SharkTeam: Cryptocurrency Crime Analysis Report 2023

avatar
SharkTeam
2 months ago
This article is approximately 5037 words,and reading the entire article takes about 7 minutes
In 2023, the Web3 industry experienced more than 940 security incidents of various sizes, an increase of more than 50% year-on-year in 2022, and the amount of losses reached US$1.79 billion.

In 2023, the Web3 industry experienced more than 940 security incidents, large and small, an increase of more than 50% year-on-year in 2022, and the amount of losses reached US$1.79 billion. Among them, the third quarter had the most security incidents (360) and the largest losses ($740 million), with losses increasing by 47% year-on-year in 2022. In July in particular, there were 187 security incidents, with losses amounting to $350 million.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Number of security incidents per quarter/month in Web 3 2023

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 security incident losses per quarter/month (USD million)

First, hacking continues to be a major cause of significant losses. In 2023, there were 216 hacking incidents, resulting in losses of US$1.06 billion. Contract vulnerabilities, private key theft, phishing attacks, and state hackers are still important reasons that threaten the security of the Web3 ecosystem.

Secondly, Rugpull and fund disk fraud are on the rise. A total of 250 Rugpull and Scam fraud incidents occurred in 2023, with the highest frequency of such incidents occurring on BNBChain. Fraudulent projects attract investors to participate by publishing seemingly attractive crypto projects and provide some false liquidity. Once they attract enough funds, they will suddenly steal all funds and conduct asset transfers. This type of fraud will cause serious economic losses to investors and greatly increase the difficulty for investors to choose the right project.

There is also a trend of ransomware using cryptocurrencies to collect ransoms, such as Lockbit, Conti, Suncrypt and Monti. Cryptocurrencies are more difficult to track than fiat currencies, and it is increasingly important to use on-chain analysis tools to track and locate the identities of ransomware gangs.

Finally, in these criminal activities such as cryptocurrency hacks and fraud and extortion, criminals often need to launder money through on-chain fund transfers and OTC after obtaining the cryptocurrency. Money laundering usually adopts a mixture of decentralized and centralized methods. Centralized exchanges are the most concentrated places for money laundering, followed by on-chain currency mixing platforms.

2023 is also the year when Web3 supervision has achieved substantial development. FTX 2.0 has restarted, sanctioned Binance, USDT has banned Hamas and other addresses. In January 2024, the SEC passed the Bitcoin spot ETF. These landmark events all represent the ongoing development of supervision. In-depth involvement in the development of Web3.

This report will conduct a systematic analysis of key topics such as Web3 hacking attacks, Rugpull fraud, ransomware, cryptocurrency money laundering, and Web3 regulation in 2023 to understand the security situation of the development of the cryptocurrency industry.

1. Contract loopholes

Contract vulnerability attacks mainly occur on Ethereum. In the second half of 2023, a total of 36 contract vulnerability attacks occurred on Ethereum, with losses exceeding US$200 million, followed by BNBChain. In terms of attack methods, business logic vulnerabilities and flash loan attacks are still the most common.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 Number of hacking incidents per quarter and amount of losses (millions of dollars)

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 H 2 Monthly number of contract vulnerability exploit hacking attacks and amount of losses

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 H 2 Number of contract vulnerability exploitation attacks and amount of losses per month on different chains

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 H 2 The number of specific attack methods used to exploit contract vulnerabilities and the amount of losses

Typical incident analysis: Vyper vulnerability leads to attacks on Curve, JPEGd and other projects

Take the JPEGd attack as an example:

Attacker address: 0x6ec21d1868743a44318c3c259a6d4953f9978538

Attacker contract: 0x9420F8821aB4609Ad9FA514f8D2F5344C3c0A6Ab

Attack transaction:

0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c

(1) The attacker (0x6ec21d18) created a contract of 0x466B85B4 and borrowed 80,000 WETH from [Balancer: Vault] through a flash loan.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

(2) The attacker (0x6ec21d18) added 40,000 WETH to the pETH-ETH-f (0x9848482d) liquidity pool and obtained 32,431 pETH.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

(3) The attacker (0x6ec21d18) then repeatedly removed liquidity from the pETH-ETH-f (0x9848482d) liquidity pool.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

(4) In the end, the attacker (0x6ec21d18) obtained 86,106 WETH. After returning the flash loan, he left the market with a profit of 6,106 WETH.

