{"id":14698,"date":"2022-04-23T19:13:30","date_gmt":"2022-04-23T19:13:30","guid":{"rendered":"http:\/\/egrowonline.com\/?p=14698"},"modified":"2022-04-23T19:13:30","modified_gmt":"2022-04-23T19:13:30","slug":"north-korea-hackers-still-accessing-money-they-stole-from-axie-infinity","status":"publish","type":"post","link":"http:\/\/egrowonline.com\/?p=14698","title":{"rendered":"North Korea hackers still accessing money they stole from Axie Infinity"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<div class=\"teaser-content grid-center\">\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">North Korean hackers who last month carried out one of the largest cryptocurrency thefts ever are still laundering their haul more than a week after they were identified as the thieves.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">The cybercriminals\u2019 continued access to the money, more than $600 million stolen from the Axie Infinity video game, underscores the limits of law enforcement\u2019s ability to stop the flow of illicit cryptocurrency across the globe. 
The hackers are still moving their loot, most recently about $4.5 million worth of the Ethereum currency on Friday, according to data from cryptocurrency tracking site Etherscan \u2014 eight days after the Treasury Department attempted to freeze those assets by sanctioning the digital wallet the group used in its attack.<\/p>\n<\/div>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">The gang, which the Treasury Department <a target=\"_blank\" href=\"https:\/\/www.washingtonpost.com\/technology\/2022\/04\/14\/us-links-axie-crypto-heist-north-korea\/?itid=lk_inline_manual_5\" rel=\"noopener\">identified<\/a> as the Lazarus Group, also known for the 2014 hacking of Sony Pictures, so far has laundered nearly $100 million \u2014 about 17 percent \u2014 of the stolen crypto, <a target=\"_blank\" href=\"https:\/\/www.elliptic.co\/blog\/540-million-stolen-from-the-ronin-defi-bridge\" rel=\"noopener\">according<\/a> to blockchain analytics firm Elliptic. They moved their haul beyond the immediate reach of U.S. authorities by converting it into the cryptocurrency Ethereum, which unlike the cryptocurrency they stole cannot be hobbled remotely. 
Since then, the gang has worked to obscure the crypto\u2019s origins primarily by sending installments of it through a program called Tornado Cash, a service known as a mixer that pools digital assets to hide their owners.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p><span class=\"font--article-body font-copy hide-for-print ma-0 pb-md db italic interstitial\"><a target=\"_blank\" data-qa=\"interstitial-link\" href=\"https:\/\/www.washingtonpost.com\/politics\/2022\/04\/22\/among-top-hacking-nations-north-koreas-weirdest\/?itid=lk_interstitial_manual_6\" rel=\"noopener\">Among top hacking nations, North Korea\u2019s the weirdest<\/a><\/span><\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Authorities and major crypto industry players are scrambling to keep up. Treasury <a target=\"_blank\" href=\"https:\/\/home.treasury.gov\/policy-issues\/financial-sanctions\/recent-actions\/20220422\" rel=\"noopener\">sanctioned<\/a> three more addresses associated with the gang on Friday, as Binance, a large international crypto exchange, <a target=\"_blank\" href=\"https:\/\/twitter.com\/cz_binance\/status\/1517385438469791749?s=20&amp;t=6sxAYXD9fXHmOgDTZ0DTkw\" rel=\"noopener\">announced<\/a> it had frozen $5.8 million worth of crypto the hackers had transferred onto its platform.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">The cat-and-mouse game unfolding between law enforcement and the North Korean hackers is another example of how criminals have learned to target the growing crypto economy\u2019s weak points. 
They exploit faulty code in decentralized crypto platforms, use tools that help them hide their tracks such as converting assets to privacy-enhancing cryptocurrencies like Monero, and take advantage of spotty law enforcement coordination across international borders.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">The North Korean case also trains a spotlight on a crypto industry eager to demonstrate its trustworthiness to regulators, investors and customers, while retaining crypto\u2019s freewheeling ethos. Some of the largest companies in the sector say they welcome government oversight and tout their investments in internal compliance programs.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Yet a review by The Washington Post of crypto accounts sanctioned by the Treasury Department over the last year-and-a-half found four wallets that remained free to transact months after being placed on the administration\u2019s blacklist. The apparent lapses are owed to flawed or incomplete compliance programs by Tether and Centre Consortium, a pair of companies involved in issuing so-called stablecoins, a type of cryptocurrency whose value is pegged to an external asset, typically the dollar.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">\u201cWe\u2019re at a particularly important moment: Everyone is still learning what\u2019s possible and how attacks might occur, and the borderless nature of crypto makes it difficult to enforce standards globally,\u201d said Chris DePow, a compliance official at Elliptic. \u201cThese are people acting all over the world. 
