SharkTeam: 2023 Cryptocurrency Crime Analysis Report

Intermediate1/23/2024, 7:05:18 PM
This article describes some reports of blockchain crimes, mainly including contract risks, phishing attacks, Rugpull and fraud, ransomware, money laundering, and current sanctions and regulatory measures.

In 2023, the Web3 industry experienced more than 940 security incidents, large and small, which increased by more than 50% compared to 2022, and lost $1.79 billion. Among them, the third quarter had the highest number of security incidents (360 cases) and the biggest loss (7.4) USD billion), and losses increased 47% over 2022. In particular, in July, 187 security incidents occurred, and losses amounted to US$350 million.

Figure: Number of quarterly/monthly security incidents for Web 3 2023

Figure: Web 3 2023 quarterly/monthly security incident losses (in millions of dollars)

First, hacker attacks are still a major cause of significant losses. There were 216 hacking incidents throughout 2023, causing $1.06 billion in losses. Contract breaches, private key theft, phishing attacks, and national hacking are still important reasons threatening the security of the Web3 ecosystem.

Second, Rugpull and treasury fraud is on the rise. There were 250 Rugpull and Scam fraud cases in 2023, with the most frequent occurrence of such incidents on BNBChain. Fraudulent projects attract investors to participate by posting seemingly attractive crypto projects, and provide some false liquidity. Once sufficient funds are attracted, all funds are suddenly stolen and assets are transferred. This type of fraud causes serious financial losses to investors, and also greatly increases the difficulty for investors to choose the right project.

Additionally, ransomware is trending using cryptocurrencies to collect ransoms, such as Lockbit, Conti, Suncrypt, and Monti. Cryptocurrency is more difficult to track than fiat money, and how to use on-chain analysis tools to track and locate ransomware gangs is also becoming more important.

Finally, in criminal activities such as cryptocurrency hacking attacks and fraudulent extortion, criminals often need to launder money through on-chain fund transfers and OTC after obtaining cryptocurrency. Money laundering usually uses a mix of decentralized and centralized methods. Centralized exchanges are the most concentrated places for money laundering, followed by on-chain coin mixing platforms.

2023 is also a year of substantial development in Web3 regulation. FTX2.0 was restarted, Binance was sanctioned, USDT banned addresses such as Hamas, and the SEC passed a Bitcoin spot ETF in January 2024. These landmark events all indicate that regulation is deeply involved in the development of Web3.

This report will conduct a systematic analysis of key topics such as the 2023 Web3 hacking attack, Rugpull fraud, ransomware, cryptocurrency money laundering, Web3 regulation, etc., to understand the security landscape of the cryptocurrency industry’s development.

1. Contract loopholes

Contract vulnerability attacks mainly occurred on Ethereum. In the second half of 2023, 36 contract vulnerability attacks occurred on Ethereum, with losses amounting to more than 200 million US dollars, followed by BNBChain. In terms of attack methods, business logic flaws and flash loan attacks are still the most common.

Figure: Web 3 2023 Quarterly Hacking Incidents and Losses (in millions of dollars)

Figure: Number and amount of monthly contract exploits and hacking attacks on Web 3 2023H2

Figure: Number of contract exploit attacks and loss amounts per month in different Web 3 2023H2 chains

Figure: The number and amount of losses caused by the Web 3 2023H2 contract vulnerability using specific attack methods

Typical event analysis: Vyper vulnerabilities cause projects such as Curve and JPEG’d to be attacked

Take JPEG’d being attacked as an example:

Attacker address: 0x6ec21d1868743a44318c3c259a6d4953f9978538

Attacker contract: 0x9420f8821ab4609ad9fa514f8d2f5344c3c0a6ab

Attack transactions:

0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c

(1) The attackers (0x6ec21d18) created a 0x466B85B4 contract and borrowed 80,000 WETH from [Balancer: Vault] through flash loans.

(2) The attackers (0x6ec21d18) added 40,000 WETH to the peth-ETH-F (0x9848482d) liquidity pool and obtained 32,431 pETH.

(3) Subsequently, the attackers (0x6ec21d18) repeatedly removed liquidity from the peth-ETH-F (0x98482D) liquidity pool.

(4) In the end, the attackers (0x6ec21d18) obtained 86,106 WETH, and after returning the flash loan, a profit of 6,106 WETH left the market.

Vulnerability analysis: This attack is a typical re-entry attack. Bytecode decompilation of the attacked project contract. We can see from the following figure: the add_liquidity and remove_liquidity functions are not the same when verifying the storage slot value. Using a different storage slot, the reentry lock may not work. At this point, it is suspected that it is a Vyper underlying design bug.

Combined with Curve’s official tweet. Ultimately, the targeting was a Vyper version bug. This vulnerability exists in versions 0.2.15, 0.2.16, and 0.3.0, and there is a flaw in the reentry lock design. We compare 0.2.14 and 0.3.0 before 0.2.15 Later, in the 0.3.1 version, it was discovered that this part of the code was constantly being updated. The old 0.2.14 and newer 0.3.1 versions did not have this problem.

In the reentry lock-related settings file data_positions.py corresponding to Vyper, the storage_slot value will be overwritten. In ret, the slot that first acquired the lock is 0, then when the function is called again, the lock slot will be increased by 1. At this point, the re-entry lock will expire.

II. Phishing attacks

Phishing attacks are a type of cyber attack designed to deceive and induce targets to obtain sensitive information or induce them to perform malicious actions. This type of attack is usually carried out via email, social media, SMS, or other communication channels. Attackers disguise themselves as trusted entities, such as project parties, authorities, KOLs, etc., to lure victims into providing private keys, mnemonics, or transaction authorization. Similar to contract vulnerability attacks, phishing attacks showed high incidence and high losses in Q3. A total of 107 phishing attacks occurred, of which 58 occurred in July.

Figure: Number of phishing attacks and losses per quarter in Web 3 2023 (millions of dollars)

Figure: Number of monthly phishing attacks on Web 3 2023

Analysis of on-chain asset transfers of typical phishing attacks

On September 7, 2023, the address (0x13e382) was hit by a phishing attack and lost over $24 million. Phishing hackers used fund theft, fund exchange, and decentralized fund transfers. Of the final lost funds, 3,800 ETH was transferred to Tornado.Cash in batches, 10,000 ETH was transferred to an intermediate address (0x702350), and 1078,087 DAI remains at the intermediate address (0x4F2F02).

This is a typical phishing attack. By stealing user assets by defrauding wallet authorizations or private keys, attackers have formed a black industry chain of phishing + money laundering. Currently, more and more fraud gangs and even national hackers use phishing methods to commit crimes in the Web3 field, which requires everyone’s attention and vigilance.

According to SharkTeam’s on-chain big data analysis platform ChainAegis (https://app.chainaegis.com/) In the follow-up analysis, we will analyze the fraud process of typical phishing attacks, the transfer of funds, and the on-chain behavior of fraudsters.

(1) Phishing attack process

The victim address (0x13e382) grants rETH and stETH to scammer address 1 (0x4c10a4) via ‘Increase Allowance’.

The scammer’s address 1 (0x4c10a4) transferred 9,579 stETH from the victim’s address (0x13e382) account to the scammer’s address 2 (0x693b72) for an amount of approximately $15.32 million.

The scammer’s address 1 (0x4c10a4) transferred 4,850 rETH from the victim’s address (0x13e382) account to the scammer’s address 2 (0x693b72) for an amount of approximately $8.41 million.

