A close look at how top hackers are stealing and laundering cryptocurrencies
Tech Deep Dives


a year ago


Do you still remember the near $200 million attack on Euler Finance in March of this year?

After many rounds of negotiation between Euler Labs and the attacker, the attacker has returned all the funds stolen from the protocol.

Initially, the attacker transferred 100 ETH to a hacker group with a national background (the group behind the Ronin security incident) in order to mislead observers. This hacker group then sent an on-chain notification to the Euler attacker asking him to decrypt an encrypted message.

In the transaction containing this notification, the state-backed hacker group sent 2 ETH to the Euler attacker. But experts said the message was a phishing scam to steal the private key of the Euler attacker's wallet.

Is this a typical case of "dog eat dog"? The state-backed hacker group is known to have been cyber-attacking cryptocurrency businesses for a long time and has built several specialized teams to carry out cyber-attacks and launder stolen funds.

Today, we'll reveal how this state-backed hacker group has been attacking and laundering cryptocurrencies, using the Beosin KYT anti-money laundering and analytics platform.

The following shows some of the APT names under which this state-backed group is tracked:

Foreign intelligence companies have recently analyzed the attack activities of this state-backed hacker group (hereafter "the hacker group"), which include attacks on cryptocurrencies. According to the researchers, the hacker group uses phishing techniques to try to infect targets, then intercepts large cryptocurrency transfers, changes the recipient's address, and pushes the transfer amount to the maximum with the intention of depleting the account in a single transaction.

How are your crypto assets stolen by hackers?

Use spear phishing emails

The hacker group uses spear-phishing emails sent under fake or deceptive personas to approach its targets; the emails link to sites hosting fake login pages that trick victims into entering their account credentials.

The following figure shows phishing emails that the hacker group has used to target cryptocurrency users:

Malicious Android App Theft

Foreign intelligence companies have observed the hacker group using malicious Android apps that target Chinese users who are looking to obtain cryptocurrency loans. The app and its associated domain name may collect user credentials.

The hacker group may even create fake cryptocurrency software companies to trick victims into installing seemingly legitimate apps, which install backdoors when they are updated.

Experts believe that the hacker group is now actively testing new malware delivery methods, for example using previously unused file types (such as new Visual Basic Script files, hidden Windows batch files and Windows executables) to infect victims.

Replacement of the MetaMask extension

When the hacker group obtains access to a user's host, they spy on the user for weeks or months, collecting keylogs and monitoring the user's daily actions.

If the hacker group discovers that the targeted user uses a browser extension wallet (such as MetaMask), they change the extension source from the Web Store to a local directory and replace the core extension component (background.js) with a doctored version.

The image below shows a comparison of two files: a legitimate MetaMask background.js file and a variant of the hacker's tampered code. The modified lines of code are highlighted in yellow.

The details of the transaction are automatically submitted to the hacker's C2 (command and control) server via HTTP:

In this case, the hacker sets up monitoring of transactions between specific sender and recipient addresses. When a large transfer is detected, this triggers a notification and the funds are stolen.

The following image shows a Trojanized extension:

As a precaution, check whether your browser has Developer mode enabled, and if so, ensure that important extensions are installed from the online store:
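The check above can be automated. The following is an added example, not code from the original article or from Beosin: it audits the extension entries of a Chromium-based browser's Preferences file and flags wallet extensions that were not installed from the Web Store (Chromium records such installs with `"location": 4`, its UNPACKED code, and `"from_webstore": false`) or whose `background.js` does not match a known-good digest. The Preferences excerpt, the extension ids, the file contents and the allow-list are all constructed for the example; a real audit would read the user's Preferences file and the extension directory from disk.

```python
import hashlib
import json

# Chromium stores each installed extension under extensions.settings in its
# Preferences JSON. The "location" field uses Chromium's Manifest::Location
# codes: 1 = INTERNAL (installed through the Web Store), 4 = UNPACKED
# (loaded from a local directory, which requires Developer mode).
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the legitimate background.js and for the same
# file with an extra line appended by an attacker (the real tampering is
# not reproduced here; any byte change is enough to break the digest).
LEGIT_BACKGROUND_JS = b"// background.js of the wallet extension (constructed placeholder)\n"
TAMPERED_BACKGROUND_JS = LEGIT_BACKGROUND_JS + b"// (constructed) injected line\n"

# Allow-list of SHA-256 digests of background.js for the builds you trust.
KNOWN_GOOD_HASHES = {sha256_hex(LEGIT_BACKGROUND_JS)}

# Constructed excerpt of a Preferences file; the extension ids are made up.
SAMPLE_PREFS = json.loads("""
{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Wallet (Web Store build)",
        "location": 1,
        "from_webstore": true,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0"
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Wallet (local copy)",
        "location": 4,
        "from_webstore": false,
        "path": "/home/user/wallet-ext-local"
      }
    }
  }
}
""")

# Constructed map from an extension's install path to the bytes of its
# background.js; a real audit would read the file from disk instead.
SAMPLE_FILES = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0": LEGIT_BACKGROUND_JS,
    "/home/user/wallet-ext-local": TAMPERED_BACKGROUND_JS,
}


def audit_extensions(prefs, files, known_good):
    """Return (extension_id, reason) findings for extensions that are not
    Web Store installs or whose background.js is not a known-good build."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location != LOCATION_INTERNAL or not entry.get("from_webstore", False):
            findings.append((ext_id, "not installed from the Web Store (location=%s)" % location))
        content = files.get(entry.get("path"))
        if content is None:
            findings.append((ext_id, "background.js not found"))
        elif sha256_hex(content) not in known_good:
            digest = sha256_hex(content)
            findings.append((ext_id, "background.js digest %s is not a known-good build" % digest[:16]))
    return findings


if __name__ == "__main__":
    for ext_id, reason in audit_extensions(SAMPLE_PREFS, SAMPLE_FILES, KNOWN_GOOD_HASHES):
        print(ext_id, reason)
```

Both checks matter: an unpacked copy of a wallet whose `background.js` still matches a known build is a configuration to question, while a Web Store install whose file does not match is a sign of tampering after installation.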

Social engineering attacks

The Beosin security research team found that hacker groups may use social engineering tactics to trick users into transferring cryptocurrency to their accounts. Examples include impersonating trading platforms, sending fraudulent emails, and so on.

Counterfeit trading platforms: Disguised as well-known cryptocurrency trading platforms, they steal users' assets by tricking them into entering their account information on a counterfeit website or application.

Fund trading fraud: They create fake cryptocurrency investment funds, promise users high returns, lead them to invest, and then transfer the funds to other accounts and shut the fund down.

Social media fraud: They use social media platforms, such as Twitter, Telegram, Reddit, etc., to disguise themselves as cryptocurrency trading experts or investors, publish false investment advice or price analysis, and lure users into making investments, thus defrauding them of funds.

How do hackers launder cryptocurrencies?

Laundering through coin mixers

Hacker groups have used Tornado Cash, the most popular coin mixer on the Ethereum blockchain, to transfer funds. One example is the theft from an exchange in 2020, in which more than $270 million was stolen.

The hackers used Tornado Cash to launder the stolen ETH. The flow of funds from the hacker address (0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23) can be viewed in Beosin KYT as shown below.

Beosin KYT: the overview of the hack group

Beosin KYT: the diagram of the funds flow
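The funds-flow diagram above is the output of a taint-tracing query. As an added illustration, not code from the article or from the Beosin KYT platform, the following script implements the simplest such query: pro-rata ("haircut") taint propagation over a chronological transfer log, starting from the hacker address named above. It reports each transfer that carries tainted value into a labelled destination (a mixer contract, an exchange deposit address) together with the hop count from the origin. The transfer log, the intermediate addresses and the two labelled addresses are constructed placeholders; only the origin address comes from the article.

```python
from typing import Dict, List, Tuple

Transfer = Tuple[str, str, str, float]  # (tx_hash, sender, recipient, amount_eth)

# Origin address from the article; every other address below is constructed.
HACKER = "0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23"
MIXER = "0xMIXER_CONTRACT_PLACEHOLDER"
EXCHANGE_DEPOSIT = "0xEXCHANGE_DEPOSIT_PLACEHOLDER"
LABELS = {MIXER: "mixer", EXCHANGE_DEPOSIT: "exchange_deposit"}

# Constructed transfer log in chronological order. The unrelated inflow to
# 0xhop3 shows why the haircut rule matters: only part of what 0xhop3 sends
# onward is tainted.
TRANSFERS: List[Transfer] = [
    ("0xt1", HACKER, "0xhop1", 10000.0),
    ("0xt2", "0xhop1", "0xhop2", 6000.0),
    ("0xt3", "0xhop1", "0xhop3", 4000.0),
    ("0xt4", "0xhop2", MIXER, 6000.0),
    ("0xt5", "0xclean_source", "0xhop3", 500.0),   # clean funds mixed in
    ("0xt6", "0xhop3", EXCHANGE_DEPOSIT, 4000.0),
]


def trace_taint(origin: str, origin_balance: float, transfers: List[Transfer],
                labels: Dict[str, str]):
    """Pro-rata taint propagation.

    Each outgoing transfer carries taint in the same proportion as the
    sender's current tainted-to-total balance. Returns (alerts, tainted, hops):
    alerts for transfers that deliver tainted value to a labelled address,
    the tainted value held per address, and the minimum hop count from origin.
    """
    balance = {origin: origin_balance}
    tainted = {origin: origin_balance}
    hops = {origin: 0}
    alerts = []
    for tx, sender, recipient, amount in transfers:
        bal = balance.get(sender, 0.0)
        # A sender with no recorded balance is treated as an external, clean source.
        fraction = 0.0 if bal <= 0 else min(1.0, tainted.get(sender, 0.0) / bal)
        dirty = amount * fraction
        balance[sender] = bal - amount
        tainted[sender] = tainted.get(sender, 0.0) - dirty
        balance[recipient] = balance.get(recipient, 0.0) + amount
        tainted[recipient] = tainted.get(recipient, 0.0) + dirty
        if dirty > 0:
            hops[recipient] = min(hops.get(recipient, 10**9), hops[sender] + 1)
            if recipient in labels:
                alerts.append((tx, labels[recipient], recipient, round(dirty, 6), hops[recipient]))
    return alerts, tainted, hops


if __name__ == "__main__":
    found, _, _ = trace_taint(HACKER, 10000.0, TRANSFERS, LABELS)
    for tx, label, addr, amount, hop in found:
        print(f"{tx}: {amount} ETH of tainted value reached {label} {addr} at hop {hop}")
```

A "poison" rule (any address that ever receives tainted value is fully tainted) is easier to compute but over-flags busy counterparties; the haircut rule above keeps amounts proportional, which is why the exchange deposit in the sample receives about 3555.56 tainted ETH rather than the full 4000.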

So, what is Tornado Cash?

Tornado Cash is a privacy-preserving protocol on Ethereum designed to provide users with complete anonymity for cryptocurrency transactions. It is based on zk-SNARK (zero-knowledge proof) technology, which allows users to transact without revealing any personal information, thus protecting their privacy.

Tornado Cash works by mixing the user's tokens together and making them untraceable. Users first send tokens to a smart contract, which then mixes those tokens with other users' tokens. Once the mix is complete, the user can withdraw the same number of tokens from the smart contract. Because of the mixing, these tokens cannot be associated with the tokens originally sent.

Tornado Cash supports both Ether (ETH) and ERC-20 tokens, and users can choose different "mixing pools" for transactions. In addition, Tornado Cash can be used to send completely anonymous tokens to others, making it an important tool for privacy protection.

It is important to note that Tornado Cash only provides privacy protection, rather than anonymity. Users need to take appropriate measures to protect their identity information from being tracked in other ways. Also, there are transaction fees when using Tornado Cash, and these fees may be higher than those for regular transactions.
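To make the deposit-and-withdraw mechanism concrete, here is an added toy model of a fixed-denomination mixing pool; it is not Tornado Cash's code and not part of the original article. A depositor publishes only a commitment H(nullifier, secret); at withdrawal time a different address reveals only H(nullifier). In the real protocol a zk-SNARK proves that the withdrawer knows a (nullifier, secret) pair whose commitment sits in the contract's Merkle tree; in this toy the pool checks the pair directly, which is the stated simplification. The point for an analyst is what stays observable: the deposit log holds commitments, the withdrawal log holds nullifier hashes, and no value appears in both, so the chain alone cannot pair a deposit with a withdrawal. The names `ToyMixerPool`, `new_note` and `observer_can_link` are this example's own.

```python
import hashlib
import os
from typing import Dict, List, Set, Tuple

DENOMINATION = 1.0  # every note in this pool is worth exactly 1 ETH


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def new_note() -> Tuple[bytes, bytes, bytes]:
    """Return (nullifier, secret, commitment). Only the commitment is
    published at deposit time; the other two stay with the depositor."""
    nullifier = os.urandom(31)
    secret = os.urandom(31)
    return nullifier, secret, h(nullifier, secret)


class ToyMixerPool:
    def __init__(self) -> None:
        self.commitments: List[bytes] = []          # stands in for the Merkle tree
        self.spent: Set[bytes] = set()              # nullifier hashes already used
        self.balances: Dict[str, float] = {}
        self.deposit_log: List[Tuple[str, bytes]] = []   # (depositor, commitment)
        self.withdraw_log: List[Tuple[str, bytes]] = []  # (recipient, nullifier_hash)

    def deposit(self, depositor: str, commitment: bytes) -> None:
        self.commitments.append(commitment)
        self.deposit_log.append((depositor, commitment))

    def withdraw(self, nullifier: bytes, secret: bytes, recipient: str) -> None:
        # Toy simplification: the real contract verifies a zk-SNARK of
        # membership instead of seeing the (nullifier, secret) pair.
        if h(nullifier, secret) not in self.commitments:
            raise ValueError("no matching deposit")
        nullifier_hash = h(nullifier)
        if nullifier_hash in self.spent:
            raise ValueError("note already spent")
        self.spent.add(nullifier_hash)
        self.balances[recipient] = self.balances.get(recipient, 0.0) + DENOMINATION
        self.withdraw_log.append((recipient, nullifier_hash))


def observer_can_link(pool: ToyMixerPool) -> bool:
    """What a chain analyst sees: commitments on deposit, nullifier hashes on
    withdrawal. True only if some published value appears in both logs."""
    deposited = {c for _, c in pool.deposit_log}
    revealed = {n for _, n in pool.withdraw_log}
    return bool(deposited & revealed)


def demo() -> ToyMixerPool:
    """Two deposits, two withdrawals to fresh addresses in a different order."""
    pool = ToyMixerPool()
    note_a = new_note()
    note_b = new_note()
    pool.deposit("alice", note_a[2])
    pool.deposit("bob", note_b[2])
    pool.withdraw(note_b[0], note_b[1], "fresh_addr_1")
    pool.withdraw(note_a[0], note_a[1], "fresh_addr_2")
    return pool


if __name__ == "__main__":
    p = demo()
    print("balances:", p.balances)
    print("observer can link deposits to withdrawals:", observer_can_link(p))
```

Because every note has the same denomination, amounts carry no information either; what remains for an investigator is timing and the behaviour of the addresses on each side of the pool, which is why tools such as KYT graph the flows before and after the mixer rather than through it.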

Other common coin mixers include:

Blender.io: Founded in 2017, Blender is a virtual currency mixer that runs on the Bitcoin blockchain and was the first mixer to be sanctioned by the U.S. Treasury Department.

CoinMixer: An older Bitcoin mixing service that has existed since 2017 and is not currently sanctioned by the government.

ChipMixer: A dark-web cryptocurrency mixer run by a Vietnamese operator. It laundered over $3 billion worth of cryptocurrency from 2017 onward; the site and back-end servers were seized by the Federal Police Department on March 15, 2023.

Umbra: Umbra is a protocol that allows users to make private transfers on Ethereum. With Umbra, only the payer and the recipient know who received a transfer.

CoinJoin: CoinJoin is one of the oldest coin mixers, developed specifically for Bitcoin (BTC) and Bitcoin Cash (BCH).

Apart from specialized coin mixers, money laundering can be achieved by exchanging virtual currencies using decentralized exchanges such as FixedFloat, sideshift, ChangeNow, etc.

Laundering through hashrate leasing or cloud mining services

Hacker groups use cryptocurrency services to launder stolen funds, including purchasing domain names and paying for services, and potentially use hashrate leasing and cloud mining services to turn stolen cryptocurrency into clean cryptocurrency.

Hashrate leasing allows customers to rent computing power for cryptocurrency mining. Hashrate is the computing power a computer or dedicated hardware applies to running different hash algorithms. These algorithms are used to generate new cryptocurrency units and to process transactions, a process known as mining, and the rented power can be paid for in cryptocurrency. Intelligence firms say hacker groups use these services to launder stolen cryptocurrencies so that the resulting funds cannot be traced back to the malicious operation.

Laundering through dark web marketplaces

Hacker groups may use cryptocurrency transactions on dark web marketplaces to launder money. These marketplaces allow anonymous transactions, enabling hackers to trade there in order to turn illicit proceeds into spendable funds.

The process by which hackers use dark web marketplaces to launder cryptocurrencies can be broadly divided into the following steps:

1. Finding buyers on dark web marketplaces: Hackers look for cryptocurrency buyers on dark web marketplaces. These marketplaces offer many tools and services for anonymous transactions, making it easier for hackers to trade while reducing the risk of being exposed.

2. Preparing cryptocurrencies for money laundering: Hackers need to have the cryptocurrencies from their illegal activities on hand in order to transfer funds quickly while reducing the risk of the transaction being traced.

3. Completing the transaction: Hackers complete transactions through anonymous trading tools and services on dark web marketplaces to transfer cryptocurrency to the buyer's address. These transactions may involve multiple cryptocurrencies and payment systems.

4. Transferring the proceeds to legal channels: Hackers need to move the proceeds obtained on dark web marketplaces into legal channels so that they can use these funds for their daily lives and business activities. This may include converting cryptocurrency into legal tender or investing it in other legitimate assets.

Laundering through Proxy Accounts

Hacker groups may use proxy accounts to avoid being traced. These proxy accounts may be held by people such as offshore associates or overseas students.

The following are possible techniques of proxy account laundering:

Money laundering through control of another person's account: The government or its agents may take control of another person's bank account to launder money. These controlled accounts may belong to a compatriot or a closely related individual outside the country.

Purchase of ready-made proxy accounts: Another possible technique is the purchase of pre-existing proxy accounts. These accounts may be created and held by offshore associates or proxies located offshore.

Creating Fictitious Companies and Accounts: Fictitious companies and accounts may be created and used as correspondent accounts for money laundering purposes. This technique usually involves false identities, addresses and contact information to avoid regulation and scrutiny.

In recent years, the amount of money laundered through virtual currencies has been increasing globally. To help Virtual Asset Service Providers (VASPs) monitor transaction risks and implement AML compliance procedures, Beosin has combined its years of technical experience serving top global brands to create the Beosin KYT virtual asset AML compliance and analytics platform, which provides anti-money laundering (AML) technical support for VASPs in the Web3 ecosystem.

Beosin KYT is an intelligent analysis engine that relies on machine learning and deep learning technologies, combined with the Beosin Trace database, to check a wide range of transaction patterns and track hundreds of risk indicators. The KYT system monitors the movements of designated accounts in real time, obtains the latest transaction information for the monitored accounts immediately, detects high-risk transactions, and notifies users without delay. We also provide an easy-to-use interface and professional API integration solutions to meet the needs of regulators and enterprises across business scenarios.

Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities, with 40+ PhDs on the team and offices in 10+ countries. With the mission of "Securing Blockchain Ecosystem", Beosin provides an "All-in-one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has already audited more than 3000 smart contracts and protected more than $500 billion in client funds. You are welcome to contact us.