Vulnerability analysis: This attack is a typical re-entrancy attack. After decompiling the bytecode of the project contract under attack, we can find from the figure below: when the two functions add_liquidity and remove_liquidity verify the storage slot value, the storage slots to be verified are different. Using a different storage slot, the reentrancy lock may become invalid. At this time, it is suspected that there is a vulnerability in the underlying design of Vyper.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

According to Curve’s official tweet. Ultimately, the location is a Vyper version vulnerability. This vulnerability exists in versions 0.2.15, 0.2.16, and 0.3.0, and has flaws in the reentrancy lock design. We compared the 0.2.14 before 0.2.15 and the 0.3.1 version after 0.3.0, and found that this part of the code is constantly being updated. The old 0.2.14 and newer 0.3.1 versions do not have this problem.

SharkTeam: Cryptocurrency Crime Analysis Report 2023SharkTeam: Cryptocurrency Crime Analysis Report 2023

In the reentrancy lock-related settings file data_positions.py corresponding to Vyper, the value of storage_slot will be overwritten. In ret, the slot of the lock acquired for the first time is 0, and then when the function is called again, the slot of the lock will be increased by 1. At this time, the reentrant lock will become invalid.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

2. Phishing attack

Phishing attacks are a type of cyber attack designed to deceive and induce targets to obtain their sensitive information or induce them to perform malicious operations. This attack is usually carried out through email, social media, SMS or other communication channels. The attacker will pretend to be a trusted entity, such as a project party, an authority, KOL, etc., to lure the victim to provide private keys, mnemonic words or Transaction authorization. Similar to contract vulnerability attacks, phishing attacks showed a high incidence and high losses in Q3. A total of 107 phishing attacks occurred, of which 58 occurred in July.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 Number of phishing attacks per quarter and amount of losses (millions of US dollars)

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Number of phishing attacks per month in Web 3 2023

Analysis of asset transfer on the chain of typical phishing attacks

On September 7, 2023, the address (0x13e382) suffered a phishing attack, resulting in a loss of over US$24 million. Phishing hackers used fund theft, fund exchange and decentralized fund transfer. Of the final lost funds, 3,800 ETH was transferred to Tornado.Cash in batches, 10,000 ETH was transferred to the intermediate address (0x702350), and 1078 , 087 DAI remains at the intermediate address (0x4F2F02) to this day.

This is a typical phishing attack. The attacker steals user assets by defrauding wallet authorization or private keys. It has formed a black industry chain of phishing + money laundering. At present, more and more fraud gangs and even national hackers are using phishing. The method is doing evil in the Web3 field and requires everyones attention and vigilance.

Based on the tracking analysis of SharkTeams on-chain big data analysis platform ChainAegis (https://app.chainaegis.com/), we will conduct relevant analysis on the fraud process, fund transfers and on-chain behavior of typical phishing attacks.

(1) Phishing attack process

The victim address (0x13e382) granted rETH and stETH to the scammer address 1 (0x4c10a4) via Increase Allowance.

SharkTeam: Cryptocurrency Crime Analysis Report 2023SharkTeam: Cryptocurrency Crime Analysis Report 2023

Scammer address 1 (0x4c10a4) transferred 9,579 stETH from the account of the victim address (0x13e382) to scammer address 2 (0x693b72), amounting to approximately $15.32 million.

Scammer address 1 (0x4c10a4) transferred 4,850 rETH from the account of the victim address (0x13e382) to scammer address 2 (0x693b72), amounting to approximately $8.41 million.