(2) Asset exchange and transfer

Exchange stolen stETH and rETH for ETH. Beginning in the early morning of 2023-09-07, the scammer’s address 2 (0x693b72) carried out multiple exchange transactions on the UniSwapV2, UniSwapv3, and Curve platforms respectively, exchanging all 9,579 stETH and 4,850 rETH into ETH, for a total of 14,783.9413 ETH.

stETH exchange:

rETH exchange:


Exchange some ETH for DAI. The scammer’s address 2 (0x693b72) exchanged 1,000 ETH for 1,635,047.761675421713685327 via the UniSwapv3 platform DAI. The fraudsters used decentralized fund transfers to multiple intermediate wallet addresses, totaling 1,635,139 DAI and 13,785 ETH. Of these, 1,785 ETH was transferred to an intermediate address (0x4F2F02), 2,000 ETH was transferred to an intermediate address (0x2ABDC2), and 10,000 ETH was transferred to an intermediate address (0x702350). Additionally, the intermediate address (0x4F2F02) received 1,635,139 DAI the next day

Intermediate wallet address (0x4F2F02) fund transfer:

The address has gone through a tiered fund transfer and has 1,785 ETH and 1,635,139 DAI. Decentralized transfer of funds DAI, and small amounts converted to ETH

First, the scammers began transferring 529,000 DAI through 10 transactions in the early morning of 2023-09-07. Subsequently, the first 7 total of 452,000 DAIs were transferred from the intermediate address to 0x4E5B2E (fixedFloat), the eighth, from the intermediate address to 0x6CC5F6 (OKX), and the last 2 total 77,000 DAIs were transferred from the intermediate address to 0xF1DA17 (exCH).

Second, on September 10, 28,052 DAI was exchanged for 17.3 ETH via UniswapV2.

From September 8th to September 11th, 18 transactions were carried out, and all 1,800 ETH were transferred to Tornado.Cash.

After the transfer, the address ultimately left the stolen funds 1078,087 DAI that were not transferred.

Transfer of funds to an intermediate address (0x2ABDC2):

The address has been transferred through a tier of funds and has 2,000 ETH. First, the address transferred 2000ETH to an intermediate address (0x71C848) on September 11th.

The intermediate address (0x71C848) then transferred funds through two fund transfers on September 11 and October 1, respectively, for a total of 20 transactions, 100 ETH each, totaling 2000 ETH to Tornado.Cash.

The address has been transferred through a tier of funds and holds 10,000 ETH. As of October 08, 2023, 10,000 ETH has not been transferred to this address’s account.

Address clue tracking: After analyzing the historical transactions of the scammer’s address 1 (0x4c10a4) and the scammer’s address 2 (0x693b72), it was discovered that an EOA address (0x846317) transferred 1.353 ETH to the scammer’s address 2 (0x693b72), and the source of funding for this EOA address involved the hot wallet addresses of centralized exchanges KuCoin and Binance.

III. Rugpull and Fraud

The frequency of Rugpull fraud incidents in 2023 showed a significant upward trend. Q4 reached 73 cases, with a loss amount of US$19 million, with an average single loss of about US$26,000. The quarter with the highest share of Rugpull fraud losses in the whole year was Q2, followed by Q3, which accounted for more than 30% of losses.

In the second half of 2023, there were a total of 139 Rugpull incidents and 12 fraud incidents, which resulted in losses of $71.55 million and $340 million respectively.

Rugpull events mainly occurred on BNBChain in the second half of 2023, reaching 91 times, accounting for more than 65%, and losses amounting to $29.57 million, accounting for 41% of losses. Ethereum (44 times) followed, with a loss of $7.39 million. In addition to Ethereum and BNBChain, the BALD Rugpull incident occurred on the Base Chain in August, causing serious losses of $25.6 million.

Figure: Number of Rugpull and Scam incidents and losses per quarter for Web 3 2023 (millions of dollars)

Figure: Number of Rugpull and Scam incidents and losses per month on Web 3 2023H2

Figure: Number of monthly Rugpull incidents and loss amounts in different Web 3 2023H2 chains

Rugpull fraud factory behavior analysis

A Rug fraud factory model is popular on BNBChain to mass-manufacture Rugpull tokens and commit fraud. Let’s take a look at the Rugpull factory fraud pattern of fake SEI, X, TIP, and Blue tokens.

(1) SEI

First, the fake SEI token holder 0x0a8310eca430beb13a8d1b42a03b3521326e4a58 exchanged 249 fake SEIs for 1U.

Then, 0x6f9963448071b88fb23fd9971d24a87e5244451A carried out bulk buy and sell operations. Under the buying and selling operations, the token’s liquidity increased markedly, and the price also increased.

Through phishing and other methods of promotion, a large number of users are tempted to buy. As liquidity increases, the token price doubles.

When the price of the token reaches a certain value, the token owner enters the market and sells to perform a Rugpull operation. As can be seen from the image below, the entry harvest period and price are all different.

(2) Fake X, fake TIP, fake Blue

First, X, TIP, and Blue token holders 0x44A028DAE3680697795a8d50960c8c155cbc0d74 exchanged 1U for the corresponding token. Then, just like a fake Sei token.

0x6f9963448071b88fb23fd9971d24a87e5244451A bulk buy and sell operations. Under buying and selling operations, liquidity increased markedly, and prices rose.

It was then promoted through phishing and other channels to entice a large number of users to make purchases. As liquidity increased, the token price doubled.

Like a fake SEI, when the price of the token reaches a certain value, the token owner enters the market to sell and perform a Rugpull operation. As can be seen from the image below, the entry harvest period and price are all different.

The fluctuation chart for the fake SEI, fake X, fake TIP, and fake Blue tokens is as follows:

We can learn from the traceability of funds and behavioral patterns:

In the fund traceability content, the coin factory creator and token creator’s funds come from multiple EOA accounts. There are also financial transactions between different accounts. Some of them are transferred through phishing addresses, some are obtained through previous Rugpull tokens, and others are obtained through mixed platforms such as Tornado Cash. Transferring funds in a variety of ways is aimed at constructing complex and intricate financial networks. Various addresses have also created multiple token factory contracts and mass-produced tokens.

When analyzing the behavior of the token Rugpull, we found the address

0x6f9963448071b88fb23fd9971d24a87e5244451a is one of the funding sources. The batch method is also used to manipulate token prices. The address 0x072E9A13791F3A45FC6EB6EB6AD38E6EA258C080cc3 also acts as a funding provider, providing corresponding funds to multiple token holders.

Through analysis, it can be seen that behind this series of acts, there is a Web3 fraud gang with a clear division of labor, forming a black industrial chain. It mainly involves hot spot collection, automatic coin issuance, automated trading, false publicity, phishing attacks, and Rugpull harvesting, which mostly occurred in BNBChain. The fake Rugpull tokens issued are all closely related to hot events in the industry, and are highly confusing and encouraging. Users should always be alert, be rational, and avoid unnecessary losses.

IV. Ransomware

The threat of ransomware attacks in 2023 continues to threaten institutions and businesses all the time. Ransomware attacks are becoming more sophisticated, and attackers use a variety of techniques to exploit vulnerabilities in organizational systems and networks. Proliferating ransomware attacks continue to pose a major threat to business organizations, individuals, and critical infrastructure around the world. Attackers are constantly adapting and refining their attack strategies, using leaked source code, intelligent attack schemes, and emerging programming languages to maximize their illegal profits.