Even if you enforce very well in one jurisdiction, if there are other jurisdictions with weaker enforcement, you&#8217;re still going to end up with a problem.\u201d<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Digital thieves are on track for a record-breaking year. They stole $1.3 billion worth of cryptocurrency in the first three months of the year, after seizing $3.2 billion in 2021, according to blockchain data firm Chainalysis. Hackers pulled off another <a target=\"_blank\" href=\"https:\/\/twitter.com\/peckshield\/status\/1515671775085928448\" rel=\"noopener\">major heist<\/a> last Sunday, stealing about $76 million worth of digital assets from a crypto project called Beanstalk, according to Etherscan data.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p><span class=\"font--article-body font-copy hide-for-print ma-0 pb-md db italic interstitial\"><a target=\"_blank\" data-qa=\"interstitial-link\" href=\"https:\/\/www.washingtonpost.com\/technology\/2022\/04\/14\/us-links-axie-crypto-heist-north-korea\/?itid=lk_interstitial_manual_17\" rel=\"noopener\">North Korean hackers linked to $620 million Axie Infinity crypto heist<\/a><\/span><\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">As cybercriminals\u2019 successes mount, so does the urgency for U.S. authorities, who have come to <a target=\"_blank\" href=\"https:\/\/www.washingtonpost.com\/national-security\/revil-ransomware-arrests-doj\/2021\/11\/08\/9432dfc2-409f-11ec-a88e-2aa4632af69b_story.html?itid=lk_inline_manual_18\" rel=\"noopener\">view<\/a> the attacks as threats to national security. 
The Lazarus Group, for one, is an important funding source for North Korea\u2019s nuclear and ballistic missile programs, according to United Nations investigators. And Russian hackers last spring temporarily hobbled the operations of a critical American fuel pipeline and the world\u2019s largest meat supplier, relenting only after collecting multimillion-dollar ransoms in cryptocurrency. (Much of the Colonial Pipeline ransom was <a target=\"_blank\" href=\"https:\/\/www.washingtonpost.com\/business\/2021\/06\/07\/colonial-pipeline-ransomware-payment-recovered\/?itid=lk_inline_manual_18\" rel=\"noopener\">later recovered<\/a>.)<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">The Russian invasion of Ukraine has sharpened policymakers\u2019 focus on the issue. Some lawmakers have worried that Russian government and oligarchs could use crypto to evade the international sanctions choking off their access to traditional financial channels.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">So far, they haven\u2019t. \u201cIt\u2019s hard to imagine that occurring using crypto,\u201d Treasury Secretary Janet Yellen said on Thursday. But the department is also signaling it is not taking chances. 
It leveled sanctions against Russian crypto mining firm Bitriver and 10 of its subsidiaries on Wednesday, explaining in a statement the Biden administration \u201cis committed to ensuring that no asset, no matter how complex, becomes a mechanism for the Putin regime to offset the impact of sanctions.\u201d<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p><span class=\"font--article-body font-copy hide-for-print ma-0 pb-md db italic interstitial\"><a target=\"_blank\" data-qa=\"interstitial-link\" href=\"https:\/\/www.washingtonpost.com\/business\/2022\/03\/03\/crypto-sanctions-russia\/?itid=lk_interstitial_manual_23\" rel=\"noopener\">Crypto industry says it is complying with Russian sanctions, as some policymakers ring alarms<\/a><\/span><\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">U.S. authorities are also continuing to target Russian cybercriminals and the crypto platforms they rely on to enable their attacks. Earlier this month, U.S. law enforcement <a target=\"_blank\" href=\"https:\/\/home.treasury.gov\/news\/press-releases\/jy0701\" rel=\"noopener\">announced<\/a> the shutdown of Russia-based Hydra Market, a dark net marketplace allegedly selling hacked personal info, drugs and hacking services.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">As part of the crackdown, Treasury also sanctioned Garantex, a Russian crypto exchange that the department said had processed more than $100 million in illegal transactions, including $2.6 million associated with Hydra. 
Treasury said the move built on sanctions it enacted last year against two other Russian crypto exchanges, Suex and Chatex, which all operated out of the same office tower in Moscow\u2019s financial district.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">The designations mean any crypto company interacting with the U.S. financial system should block transactions with the sanctioned entities, Elliptic\u2019s DePow said. Yet The Post\u2019s review found that neither Tether nor Centre Consortium have blocked all transactions involving sanctioned addresses.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Tether continues to allow transactions with crypto accounts that allegedly belong to Chatex, over half of whose business was tied to illicit or high-risk activities including <a target=\"_blank\" href=\"https:\/\/www.washingtonpost.com\/business\/2021\/05\/12\/ransomware-attack\/?itid=lk_inline_manual_29\" class=\"contextual_link\" rel=\"noopener\">ransomware<\/a> attacks, according to Treasury. <a target=\"_blank\" href=\"https:\/\/etherscan.io\/address\/0x6acdfba02d390b97ac2b2d42a63e85293bcc160e\" rel=\"noopener\">One Tether address<\/a> received and then sent about $15,000 as recently as April 19, according to a Post review of blockchain data from Etherscan. 
