[Co-author: Diana Milton]
Following one of the most turbulent years in crypto history, 2023 has, in contrast, unfolded as a year of reprieve, including from crypto threats. According to a July 12, 2023, report from blockchain analytics firm Chainalysis, in the first half of 2023, cryptocurrency transactional inflows to “known illicit entities” were down 65 percent compared with the same period in 2022.[1] Similarly, crypto inflows to “risky entities” were down 42 percent.[2] Meanwhile, according to Chainalysis, crypto inflows to legitimate services were down just 28 percent from the same period in 2022.[3] This data appears to indicate that while the overall crypto market experienced a downturn in the first half of 2023, the downturn may have been more severe for crypto threat actors. Despite this, certain illicit finance activities pose an increasing threat. The most notable of these have come in the form of ransomware, hacks, scams and threats from the North Korea-affiliated Lazarus Group.
Ransomware
According to Chainalysis, ransomware-related crypto transactions are on track to increase by the end of 2023, with approximately $175.8 million more in cryptocurrency extorted through ransomware by mid-2023 as compared with the same period in 2022.[4] Data from Chainalysis further indicates that as of June 2023, at least $449.1 million was stolen through ransomware activities.[5] If this trend continues, more will have been extorted from victims in 2023 than in all years other than 2021, when the high was reported at $939.9 million.[6] Publicly available data indicates that bitcoin continues to be the cryptocurrency of choice for ransomware payments.[7]
Although reports indicate a significant downturn in ransomware revenue between 2021 and 2022, data suggests that this may be due to victims’ increasing unwillingness to pay ransomware attackers rather than an actual decline in the number of ransomware attacks.[8] The reason behind the unwillingness could be the legal risks of entertaining, working with and paying ransomware attackers, or the changing outlook of cyber insurance firms.[9]
DeFi Hacks
Decentralized Finance (DeFi) services continue to be vulnerable to attack because of their semi-autonomous nature. Typically, to implement a patch or security fix, a DeFi service that is controlled by a decentralized autonomous organization (DAO) has to achieve consensus (agreement among the DAO token holders) to do so. Delays in reaching that agreement can prevent regular security updates from being implemented in advance. These and other DeFi vulnerabilities continue to result in successful “bridge” hacks, where smart contracts[10] holding millions of dollars’ worth of users’ cryptocurrency are exploited before users can complete the cross-chain activity the bridges support.
For example, on July 30, 2023, hackers exploited a vulnerability in a popular smart contract-oriented Ethereum Virtual Machine language that prevented the correct execution of the reentrancy guard, which would normally lock contracts to prevent multiple functions from being executed simultaneously.[11] This failure to execute the reentrancy guard allowed attackers to repeatedly call smart contracts before initial execution was complete. The attack resulted in an estimated loss of more than $50 million among the impacted DeFi exchanges. A “reentrancy attack” could ultimately result in an attacker draining a DeFi pool of all of its funds.[12]
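The mechanism described above, as an added illustration that is not from the original article or from any affected project: a Python model of a pool whose withdrawal pays out before updating its ledger, run once with the reentrancy guard enforced and once with the guard failing to execute. The `Pool` class, account names and amounts are all constructed for the example.

```python
# Toy model of a pool contract; all names and amounts are constructed.

class ReentrancyError(Exception):
    """A guarded function was entered while an earlier call was still running."""

class Pool:
    def __init__(self, deposits, guard_enforced):
        self.balances = dict(deposits)           # per-account ledger
        self.reserves = sum(deposits.values())   # funds the pool actually holds
        self.guard_enforced = guard_enforced     # False models the failed guard
        self._locked = False

    def withdraw(self, account, on_receive):
        if self.guard_enforced:
            if self._locked:
                raise ReentrancyError("withdraw re-entered")
            self._locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or amount > self.reserves:
                return 0
            self.reserves -= amount
            on_receive(amount)           # external call made before the ledger update
            self.balances[account] = 0   # ledger only updated after control returns
            return amount
        finally:
            if self.guard_enforced:
                self._locked = False

def simulate(guard_enforced):
    deposits = {"caller": 10, "user_a": 40, "user_b": 50}
    pool = Pool(deposits, guard_enforced)
    received, blocked = [], []

    def on_receive(amount):
        # The recipient's code runs mid-withdrawal and calls back into the pool.
        received.append(amount)
        try:
            pool.withdraw("caller", on_receive)
        except ReentrancyError:
            blocked.append(amount)

    pool.withdraw("caller", on_receive)
    paid = sum(received)
    return {"paid_out": paid, "reserves": pool.reserves,
            "blocked_reentries": len(blocked),
            "within_entitlement": paid <= deposits["caller"]}

if __name__ == "__main__":
    print("guard enforced:", simulate(True))
    print("guard failed:  ", simulate(False))
```

With the guard enforced, the nested call is rejected and the caller receives only its own deposit; with the guard not executing, the same call sequence empties the reserves that belong to the other depositors.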
In another recent DeFi hack, on August 18, 2023, decentralized credit market Exactly Protocol, which operates on the Optimism network, reportedly suffered a $12 million bridge exploit. According to reports, the hacker exploited a contract on Ethereum, transferred deposits to Optimism and then bridged the stolen funds back to Ethereum.[13] Just three days earlier, on August 15, 2023, decentralized exchange RocketSwap was reportedly hacked to the tune of 471 ETH worth approximately $866,000. According to reports, the exploit occurred due to a “private key compromise” from online servers.[14] And most recently, on September 24, 2023, a DeFi cross-chain trading network suffered a hack valued at $200 million. The hack was reportedly enabled by the network’s reliance on a centralized database, which exposed it to a single point of failure.[15]
Hacks of Centralized Exchanges
Crypto hackers also continue to target centralized exchanges. According to a July 2023 press release from the U.S. Department of Justice (DOJ), a centralized exchange was compromised when one of its smart contracts was exploited, allowing the threat actor to insert fake pricing data and fraudulently cause the smart contract to generate approximately $9 million of inflated fees. These fees were then laundered through token swaps, bridging, anonymized cryptocurrency and overseas cryptocurrency exchanges.[16] More recently, on September 25, 2023, the HTX cryptocurrency exchange reportedly suffered a hack of 500 ETH, for a loss of approximately $8 million.[17]
Scams
Traditionally, revenue generated by scams far outpaces other cryptocurrency-related crime. This year, however, reports indicate that total scam revenue has plummeted by 77 percent.[18] The frequency of impersonation scams, by contrast, appears to have increased by 49 percent since 2022, indicating that more people have fallen victim to this type of scam even though the total revenue generated by the scams appears to have decreased.[19] These scams can look like fraudulent social media posts promising a token giveaway on a well-known project’s social media account. Followers of the reputable account jump at the token only to be left hanging because, upon receipt of investor funds, the scammers fail to deliver the promised cryptocurrency.[20]
With heightened conversations and news coverage circulating around cryptocurrency, more people seek “a seat at the table” but in so doing risk falling victim to scams if they lack sufficient understanding of the crypto economy. Fraudulent transactions and scams thrive in that paradigm. For example, in March 2023, the U.S. Securities and Exchange Commission (SEC) shut down BKCoin Management LLC, the Miami-based investment adviser, in connection with a four-year-long crypto asset fraud scheme, through which BKCoin collected approximately $100 million from at least 55 investors. BKCoin represented that the investors’ money would be used to trade crypto assets and that the profits of such investments would be managed in separate accounts and private funds, when in reality investor funds were commingled and the money was used for personal gain and Ponzi-like payments.[21]
One specific type of cryptocurrency scam that presents a growing threat is known as “Pig Butchering.” On September 8, 2023, the U.S. Financial Crimes Enforcement Network (FinCEN) published a FinCEN Alert (Alert) titled “Prevalent Virtual Currency Investment Scam Commonly Known as ‘Pig Butchering.’”[22] According to the Alert, “The victims in this situation are referred to as ‘pigs’ by the scammers who leverage fictitious identities, the guise of potential relationships, and elaborate storylines to ‘fatten up’ the victim into believing they are in trusted partnerships … then refer to ‘butchering’ or ‘slaughtering’ the victim after victim assets are stolen, causing the victims financial and emotional harm.” The Alert notes that the “butchering” phase often involves convincing the victims to invest in virtual currency. According to the Alert, pig butchering scams “are largely perpetrated by criminal organizations based in Southeast Asia who use victims of labor trafficking to conduct outreach to millions of unsuspecting individuals around the world,” resulting in billions of dollars in losses to U.S. victims. The Alert explains the pig butchering scam methodology and provides a list of 15 red flag indicators to assist in identifying and reporting related suspicious activity.
Lazarus Group
The Lazarus Group, a cybercrime group run by the government of North Korea, has executed at least four separate multimillion-dollar cryptocurrency hacks since June of this year, according to the U.S. Federal Bureau of Investigation (FBI).[23] Three of the four most recent exploits involved centralized crypto service providers instead of DeFi.[24] The most recent of these incidents included a $41 million hack of an online casino and betting platform[25] and a $55 million hack of CoinEx, a centralized cryptocurrency exchange.[26] This indicates a tactical shift by the threat group, which in 2022 reportedly focused on targeting decentralized services.[27] A report recently released by a leading digital asset compliance and risk management company attributes to North Korea the theft of over $2 billion worth of cryptocurrency over the past five years and almost $200 million in 2023 alone – accounting for over 20 percent of all stolen cryptocurrency this year.[28]
How to Stay Safe in a Digital World
Companies can help prevent their services from being hacked by implementing comprehensive security protocols, searching for vulnerabilities and disclosing them among their network, and ensuring that software and hardware are consistently updated. Additionally, maintaining awareness of what flaws are being exploited can provide developers a road map for implementing more sophisticated security measures. For instance, in 2022 and thus far in 2023, smart contract hacking has resulted in several DeFi services being exploited. Improving smart contract auditing and development standards may go a long way toward preventing future hacks. Another important protective mechanism is educating workplace staff and employees about the risks associated with social engineering, so they are informed and prepared to avoid falling victim to phishing, smishing or other types of social engineering that could result in the loss of cryptocurrency to hacks, scams and other attacks by threat actors.
[1] Chainalysis, Crypto Crime Mid-year Update, Chainalysis: Crime (July 12, 2023), https://www.chainalysis.com/blog/crypto-crime-midyear-2023-update-ransomware-scams.
[2] Id.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Gary Peters, Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns, United States Senate Committee on Homeland Security & Governmental Affairs (2022), at 2, https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/HSGAC%20Majority%20Cryptocurrency%20Ransomware%20Report_Executive%20Summary.pdf; Jareth, Is ransomware driving up the price of Bitcoin?, Emsisoft Blog (Sept. 3, 2019), https://www.emsisoft.com/en/blog/33977/is-ransomware-driving-up-the-price-of-bitcoin/#:~:text=Bitcoin%20accounted%20for%20about%2098,part%20of%20the%20ransomware%20model.
[8] 2023 Crypto Crime Report, Chainalysis (Feb. 2023), at 33, https://go.chainalysis.com/rs/503-FAP-074/images/Crypto_Crime_Report_2023.pdf.
[9] Id. at 34.
[10] “Smart contracts are digital contracts stored on a blockchain that are automatically executed when predetermined terms and conditions are met.” See What are smart contracts on blockchain?, IBM, https://www.ibm.com/topics/smart-contracts; see also Introduction to Smart Contracts, Ethereum Foundation, https://ethereum.org/en/developers/docs/smart-contracts/ (“a ‘smart contract’ is [] a program that runs on the Ethereum blockchain. It’s a collection of code (its functions) and data (its state) that reside at a specific address on the Ethereum blockchain.”).
[11] Ana Paula Pereira, Breaking: Curve Finance pools exploited by over $47M due to reentrancy vulnerability, Cointelegraph (July 30, 2023), https://cointelegraph.com/news/curve-finance-pools-exploited-over-24-reentrancy-vulnerability.
[12] Id.
[13] Oliver Knight, Crypto Lender Exactly Hit by $12M Bridge Exploit, CoinDesk (Aug. 18, 2023), https://www.coindesk.com/business/2023/08/18/crypto-lender-exactly-hit-by-12m-bridge-exploit/.
[14] Nivesh Rustgi, Meme Coin Base DEX RocketSwap Hit by $866K Exploit, Decrypt (Aug. 15, 2023), https://decrypt.co/152519/meme-coin-base-dex-rocketswap-hit-866k-exploit.
[15] Sam Reynolds, Mixin Network Losses Nearly $200M in Hack, CoinDesk (Sept. 25, 2023), https://www.coindesk.com/tech/2023/09/25/mixin-network-losses-nearly-200m-in-hack/.
[16] Former Security Engineer For International Technology Company Arrested For Defrauding Decentralized Cryptocurrency Exchange, U.S. Attorney’s Office, S.D.N.Y. (July 11, 2023), https://www.justice.gov/usao-sdny/pr/former-security-engineer-international-technology-company-arrested-defrauding.
[17] Oliver Knight, Crypto Exchange HTX Lost $8M of Ether Due to a Hack, Justin Sun Says, CoinDesk (Sept. 25, 2023), https://www.coindesk.com/business/2023/09/25/crypto-exchange-htx-lost-8m-of-ether-due-to-a-hack-justin-sun-says/.
[18] Crypto Crime Mid-year Update.
[19] Id.
[20] Brayden Lindrea, Blockchain Capital’s X account hacked to promote token claim scam, Cointelegraph (Aug. 9, 2023), https://cointelegraph.com/news/blockchain-capital-x-twitter-hacked-promoting-token-claim-scam.
[21] SEC Files Emergency Action Against Miami Investment Adviser BKCoin and Principal Kevin Kang for Orchestrating $100 Million Crypto Fraud Scheme, U.S. S.E.C. (Mar. 6, 2023), https://www.sec.gov/news/press-release/2023-45?utm_medium=email&utm_source=govdelivery.
[22] FinCEN Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering”, U.S. Financial Crimes Enforcement Network, FIN-2023-Alert0005 (Sept. 8, 2023), at 1, https://www.fincen.gov/sites/default/files/shared/FinCEN_Alert_Pig_Butchering_FINAL_508c.pdf.
[23] FBI Identifies Cryptocurrency Funds Stolen by DPRK, FBI (Aug. 22, 2023), https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk.
[24] FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com, FBI (Sept. 6, 2023), https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom.
[25] Id.
[26] Ezra Reguerra, North Korea’s Lazarus Group responsible for $55M CoinEx hack: Report, Cointelegraph (Sept. 13, 2023), https://cointelegraph.com/news/coinex-north-korea-s-lazarus-group-responsible-for-55-m-coin-ex-hack-report.
[27] Elliptic Research, How the Lazarus Group is stepping up crypto hacks and changing its tactics, Elliptic (Sept. 15, 2023), https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics.
[28] Inside North Korea’s Crypto Heists: $200M in Crypto Stolen in 2023; Over $2B in the Last Five Years, TRM (Aug. 18, 2023), https://www.trmlabs.com/post/inside-north-koreas-crypto-heists.