SharkTeam: Cryptocurrency Crime Analysis Report 2023SharkTeam: Cryptocurrency Crime Analysis Report 2023SharkTeam: Cryptocurrency Crime Analysis Report 2023

(2) Asset exchange and transfer

Exchange stolen stETH and rETH into ETH. Since the early morning of 2023-09-07, scammer address 2 (0x693b72) has conducted multiple exchange transactions on the Uniswap V2, Uniswap V3, and Curve platforms, converting all 9,579 stETH and 4,850 rETH into ETH, with a total exchange amount of 14 , 783.9413 ETH.

stETH exchange:

SharkTeam: Cryptocurrency Crime Analysis Report 2023

rETH exchange:

SharkTeam: Cryptocurrency Crime Analysis Report 2023SharkTeam: Cryptocurrency Crime Analysis Report 2023

Part of the ETH is exchanged for DAI. Scammer address 2 (0x693b72) exchanged 1,000 ETH for 1,635,047.761675421713685327 DAI through the Uniswap V3 platform. The scammers used decentralized fund transfer methods to transfer the stolen funds to multiple intermediate wallet addresses, totaling 1,635,139 DAI and 13,785 ETH. Of these, 1,785 ETH were transferred to the intermediate address (0x4F2F02), 2,000 ETH were transferred to the intermediate address (0x2ABdC2), and 10,000 ETH were transferred to the intermediate address (0x702350). In addition, the intermediate address (0x4F2F02) received 1, 635, 139 DAI the next day

Intermediate wallet address (0x4F2F02) fund transfer:

The address, which was transferred through layer 1 funds, holds 1,785 ETH and 1,635,139 DAI. Decentralized transfer of funds DAI, and exchange of small amounts into ETH

First, the scammer began to transfer 529,000 DAI through 10 transactions in the early morning of 2023-09-07. Subsequently, the first seven transactions totaling 452,000 DAI were transferred from the intermediate address to 0x4E5B2e (FixedFloat), the eighth transaction was transferred from the intermediate address to 0x6cC5F6 (OKX), and the last two transactions totaling 77,000 DAI were transferred from the intermediate address to 0xf1dA17 ( eXch).

Secondly, on September 10, 28,052 DAI was exchanged for 17.3 ETH via Uniswap V2.

From September 8 to September 11, 18 transactions were carried out, and all 1,800 ETH was transferred to Tornado.Cash.

After the transfer, the address finally had 1078,087 DAI of stolen funds remaining that had not been transferred out.

Intermediate address (0x2ABdC2) fund transfer:

This address has 2, 000 ETH via a layer of funds transfer. First, this address transferred 2,000 ETH to an intermediate address (0x71C848) on September 11.

Subsequently, the intermediate address (0x71C848) made two fund transfers on September 11 and October 1 respectively, with a total of 20 transactions, each transferring 100 ETH, and a total of 2000 ETH was transferred to Tornado.Cash.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Intermediate address (0x702350) fund transfer

This address has 10,000 ETH via a layer of funds transfer. As of October 8, 2023, 10,000 ETH is still in the account at this address and has not been transferred.

Address clue tracking: After analyzing the historical transactions of scammer address 1 (0x4c10a4) and scammer address 2 (0x693b72), it was found that there was an EOA address (0x846317) that transferred 1.353 ETH to scammer address 2 (0x693b72), and The source of funds for this EOA address involves hot wallet addresses with centralized exchanges KuCoin and Binance.

3. Rugpull and fraud

The frequency of Rugpull fraud incidents showed a significant upward trend in 2023, reaching 73 in Q4, with a loss amount of US$19 million. The average single loss was approximately US$26,000, accounting for the highest proportion of Rugpull fraud losses throughout the year. The quarter is Q2, followed by Q3, and the losses accounted for more than 30%.

In the second half of 2023, there were a total of 139 Rugpull incidents and 12 fraud incidents, resulting in losses of $71.55 million and $340 million respectively.

