North Korea stole $293m in crypto. Then it used a victim's products to launder the proceeds

North Korean hackers have plagued the crypto industry for almost a decade. Illustration: Hilary B; Source: Shutterstock/Alexander Khitrov
  • North Korea used LayerZero to hack Kelp DAO.
  • The attackers then used the crypto bridge when laundering the stolen funds.
  • Other crypto bridges handled the vast majority of laundering activity.

The crypto industry has been left reeling after North Korean hackers stole a combined $579 million from onchain apps in less than 20 days.

Beyond the financial damage inflicted, the latest incident, a $293 million theft from crypto app Kelp DAO, has killed morale and sparked a crisis of confidence across many parts of the $2.7 trillion industry.

To make the attack possible, hackers from the hermit kingdom compromised an application built on top of LayerZero, a popular app for sending crypto between unconnected blockchains. This allowed hackers to send a fake message instructing the application to release the funds to them.

If that wasn't bad enough, the hackers returned days later to use LayerZero to send portions of the stolen funds to different blockchains as part of an elaborate laundering scheme.

So far, the North Korean hackers have sent at least $500,000 through LayerZero, onchain records show.

It’s the first documented instance in which the same app served as both the attack vector and one of the methods used to launder the stolen funds.

LayerZero did not immediately respond to a request for comment.

‘Standardised business operations’

State-funded North Korean hackers have plagued the crypto industry for almost a decade.

But in recent years, their attacks have become more organised, sophisticated and damaging to the industry.

Last year, North Korean attackers stole an unprecedented $1.5 billion from Bybit by compromising employees at Safe, the crypto exchange’s wallet provider.

“We are seeing these actors treat exploits as standardised business operations, characterised by infrastructure reuse and the exploitation of settlement corridors with the efficiency of a global enterprise,” Matt Price, vice president of investigations at Elliptic, a crypto security firm, told DL News.

In response, crypto security researchers have urged developers to shore up their defences.

“Security is no longer just about the integrity of the protocol’s code. Operational security is now equally critical,” Yajin Zhou, co-founder of blockchain security firm BlockSec, told DL News. “If the operational rails are weak, the code's security becomes irrelevant.”

David Schwed, chief operating officer at SVRN and a cybersecurity expert who led development of BNY Mellon’s digital asset offerings, told DL News earlier this week that projects need to hire seasoned chief information security officers and empower them to bring in teams of experts to build robust security systems.

Crypto security firm Halborn has also warned against projects that create single points of failure, which attackers can exploit with devastating consequences.

Laundering schemes

Hackers can’t just send stolen crypto to an exchange to cash it out; it would be easily spotted and confiscated.

To avoid this, hackers set up elaborate laundering schemes that split the money into small chunks and repeatedly send it across different wallets and blockchains to help distance it from its source.

That’s where LayerZero comes in. Hackers used it to send a portion of the stolen funds from Arbitrum, a layer 2 blockchain, to Tron.

In addition to preventing the hacks in the first place, security researchers are also pressing developers to make it more difficult for hackers to launder stolen funds.

One way is to block wallets identified as belonging to hackers from sending transactions to bridges. Another is to use safeguards to recover the funds the hackers stole.

This is what Arbitrum’s Security Council chose to do on Monday: take back some $71 million stolen in the Kelp DAO hack, which North Korean operatives had sent to the blockchain.

To be sure, LayerZero handled only a comparatively small amount of laundering.

Other crypto bridges, such as Thorchain, are consistently the preferred choice for North Korean hackers.

Following last year’s hack of Bybit, North Korean hackers also used Thorchain to launder $900 million in stolen funds.

“Everyone say thank you to Thorchain for providing such a valuable service to DPRK and helping them get away once again,” said security researcher Taylor Monahan after North Korean hackers used Thorchain to swap nearly $175 million stolen from Kelp DAO into Bitcoin.

“Thorchain’s decentralised nature does not fully insulate it from the legal ramifications of facilitating illicit transactions,” Yuriy Brisov, a partner at crypto legal consulting firm D&A Partners, previously told DL News.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