<a target=\"_blank\" href=\"https:\/\/etherscan.io\/address\/0x48549a34ae37b12f6a30566245176994e17c6b4a\" rel=\"noopener\">Another<\/a> received, then sent, nearly $42,000 in the past six months.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">In a statement, Tether said that it \u201cconducts constant market monitoring to ensure that there are no irregular movements or measures that might be in contravention of applicable international sanctions.\u201d Chatex didn\u2019t respond to requests for comment.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Not all transactions involving sanctioned addresses are nefarious: Sometimes mainstream exchanges consolidate funds held in sanctioned accounts that no longer benefit the accused hackers who formerly owned them. And sometimes Treasury approves individual transactions with sanctioned accounts.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p><span class=\"font--article-body font-copy hide-for-print ma-0 pb-md db italic interstitial\"><a target=\"_blank\" data-qa=\"interstitial-link\" href=\"https:\/\/www.washingtonpost.com\/world\/2022\/01\/14\/russia-hacker-revil\/?itid=lk_interstitial_manual_34\" rel=\"noopener\">Russia arrests 14 alleged members of REvil ransomware gang, including hacker U.S. says conducted Colonial Pipeline attack<\/a><\/span><\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Separately, Centre Consortium \u2014 a joint venture between U.S. 
crypto companies Coinbase and Circle that issues USD Coin, the second-largest stablecoin \u2014 failed to freeze three wallets belonging to Russian hackers until months after Treasury sanctioned them. Two of the accounts, blacklisted in September 2020, belong to Artem Lifshits and Anton Andreyev, employees of the Russian hacking group that spearheaded the country\u2019s interference in the 2016 U.S. presidential election. A third was associated with Yevgeniy Polyanin, whom Treasury sanctioned in November for conducting ransomware attacks as part of the REvil cybercriminal gang.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Centre did not freeze those wallets until March 29, when a spokesman said the company conducted a review of sanctioned accounts and discovered it \u201cjust hadn\u2019t caught those addresses.\u201d The wallets didn\u2019t transact during that time.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">\u201cWe\u2019re constantly reviewing what we\u2019re doing to ensure we\u2019re state of the art in our compliance,\u201d the Centre spokesperson said. \u201cThrough that review we identified three addresses that had been missed, and we acted immediately.\u201d<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Treasury requires U.S. companies to freeze sanctioned accounts as soon as it blacklists them and report they have done so within 10 days, said John Smith, a former director of the department\u2019s Office of Foreign Assets Control and now a partner at Morrison &amp; Foerster. 
The department can apply stiff penalties to violators even if they didn\u2019t know they were out of compliance, he said, though it tends to focus on more egregious cases.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">\u201cThey go after entities or individuals they think intentionally or recklessly violated sanctions,\u201d Smith said.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">A Treasury spokesperson did not respond to a request for comment.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">Neither did Tornado, when approached through a founder. That mixer is how whoever stole $75 million from the Beanstalk project also laundered their proceeds. That has upset investor A.J. Pikul, who <a target=\"_blank\" href=\"https:\/\/twitter.com\/AndrewPikul\/status\/1515694173629947916\" rel=\"noopener\">says<\/a> he lost about $150,000 in the hack. 
\u201cI\u2019m not super happy about the ability to launder funds through crypto at all, to be honest,\u201d he told The Post by email.<\/p>\n<\/div>\n<div class=\"article-body\" data-qa=\"article-body\">\n<p data-qa=\"drop-cap-letter\" data-el=\"text\" class=\"font-copy font--article-body gray-darkest ma-0 pb-md\">\u201cI feel like we\u2019re in a digital arms race between the good guys and the bad guys,\u201d he said.<\/p>\n<\/div>\n<section class=\"b bt bc-offblack dn-ns hide-for-print\" \/><\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/www.washingtonpost.com\/technology\/2022\/04\/23\/north-korea-hack-crypto-access\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean hackers who last month carried out one of the largest cryptocurrency thefts ever are still laundering their haul more than a week after they were identified as the thieves. The cybercriminals\u2019 continued access to the money, more than $600 million stolen from the Axie Infinity video game, underscores 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14699,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[36],"tags":[7530,3140,3562,3141,1009,71,1008,3563],"class_list":["post-14698","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency","tag-accessing","tag-axie","tag-hackers","tag-infinity","tag-korea","tag-money","tag-north","tag-stole"],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"http:\/\/egrowonline.com\/wp-content\/uploads\/2022\/04\/73EWOMVZ4YI6ZKJNY5R55AMMEE.jpgw1440.jpeg","_links":{"self":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/14698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14698"}],"version-history":[{"count":1,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/14698\/revisions"}],"predecessor-version":[{"id":14700,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/14698\/revisions\/14700"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/media\/14699"}],"wp:attachment":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/egrowonlin
e.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14698"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}