North Korea-linked hackers tend to send large sums to mixers such as Tornado Cash and Sinbad.

“In fact, funds from hacks carried out by North Korea-linked hackers move to mixers at a much higher rate than funds stolen by other individuals or groups,” Chainalysis said.
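The two tracing observations above, the 100 ETH from the Euler haul landing on an address flagged in an earlier DPRK-linked hack and Chainalysis’ finding that DPRK-linked proceeds reach mixers at a much higher rate than other stolen funds, are instances of the same on-chain exercise: propagate “taint” from a seed address through later transfers and measure how much of it lands on labelled destinations. The Python below is an added illustration of that exercise and is not Chainalysis, Elliptic or Cointelegraph code. The ledger, address names, transaction hashes, amounts and watchlist labels are all constructed for the example; the taint rule is the proportional (“haircut”) model, in which each outgoing transfer carries the same tainted fraction as the sender’s balance at that moment.

```python
"""Toy fund tracing: proportional taint propagation over a transaction list."""
from collections import defaultdict

# Constructed sample ledger as (tx hash, sender, recipient, ETH). The hashes,
# address names and amounts are placeholders for this example, not real data.
SAMPLE_TXS = [
    ("0x01", "exploiter", "hop_a", 3000.0),
    ("0x02", "exploiter", "hop_b", 1500.0),
    ("0x03", "exploiter", "victim_deployer", 3000.0),  # returned to the victim
    ("0x04", "hop_a", "mixer_1", 2000.0),
    ("0x05", "hop_a", "sanctioned_1", 100.0),          # small send to a flagged address
    ("0x06", "hop_b", "exchange_1_deposit", 700.0),    # exchange can be asked to freeze
    ("0x07", "hop_b", "hop_c", 800.0),
    ("0x08", "clean_user", "hop_c", 200.0),            # clean ETH commingled at hop_c
    ("0x09", "hop_c", "mixer_2", 500.0),               # only 80% of this is tainted
    ("0x0a", "clean_user", "mixer_1", 50.0),           # unrelated mixer deposit
]

# Opening balances: the exploiter holds only stolen ETH, clean_user only clean ETH.
SEED_TAINTED = {"exploiter": 7500.0}
CLEAN_BALANCES = {"clean_user": 250.0}

# Watchlist labels, as a tracing vendor would supply them (placeholders).
LABELS = {
    "mixer_1": "mixer",
    "mixer_2": "mixer",
    "sanctioned_1": "sanctioned",
    "exchange_1_deposit": "exchange",
    "victim_deployer": "victim",
}


def trace_taint(txs, seed_tainted, clean_balances):
    """Process txs in order under the proportional ("haircut") rule: an outgoing
    transfer carries the tainted fraction of the sender's balance at that moment.
    Returns (tainted balances, total balances, per-tx tainted amounts moved)."""
    tainted = defaultdict(float, seed_tainted)
    total = defaultdict(float, seed_tainted)
    for addr, amount in clean_balances.items():
        total[addr] += amount
    movements = []
    for tx_hash, src, dst, value in txs:
        # A ledger that overdraws a sender is inconsistent; refuse rather than divide by zero.
        if value <= 0 or value > total[src] + 1e-9:
            raise ValueError(f"{tx_hash}: {src} cannot send {value} ETH")
        moved = value * (tainted[src] / total[src])
        tainted[src] -= moved
        total[src] -= value
        tainted[dst] += moved
        total[dst] += value
        movements.append((tx_hash, src, dst, moved))
    return tainted, total, movements


def exposure_by_category(txs, labels, seed_tainted, clean_balances):
    """Sum the tainted ETH that ended up on each watchlist category."""
    tainted, _, _ = trace_taint(txs, seed_tainted, clean_balances)
    report = defaultdict(float)
    for addr, amount in tainted.items():
        if amount > 0 and addr in labels:
            report[labels[addr]] += amount
    return dict(report)


def mixer_share(txs, labels, seed_tainted, clean_balances):
    """Fraction of the seed (stolen) funds that reached mixer addresses."""
    report = exposure_by_category(txs, labels, seed_tainted, clean_balances)
    return report.get("mixer", 0.0) / sum(seed_tainted.values())


def flag_transfers(txs, labels, seed_tainted, clean_balances,
                   categories=("sanctioned", "exchange")):
    """Per-transaction alerts: tainted value landing on an address whose label
    calls for action (a sanctions hit, or an exchange that can freeze the deposit)."""
    _, _, movements = trace_taint(txs, seed_tainted, clean_balances)
    return [
        (tx_hash, dst, labels[dst], moved)
        for tx_hash, _src, dst, moved in movements
        if moved > 0 and labels.get(dst) in categories
    ]


if __name__ == "__main__":
    report = exposure_by_category(SAMPLE_TXS, LABELS, SEED_TAINTED, CLEAN_BALANCES)
    for category, eth in sorted(report.items()):
        print(f"{category:>10}: {eth:8.1f} ETH")
    share = mixer_share(SAMPLE_TXS, LABELS, SEED_TAINTED, CLEAN_BALANCES)
    print(f"mixer share of stolen funds: {share:.0%}")
    for tx_hash, dst, label, moved in flag_transfers(
        SAMPLE_TXS, LABELS, SEED_TAINTED, CLEAN_BALANCES
    ):
        print(f"ALERT {tx_hash}: {moved:.1f} tainted ETH -> {dst} ({label})")
```

Run as a script, it prints the per-category exposure, the share of the stolen funds that reached mixers, and one alert per transfer onto a sanctioned or exchange address. Two choices dominate real results: the taint model (proportional, poison and first-in-first-out give materially different numbers once stolen funds are commingled with clean ones, as at hop_c above), and the watchlist, which is only as good as the vendor’s attribution. The misdirection caveat Chainalysis raised applies directly: anyone can send 100 ETH to a flagged address, so a single hit on a watchlist is a lead, not an attribution.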

Related: North Korean hacking activity ceases after regulators implement KYC: Report

North Korea has frequently denied allegations of being responsible for cyberattacks, but the new UN report alleged North Korea’s primary intelligence bureau, the Reconnaissance General Bureau uses several groups such as Kimsuky, Lazarus Group and Andariel specifically for cyberattacks.

“These actors continued illicitly to target victims to generate revenue and solicit information of value to the DPRK, including its weapons programmes,” the UN report said.

Submitted before the 15-member council’s North Korea sanctions committee last week, the full report is reportedly due for public release later this month or early March.

DeFi enjoys a prolific start to 2023: Finance Redefined

DeFi marks a perfect entry into 2023 with a bullish January and TVL nearing $50 billion.

Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you significant developments over the last week.

2023 started on a bullish note for the entire crypto market, including the DeFi ecosystem, with most of the tokens posting double-digit gains in January and recording multi-month highs. Aside from the bull rally, January also saw a 93% year-on-year decline in losses from DeFi exploits and hacks.

The slew of regulatory action against the Mango Markets exploiter is being hailed as a big win for the DeFi sector. The United States Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have taken action against the alleged fraudster, which shows that DeFi is becoming a “safer and more welcoming environment,” according to credit rating firm Moody’s.

Amid all the positive developments, Solana DeFi protocol Everlend shut down over liquidity issues stemming from the FTX crisis and told users to withdraw funds. North Korean hackers also tried laundering $27 million in Ether (ETH) from the Harmony bridge attack.

The bullish momentum of the top 100 DeFi tokens continued into February as the total value locked (TVL) in DeFi protocols reached nearly $50 billion, with most tokens registering another weekly price surge.

DeFi enjoys prolific start to 2023: DappRadar

DeFi protocols experienced a boom in TVL across different staking pools in January. The market hit $74.6 billion worth of staked assets, increasing by 26% from December.

In its latest monthly report, DappRadar outlined the growth of the DeFi sector alongside rejuvenated nonfungible token (NFT) markets, which have also had upticks in trading volume and sales.


Crypto exploit losses in January see nearly 93% year-on-year decline

Aside from the bullish crypto market rally in January, there’s been more positive industry news as the month saw a steep decline in losses from exploits compared to January 2022.

According to data from blockchain security firm PeckShield, as of Jan. 31 there were $8.8 million in losses from crypto exploits. There were 24 exploits over the month, with $2.6 million worth of crypto sent to mixers such as Tornado Cash. The assets sent to mixers included 1,200 ETH and approximately 2,668 BNB.


Regulatory action against Mango Markets exploiter is a win for DeFi — Moody’s

Recent charges brought against Mango Markets exploiter Avraham Eisenberg will positively impact the DeFi space, according to credit rating firm Moody’s.

In a Jan. 31 note from Moody’s Investor Service, the assistant vice president of decentralized finance, Cristiano Ventricelli, stated that enforcement actions brought by the two leading U.S. market regulators in January mean that DeFi is moving toward a “safer and more welcoming environment.”


Solana DeFi protocol Everlend shuts down over liquidity issues

Solana DeFi protocol Everlend is closing down its operations and urging clients to withdraw funds from the platform.

The company announced the decision on Twitter on Feb. 1, saying that despite having “enough runway” to continue operating, it would be a gamble under current market conditions.


North Korean hackers try to launder $27M in ETH from Harmony bridge attack

North Korean exploiters behind the Harmony bridge attack continue to try and launder the funds stolen in June 2022. According to on-chain data revealed on Jan. 28 by blockchain sleuth, ZachXBT, the perpetrators moved 17,278 ETH over the weekend, worth about $27 million.

The tokens were transferred to six crypto exchanges, ZachXBT wrote in a Twitter thread, without disclosing which platforms had received the tokens. Three primary addresses carried out the transactions.


DeFi market overview

Analytical data reveals that DeFi’s total market value remained over $40 billion this past week, trading at about $48.1 billion at the time of writing. Data from Cointelegraph Markets Pro and TradingView show that DeFi’s top 100 tokens by market capitalization had a bullish week, with nearly all the tokens registering price gains.

dYdX (DYDX) was the biggest gainer again, with a 39% surge on the weekly charts, followed by Fantom (FTM), which continued last week’s bullish momentum and registered a 33% weekly surge.

Thanks for reading our summary of this week’s most impactful DeFi developments. Join us next Friday for more stories, insights and education in this dynamically advancing space.

North Korean hackers try to launder $27M in ETH from Harmony bridge attack

Three main addresses sent 17,278 Ether to six exchanges, which managed to freeze at least some of the stolen funds.

North Korean exploiters behind the Harmony bridge attack continue to try to launder the funds stolen in June 2022. According to on-chain data revealed on Jan. 28 by blockchain sleuth ZachXBT, over the weekend the perpetrators moved 17,278 Ether (ETH), worth about $27 million.

The tokens were transferred to six different crypto exchanges, ZachXBT wrote in a Twitter thread, without disclosing which platforms had received the tokens. Three main addresses carried out the transactions.

According to ZachXBT, the exchanges were notified about the fund transfers and part of the stolen assets were frozen. The movements made by the exploiters to launder the money were very similar to those taken on Jan. 13, when over $60 million was laundered, the crypto detective said.

The funds were moved a few days after the Federal Bureau of Investigation (FBI) confirmed that Lazarus Group and APT38 were the criminals behind the $100 million hack. In a statement, the FBI noted that “through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK [North Korea], are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge.”

Related: ‘Nobody is holding them back’ — North Korean cyber-attack threat rises

Harmony’s Horizon Bridge facilitates transfers between Harmony and the Ethereum network, Binance Chain and Bitcoin. Tokens worth about $100 million were stolen from the bridge on June 23, 2022.

Following the exploit, 85,700 Ether was processed through the Tornado Cash mixer and deposited at multiple addresses. On Jan. 13, the hackers started shifting around $60 million worth of the stolen funds via the Ethereum-based privacy protocol RAILGUN. According to an analysis from crypto tracking platform MistTrack, 350 addresses have been associated with the attack through many exchanges in an attempt to avoid identification.

Lazarus is a well-known hacking syndicate that has been implicated in a number of key crypto industry breaches, including the $600 million Ronin Bridge hack last March.