LockBit, ALPHV/BlackCat, and BlackBasta are currently the most active ransomware ransomware organizations.

Figure: Number of victims of extortion organizations

Currently, more and more ransomware uses cryptocurrency payment methods. Take Lockbit as an example. Companies recently attacked by Lockbit include TSMC at the end of June this year, Boeing in October, and the US wholly-owned subsidiary of the Industrial and Commercial Bank of China in November. Most of them use Bitcoin to collect ransom, and LockBit will launder cryptocurrency money after receiving the ransom. Let’s analyze the ransomware money laundering model using Lockbit as an example.

According to ChainAegis analysis, LockBit ransomware mostly uses BTC to collect ransoms, using different payment addresses. Some addresses and payment amounts are arranged as follows. The BTCs in a single extortion ranged from 0.07 to 5.8, ranging from about $2,551 to $211,311.

Figure: LockBit partial payout address and payout amount

On-chain address tracking and anti-money laundering analysis were carried out using the two addresses with the highest amounts involved:

Ransom receipt address 1:1ptfhwkusgvtg6mh6hyxx1c2sjxw2zhpem;

Ransom Recipient Address 2:1hpz7rny3kbjeuurhkhivwdrnwaasgvVVPH.

(1) Ransomware collection address 1:1ptfhwkusgvtg6mh6hyxx1c2sjxw2zhpem

According to the analysis below, Address 1 (1Ptfhw) received a total of 17 on-chain transactions from March 25, 2021 to May 15, 2021. After receiving the funds, the assets were quickly transferred to 13 core intermediate addresses. These intermediate addresses are transferred through the funding layer to 6 second-tier intermediate addresses, namely: 3fVzPx… cuVH, 1gVKmU… Bbs1, bc1qdse… ylky, 1gucci… vSGB, bc1qan… 0ac4, and 13CPvF… Lpdp.

The intermediate address 3fVzPx… cuvH, through on-chain analysis, it was discovered that its final flow to the dark web address 361AKMknnwywzrsce8ppnMoH5AQF4V7G4P was discovered.

Intermediate address 13cPVf… Lpdp transferred a small amount of 0.00022 BTC to CoinPayments. There were 500 similar transactions, and a total of 0.21 BTC were collected to the CoinPayments address: bc1q3y… 7y88 to launder money using CoinPayments.

Other intermediary addresses ended up flowing into centralized exchanges Binance and Bitfinex.

Figure: Address 1 (1Ptfhw… hPEM) Funding Sources and Outflow Details

Figure: Address 1 (1Ptfhw… hPem) money flow tracking

Figure: Details of intermediate addresses and money flows involved in address 1 (1Ptfhw… hPEM)

Figure: Address 1 (1Ptfhw… hPEM) transaction map

(2) Extortion Receipt Address 2:1hpz7rny3kbjeuurhkHivwdrnWaasgVVPH

The victim paid 4.16 BTC to the ransom operator LockBit in 11 transactions between May 24, 2021 and May 28, 2021. Immediately, address 2 (1hpz7rn… vVPH) quickly transferred 1.89 BTC of the ransom funds to intermediate address 1: bc1qan… 0ac4, 1.84 to intermediate address 2:112qjqj… Sdha, 0.34 The item goes to the middle address 3:19Uxbt… 9rdF.

The final intermediate address 2:112qJqj… Sdha and intermediate address 3:19Uxbt… 9rdF both transferred funds to intermediate address 1: bc1qan… 0ac4. Immediately after that, the middle address 1 bc1qan… 0ac4 continued to transfer funds. A small portion of the funds was transferred directly to the Binance exchange, and the other part of the funds were transferred layer by layer through the middle address, and eventually transferred to Binance and other platforms for money laundering. The specific transaction details and address tags are as follows.

Figure: Address 2 (1hpz7rn… vVPH) Funding Sources and Outflow Details

Figure: Address 2 (1hpz7rn… vVPH) fund flow tracking

Figure: Details of intermediate addresses and money flows involved in address 2 (1hpz7rn… vVPH)

LockBit will launder cryptocurrency money after receiving the ransom. Unlike traditional money laundering methods, this money laundering model usually occurs on the blockchain. It has the characteristics of long cycle, scattered funds, high automation, and high complexity. To carry out cryptocurrency supervision and fund tracking, on the one hand, it is necessary to build on-chain and off-chain analysis and forensics capabilities, and on the other hand, it is necessary to carry out APT-level security attacks and defense at the network security level, with the ability to integrate attack and defense.

5. MONEY LAUNDRY

Money laundering (money laundering) is an act of legalizing illegal proceeds. It mainly refers to the formal legalization of illegal proceeds and the proceeds generated by concealing the origin and nature of illegal proceeds through various means. Such acts include, but are not limited to, providing financial accounts, assisting in the conversion of property forms, and assisting in the transfer of funds or remittance abroad. However, cryptocurrencies — especially stablecoins — have been used for money laundering for quite some time due to their low transfer costs, degeolocation, and certain censorship-resistant properties, which is one of the main reasons cryptocurrencies have been criticized.

Traditional money laundering activities often use the cryptocurrency OTC market to exchange fiat to cryptocurrency, or from cryptocurrency to fiat. Among them, money laundering scenarios are different and forms are diverse, but regardless of the nature of such acts, they are aimed at blocking the investigation of capital links by law enforcement officials, including traditional financial institution accounts or cryptographic institution accounts.

Unlike traditional money laundering activities, the target of the new type of cryptocurrency money laundering activity is the cryptocurrency itself, and the infrastructure of the crypto industry, including wallets, cross-chain bridges, decentralized trading platforms, etc., will all be illegally used.

Figure: Amount of money laundered in recent years

From 2016 to 2023, cryptocurrency laundered a total of $147.7 billion. Since 2020, the amount of money laundered has continued to increase at a rate of 67% per year, to reach $23.8 billion in 2022, and to reach as much as $80 billion in 2023. The amount of money laundered is astonishing, and anti-money laundering actions are imperative.

According to statistics from the ChainAegis platform, the amount of funds on the on-chain coin mixing platform Tornado Cash has maintained rapid growth since January 2020. Currently, nearly 3.62 million ETH deposits have been placed in this fund pool, with a total deposit of 7.8 billion US dollars. Tornado Cash has become Ethereum’s largest money laundering center. However, as the US law enforcement agency issued a document sanctioning Tornado Cash in August 2022, the number of weekly Tornado Cash deposits and withdrawals dropped exponentially, but due to the decentralized nature of Tornado Cash, it was impossible to stop them at the source, and funds continued to pour into the system to mix coins.

Lazarus Group (North Korean APT Organization) Money Laundering Model Analysis

National APT (Advanced Persistent Threat) organizations are top hacker groups with national background support that target specific targets for a long period of time. The North Korean APT organization Lazarus Group is a very active APT gang. The main purpose of the attack is to steal funds, which can be called the biggest threat to global financial institutions. They are responsible for many attacks and capital theft cases in the cryptocurrency sector in recent years.

