On March 29th, the Ronin Network announced that 173,600 Ether (ETH) and 25.5 million USD Coins had been stolen from the Ronin cross-chain bridge six days earlier. The total value of the stolen cryptoassets at the time of the theft was $540 million. This is the second largest crypto theft of all time.
On April 14th, the US Treasury’s Office of Foreign Assets Control (OFAC) announced new sanctions against the thief's Ethereum address and listed the owner of this address as Lazarus Group – the North Korean state hacking group. The sanctions prohibit US persons and entities from transacting with this address to ensure the state-sponsored group can’t cash out any further funds they continue to hold onto through US-based crypto exchanges.
The theft came as a result of an attacker compromising the “validator nodes” of the Ronin bridge. Funds can be moved out if five of the nine validators approve the withdrawal. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the cryptoassets. The post-mortem claims that “all evidence points to this attack being socially engineered, rather than a technical flaw”.
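The five-of-nine rule described above is a threshold check over distinct validator keys. The following added example (not code from Ronin or from the original article) models that check in Python. Signatures are stood in for by HMAC-SHA256 tags under per-validator keys, which is an assumption made so the example runs offline with the standard library; a real bridge would verify ECDSA signatures. The point it shows is that the check counts distinct approving validators, so four approvals or one validator repeated five times both fail, while five genuine keys always pass, whoever holds them. The threshold cannot tell a compromised key from an honest one; the control is the independent custody of the keys, which is why a social-engineering compromise of five key holders defeated it without any code flaw.

```python
import hashlib
import hmac

# Constructed validator set: nine validators, each with its own secret key.
# The keys are derived from fixed strings purely so the example is reproducible.
VALIDATORS = {
    f"validator-{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
    for i in range(1, 10)
}
THRESHOLD = 5  # five of nine validators must approve a withdrawal


def sign(key: bytes, message: bytes) -> str:
    """Stand-in for a validator signature (HMAC tag instead of ECDSA)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def approve_withdrawal(message: bytes, approvals: list[tuple[str, str]],
                       validators: dict[str, bytes] = VALIDATORS,
                       threshold: int = THRESHOLD) -> bool:
    """Return True only if at least `threshold` DISTINCT known validators
    produced a valid tag over `message`. Unknown names and bad tags are
    ignored, and repeated approvals from the same validator count once."""
    valid_signers: set[str] = set()
    for name, tag in approvals:
        key = validators.get(name)
        if key is None:
            continue  # not a member of the validator set
        if hmac.compare_digest(tag, sign(key, message)):
            valid_signers.add(name)
    return len(valid_signers) >= threshold


def scenario(signer_names: list[str], message: bytes = b"withdraw 173600 ETH") -> bool:
    """Build approvals from the named validators and run the threshold check."""
    approvals = [(n, sign(VALIDATORS[n], message)) for n in signer_names]
    return approve_withdrawal(message, approvals)


def demo() -> dict[str, bool]:
    """Three cases: too few signers, one signer repeated, and five stolen keys."""
    return {
        "four_distinct": scenario([f"validator-{i}" for i in range(1, 5)]),
        "one_repeated_five_times": scenario(["validator-1"] * 5),
        # Five distinct keys pass whether their holders are honest or an
        # attacker who obtained them: the check cannot tell the difference.
        "five_distinct": scenario([f"validator-{i}" for i in range(1, 6)]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'approved' if ok else 'rejected'}")
```

A tampered tag is also rejected: only approvals that verify under a known validator's key are counted toward the threshold.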
The attacker laundered some of the stolen funds through centralized exchanges.
Many features of the attack mirrored the method used by Lazarus Group in previous high-profile attacks, including the location of the victim, the attack method (believed to have involved social engineering) and the laundering pattern utilized by the group after the event.
Many commentators believe that cryptoassets stolen by Lazarus Group are used to fund the state’s nuclear and ballistic missile programs. With recent reports that North Korea may be again preparing for nuclear testing, today’s sanctions activity highlights the importance of ensuring that Lazarus Group is not able to successfully launder the proceeds of these attacks.
Virgil Griffith, a US cryptocurrency expert, was sentenced on Tuesday to 63 months in prison after pleading guilty to assisting the Democratic People's Republic of Korea (DPRK) with technical info on how to evade sanctions.
The sanctions imposed by the International Emergency Economic Powers Act (IEEPA) and Executive Order 13466 forbid the export of any goods, services, or technology to the DPRK without a Department of the Treasury license issued by the Office of Foreign Assets Control (OFAC).
Griffith, who worked as a special projects developer and research scientist for the Ethereum Foundation, was arrested in November 2019 by the FBI following a presentation in North Korea on how the country could use cryptocurrency and blockchain tech (i.e., smart contracts) to launder money and evade sanctions.
Coin mixer Tornado Cash said it is using a tool developed by compliance firm Chainalysis to block crypto wallets sanctioned by the U.S. Office of Foreign Assets Control (OFAC).
The blockade only applies to the Tornado Cash front end, not the underlying smart contract, one of the protocol's founders later tweeted.
The Chainalysis oracle for sanctions compliance is a free smart contract that scans for crypto wallets that are sanctioned by various governments. The sanctions-screening tool was launched in March against the backdrop of Russia's invasion of Ukraine.
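To make the distinction in the two paragraphs above concrete, here is an added Python example (not code from Tornado Cash, Chainalysis or the original article) that models a sanctions oracle, a mixer contract and a front end. The oracle, the addresses and the class names are constructed for the example. Two points are shown: screening has to normalise address case before the lookup, otherwise a mixed-case (checksummed) spelling of a flagged address slips past a plain string comparison; and a check placed only in the front end blocks front-end deposits while a direct call to the contract is unaffected, which is exactly the scope the founder's tweet describes.

```python
import re

# A 20-byte hex address with 0x prefix; case is not significant for identity.
HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(address: str) -> str:
    """Validate the address format and fold it to lower case so that the
    checksummed (mixed-case) and all-lower-case spellings compare equal."""
    address = address.strip()
    if not HEX_ADDRESS.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address.lower()


class SanctionsOracle:
    """Stand-in for an on-chain sanctions oracle: a set of flagged addresses.
    The real oracle is a smart contract; here it is an in-memory set."""

    def __init__(self, flagged: list[str]):
        self._flagged = {normalize(a) for a in flagged}

    def is_sanctioned(self, address: str) -> bool:
        return normalize(address) in self._flagged


class MixerContract:
    """The on-chain path. It performs no screening, matching the statement
    that the blockade does not apply to the underlying smart contract."""

    def __init__(self):
        self.deposits: list[tuple[str, int]] = []

    def deposit(self, sender: str, amount: int) -> bool:
        self.deposits.append((normalize(sender), amount))
        return True


class FrontEnd:
    """The web front end: consults the oracle before relaying a deposit."""

    def __init__(self, oracle: SanctionsOracle, contract: MixerContract):
        self.oracle = oracle
        self.contract = contract

    def deposit(self, sender: str, amount: int) -> bool:
        if self.oracle.is_sanctioned(sender):
            return False  # blocked at the UI layer only
        return self.contract.deposit(sender, amount)


# Constructed address (not a real sanctioned address) in two spellings.
FLAGGED_LOWER = "0x" + "ab" * 19 + "01"
FLAGGED_MIXED = "0x" + "Ab" * 19 + "01"
CLEAN = "0x" + "00" * 19 + "02"


def demo() -> dict[str, bool]:
    """Run one deposit per path and report whether it went through."""
    oracle = SanctionsOracle([FLAGGED_LOWER])
    contract = MixerContract()
    front = FrontEnd(oracle, contract)
    return {
        "clean_via_frontend": front.deposit(CLEAN, 1),
        "flagged_via_frontend": front.deposit(FLAGGED_MIXED, 1),   # case-folded, blocked
        "flagged_direct_to_contract": contract.deposit(FLAGGED_MIXED, 1),  # not blocked
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the caveat the founder raised: a front-end check is a usability and compliance measure for that interface, not a property of the protocol, so anyone interacting with the contract directly is not subject to it.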
A price manipulation vulnerability was exploited in Elephant Money in a flash loan attack
The official post-mortem stated a loss of $11.2M, yet Peckshield later pointed out that Elephant had chosen not to include the loss of ~30 billion ELEPHANT tokens, bringing the total amount lost to $22.2M.
The attacker used flash loans to manipulate the price of the ELEPHANT token during the minting process of the project’s stablecoin TRUNK.
First, the attacker took flash loans of 131k WBNB and 91M BUSD; the 131,162.00 WBNB was then swapped for 34.244e21 ELEPHANT.
TRUNK can be minted by depositing BUSD. During this process, the vulnerable contract first swaps BUSD to WBNB and then uses the WBNB to buy ELEPHANT, raising the price of ELEPHANT. By minting, the attacker both receives TRUNK and increases the value of the ELEPHANT from the previous step.
The attacker then swapped the ELEPHANT, originally acquired for 131k WBNB, for 164k WBNB. Additionally, the attacker redeemed the TRUNK for 37k WBNB and 67M BUSD, making a total of ~200k WBNB and ~67M BUSD. After returning the flash loans (of 131k WBNB and 91M BUSD), this resulted in a profit of ~$4M.
The same process was repeated on a cycle, leading to total gains of over 27k WBNB ($11.2M) for the hacker. Since the incident, the funds have been sent on to various accounts and then either bridged to Ethereum or sent to Tornado Cash, as can be seen in the visualisation below.
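The root cause in the steps above is that the mint path prices ELEPHANT off the pool's spot price, which a single large swap in the same transaction can move. The following added Python example (not code from Elephant Money or the original article) models that mechanism on a constant-product pool with constructed reserves and no fee, so the arithmetic is exact. It shows how far one swap moves the spot price, and contrasts two guards a minting contract could apply before trusting a price: a deviation band against a reference price, and a time-weighted average price (TWAP) over the preceding blocks, which a single-block swap barely moves. Pool sizes, the window length and the 5% band are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool. reserve_a is the quote asset (think WBNB),
    reserve_b the asset being priced (think ELEPHANT). No fee, exact math."""
    reserve_a: int
    reserve_b: int

    def spot_price(self) -> Fraction:
        """Quote units of A per unit of B, read straight from the reserves.
        This is the value a naive minting contract would trust."""
        return Fraction(self.reserve_a, self.reserve_b)

    def swap_a_for_b(self, amount_a: int) -> int:
        """Deposit A, withdraw B keeping the product constant."""
        out = self.reserve_b * amount_a // (self.reserve_a + amount_a)
        self.reserve_a += amount_a
        self.reserve_b -= out
        return out


def deviation(observed: Fraction, reference: Fraction) -> Fraction:
    """Relative distance of an observed price from a reference price."""
    return abs(observed - reference) / reference


def within_band(observed: Fraction, reference: Fraction,
                max_deviation: Fraction = Fraction(5, 100)) -> bool:
    """Guard 1: refuse to mint when the price is more than `max_deviation`
    (default 5%) away from the reference price."""
    return deviation(observed, reference) <= max_deviation


def twap(block_prices: list[Fraction]) -> Fraction:
    """Guard 2: equal-weight time-weighted average over one observation per
    block. A single manipulated block is diluted by the honest ones."""
    return sum(block_prices, Fraction(0)) / len(block_prices)


def simulate(reserve_a: int = 1_000, reserve_b: int = 1_000_000,
             swap_in: int = 1_000, history_blocks: int = 10) -> dict:
    """One large swap against a quiet pool, then evaluate both guards."""
    pool = ConstantProductPool(reserve_a, reserve_b)
    fair = pool.spot_price()                      # price before the swap
    history = [fair] * history_blocks             # quiet blocks before the attack
    received = pool.swap_a_for_b(swap_in)         # the manipulating swap
    manipulated = pool.spot_price()               # what the mint path would read
    averaged = twap(history + [manipulated])      # what a TWAP oracle would read
    return {
        "tokens_received": received,
        "spot_before": fair,
        "spot_after": manipulated,
        "spot_deviation": deviation(manipulated, fair),
        "spot_passes_band": within_band(manipulated, fair),
        "twap": averaged,
        "twap_deviation": deviation(averaged, fair),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v if not isinstance(v, Fraction) else float(v):.6}" if isinstance(v, Fraction) else f"{k}: {v}")
```

With the default reserves, swapping in an amount equal to the whole quote reserve quadruples the spot price (a 300% deviation, rejected by the band), while the eleven-block TWAP moves by about 27%. The TWAP does not make the price unmanipulable; it raises the cost from one transaction to sustained pressure across many blocks, which is why it is paired with a band check rather than used alone.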