In the second half of 2023, Rugpull incidents mainly occurred on BNBChain, reaching 91 times, accounting for more than 65%, and the losses reached US$29.57 million, accounting for 41% of the losses. Ethereum (44 times) followed with a loss of $7.39 million. In addition to Ethereum and BNBChain, the BALD Rugpull incident occurred on the Base chain in August, causing serious losses of $25.6 million.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Number of Rugpull and Scam incidents per quarter and amount of losses in Web 3 2023 (millions of US dollars)

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 H 2 The number of Rugpull and Scam incidents each month and the amount of losses

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Web 3 2023 H 2 The number of Rugpull events that occur on different chains each month and the amount of losses

Rugpull fraud factory behavior analysis

There is a Rug fraud factory model popular on BNBChain, which is used to mass-produce Rugpull tokens and commit fraud. Let’s take a look at the Rugpull Factory fraud pattern of fake SEI, X, TIP and Blue tokens.

(1)SEI

First, the fake SEI token owner 0x0a8310eca430beb13a8d1b42a03b3521326e4a58 redeemed 249 fake SEI at a price of 1 U.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Then, 0x6f9963448071b88FB23Fd9971d24A87e5244451A performed bulk buy and sell operations. Under buy and sell operations, the liquidity of the token increased significantly and the price also increased.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Promote it through phishing and other methods to lure a large number of users to buy. As liquidity increases, the token price doubles.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

When the price of the token reaches a certain value, the token owner enters the market and performs sell operation to perform Rugpull. As can be seen from the figure below, the entry and harvest time periods and prices are different.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

(2) False X, false TIP, false Blue

First, X, TIP and Blue token owner 0x44A028Dae3680697795A8d50960c8C155cBc0D74 exchanged 1 U for the corresponding tokens. Then, same with fake Sei tokens.

0x6f9963448071b88FB23Fd9971d24A87e5244451A Bulk buy and sell operations. Under buy and sell operations, liquidity increases significantly and prices rise.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Then it is promoted through phishing and other channels to lure a large number of users to buy. As liquidity increases, the token price doubles.

Just like the fake SEI, when the price of the token reaches a certain value, the token owner enters the market to sell and perform Rugpull. As can be seen from the figure below, the entry and harvest time periods and prices are different.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

The fluctuation charts of fake SEI, fake X, fake TIP and fake Blue tokens are as follows:

SharkTeam: Cryptocurrency Crime Analysis Report 2023

We can learn from the fund traceability and behavioral patterns:

In the fund traceability content, the founders of the token factory and the token creators’ funds come from multiple EOA accounts. There are also fund flows between different accounts, some of which were transferred through phishing addresses, some were obtained through previous token rugpull actions, and some were obtained through currency mixing platforms such as tornado cash. Using multiple methods to transfer funds aims to build a complex and intricate financial network. Different addresses also create multiple token factory contracts and produce tokens in large quantities.

While analyzing the token Rugpull behavior we discovered that the address

0x6f9963448071b88FB23Fd9971d24A87e5244451A is one of the funding sources. A batch approach is also used when operating token prices. The address 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3 also acts as a fund provider, providing corresponding funds to multiple token holders. .

Through analysis, it can be concluded that there is a Web3 fraud group with a clear division of labor behind this series of behaviors, forming a black industry chain, which mainly involves hotspot collection, automatic currency issuance, automatic transactions, false propaganda, phishing attacks, Rugpull harvesting and other links. Happened on BNBChain. The fake Rugpull tokens issued are closely related to hot industry events and are highly confusing and instigative. Users need to be vigilant at all times, remain rational, and avoid unnecessary losses.

4. Ransomware

The threat of ransomware attacks continues to threaten organizations and businesses in 2023. Ransomware attacks are becoming increasingly sophisticated, with attackers using a variety of techniques to exploit vulnerabilities in organizational systems and networks. Proliferating ransomware attacks continue to pose a significant threat to organizations, individuals, and critical infrastructure around the world. Attackers are constantly adjusting and improving their attack strategies, using leaked source code, intelligent attack schemes and emerging programming languages ​​to maximize their illegal gains.