The security incidents and losses of Lazarus attacks on the cryptographic field that have been clearly counted so far are as follows:

More than 3 billion US dollars of funds were stolen by Lazarus in a cyber attack. According to reports, the Lazarus hacker group is supported by North Korea’s strategic interests to fund North Korea’s nuclear and ballistic missile programs. To this end, the US announced a $5 million reward to sanction the Lazarus hacker group. The US Treasury Department has also added relevant addresses to the OFAC Specially Designated Nationals (SDN) list, prohibiting US individuals, entities, and related addresses from trading to ensure that state-funded groups cannot redeem these funds, thereby imposing sanctions. Ethereum developer Virgil Griffith was sentenced to 5 years and 3 months in prison for helping North Korea evade sanctions using virtual currency. In 2023, OFAC also sanctioned three people associated with the Lazarus Group. Two of the sanctioned, Cheng Hung Man and Wu Huihui, were OTC traders who facilitated cryptocurrency transactions for Lazarus, while a third party, Sim Hyon Sop, provided other finance Support.

Despite this, Lazarus has completed over $1 billion in asset transfers and cleanings, and their money laundering model is analyzed below. Take the Atomic Wallet incident as an example. After removing the technical disruptors set by the hacker (a large number of fake token transfer transactions + multiple address splits), the hacker’s fund transfer model can be obtained:

Figure: Atomic Wallet Victim 1 Fund Transfer View

Victim 1 transfers 304.36 ETH from address 0xb02d… c6072 to the hacker address 0x3916... 6340, and after 8 installments through intermediate address 0x0159... 7b70, it returns to address 0x69ca… 5324. The collected funds have since been transferred to address 0x514c… 58f67. Currently, the funds are still in this address, and the address’s ETH balance is 692.74 ETH (worth $1.27 million).

Figure: Atomic Wallet Victim 2 Fund Transfer View

Victim 2 transferred 1.266,000 USDT from address 0x0b45... d662 to the hacker address 0xf0f7... 79b3. The hacker split it into three transactions, two of which were transferred to Uniswap, totaling 1,266,000 USDT; the other transfer was transferred to address 0x49ce… 80fb, with a transfer amount of 672.71 ETH. Victim 2 transferred 22,000 USDT to the hacker address 0x0d5a… 08c2. The hacker directly or indirectly collected the funds to address 0x3c2e… 94a8 through multiple installments through intermediate addresses 0xec13... 02d6, etc.

This money laundering model is highly consistent with the money laundering model in previous Ronin Network and Harmony attacks, and all include three steps:

(1) Stolen funds consolidation and exchange: After the attack is launched, the original stolen tokens are sorted out, and various tokens are swapped into ETH through DEX and other methods. This is a common way to circumvent the freezing of funds.

(2) Collection of stolen funds: Collecting the sorted ETH into several disposable wallet addresses. In the Ronin incident, the hackers shared 9 such addresses, Harmony used 14, and the Atomic Wallet incident used nearly 30 addresses.

(3) Transfer out of stolen funds: Use the collection address to launder money through Tornado.Cash. This completes the entire money transfer process.

In addition to having the same money laundering steps, there is also a high degree of consistency in the details of money laundering:

(1) The attackers are very patient. They all used up to a week to carry out money laundering operations, and they all began follow-up money laundering operations a few days after the incident occurred.

(2) Automated transactions are used in the money laundering process. Most of the money collection actions have a large number of transactions, small time intervals, and a uniform model.

Through analysis, we believe that Lazarus’ money laundering model is generally as follows:

(1) Split accounts and transfer assets in small amounts and multiple transactions to make tracking more difficult.

(2) Start manufacturing a large number of counterfeit currency transactions to make tracking more difficult. Taking the Atomic Wallet incident as an example, 23 of the 27 intermediate addresses were all counterfeit money transfer addresses. Similar technology was recently discovered in the Stake.com incident analysis, but the previous Ronin Network and Harmony incident did not have this interference technology, which indicates that Lazarus’ money laundering technology has also been upgraded.

(3) More on-chain methods (such as Tonado Cash) are used for coin mixing. In early incidents, Lazarus often used centralized exchanges to obtain start-up capital or carry out subsequent OTC, but recently less and less centralized exchanges are being used, and it can even be thought that they are trying to avoid using centralized exchanges as much as possible. This should be related to several recent sanctions incidents.

VI. Sanctions and Regulation

Agencies such as the US Treasury’s Office of Foreign Assets Control (OFAC) and similar agencies in other countries adopt sanctions against countries, regimes, individuals, and entities deemed to be a threat to national security and foreign policy. Traditionally, enforcement of sanctions has relied on the cooperation of mainstream financial institutions, but some bad actors have turned to cryptocurrencies to circumvent these third-party intermediaries, creating new challenges for policymakers and sanctioning agencies. However, the inherent transparency of cryptocurrencies, and the will to comply with cryptocurrency services, particularly the many centralized exchanges that act as a link between cryptocurrencies and fiat currencies, have proven that imposing sanctions is possible in the cryptocurrency world.

Here’s a look at some of the individuals or entities linked to cryptocurrencies that were sanctioned in the US in 2023, and the reasons for the OFAC sanctions.

Tether, the company behind the world’s largest stablecoin, announced on December 9, 2023, that it will “freeze” tokens in the wallets of sanctioned individuals on the US Office of Foreign Assets Control (OFAC) list of sanctioned individuals. In its announcement, Tether viewed the move as a voluntary step to “proactively prevent any potential Tether token misuse and enhance security measures.”

This also shows that the investigation and punishment of cryptocurrency crimes has entered a substantial stage. Cooperation between core enterprises and law enforcement agencies can form effective sanctions to monitor and punish cryptocurrency crimes.

In terms of Web3 regulation in 2023, Hong Kong has also made tremendous progress, and is sounding the trumpet for “compliantly developing” the Web3 and crypto markets. When the Monetary Authority of Singapore began restricting retail customers from using leverage or credit for cryptocurrency transactions in 2022, the HKSAR Government issued a “Policy Declaration on the Development of Virtual Assets in Hong Kong”, and some Web3 talents and companies went to a new promised land.

On June 1, 2023, Hong Kong fulfilled the declaration and issued the “Guidelines for Virtual Asset Trading Platform Operators”. The virtual asset trading platform license system was officially implemented, and Class 1 (securities trading) and Class 7 (providing automated trading services) licenses have been issued.

Currently, organizations such as OKX, BGE, HKBiteX, HKVAX, VDX, Meex, PantherTrade, VAEX, Accumulus, and DFX Labs are actively applying for virtual asset trading platform licenses (VASP).

Chief Executive Li Jiachao, Financial Secretary Chen Maobo, and others have frequently spoken out on behalf of the Hong Kong government to support the launch of Web3 in Hong Kong and attract crypto companies and talents from all over the world to build. In terms of policy support, Hong Kong has introduced a licensing system for virtual asset service providers, which allows retail investors to trade cryptocurrencies, launched a $10 million Web3 Hub ecosystem fund, and plans to invest over HK$700 million to accelerate the development of the digital economy and promote the development of the virtual asset industry. It has also set up a Web 3.0 development task force.

However, when great strides were being made, risky events also took advantage of the momentum. The unlicensed crypto exchange JPEX involved more than HK$1 billion, the HOUNAX fraud case involved over 100 million yuan, HongKongDAO and BitCuped suspected virtual asset fraud… These vicious incidents attracted great attention from the Hong Kong Securities Regulatory Commission and the police. The Hong Kong Securities Regulatory Commission said it will develop risk assessment guidelines for virtual asset cases with the police and exchange information on a weekly basis.

I believe that in the near future, a more complete regulatory and security system will help Hong Kong, as an important financial hub between East and West, open its arms to Web3.

Disclaimer:

  1. This article is reprinted from [aicoin]. All copyrights belong to the original author [SharkTeam]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.

