Analysis of the 2024 Blockchain Security and Anti-Money Laundering Annual Report: DPRK & Money Laundering Tools

SlowMist
7 min read · Jan 11, 2025


In recent years, North Korean hackers have frequently been at the center of cybersecurity incidents, especially in the cryptocurrency sector. In 2024, these hackers allegedly stole cryptocurrency assets worth hundreds of millions of dollars through sophisticated attack methods and laundering techniques, posing significant challenges to the blockchain industry and global anti-money laundering (AML) efforts. This article explores the attack and laundering tactics of North Korean hackers, along with their use of mixing tools.

DPRK

Below is a list of major incidents attributed to North Korean hacker groups (Data source: SlowMist Hacked):

Methods of Attacks

Beyond technical exploits, many of these attacks relied heavily on social engineering to gain initial access or bypass security measures. For example, the DMM Bitcoin and Radiant breaches involved attackers building trust with targets through impersonation and phishing before deploying malware.

  • Suspected North Korean Hackers Target Blockchain Community via Telegram: One prevalent tactic in 2024 involved phishing campaigns targeting blockchain and angel investing communities. In this campaign, attackers impersonated representatives of reputable investment firms on Telegram. They initiated conversations, scheduled fake meetings using platforms like Calendly, and convinced victims to download a malicious app under the guise of resolving technical issues or sharing sensitive data.
  • The Threat of DPRK IT Workers: Adding another dimension to DPRK’s cyber operations is the deployment of IT workers into legitimate roles. According to Google’s Threat Intelligence Group, North Korean operatives infiltrated IT, blockchain, and freelance platforms under false pretenses. These workers used falsified credentials and portfolios to secure positions, allowing them to compromise sensitive systems or facilitate broader attacks.
  • Newer Variant of BeaverTail Malware: Researchers have identified a new variant of the BeaverTail malware, attributed to North Korean-affiliated attackers, that targets macOS users by masquerading as a legitimate browser-based video call application. The sophisticated malware is designed to exfiltrate sensitive information, including cryptocurrency wallet data and keychain files, from infected machines. The new version of BeaverTail is embedded in a macOS disk image mimicking the legitimate MiroTalk video call service, which is browser-based and requires no app download.

Methods of Laundering

While exploits on various blockchain networks have increased, Ethereum (ETH), Bitcoin (BTC), and TRON remain the primary networks for laundering stolen funds due to their high liquidity and extensive ecosystem support.

This subsection uses the BingX incident, tracked by SlowMist, as a case study. Our investigation highlights the basics of these methods without delving into advanced strategies for privacy reasons.

Path of Stolen Funds in the BingX Incident:

  1. Initial Conversion: The stolen funds were first transferred into a wallet controlled by the perpetrators, where they were converted from altcoins into Ethereum (ETH).
  2. Splitting and Deposits: The ETH was split across multiple wallet addresses and deposited into platforms such as Tornado Cash, Thorchain, and Debridge.
  3. Bitcoin Hops: After withdrawal on the Bitcoin network, the funds were fragmented and moved through several addresses before being consolidated again and bridged back to the Ethereum network as USDT.
  4. Solana Bridging: In this case the funds were bridged to the Solana network via Debridge as USDT, swapped for USDC, then deposited into Debridge again and withdrawn on the Solana network.

It’s important to note that the Solana withdrawal was not the end of the investigation. This process of bridging and fragmenting funds repeated several more times before the funds were ultimately deposited into exchanges or moved to over-the-counter (OTC) markets on the TRON network.

You might wonder why the attackers bridge funds across multiple networks. The primary reason is to test the anti-money laundering (AML) systems of various exchanges. While most exchanges enforce Know Your Transaction (KYT) protocols, automated systems can only handle so much. Complex laundering patterns, involving multiple hops and network bridges, often require manual intervention by services like ours to alert exchanges effectively. Mixers, in particular, add another layer of complexity. Demixing stolen funds often requires significant manual effort, and the difficulty increases with the volume of funds involved. The more hops and networks used, the harder it becomes to trace and block the stolen assets. This underscores the need for advanced tools and expertise to combat these evolving laundering techniques.
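The following Python is an added example, not SlowMist's code or any MistTrack logic, and every address, label and transfer in it is constructed. It models the hop-and-bridge pattern described above from the tracing side: a breadth-first walk from the attacker's first wallet that follows transfers across chains, stops at service-controlled addresses (mixer, exchange, OTC desk), and turns what it finds into the kind of alert a KYT analyst would act on. It shows concretely why the automated part of the job gets harder with each bridge and why a mixer deposit ends the automated trace and hands off to manual work.

```python
"""Toy cross-chain fund-flow tracer (added example; all data constructed)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src_chain: str
    src: str
    dst_chain: str   # differs from src_chain when the hop is a bridge
    dst: str
    asset: str
    amount: float


@dataclass
class Endpoint:
    chain: str
    address: str
    label: str
    hops: int        # transfers from the seed wallet to this address
    bridges: int     # chain changes along that path
    path: list       # [(chain, address), ...] from seed to endpoint


# Labels a KYT system keeps for service-controlled addresses (constructed).
LABELS = {
    ("eth", "0xMIXER"): "mixer",     # a Tornado Cash-style pool
    ("eth", "0xEXCH"): "exchange",
    ("tron", "TOTC"): "otc",         # an OTC desk settling on TRON
    ("tron", "TEXCH"): "exchange",
}
TERMINAL = {"mixer", "exchange", "otc"}  # automated tracing stops here

# Constructed flow mirroring the walk-through: split, mixer deposit, bridge to
# BTC, fragment, consolidate, bridge back as USDT, on to Solana, then TRON.
T = Transfer
SAMPLE = [
    T("eth", "0xA1", "eth", "0xA2", "ETH", 100), T("eth", "0xA1", "eth", "0xA3", "ETH", 50),
    T("eth", "0xA2", "eth", "0xMIXER", "ETH", 100),          # sibling funds into a mixer
    T("eth", "0xA3", "btc", "bcB1", "BTC", 2.0),             # bridge ETH -> BTC
    T("btc", "bcB1", "btc", "bcB2", "BTC", 1.0), T("btc", "bcB1", "btc", "bcB3", "BTC", 1.0),
    T("btc", "bcB2", "btc", "bcB4", "BTC", 1.0), T("btc", "bcB3", "btc", "bcB4", "BTC", 1.0),
    T("btc", "bcB4", "eth", "0xA4", "USDT", 100000),         # bridge back as USDT
    T("eth", "0xA4", "sol", "SolS1", "USDT", 100000),        # bridge to Solana
    T("sol", "SolS1", "tron", "TronT1", "USDT", 100000),     # bridge to TRON
    T("tron", "TronT1", "tron", "TOTC", "USDT", 60000), T("tron", "TronT1", "tron", "TEXCH", "USDT", 40000),
    T("eth", "0xUNRELATED", "eth", "0xEXCH", "ETH", 5),      # noise: must not be flagged
]


def _path(parent, node):
    out = []
    while node is not None:
        out.append(node)
        node = parent[node]
    return out[::-1]


def _bridges(path):
    return sum(1 for a, b in zip(path, path[1:]) if a[0] != b[0])


def trace(transfers, seed, labels=LABELS):
    """BFS from seed over outgoing transfers; returns the terminal endpoints reached."""
    outgoing = {}
    for t in transfers:
        outgoing.setdefault((t.src_chain, t.src), []).append(t)
    parent, queue, endpoints = {seed: None}, deque([seed]), []
    while queue:
        node = queue.popleft()
        for t in outgoing.get(node, []):
            nxt = (t.dst_chain, t.dst)
            if nxt in parent:          # already reached by a shorter route
                continue
            parent[nxt] = node
            label = labels.get(nxt, "unlabeled")
            if label in TERMINAL:      # service address: record, do not trace through it
                p = _path(parent, nxt)
                endpoints.append(Endpoint(nxt[0], nxt[1], label, len(p) - 1, _bridges(p), p))
                continue
            queue.append(nxt)
    return endpoints


def kyt_alerts(endpoints, min_bridges=2):
    """Map endpoints to analyst actions; mixer deposits need manual demixing."""
    mixer_seen = any(e.label == "mixer" for e in endpoints)
    alerts = []
    for e in endpoints:
        base = {"chain": e.chain, "address": e.address, "service": e.label,
                "hops": e.hops, "chains": sorted({c for c, _ in e.path})}
        if e.label == "mixer":
            alerts.append({**base, "reasons": ["mixer deposit"], "action": "manual_demix"})
            continue
        reasons = []
        if e.bridges >= min_bridges:
            reasons.append(f"{e.bridges} cross-chain bridges before deposit")
        if mixer_seen:
            reasons.append("sibling funds from the same source went to a mixer")
        alerts.append({**base, "reasons": reasons,
                       "action": "freeze_and_review" if reasons else "monitor"})
    return alerts


if __name__ == "__main__":
    for a in kyt_alerts(trace(SAMPLE, ("eth", "0xA1"))):
        print(a)
```

Two design points carry over to real KYT work: the walk stops at any service-controlled address, because following a mixer or exchange hot wallet onward would taint every other customer's funds, and the bridge count is computed from the resolved path rather than from the bridge contract's own address, which is exactly the matching step (amount and timing across chains) that automated systems struggle with and analysts end up doing by hand.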

While OTC markets may appear to be a convenient option for trading cryptocurrency, they come with significant risks. Most OTC markets do not thoroughly vet for stolen funds, and users who engage with these markets could inadvertently find themselves in possession of illicit assets. In such cases, funds are often frozen or seized, leaving users as victims.

Money Laundering Tools

Tornado Cash

https://dune.com/misttrack/2024

In 2024, users deposited a total of 500,245 ETH (approximately $1.506 billion) into Tornado.Cash, a year-on-year increase of 47%. A total of 480,328 ETH (approximately $1.455 billion) was withdrawn from Tornado.Cash, a year-on-year increase of 53%.

eXch

https://dune.com/misttrack/2024

In 2024, users deposited a total of 214,918 ETH (approximately $633 million) into eXch, a year-on-year increase of 355%, and a total of 173,106,107 ERC20 tokens, a year-on-year increase of 579%.

The increase in eXch activity in 2024 is largely due to its growing use by malicious actors, including DPRK-affiliated entities. Unlike Tornado Cash, which can often be demixed for larger transactions, eXch is known for its lack of cooperation with law enforcement. This makes it a more attractive option for illicit activities, as it offers greater anonymity and less risk of asset recovery. These factors have positioned eXch as a preferred platform for bad actors, driving the significant growth in both ETH and ERC20 token deposits.

Railgun

https://x.com/RAILGUN_Project/status/1862141642989539397

Railgun has implemented Private Proofs of Innocence (PPOI), leveraging zero-knowledge proofs to ensure users can verify their funds are not linked to illicit activities without compromising privacy. This innovation strikes a crucial balance between privacy and compliance, making it harder for malicious actors to exploit the platform for laundering funds.

Summary

In 2024, the significant increase in the use of mixing tools like Tornado Cash and eXch reflects the growing trend of hackers innovating laundering methods. North Korean hackers, through highly organized cybercriminal activities, sophisticated technical attack methods, and cross-chain laundering strategies, continue to pose severe threats to the global cybersecurity ecosystem.

To address this situation, the industry must:

  • Enhance the technical capabilities of anti-money laundering (AML) systems.
  • Refine the regulatory framework for mixing tools and related platforms.
  • Promote international collaboration and information sharing to combat cybercrime effectively.

Additionally, both individual users and institutions need to raise security awareness and adopt proactive protective measures to counter complex cybersecurity threats. Only through collective industry efforts and proactive defense can we gain the upper hand in this battle, ensuring the healthy development of the blockchain ecosystem.

Here’s the link to the full report. Happy reading and feel free to share!

https://www.slowmist.com/report/2024-Blockchain-Security-and-AML-Annual-Report(EN).pdf

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