LockBit, ALPHV/BlackCat, and BlackBasta are currently the most active ransomware extortion groups.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Number of victims of ransomware groups

At present, more and more ransomware uses cryptocurrency to collect payments. Take Lockbit as an example. Companies recently attacked by LockBit include: TSMC at the end of June this year, Boeing in October, and the U.S. wholly-owned subsidiary of Industrial and Commercial Bank of China in November. Companies, etc., mostly use Bitcoin to collect ransoms, and LockBit will launder cryptocurrency after receiving the ransom. Lets take Lockbit as an example to analyze the ransomware laundering model.

According to ChainAegis analysis, LockBit ransomware mostly uses BTC to collect ransoms, using different payment addresses. Some addresses and payment amounts are summarized as follows. The amount of BTC for a single ransom ranges from 0.07 to 5.8, and is approximately US$2,551 to US$211. Prices range from $311.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Part of LockBit’s payment address and payment amount

Conduct on-chain address tracking and anti-money laundering analysis using the two addresses with the highest amount of money involved:

Blackmail payment address 1: 1PtfhwkUSGVTG6Mh6hYXx1c2sJXw2ZhpeM;

Ransom payment address 2: 1HPz7rny3KbjEUURHKHivwDrNWAAsGVvPH.

(1) Blackmail payment address 1: 1PtfhwkUSGVTG6Mh6hYXx1c2sJXw2ZhpeM

According to the analysis in the figure below, address 1 (1Ptfhw) received a total of 17 on-chain transactions from March 25, 2021 to May 15, 2021. After receiving the funds, it quickly transferred the assets to 13 core intermediate addresses. These intermediate addresses are transferred to 6 layer-2 intermediate addresses through funds, namely: 3FVzPX…cUvH, 1GVKmU…Bbs1, bc1qdse…ylky, 1GUcCi…vSGb, bc1qan… 0ac4 and 13CPvF…Lpdp.

The intermediate address 3FVzPX…cUvH, through on-chain analysis, was found to eventually flow to the darknet address 361 AkMKNNWYwZRsCE 8 pPNmoh 5 aQf 4 V 7 g 4 p.

The intermediate address 13CPvF…Lpdp transferred a small amount of 0.0002 2B TC to CoinPayments. There were 500 similar transactions, and a total of 0.21 BTC were collected to the CoinPayments address: bc1q3y…7y88, and CoinPayments was used for money laundering.

Other intermediary addresses eventually made their way to centralized exchanges Binance and Bitfinex.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Address 1 (1Ptfhw…hpeM) fund source and fund outflow details

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Address 1 (1Ptfhw…hpeM) fund flow tracking

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Intermediate addresses and fund flow details involved in address 1 (1Ptfhw…hpeM)

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Address 1 (1Ptfhw…hpeM) transaction map

(2) Blackmail payment address 2: 1HPz7rny3KbjEUURHKHivwDrNWAAsGVvPH

The victim paid 4.16 BTC to ransomware operator LockBit across 11 transactions between May 24, 2021, and May 28, 2021. Immediately, address 2 (1HPz7rn...VvPH) quickly transferred 1.89 BTC of extortion funds to intermediate address 1: bc1qan...0ac4, 1.84 BTC to intermediate address 2: 112QJQj...Sdha, and 0.34 BTC to intermediate address 3: 19Uxbt... 9RdF.

Final intermediate address 2: 112QJQj…Sdha and intermediate address 3: 19 Uxbt… 9 RdF both move funds to intermediate address 1: bc1qan…0ac4. Immediately afterwards, the intermediate address 1bc1qan...0ac4 continued to transfer funds. A small part of the funds was transferred directly to the Binance exchange. The other part of the funds was transferred layer by layer through the intermediate addresses, and finally transferred to Binance and other platforms for money laundering. Specific transaction details and addresses The labels are as follows.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Address 2 (1HPz7rn...VvPH) Fund Source and Fund Outflow Details

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Address 2 (1HPz7rn...VvPH) fund flow tracking

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Intermediate addresses and fund flow details involved in address 2 (1HPz7rn...VvPH)

After LockBit receives the ransom, it will perform cryptocurrency laundering. This money laundering model is different from traditional money laundering methods. It usually occurs on the blockchain and is characterized by long cycles, dispersed funds, high automation, and high complexity. To carry out cryptocurrency supervision and fund tracking, on the one hand, we must build on-chain and off-chain analysis and evidence collection capabilities, and on the other hand, we must launch APT-level security attack and defense at the network security level, and have the ability to integrate attack and defense.