SharkTeam: 2023 Cryptocurrency Crime Analysis Report

Intermediate1/23/2024, 7:05:18 PM
This article describes some reports of blockchain crimes, mainly including contract risks, phishing attacks, Rugpull and fraud, ransomware, money laundering, and current sanctions and regulatory measures.

In 2023, the Web3 industry experienced more than 940 security incidents, large and small, which increased by more than 50% compared to 2022, and lost $1.79 billion. Among them, the third quarter had the highest number of security incidents (360 cases) and the biggest loss (7.4) USD billion), and losses increased 47% over 2022. In particular, in July, 187 security incidents occurred, and losses amounted to US$350 million.

Figure: Number of quarterly/monthly security incidents for Web 3 2023

Figure: Web 3 2023 quarterly/monthly security incident losses (in millions of dollars)

First, hacker attacks are still a major cause of significant losses. There were 216 hacking incidents throughout 2023, causing $1.06 billion in losses. Contract breaches, private key theft, phishing attacks, and national hacking are still important reasons threatening the security of the Web3 ecosystem.

Second, Rugpull and treasury fraud is on the rise. There were 250 Rugpull and Scam fraud cases in 2023, with the most frequent occurrence of such incidents on BNBChain. Fraudulent projects attract investors to participate by posting seemingly attractive crypto projects, and provide some false liquidity. Once sufficient funds are attracted, all funds are suddenly stolen and assets are transferred. This type of fraud causes serious financial losses to investors, and also greatly increases the difficulty for investors to choose the right project.

Additionally, ransomware is trending using cryptocurrencies to collect ransoms, such as Lockbit, Conti, Suncrypt, and Monti. Cryptocurrency is more difficult to track than fiat money, and how to use on-chain analysis tools to track and locate ransomware gangs is also becoming more important.

Finally, in criminal activities such as cryptocurrency hacking attacks and fraudulent extortion, criminals often need to launder money through on-chain fund transfers and OTC after obtaining cryptocurrency. Money laundering usually uses a mix of decentralized and centralized methods. Centralized exchanges are the most concentrated places for money laundering, followed by on-chain coin mixing platforms.

2023 is also a year of substantial development in Web3 regulation. FTX2.0 was restarted, Binance was sanctioned, USDT banned addresses such as Hamas, and the SEC passed a Bitcoin spot ETF in January 2024. These landmark events all indicate that regulation is deeply involved in the development of Web3.

This report will conduct a systematic analysis of key topics such as the 2023 Web3 hacking attack, Rugpull fraud, ransomware, cryptocurrency money laundering, Web3 regulation, etc., to understand the security landscape of the cryptocurrency industry’s development.

1. Contract loopholes

Contract vulnerability attacks mainly occurred on Ethereum. In the second half of 2023, 36 contract vulnerability attacks occurred on Ethereum, with losses amounting to more than 200 million US dollars, followed by BNBChain. In terms of attack methods, business logic flaws and flash loan attacks are still the most common.

Figure: Web 3 2023 Quarterly Hacking Incidents and Losses (in millions of dollars)

Figure: Number and amount of monthly contract exploits and hacking attacks on Web 3 2023H2

Figure: Number of contract exploit attacks and loss amounts per month in different Web 3 2023H2 chains

Figure: The number and amount of losses caused by the Web 3 2023H2 contract vulnerability using specific attack methods

Typical event analysis: Vyper vulnerabilities cause projects such as Curve and JPEG’d to be attacked

Take JPEG’d being attacked as an example:

Attacker address: 0x6ec21d1868743a44318c3c259a6d4953f9978538

Attacker contract: 0x9420f8821ab4609ad9fa514f8d2f5344c3c0a6ab

Attack transactions:

0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c

(1) The attackers (0x6ec21d18) created a 0x466B85B4 contract and borrowed 80,000 WETH from [Balancer: Vault] through flash loans.

(2) The attackers (0x6ec21d18) added 40,000 WETH to the peth-ETH-F (0x9848482d) liquidity pool and obtained 32,431 pETH.

(3) Subsequently, the attackers (0x6ec21d18) repeatedly removed liquidity from the peth-ETH-F (0x98482D) liquidity pool.

(4) In the end, the attackers (0x6ec21d18) obtained 86,106 WETH, and after returning the flash loan, a profit of 6,106 WETH left the market.

Vulnerability analysis: This attack is a typical re-entry attack. Bytecode decompilation of the attacked project contract. We can see from the following figure: the add_liquidity and remove_liquidity functions are not the same when verifying the storage slot value. Using a different storage slot, the reentry lock may not work. At this point, it is suspected that it is a Vyper underlying design bug.

Combined with Curve’s official tweet. Ultimately, the targeting was a Vyper version bug. This vulnerability exists in versions 0.2.15, 0.2.16, and 0.3.0, and there is a flaw in the reentry lock design. We compare 0.2.14 and 0.3.0 before 0.2.15 Later, in the 0.3.1 version, it was discovered that this part of the code was constantly being updated. The old 0.2.14 and newer 0.3.1 versions did not have this problem.

In the reentry lock-related settings file data_positions.py corresponding to Vyper, the storage_slot value will be overwritten. In ret, the slot that first acquired the lock is 0, then when the function is called again, the lock slot will be increased by 1. At this point, the re-entry lock will expire.

II. Phishing attacks

Phishing attacks are a type of cyber attack designed to deceive and induce targets to obtain sensitive information or induce them to perform malicious actions. This type of attack is usually carried out via email, social media, SMS, or other communication channels. Attackers disguise themselves as trusted entities, such as project parties, authorities, KOLs, etc., to lure victims into providing private keys, mnemonics, or transaction authorization. Similar to contract vulnerability attacks, phishing attacks showed high incidence and high losses in Q3. A total of 107 phishing attacks occurred, of which 58 occurred in July.

Figure: Number of phishing attacks and losses per quarter in Web 3 2023 (millions of dollars)

Figure: Number of monthly phishing attacks on Web 3 2023

Analysis of on-chain asset transfers of typical phishing attacks

On September 7, 2023, the address (0x13e382) was hit by a phishing attack and lost over $24 million. Phishing hackers used fund theft, fund exchange, and decentralized fund transfers. Of the final lost funds, 3,800 ETH was transferred to Tornado.Cash in batches, 10,000 ETH was transferred to an intermediate address (0x702350), and 1078,087 DAI remains at the intermediate address (0x4F2F02).

This is a typical phishing attack. By stealing user assets by defrauding wallet authorizations or private keys, attackers have formed a black industry chain of phishing + money laundering. Currently, more and more fraud gangs and even national hackers use phishing methods to commit crimes in the Web3 field, which requires everyone’s attention and vigilance.

According to SharkTeam’s on-chain big data analysis platform ChainAegis (https://app.chainaegis.com/) In the follow-up analysis, we will analyze the fraud process of typical phishing attacks, the transfer of funds, and the on-chain behavior of fraudsters.

(1) Phishing attack process

The victim address (0x13e382) grants rETH and stETH to scammer address 1 (0x4c10a4) via ‘Increase Allowance’.

The scammer’s address 1 (0x4c10a4) transferred 9,579 stETH from the victim’s address (0x13e382) account to the scammer’s address 2 (0x693b72) for an amount of approximately $15.32 million.

The scammer’s address 1 (0x4c10a4) transferred 4,850 rETH from the victim’s address (0x13e382) account to the scammer’s address 2 (0x693b72) for an amount of approximately $8.41 million.

