Beosin: How Top Hackers Steal and Launder Cryptocurrencies
Author: Beosin
Do you still remember the Euler Finance attack in March this year, in which close to 200 million US dollars was stolen?
After several rounds of negotiations between Euler Labs and the attackers, the attackers have returned all funds stolen from the protocol.
At first, the Euler Finance attackers transferred 100 ETH to a state-backed hacker organization (also behind the Ronin security incident) in an attempt to confuse the public. The hacker group subsequently sent an on-chain message to Euler's attackers, asking them to decrypt an encrypted message.
In the transaction that carried this message, the state-backed hacking group sent 2 ETH to the Euler attackers. But experts say the message was a phishing attempt aimed at stealing the private keys of the Euler attackers' wallet.
A typical case of "black eating black" (criminals preying on criminals)? It is understood that the state-backed hacking group has long been conducting cyberattacks on cryptocurrency businesses and has assembled several specialized teams to carry out attacks and launder the stolen funds.
Today, with the help of the Beosin KYT anti-money-laundering and analysis platform, we look at how this state-level hacker group attacks and launders cryptocurrencies.
(Image source: etda.or.th)
Recently, a foreign threat-intelligence company analyzed the attack activity of this state-backed hacker organization (hereinafter "the hacker group"), including its attacks on cryptocurrency targets. According to the researchers, the hacker group uses phishing to infect the target, then intercepts large cryptocurrency transfers, changes the recipient address and raises the transfer amount to the maximum, aiming to drain the account in a single transaction.
How did your cryptocurrency get hacked?
Spear-phishing emails as bait
Hacker groups use spear-phishing emails sent from fake or impersonated personas to approach their targets; the linked sites contain fake login pages that trick victims into entering their account credentials.
(Image source: Kaspersky)
Malicious Android apps
Foreign threat-intelligence firms have observed the hacking group using malicious Android apps aimed at Chinese users seeking cryptocurrency loans; the app and its associated domains may harvest user credentials.
Hacker groups have even set up fake cryptocurrency software development companies to trick victims into installing legitimate-looking apps that install backdoors when they are updated.
Experts believe the hacker group is actively testing new malware delivery methods, such as infecting victims through previously unused file types: new Visual Basic Script files, hidden Windows batch files and Windows executables.
Replacing the MetaMask extension
Once the hacker group gains access to a user's host, it monitors the user for weeks or months, collecting keystrokes and observing the user's daily operations.
If the hacker group finds that the target uses a browser extension wallet (such as MetaMask), it changes the extension source from the Web Store to local storage and replaces the extension's core component (background.js) with a tampered version.
(Images source: Kaspersky)
In the case studied, the hackers set up monitoring of transactions between specific sender and recipient addresses; when a large transfer is detected, the tampered extension triggers a notification and diverts the funds.
(Image source: Kaspersky)
As a precaution, check whether the browser has developer mode enabled. If you do use developer mode, make sure that important extensions were installed from the official Web Store rather than loaded from a local folder.
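One way to make that check routine, as an added example that is not part of the original article: parse the browser's extension settings and flag any extension that was not installed from the Web Store, with wallet extensions highlighted. It assumes Chromium's Preferences layout (extensions.settings.<id>.location, where 1 means a Web Store install and 4 means loaded unpacked in developer mode); the sample JSON is constructed.

```python
import json

# Chromium records each installed extension under extensions.settings.<id> in
# its Preferences / Secure Preferences JSON. "location" is Chromium's
# ManifestLocation enum: 1 = INTERNAL (Web Store install), 4 = UNPACKED (loaded
# from a local directory in developer mode). The field names and enum values
# are assumptions drawn from Chromium, not something the article states.
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4

def audit_extensions(prefs_json: str) -> list[dict]:
    """Return one finding per extension that did not come from the Web Store."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location == LOCATION_INTERNAL:
            continue  # genuine Web Store install: nothing to report
        name = entry.get("manifest", {}).get("name", ext_id)
        if location == LOCATION_UNPACKED:
            reason = "loaded unpacked in developer mode from %s" % entry.get("path")
        else:
            reason = "not a Web Store install (location=%r)" % location
        findings.append({"id": ext_id, "name": name, "reason": reason,
                         # a side-loaded copy of a wallet is the pattern to worry about
                         "wallet": "metamask" in name.lower()})
    return findings

# Constructed sample: one genuine Web Store MetaMask entry and a second copy of
# MetaMask side-loaded from a local directory. Ids and paths are placeholders.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\10.0.0_0",
        "manifest": {"name": "MetaMask"}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 4,
        "path": "/home/user/.local/metamask-patched",
        "manifest": {"name": "MetaMask"}},
}}})

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS):
        print("%s [%s]: %s" % (f["name"], f["id"], f["reason"]))
```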
Social engineering attacks
The Beosin security research team also found that hacking groups may use social engineering methods, such as counterfeiting trading platforms and sending fraudulent emails, to trick users into transferring cryptocurrency to the attackers' accounts.
Counterfeit trading platform: pretending to be a well-known cryptocurrency trading platform and tricking users into entering their account information on a fake website or application, thereby stealing the users' assets.
Fund fraud: creating fake cryptocurrency funds, promising users high returns and guiding them to invest, then transferring the users' money to other accounts and shutting the fund down.
Social media fraud: using social media platforms such as Twitter, Telegram and Reddit to pose as cryptocurrency trading experts or investors, publishing false investment advice or price analysis to lure users into investing, thereby defrauding them of funds.
Further reading: A crypto influencer hit by a Trojan had a large amount of wallet assets stolen. What lessons does it offer us?
How Do Hackers Launder Cryptocurrencies?
Laundering through mixers
Hacker organizations also use Tornado Cash, the most popular mixer on the Ethereum blockchain, to move funds. One example is the 2020 theft from an exchange, in which the stolen funds exceeded 270 million US dollars.
(Image: Beosin KYT fund flow map of the hacker group's addresses)
So, what is Tornado Cash?
Tornado Cash is a privacy-preserving protocol on Ethereum designed to give users completely anonymous cryptocurrency transactions. It is based on zk-SNARK (zero-knowledge proof) technology, which allows users to transact without exposing any personal information, thereby protecting their privacy.
Tornado Cash works by mixing users' tokens together so that they become untraceable. Users first send tokens to a smart contract, which pools them with other users' tokens. After mixing is complete, a user can withdraw the same amount of tokens from the smart contract, but these tokens have been mixed and cannot be linked to the tokens originally sent.
Tornado Cash supports Ethereum (ETH) and ERC-20 tokens, and users can choose different "mixing pools" for their transactions. Tornado Cash can also be used to send completely anonymous tokens to other people, which makes it an important privacy tool.
It is important to note that Tornado Cash only provides privacy protection, not anonymity: users must take appropriate steps to keep their identities from being tracked by other means. Using Tornado Cash also requires paying certain transaction fees, which may be higher than normal transaction fees.
Other common coin mixers include:
Blender.io: a virtual currency mixer established in 2017 that runs on the Bitcoin blockchain, and the first mixer to be sanctioned by the US Department of the Treasury.
CoinMixer: an old Bitcoin mixing protocol that has existed since 2017 and is currently not subject to government sanctions.
ChipMixer: a dark web cryptocurrency mixer run by a Vietnamese operator, which has laundered more than $3 billion worth of cryptocurrency since 2017. Its website and backend servers were seized by the Federal Police on March 15, 2023.
Umbra: a protocol that allows users to transfer money privately on Ethereum; its defining feature is that only the sender and the recipient know who received the transfer.
CoinJoin: one of the oldest mixing techniques, developed for Bitcoin (BTC) and Bitcoin Cash (BCH).
In addition to dedicated mixers, swapping between virtual currencies on decentralized exchanges such as FixedFloat, SideShift and ChangeNOW can also serve the purpose of money laundering.
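To make the two laundering paths above concrete (a mixer deposit that cannot be followed on-chain, and swap services that can), here is an added example, not Beosin's KYT code, of the kind of forward fund-flow trace such a platform performs. It assumes a constructed transfer list with placeholder addresses and treats reachability as binary taint, ignoring amounts; the trace stops at a mixer deposit and records it, since the withdrawal side cannot be linked from the transfer graph alone.

```python
from collections import deque

# Constructed sample ledger: (tx_id, sender, recipient, amount). All values
# are placeholders, not real on-chain data.
TRANSFERS = [
    ("tx1", "exploiter", "hop1", 100.0),
    ("tx2", "hop1", "MIXER", 50.0),          # deposit into a mixer contract
    ("tx3", "hop1", "hop2", 50.0),
    ("tx4", "hop2", "swap_service", 50.0),   # instant-swap service (FixedFloat-style)
    ("tx5", "swap_service", "cashout", 49.0),
    ("tx6", "clean_user", "cashout", 10.0),  # unrelated inflow, must not be tainted
    ("tx7", "MIXER", "fresh_wallet", 50.0),  # mixer withdrawal: unlinkable on-chain
]
MIXER_ADDRESSES = {"MIXER"}

def trace_taint(transfers, sources, max_hops=5):
    """Breadth-first forward trace from `sources`.

    Returns (reached, mixer_deposits): `reached` maps each address that received
    funds traceable to a source to (hop_count, path); `mixer_deposits` lists
    (tx_id, depositor, amount) for every transfer into a mixer, where the trace
    deliberately stops because the link is broken by the mixer."""
    out_edges = {}
    for tx, src, dst, amt in transfers:
        out_edges.setdefault(src, []).append((tx, dst, amt))
    reached = {s: (0, [s]) for s in sources}
    queue = deque(sources)
    mixer_deposits = []
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        if hops >= max_hops:
            continue
        for tx, dst, amt in out_edges.get(addr, []):
            if dst in MIXER_ADDRESSES:
                mixer_deposits.append((tx, addr, amt))
                continue  # do not follow: withdrawals are not linkable to this deposit
            if dst not in reached:
                reached[dst] = (hops + 1, path + [dst])
                queue.append(dst)
    return reached, mixer_deposits

if __name__ == "__main__":
    reached, deposits = trace_taint(TRANSFERS, ["exploiter"])
    for addr, (hops, path) in sorted(reached.items(), key=lambda kv: kv[1][0]):
        print("%-13s hops=%d via %s" % (addr, hops, " -> ".join(path)))
    print("mixer deposits:", deposits)
```

The alert a KYT system would raise here is twofold: the cashout address is four hops from the exploiter via a swap service, and a mixer deposit was made along the way, so any later outflow from the mixer needs off-chain evidence (timing, amounts, counterparties) before it can be attributed.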
Laundering through hash power leasing or cloud mining services
The hacking group used cryptocurrency to pay for services, including purchasing domain names, and may also have used hash power leasing and cloud mining services to turn stolen cryptocurrency into clean coins.
(Image: hackers using stolen bitcoin to pay for Namecheap services. Source: Mandiant)
(Image: the hacker group laundering money through a hash power rental service. Source: Mandiant)
Laundering through darknet markets
Cryptocurrency exchanges on darknet markets may be used by hacking groups to launder money. These markets allow anonymous transactions in which hackers can convert dirty money into spendable funds.
The process of hackers using darknet markets to launder cryptocurrency can be roughly divided into the following steps:
1. Find buyers on darknet markets: the hackers look for buyers who want to purchase cryptocurrency on darknet markets. These markets offer many tools and services for anonymous transactions, which makes it easier for the hackers to trade while reducing the risk of being discovered.
2. Prepare the cryptocurrency to be laundered: the hackers need the cryptocurrency obtained from illicit activity ready to move quickly at the time of the transaction, reducing the risk that the transaction is traced.
3. Complete the transaction: the hackers complete the transaction through the anonymous trading tools and services of the darknet market, transferring the cryptocurrency to the buyer's address. These transactions may involve several cryptocurrencies and payment methods.
4. Move the laundered proceeds into legitimate channels: the hackers need to transfer the proceeds obtained from darknet markets into legitimate channels so that they can use the funds for daily life and business activity. This may include converting cryptocurrency to fiat currency or investing it in other legal assets.
Laundering with proxy accounts
Hacker groups may use proxy accounts to avoid being tracked. These proxy accounts may be held by overseas associates or overseas students.
The following are possible proxy account money laundering techniques:
Money laundering by controlling other people's accounts: the organization or its agents may take control of other people's bank accounts to launder money. The controlled accounts may belong to overseas compatriots or to closely related individuals.
Buying a ready-made proxy account: another possibility is to buy a pre-existing proxy account. These accounts may be created and held by overseas associates or overseas agents.
Creating fake companies and accounts: fake companies and accounts may be created and used as proxy accounts for money laundering. Such tactics usually involve false identities, addresses and contact information to evade supervision and scrutiny.