5. Money laundering

Money laundering is an act of legalizing illegal income. It mainly refers to using illegal income and the income generated to cover up and conceal its source and nature through various means to make it legal in form. Its actions include but are not limited to providing capital accounts, assisting in converting property forms, assisting in transferring funds or remitting them overseas. Cryptocurrencies—especially stablecoins—have been exploited by money laundering activities quite early on due to their low transfer costs, de-geographicalization, and certain anti-censorship characteristics. This has also led to cryptocurrencies being criticized. One of the main reasons.

Traditional money laundering activities often use the cryptocurrency OTC market to exchange from legal currency to cryptocurrency, or from cryptocurrency to legal currency. The money laundering scenarios are different and the forms are diverse, but no matter what, the essence of this type of behavior is In order to block law enforcement officials from investigating financial links, including accounts at traditional financial institutions or accounts at cryptographic institutions.

Different from traditional money laundering activities, the laundering target of new cryptocurrency money laundering activities is the cryptocurrency itself, and the encryption industry infrastructure including wallets, cross-chain bridges, decentralized trading platforms, etc. will be illegally used.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Chart: Amount of money laundered in recent years

From 2016 to 2023, cryptocurrency money laundering totaled a whopping $147.7 billion. The amount of money laundered has been increasing at an annual rate of 67% since 2020, reaching US$23.8 billion in 2022, and reaching as much as US$80 billion in 2023. The amount of money laundered is staggering, and cryptocurrency anti-money laundering operations are imperative.

According to ChainAegis platform statistics, the amount of funds in the on-chain currency mixing platform Tornado Cash has maintained rapid growth since January 2020. Currently, nearly 3.62 million ETH have been deposited in this fund pool, with a total deposit amount of US$7.8 billion. Tornado Cash has become Ethereum’s largest money laundering center. However, as U.S. law enforcement agencies issued sanctions against Tornado Cash in August 2022, the number of weekly deposits and withdrawals of Tornado Cash doubled. However, due to the decentralized nature of Tornado Cash, it was impossible to stop it from the source, and funds still continued to flow in. Enter the system to mix coins.

Analysis of money laundering model of Lazarus Group (North Korean APT organization)

National-level APT (Advanced Persistent Threat) organizations are top hacker groups supported by national backgrounds and specialize in conducting long-term and persistent cyber attacks against specific targets. The North Korean APT organization Lazarus Group is a very active APT group. Its attack purpose is mainly to steal funds, making it the biggest threat to global financial institutions. In recent years, they have been responsible for many attacks and fund theft cases in the cryptocurrency field.

The security incidents and losses caused by Lazarus attacks in the encryption field that have been clearly counted are as follows:

SharkTeam: Cryptocurrency Crime Analysis Report 2023

More than $3 billion in funds was stolen by Lazarus in cyber attacks. It is reported that the Lazarus hacker organization is backed by North Koreas strategic interests and provides funds for North Koreas nuclear bomb and ballistic missile programs. To this end, the United States announced a $5 million bounty and sanctions against the Lazarus hacking group. The U.S. Treasury Department has also added the relevant addresses to OFAC’s Specially Designated Nationals (SDN) list, which prohibits U.S. individuals, entities and related addresses from conducting transactions to ensure that state-sponsored groups cannot cash out these funds as a sanction. Ethereum developer Virgil Griffith was sentenced to five years and three months in prison for helping North Korea use virtual currency to evade sanctions. In 2023, OFAC also sanctioned three individuals related to the Lazarus Group, two of whom were sanctioned Cheng Hung Man and Wu Huihui was the over-the-counter (OTC) trader who facilitated cryptocurrency trading for Lazarus, while a third person, Sim Hyon Sop, provided other financial support.