(2) Asset exchange and transfer

Exchange stolen stETH and rETH for ETH. Beginning in the early morning of 2023-09-07, the scammer’s address 2 (0x693b72) carried out multiple exchange transactions on the UniSwapV2, UniSwapv3, and Curve platforms respectively, exchanging all 9,579 stETH and 4,850 rETH into ETH, for a total of 14,783.9413 ETH.

stETH exchange:

rETH exchange:


Exchange some ETH for DAI. The scammer’s address 2 (0x693b72) exchanged 1,000 ETH for 1,635,047.761675421713685327 via the UniSwapv3 platform DAI. The fraudsters used decentralized fund transfers to multiple intermediate wallet addresses, totaling 1,635,139 DAI and 13,785 ETH. Of these, 1,785 ETH was transferred to an intermediate address (0x4F2F02), 2,000 ETH was transferred to an intermediate address (0x2ABDC2), and 10,000 ETH was transferred to an intermediate address (0x702350). Additionally, the intermediate address (0x4F2F02) received 1,635,139 DAI the next day

Intermediate wallet address (0x4F2F02) fund transfer:

The address has gone through a tiered fund transfer and has 1,785 ETH and 1,635,139 DAI. Decentralized transfer of funds DAI, and small amounts converted to ETH

First, the scammers began transferring 529,000 DAI through 10 transactions in the early morning of 2023-09-07. Subsequently, the first 7 total of 452,000 DAIs were transferred from the intermediate address to 0x4E5B2E (fixedFloat), the eighth, from the intermediate address to 0x6CC5F6 (OKX), and the last 2 total 77,000 DAIs were transferred from the intermediate address to 0xF1DA17 (exCH).

Second, on September 10, 28,052 DAI was exchanged for 17.3 ETH via UniswapV2.

From September 8th to September 11th, 18 transactions were carried out, and all 1,800 ETH were transferred to Tornado.Cash.

After the transfer, the address ultimately left the stolen funds 1078,087 DAI that were not transferred.

Transfer of funds to an intermediate address (0x2ABDC2):

The address has been transferred through a tier of funds and has 2,000 ETH. First, the address transferred 2000ETH to an intermediate address (0x71C848) on September 11th.

The intermediate address (0x71C848) then transferred funds through two fund transfers on September 11 and October 1, respectively, for a total of 20 transactions, 100 ETH each, totaling 2000 ETH to Tornado.Cash.

The address has been transferred through a tier of funds and holds 10,000 ETH. As of October 08, 2023, 10,000 ETH has not been transferred to this address’s account.

Address clue tracking: After analyzing the historical transactions of the scammer’s address 1 (0x4c10a4) and the scammer’s address 2 (0x693b72), it was discovered that an EOA address (0x846317) transferred 1.353 ETH to the scammer’s address 2 (0x693b72), and the source of funding for this EOA address involved the hot wallet addresses of centralized exchanges KuCoin and Binance.

III. Rugpull and Fraud

The frequency of Rugpull fraud incidents in 2023 showed a significant upward trend. Q4 reached 73 cases, with a loss amount of US$19 million, with an average single loss of about US$26,000. The quarter with the highest share of Rugpull fraud losses in the whole year was Q2, followed by Q3, which accounted for more than 30% of losses.

In the second half of 2023, there were a total of 139 Rugpull incidents and 12 fraud incidents, which resulted in losses of $71.55 million and $340 million respectively.

Rugpull events mainly occurred on BNBChain in the second half of 2023, reaching 91 times, accounting for more than 65%, and losses amounting to $29.57 million, accounting for 41% of losses. Ethereum (44 times) followed, with a loss of $7.39 million. In addition to Ethereum and BNBChain, the BALD Rugpull incident occurred on the Base Chain in August, causing serious losses of $25.6 million.

Figure: Number of Rugpull and Scam incidents and losses per quarter for Web 3 2023 (millions of dollars)

Figure: Number of Rugpull and Scam incidents and losses per month on Web 3 2023H2

Figure: Number of monthly Rugpull incidents and loss amounts in different Web 3 2023H2 chains

Rugpull fraud factory behavior analysis

A Rug fraud factory model is popular on BNBChain to mass-manufacture Rugpull tokens and commit fraud. Let’s take a look at the Rugpull factory fraud pattern of fake SEI, X, TIP, and Blue tokens.

(1) SEI

First, the fake SEI token holder 0x0a8310eca430beb13a8d1b42a03b3521326e4a58 exchanged 249 fake SEIs for 1U.

Then, 0x6f9963448071b88fb23fd9971d24a87e5244451A carried out bulk buy and sell operations. Under the buying and selling operations, the token’s liquidity increased markedly, and the price also increased.

Through phishing and other methods of promotion, a large number of users are tempted to buy. As liquidity increases, the token price doubles.

When the price of the token reaches a certain value, the token owner enters the market and sells to perform a Rugpull operation. As can be seen from the image below, the entry harvest period and price are all different.

(2) Fake X, fake TIP, fake Blue

First, X, TIP, and Blue token holders 0x44A028DAE3680697795a8d50960c8c155cbc0d74 exchanged 1U for the corresponding token. Then, just like a fake Sei token.

0x6f9963448071b88fb23fd9971d24a87e5244451A bulk buy and sell operations. Under buying and selling operations, liquidity increased markedly, and prices rose.

It was then promoted through phishing and other channels to entice a large number of users to make purchases. As liquidity increased, the token price doubled.

Like a fake SEI, when the price of the token reaches a certain value, the token owner enters the market to sell and perform a Rugpull operation. As can be seen from the image below, the entry harvest period and price are all different.

The fluctuation chart for the fake SEI, fake X, fake TIP, and fake Blue tokens is as follows:

We can learn from the traceability of funds and behavioral patterns:

In the fund traceability content, the coin factory creator and token creator’s funds come from multiple EOA accounts. There are also financial transactions between different accounts. Some of them are transferred through phishing addresses, some are obtained through previous Rugpull tokens, and others are obtained through mixed platforms such as Tornado Cash. Transferring funds in a variety of ways is aimed at constructing complex and intricate financial networks. Various addresses have also created multiple token factory contracts and mass-produced tokens.

When analyzing the behavior of the token Rugpull, we found the address

0x6f9963448071b88fb23fd9971d24a87e5244451a is one of the funding sources. The batch method is also used to manipulate token prices. The address 0x072E9A13791F3A45FC6EB6EB6AD38E6EA258C080cc3 also acts as a funding provider, providing corresponding funds to multiple token holders.

Through analysis, it can be seen that behind this series of acts, there is a Web3 fraud gang with a clear division of labor, forming a black industrial chain. It mainly involves hot spot collection, automatic coin issuance, automated trading, false publicity, phishing attacks, and Rugpull harvesting, which mostly occurred in BNBChain. The fake Rugpull tokens issued are all closely related to hot events in the industry, and are highly confusing and encouraging. Users should always be alert, be rational, and avoid unnecessary losses.

IV. Ransomware

The threat of ransomware attacks in 2023 continues to threaten institutions and businesses all the time. Ransomware attacks are becoming more sophisticated, and attackers use a variety of techniques to exploit vulnerabilities in organizational systems and networks. Proliferating ransomware attacks continue to pose a major threat to business organizations, individuals, and critical infrastructure around the world. Attackers are constantly adapting and refining their attack strategies, using leaked source code, intelligent attack schemes, and emerging programming languages to maximize their illegal profits.

