
Anatomy of a Cybercurrency Heist

The U.S. Department of Justice last week unsealed an indictment against two alleged members of North Korea’s state-sponsored cybercrime syndicate known as Lazarus Group.  The group has executed a number of high-profile hacks that include:

  • the 2014 cyberattack on Sony Pictures Entertainment,
  • attempts to steal more than $1.2 billion from banks in countries that include Vietnam, Bangladesh, Taiwan, and Mexico,
  • cyber-enabled ATM cash-out thefts,
  • ransomware attacks and extortion schemes,
  • malicious cryptocurrency applications,
  • theft of cryptocurrencies from exchanges and digital wallets,
  • spear-phishing campaigns,
  • and a fraudulent initial coin offering.

The U.S. Attorneys in California and Georgia have also indicted a Canadian and an accomplice for helping the North Koreans launder funds derived from these activities.

The FBI and Justice Department shared information about the tactics, techniques, and procedures used by these criminals to help remediate intrusions and prevent future breaches.  Private cybersecurity companies played a key role in the investigations.

The KuCoin Hack

An example of one of the Lazarus Group’s cybercrimes is the September 2020 KuCoin hack.  KuCoin is a Singapore-based digital currency exchange from which $274.1 million was stolen.  According to Johnny Lyu, KuCoin’s CEO, the funds were emptied out of KuCoin’s hot wallets.  

What’s a digital wallet?

The software used to store and transact cryptocurrency is referred to as a digital “wallet.”  An individual wallet is identified by a public key, which is similar to a username but instead of something like “fancypants400,” it’s a long series of numbers and characters.  A private key is paired with a wallet’s public key to authenticate the wallet as the owner, much like a very long and complicated password.  Transactions in a public blockchain ledger don’t identify individuals, only their wallet addresses derived from their public keys.  This is the basis for the anonymity of cryptocurrencies like Bitcoin.

A “hot” wallet is connected to the internet where it can communicate with exchanges and execute transactions immediately.  A “cold” wallet, or “cold storage,” is a wallet that is not directly connected to the internet.  It might be held on a separate offline device, which often can only be accessed by plugging it into a computer’s USB port.  Cold wallets are considered more secure than hot wallets.  Many cryptocurrency traders have both, keeping a proportionately smaller amount in their hot wallets and the majority of their assets in cold storage.

How does cryptocurrency get stolen?

As with any object of value that one wants to keep safe, the owner finds a hardened place to store it.  If you had a cache of gold coins, you’d want to keep it in something like an impenetrable bank vault.  However, from time to time you’d want to visit your stash and swim through the coins screaming “I’m rich!…I’m filthy stinking rich!”  To get into the vault, you’ll need the combination or password or some other reasonably convenient method to access it.  And therein lies the chink in every security system.  The owner needs to have relatively easy access to his treasure.  In the case of cryptocurrency, that’s the private key.

So, how is the private key kept safe from would-be thieves?  The same way everything else on the internet is secured: behind a username and password wall.  Remember that the blockchain ledger only transacts with wallets; it doesn’t care who is controlling the wallets.  Therefore, if a thief manages to get hold of your wallet’s username and password, they can get control of your private key.  Once they have your private key, bye bye Bitcoin!
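The two points above, that the ledger only sees addresses derived from public keys and that whoever holds the private key controls the wallet, can be shown in a few lines.  This is an added illustration, not code from the original post or from any real wallet software; the address derivation and transaction format are simplified stand-ins for the real ones, and the names (Wallet, AddressOf, TxDigest, LedgerAccepts) are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Wallet is a toy model: an address derived from the public key, and a private key
// that alone can authorize spending. Illustrative only; not Bitcoin's real encoding.
type Wallet struct{ priv *ecdsa.PrivateKey }

func NewWallet() (*Wallet, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{priv: priv}, nil
}

// WalletFromKey models a thief who has obtained a copy of the owner's private key.
func WalletFromKey(priv *ecdsa.PrivateKey) *Wallet { return &Wallet{priv: priv} }
func (w *Wallet) PrivateKey() *ecdsa.PrivateKey     { return w.priv }
func (w *Wallet) PublicKey() *ecdsa.PublicKey       { return &w.priv.PublicKey }
func (w *Wallet) Address() string                   { return AddressOf(w.PublicKey()) }

// AddressOf hashes the public key coordinates; the ledger sees only this value, never a name.
func AddressOf(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return fmt.Sprintf("%x", sum[:10])
}

// TxDigest binds sender, recipient and amount, so altering any field breaks the signature.
func TxDigest(from, to string, amount uint64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s->%s:%d", from, to, amount)))
	return sum[:]
}

func (w *Wallet) Sign(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, w.priv, digest)
}

// LedgerAccepts is all the blockchain checks: the presented public key must hash to the
// spending address and the signature must verify. A signature made with a stolen key
// is indistinguishable from the owner's.
func LedgerAccepts(from, to string, amount uint64, pub *ecdsa.PublicKey, sig []byte) bool {
	return AddressOf(pub) == from && ecdsa.VerifyASN1(pub, TxDigest(from, to, amount), sig)
}
```

The check in LedgerAccepts is the whole story: a different key cannot spend from the owner's address, a tampered amount fails verification, but a copied private key passes exactly as the owner would, which is why key custody (and cold storage) matters more than any login screen in front of it.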

Of course, the people who commit these crimes prefer to do so from the safety of a remote location far removed from the victim.  That is why offline cold storage tends to be safer than hot wallets.  The methods used to steal usernames and passwords are the same ones used to hack websites, bank accounts, and any other internet-based system.  These include:

  • guessing the right password, often after researching targets,
  • spear phishing, where an email is used to trick the target into divulging their credentials,
  • social engineering attacks that use psychological manipulation of owners or employees,
  • phony applications or malware that infiltrate the target’s computer systems,
  • hijacking the target’s mobile phone and using it to reset passwords,
  • bribing or coercing insiders to cooperate with the thieves.

How is the stolen cryptocurrency laundered?

Once thieves have gained access to the wallets, they immediately move the stolen loot to another wallet that they control.  In fact, wallets are so easy to set up that individual criminals might control thousands of them.  However, moving money from wallet to wallet can be observed through the blockchain ledger.  That’s where “mixers” come in.  Mixers, sometimes called “tumblers,” are cryptocurrency services that provide a passthrough designed to make it impossible to trace the movement of currency through the ledger.  They effectively pool money from a large number of wallets and then disperse it among a larger number of other wallets so that no one can tell which coins came from whom and to whom they went on the other side.

Another method is to use DeFi, or decentralized finance, protocols.  One type of DeFi application, called a decentralized exchange (DEX), enables certain cryptocurrencies to be exchanged directly between wallets without ever taking possession of the transacted coins, unlike mainstream exchanges.  This exploits a loophole: since the DeFi protocol never has possession or control of the funds, it is not subject to know-your-customer (KYC) rules like other exchanges and wallet providers.  Criminals exploit these exchanges to launder cryptocurrencies because of their greater anonymity.

Conclusion

In the world of cryptocurrency security, the weakest link is always the human element.  Somebody always needs to have access to the private keys of wallets, so the criminals target careless or gullible owners and employees to give up those private keys.  Then, they move fast to drain the victims’ accounts and launder the money through mixers and DeFi applications so that law enforcement can’t track them and recovery becomes impossible.

Written by

Frank Stalla