Despite this, Lazarus has completed the transfer and laundering of over $1 billion in assets, and their money laundering pattern is analyzed below. Taking the Atomic Wallet incident as an example, after removing the technical interference factors set up by hackers (a large number of fake token transfer transactions + multi-address splitting), the hacker’s fund transfer model can be obtained:

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Atomic Wallet Victim 1 Fund Transfer View

Victim 1s address 0xb02d...c6072 transferred 304.36 ETH to the hackers address 0x3916...6340. After 8 splits through the intermediate address 0x0159...7b70, it was collected at the address 0x69ca...5324. The collected funds were then transferred to address 0x514c...58f67, where the funds are still currently held, with an address ETH balance of 692.74 ETH (worth $1.27 million).

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Figure: Atomic Wallet Victim 2 Fund Transfer View

Victim 2s address 0x0b45...d662 transferred 1.266 million USDT to the hackers address 0xf0f7...79b3. The hacker divided it into three transactions, two of which were transferred to Uniswap, with a total transfer of 1.266 million USDT; the other was to address 0x49ce. ..80fb made the transfer, and the transfer amount was 672.71 ETH. Victim 2 transferred 22,000 USDT to the hacker address 0x0d5a...08c2. The hacker split accounts multiple times through the intermediate addresses 0xec13...02d6, etc., and directly or indirectly collected the funds to the address 0x3c2e...94a8.

This money laundering model is highly consistent with the money laundering model in the previous Ronin Network and Harmony attacks, and both include three steps:

(1) Sorting and exchange of stolen funds: After launching an attack, sort out the original stolen tokens, and swap multiple tokens into ETH through dex and other methods. This is a common way to avoid fund freezes.

(2) Collection of stolen funds: Collect the organized ETH into several disposable wallet addresses. A total of 9 such addresses were used by hackers in the Ronin incident, 14 in the Harmony incident, and nearly 30 addresses in the Atomic Wallet incident.

(3) Transferring stolen funds: Use the collection address to launder the money through Tornado.Cash. This completes the entire fund transfer process.

In addition to having the same money laundering steps, there is also a high degree of consistency in the details of money laundering:

(1) The attackers were very patient and took up to a week to conduct money laundering operations. They all started subsequent money laundering operations a few days after the incident.

(2) Automated transactions are used in the money laundering process. Most of the fund collection actions involve a large number of transactions, a small time interval, and a unified pattern.

Through analysis, we believe that Lazarus’ money laundering model is usually as follows:

(1) Separate accounts with multiple accounts and transfer assets in multiple small amounts make tracking more difficult.

(2) Begin to create a large number of counterfeit currency transactions, making it more difficult to track. Taking the Atomic Wallet incident as an example, 23 of the 27 intermediate addresses were counterfeit currency transfer addresses. A recent analysis of the Stake.com incident also found that similar technology was used, but this was not the case in the previous Ronin Network and Harmony incidents. Interference technology shows that Lazarus’ money laundering technology is also upgrading.

(3) More on-chain methods (such as Tonado Cash) are used for currency mixing. In early incidents, Lazarus often used centralized exchanges to obtain start-up funds or conduct subsequent OTC, but recently, centralized exchanges are used less and less. Therefore, it can even be considered that they are trying to avoid using centralized exchanges, which may be related to several recent sanctions.

6. Sanctions and Supervision

Agencies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and similar agencies in other countries impose sanctions by targeting countries, regimes, individuals and entities deemed to pose a threat to national security and foreign policy. Sanctions enforcement has traditionally relied on the cooperation of mainstream financial institutions, but some bad actors have turned to cryptocurrencies to circumvent these third-party intermediaries, creating new challenges for policymakers and sanctioning agencies. However, the inherent transparency of cryptocurrencies, as well as the willingness of compliant cryptocurrency services, especially the many centralized exchanges that serve as a link between cryptocurrencies and fiat currencies, have proven that imposing sanctions is possible in the cryptocurrency world.

The following is a look at some of the individuals or entities with ties to cryptocurrency that are subject to sanctions in the United States in 2023, and the reasons for OFAC sanctions.