LockBit, ALPHV/BlackCat, and BlackBasta are currently the most active ransomware ransomware organizations.

Figure: Number of victims of extortion organizations

Currently, more and more ransomware uses cryptocurrency payment methods. Take Lockbit as an example. Companies recently attacked by Lockbit include TSMC at the end of June this year, Boeing in October, and the US wholly-owned subsidiary of the Industrial and Commercial Bank of China in November. Most of them use Bitcoin to collect ransom, and LockBit will launder cryptocurrency money after receiving the ransom. Let’s analyze the ransomware money laundering model using Lockbit as an example.

According to ChainAegis analysis, LockBit ransomware mostly uses BTC to collect ransoms, using different payment addresses. Some addresses and payment amounts are arranged as follows. The BTCs in a single extortion ranged from 0.07 to 5.8, ranging from about $2,551 to $211,311.

Figure: LockBit partial payout address and payout amount

On-chain address tracking and anti-money laundering analysis were carried out using the two addresses with the highest amounts involved:

Ransom receipt address 1:1ptfhwkusgvtg6mh6hyxx1c2sjxw2zhpem;

Ransom Recipient Address 2:1hpz7rny3kbjeuurhkhivwdrnwaasgvVVPH.

(1) Ransomware collection address 1:1ptfhwkusgvtg6mh6hyxx1c2sjxw2zhpem

According to the analysis below, Address 1 (1Ptfhw) received a total of 17 on-chain transactions from March 25, 2021 to May 15, 2021. After receiving the funds, the assets were quickly transferred to 13 core intermediate addresses. These intermediate addresses are transferred through the funding layer to 6 second-tier intermediate addresses, namely: 3fVzPx… cuVH, 1gVKmU… Bbs1, bc1qdse… ylky, 1gucci… vSGB, bc1qan… 0ac4, and 13CPvF… Lpdp.

The intermediate address 3fVzPx… cuvH, through on-chain analysis, it was discovered that its final flow to the dark web address 361AKMknnwywzrsce8ppnMoH5AQF4V7G4P was discovered.

Intermediate address 13cPVf… Lpdp transferred a small amount of 0.00022 BTC to CoinPayments. There were 500 similar transactions, and a total of 0.21 BTC were collected to the CoinPayments address: bc1q3y… 7y88 to launder money using CoinPayments.

Other intermediary addresses ended up flowing into centralized exchanges Binance and Bitfinex.

Figure: Address 1 (1Ptfhw… hPEM) Funding Sources and Outflow Details

Figure: Address 1 (1Ptfhw… hPem) money flow tracking

Figure: Details of intermediate addresses and money flows involved in address 1 (1Ptfhw… hPEM)

Figure: Address 1 (1Ptfhw… hPEM) transaction map

(2) Extortion Receipt Address 2:1hpz7rny3kbjeuurhkHivwdrnWaasgVVPH

The victim paid 4.16 BTC to the ransom operator LockBit in 11 transactions between May 24, 2021 and May 28, 2021. Immediately, address 2 (1hpz7rn… vVPH) quickly transferred 1.89 BTC of the ransom funds to intermediate address 1: bc1qan… 0ac4, 1.84 to intermediate address 2:112qjqj… Sdha, 0.34 The item goes to the middle address 3:19Uxbt… 9rdF.

The final intermediate address 2:112qJqj… Sdha and intermediate address 3:19Uxbt… 9rdF both transferred funds to intermediate address 1: bc1qan… 0ac4. Immediately after that, the middle address 1 bc1qan… 0ac4 continued to transfer funds. A small portion of the funds was transferred directly to the Binance exchange, and the other part of the funds were transferred layer by layer through the middle address, and eventually transferred to Binance and other platforms for money laundering. The specific transaction details and address tags are as follows.

Figure: Address 2 (1hpz7rn… vVPH) Funding Sources and Outflow Details

Figure: Address 2 (1hpz7rn… vVPH) fund flow tracking

Figure: Details of intermediate addresses and money flows involved in address 2 (1hpz7rn… vVPH)

LockBit will launder cryptocurrency money after receiving the ransom. Unlike traditional money laundering methods, this money laundering model usually occurs on the blockchain. It has the characteristics of long cycle, scattered funds, high automation, and high complexity. To carry out cryptocurrency supervision and fund tracking, on the one hand, it is necessary to build on-chain and off-chain analysis and forensics capabilities, and on the other hand, it is necessary to carry out APT-level security attacks and defense at the network security level, with the ability to integrate attack and defense.

5. MONEY LAUNDRY

Money laundering (money laundering) is an act of legalizing illegal proceeds. It mainly refers to the formal legalization of illegal proceeds and the proceeds generated by concealing the origin and nature of illegal proceeds through various means. Such acts include, but are not limited to, providing financial accounts, assisting in the conversion of property forms, and assisting in the transfer of funds or remittance abroad. However, cryptocurrencies — especially stablecoins — have been used for money laundering for quite some time due to their low transfer costs, degeolocation, and certain censorship-resistant properties, which is one of the main reasons cryptocurrencies have been criticized.

Traditional money laundering activities often use the cryptocurrency OTC market to exchange fiat to cryptocurrency, or from cryptocurrency to fiat. Among them, money laundering scenarios are different and forms are diverse, but regardless of the nature of such acts, they are aimed at blocking the investigation of capital links by law enforcement officials, including traditional financial institution accounts or cryptographic institution accounts.

Unlike traditional money laundering activities, the target of the new type of cryptocurrency money laundering activity is the cryptocurrency itself, and the infrastructure of the crypto industry, including wallets, cross-chain bridges, decentralized trading platforms, etc., will all be illegally used.

Figure: Amount of money laundered in recent years

From 2016 to 2023, cryptocurrency laundered a total of $147.7 billion. Since 2020, the amount of money laundered has continued to increase at a rate of 67% per year, to reach $23.8 billion in 2022, and to reach as much as $80 billion in 2023. The amount of money laundered is astonishing, and anti-money laundering actions are imperative.

According to statistics from the ChainAegis platform, the amount of funds on the on-chain coin mixing platform Tornado Cash has maintained rapid growth since January 2020. Currently, nearly 3.62 million ETH deposits have been placed in this fund pool, with a total deposit of 7.8 billion US dollars. Tornado Cash has become Ethereum’s largest money laundering center. However, as the US law enforcement agency issued a document sanctioning Tornado Cash in August 2022, the number of weekly Tornado Cash deposits and withdrawals dropped exponentially, but due to the decentralized nature of Tornado Cash, it was impossible to stop them at the source, and funds continued to pour into the system to mix coins.

Lazarus Group (North Korean APT Organization) Money Laundering Model Analysis

National APT (Advanced Persistent Threat) organizations are top hacker groups with national background support that target specific targets for a long period of time. The North Korean APT organization Lazarus Group is a very active APT gang. The main purpose of the attack is to steal funds, which can be called the biggest threat to global financial institutions. They are responsible for many attacks and capital theft cases in the cryptocurrency sector in recent years.