SharkTeam: Cryptocurrency Crime Analysis Report 2023

Tether, the company behind the world’s largest stablecoin, announced on December 9, 2023 that it would “freeze” tokens in the wallets of sanctioned individuals on the U.S. Office of Foreign Assets Control (OFAC) sanctioned individuals list. In its announcement, Tether viewed the move as a voluntary step to proactively prevent any potential misuse of Tether tokens and enhance security measures.

This also shows that the investigation and sanctions of cryptocurrency crimes have entered a substantial stage. Cooperation between core enterprises and law enforcement agencies can form effective sanctions to supervise and punish cryptocurrency crimes.

In terms of Web3 supervision in 2023, Hong Kong has also made great progress and is sounding the clarion call for compliant development of Web3 and the encryption market. When the Monetary Authority of Singapore begins to restrict retail customers from using leverage or credit for cryptocurrency trading in 2022, and the Hong Kong SAR government publishes the Policy Declaration on the Development of Virtual Assets in Hong Kong, some Web3 talents and companies are heading to the new promised land. land.

On June 1, 2023, Hong Kong fulfilled its declaration and issued the Guidelines Applicable to Virtual Asset Trading Platform Operators. The virtual asset trading platform license system was officially implemented, and Category 1 (securities trading) and Category 7 (securities trading) have been issued. Providing automated trading services) license.

Currently, OKX, BGE, HKbitEX, HKVAX, VDX, Meex, PantherTrade, VAEX, Accumulus, DFX Labs and other institutions are actively applying for virtual asset trading platform licenses (VASP).

Chief Executive Li Ka-chiu, Financial Secretary Paul Chan and others have frequently spoken out on behalf of the Hong Kong government to support the implementation of Web3 in Hong Kong and attract encryption companies and talents from all over the world to build it. In terms of policy support, Hong Kong has introduced a licensing system for virtual asset service providers, allowing retail investors to trade cryptocurrencies, launched the Web3 Hub Ecological Fund with a scale of tens of millions of dollars, and plans to invest more than HK$700 million to accelerate the development of the digital economy and promote the development of the virtual asset industry. A Web3.0 development task force has also been established.

However, while making rapid progress, risky events are also taking advantage of the momentum. The unlicensed crypto exchange JPEX was involved in a case involving more than 1 billion Hong Kong dollars, the HOUNAX fraud case involved an amount of over 100 million yuan, and HongKongDAO and BitCuped were suspected of virtual asset fraud... These vicious incidents have attracted great attention from the Hong Kong Securities Regulatory Commission and the police. The Securities and Futures Commission of Hong Kong stated that it will formulate risk assessment criteria for virtual asset cases with the police and conduct information exchanges on a weekly basis.

I believe that in the near future, a more complete supervision and security system will help Hong Kong. As an important financial hub between the East and the West, Hong Kong is opening its arms to Web3.

About us

SharkTeams vision is to secure the Web3 world. The team consists of experienced security professionals and senior researchers from around the world, who are proficient in the underlying theory of blockchain and smart contracts. It provides services including on-chain big data analysis, on-chain risk warnings, smart contract audits, encrypted asset recovery and other services, and has created an on-chain intelligent risk identification platform ChainAegis. The platform supports unlimited levels of depth graph analysis and can effectively combat the challenges of the Web3 world. Advanced Persistent Threat (APT). It has established long-term cooperative relationships with key players in various fields of the Web3 ecosystem, such as Polkadot, Moonbeam, Polygon, Sui, OKX, imToken, ChainIDE, etc.

Official website:https://www.sharkteam.org

Twitter:https://twitter.com/sharkteamorg

Discord:https://discord.gg/jGH9xXCjDZ

Telegram:https://t.me/sharkteamorg

Original article, author:SharkTeam。Reprint/Content Collaboration/For Reporting, Please Contact report@odaily.email;Illegal reprinting must be punished by law.

ODAILY reminds readers to establish correct monetary and investment concepts, rationally view blockchain, and effectively improve risk awareness; We can actively report and report any illegal or criminal clues discovered to relevant departments.

Recommended Reading
Editor’s Picks