The security incidents and losses of Lazarus attacks on the cryptographic field that have been clearly counted so far are as follows:

More than 3 billion US dollars of funds were stolen by Lazarus in a cyber attack. According to reports, the Lazarus hacker group is supported by North Korea’s strategic interests to fund North Korea’s nuclear and ballistic missile programs. To this end, the US announced a $5 million reward to sanction the Lazarus hacker group. The US Treasury Department has also added relevant addresses to the OFAC Specially Designated Nationals (SDN) list, prohibiting US individuals, entities, and related addresses from trading to ensure that state-funded groups cannot redeem these funds, thereby imposing sanctions. Ethereum developer Virgil Griffith was sentenced to 5 years and 3 months in prison for helping North Korea evade sanctions using virtual currency. In 2023, OFAC also sanctioned three people associated with the Lazarus Group. Two of the sanctioned, Cheng Hung Man and Wu Huihui, were OTC traders who facilitated cryptocurrency transactions for Lazarus, while a third party, Sim Hyon Sop, provided other finance Support.

Despite this, Lazarus has completed over $1 billion in asset transfers and cleanings, and their money laundering model is analyzed below. Take the Atomic Wallet incident as an example. After removing the technical disruptors set by the hacker (a large number of fake token transfer transactions + multiple address splits), the hacker’s fund transfer model can be obtained:

Figure: Atomic Wallet Victim 1 Fund Transfer View

Victim 1 transfers 304.36 ETH from address 0xb02d… c6072 to the hacker address 0x3916... 6340, and after 8 installments through intermediate address 0x0159... 7b70, it returns to address 0x69ca… 5324. The collected funds have since been transferred to address 0x514c… 58f67. Currently, the funds are still in this address, and the address’s ETH balance is 692.74 ETH (worth $1.27 million).

Figure: Atomic Wallet Victim 2 Fund Transfer View

Victim 2 transferred 1.266,000 USDT from address 0x0b45... d662 to the hacker address 0xf0f7... 79b3. The hacker split it into three transactions, two of which were transferred to Uniswap, totaling 1,266,000 USDT; the other transfer was transferred to address 0x49ce… 80fb, with a transfer amount of 672.71 ETH. Victim 2 transferred 22,000 USDT to the hacker address 0x0d5a… 08c2. The hacker directly or indirectly collected the funds to address 0x3c2e… 94a8 through multiple installments through intermediate addresses 0xec13... 02d6, etc.

This money laundering model is highly consistent with the money laundering model in previous Ronin Network and Harmony attacks, and all include three steps:

(1) Stolen funds consolidation and exchange: After the attack is launched, the original stolen tokens are sorted out, and various tokens are swapped into ETH through DEX and other methods. This is a common way to circumvent the freezing of funds.

(2) Collection of stolen funds: Collecting the sorted ETH into several disposable wallet addresses. In the Ronin incident, the hackers shared 9 such addresses, Harmony used 14, and the Atomic Wallet incident used nearly 30 addresses.

(3) Transfer out of stolen funds: Use the collection address to launder money through Tornado.Cash. This completes the entire money transfer process.

In addition to having the same money laundering steps, there is also a high degree of consistency in the details of money laundering:

(1) The attackers are very patient. They all used up to a week to carry out money laundering operations, and they all began follow-up money laundering operations a few days after the incident occurred.

(2) Automated transactions are used in the money laundering process. Most of the money collection actions have a large number of transactions, small time intervals, and a uniform model.

Through analysis, we believe that Lazarus’ money laundering model is generally as follows:

(1) Split accounts and transfer assets in small amounts and multiple transactions to make tracking more difficult.

(2) Start manufacturing a large number of counterfeit currency transactions to make tracking more difficult. Taking the Atomic Wallet incident as an example, 23 of the 27 intermediate addresses were all counterfeit money transfer addresses. Similar technology was recently discovered in the Stake.com incident analysis, but the previous Ronin Network and Harmony incident did not have this interference technology, which indicates that Lazarus’ money laundering technology has also been upgraded.

(3) More on-chain methods (such as Tonado Cash) are used for coin mixing. In early incidents, Lazarus often used centralized exchanges to obtain start-up capital or carry out subsequent OTC, but recently less and less centralized exchanges are being used, and it can even be thought that they are trying to avoid using centralized exchanges as much as possible. This should be related to several recent sanctions incidents.

VI. Sanctions and Regulation

Agencies such as the US Treasury’s Office of Foreign Assets Control (OFAC) and similar agencies in other countries adopt sanctions against countries, regimes, individuals, and entities deemed to be a threat to national security and foreign policy. Traditionally, enforcement of sanctions has relied on the cooperation of mainstream financial institutions, but some bad actors have turned to cryptocurrencies to circumvent these third-party intermediaries, creating new challenges for policymakers and sanctioning agencies. However, the inherent transparency of cryptocurrencies, and the will to comply with cryptocurrency services, particularly the many centralized exchanges that act as a link between cryptocurrencies and fiat currencies, have proven that imposing sanctions is possible in the cryptocurrency world.

Here’s a look at some of the individuals or entities linked to cryptocurrencies that were sanctioned in the US in 2023, and the reasons for the OFAC sanctions.

Tether, the company behind the world’s largest stablecoin, announced on December 9, 2023, that it will “freeze” tokens in the wallets of sanctioned individuals on the US Office of Foreign Assets Control (OFAC) list of sanctioned individuals. In its announcement, Tether viewed the move as a voluntary step to “proactively prevent any potential Tether token misuse and enhance security measures.”

This also shows that the investigation and punishment of cryptocurrency crimes has entered a substantial stage. Cooperation between core enterprises and law enforcement agencies can form effective sanctions to monitor and punish cryptocurrency crimes.

In terms of Web3 regulation in 2023, Hong Kong has also made tremendous progress, and is sounding the trumpet for “compliantly developing” the Web3 and crypto markets. When the Monetary Authority of Singapore began restricting retail customers from using leverage or credit for cryptocurrency transactions in 2022, the HKSAR Government issued a “Policy Declaration on the Development of Virtual Assets in Hong Kong”, and some Web3 talents and companies went to a new promised land.

On June 1, 2023, Hong Kong fulfilled the declaration and issued the “Guidelines for Virtual Asset Trading Platform Operators”. The virtual asset trading platform license system was officially implemented, and Class 1 (securities trading) and Class 7 (providing automated trading services) licenses have been issued.

Currently, organizations such as OKX, BGE, HKBiteX, HKVAX, VDX, Meex, PantherTrade, VAEX, Accumulus, and DFX Labs are actively applying for virtual asset trading platform licenses (VASP).

Chief Executive Li Jiachao, Financial Secretary Chen Maobo, and others have frequently spoken out on behalf of the Hong Kong government to support the launch of Web3 in Hong Kong and attract crypto companies and talents from all over the world to build. In terms of policy support, Hong Kong has introduced a licensing system for virtual asset service providers, which allows retail investors to trade cryptocurrencies, launched a $10 million Web3 Hub ecosystem fund, and plans to invest over HK$700 million to accelerate the development of the digital economy and promote the development of the virtual asset industry. It has also set up a Web 3.0 development task force.

However, when great strides were being made, risky events also took advantage of the momentum. The unlicensed crypto exchange JPEX involved more than HK$1 billion, the HOUNAX fraud case involved over 100 million yuan, HongKongDAO and BitCuped suspected virtual asset fraud… These vicious incidents attracted great attention from the Hong Kong Securities Regulatory Commission and the police. The Hong Kong Securities Regulatory Commission said it will develop risk assessment guidelines for virtual asset cases with the police and exchange information on a weekly basis.

I believe that in the near future, a more complete regulatory and security system will help Hong Kong, as an important financial hub between East and West, open its arms to Web3.

Disclaimer:

  1. This article is reprinted from [aicoin]. All copyrights belong to the original author [SharkTeam]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
Nu Starten
Meld Je Aan En Ontvang
$100
Voucher!