FBI Confirms that North Korea was Behind $41 Million Stake.com Exploit 


This week the FBI issued a release confirming that the theft of approximately $41 million in crypto assets from Stake.com, an online casino and betting platform, was the work of North Korea’s Lazarus Group. Lazarus stole these assets from Stake-controlled addresses on the Ethereum, Binance Smart Chain (BSC), and Polygon blockchains and, as of yesterday, had moved them into the 40 crypto addresses identified in the FBI’s press release.

TRM's on-chain analysis of the hack and the post-theft movement of funds confirms DPRK involvement. The ETH and BSC assets have, for the most part, been swapped into unfreezable native assets but remain parked. The Polygon (MATIC) funds were swapped and bridged via Squid Router. Those swaps generally went from MATIC to USDT or USDC, and the proceeds were moved to Avalanche. On Avalanche, they were swapped into wrapped BTC, then bridged to Bitcoin, where they now sit, parked. This type of activity is a hallmark of recent Lazarus Group exploits.


Figure 1 shows that the hackers quickly moved the stolen funds across multiple currencies and multiple chains, which can easily be seen on one graph in TRM’s Graph Visualizer.


Figure 2 shows a closer look at some of the specific cross-chain swaps from AVAX to Bitcoin.

As described in TRM’s recent report on North Korean crypto thefts, the Avalanche Bridge has become North Korean hackers' vehicle of choice to move funds to and from the Bitcoin blockchain.

According to the FBI, and a recent report from TRM, these same DPRK actors are also responsible for several other large-scale attacks, stealing more than $200 million so far in 2023. According to the FBI, this amount includes, but is not limited to, approximately $60 million of virtual currency from Alphapo and CoinsPaid on or about July 22, 2023, and approximately $100 million of virtual currency from Atomic Wallet on or about June 2, 2023. According to TRM, North Korean cyber actors have stolen over $2 billion in cryptocurrency over the last five years.

The FBI has previously provided information to the public regarding the DPRK’s attacks against Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge and put out a cybersecurity advisory on TraderTraitor. In addition, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Lazarus Group in 2019.

The FBI's recent spate of public announcements, confirming North Korean involvement in a series of hacks, is part of a larger effort by the US government to arm industry with the knowledge necessary to reject, block, and freeze crypto assets under North Korea's control. By publicizing exactly which addresses North Korea is known to control, the FBI is making it vastly easier for compliance professionals to identify and block suspicious deposits by North Korean hackers.

North Korean cybercriminals continue to evolve

Even in the last year, North Korea’s laundering tactics have shifted. In 2022, North Korean actors tended to move stolen funds quickly to the Ethereum-based mixer Tornado Cash, as the majority of hacks occurred on Ethereum or other EVM blockchains. Funds were then bridged to Bitcoin via the Ren Bridge, where they were laundered again via ChipMixer, a then-popular Bitcoin mixing service.

However, Tornado Cash was the target of OFAC sanctions in August 2022, and ChipMixer was taken down by law enforcement earlier this year, making it more difficult for Lazarus Group to use those mixers. After the Tornado Cash sanctions, earlier this year we saw funds from the Harmony Bridge hack - dormant since their initial laundering through Tornado Cash in the summer of 2022 - suddenly move through a variety of services and be offloaded to apparent OTC brokers. This new laundering model essentially involves bridging funds to Bitcoin via the Avalanche Bridge - a much lower cost and still-functional alternative to the Ren Bridge - then laundering them through Sinbad, a Bitcoin mixer that has emerged as the go-to mixer for North Korean cybercriminals. From there, North Korea’s hackers typically move funds back to a chain like Avalanche, as we saw in the Stake.com hack, with possible detours to other, more obscure chains like BTTC, before ultimately ending up on the Tron blockchain via the SWFT Bridge, a Tron bridging service most popular with Chinese-speaking crypto users.

Once on Tron, the stolen funds, which have almost always already been converted to USDT, are then apparently liquidated through high-volume, high-value addresses that are most likely over-the-counter (OTC) brokers, probably servicing illicit Chinese crypto traders.

The Role of Blockchain Intelligence in Following North Korean Stolen Funds

The Stake.com hack, and the post-theft movement of funds, is another example of North Korea’s evolved obfuscation techniques in a multi-chain and cross-chain ecosystem. Blockchain intelligence – blockchain data enriched with open-source and proprietary threat intelligence – as represented by TRM Forensics, enables investigators to follow the money in cryptocurrency to ultimately identify threat actors and seize illicit funds, including funds stolen and laundered by North Korea.

In 2019, in response to the growing number of blockchains and the growing use of different chains by cybercriminals, TRM Labs introduced cross-chain analytics in TRM Forensics, our flagship tracing tool. This enables investigators to trace funds from multiple blockchains and multiple assets in a single visualization.

In 2022, TRM identified the growing use of chain-hopping as an obfuscation technique, and introduced TRM Phoenix, the industry’s first solution for automatically tracing the flow of funds across blockchains through bridges and other services.

As North Korea continues to attack the growing crypto ecosystem, the ability to follow stolen funds is more critical than ever, and, as North Korea’s laundering methodologies evolve, so must the tools investigators rely on.



Addresses identified in the FBI release:

0x94f1b9b64e2932f6a2db338f616844400cd58e8a
0xba36735021a9ccd7582ebc7f70164794154ff30e
0xbda83686c90314cfbaaeb18db46723d83fdf0c83
0x7d84d78bb9b6044a45fa08b7fe109f2c8648ab4e
0xff29a52a538f1591235656f71135c24019bf82e5
0x0004a76e39d33edfeac7fc3c8d3994f54428a0be
0xbcedc4f3855148df3ea5423ce758bda9f51630aa
0xe03a1ae400fa54283d5a1c4f8b89d3ca74afbd62
0x95b6656838a1d852dd1313c659581f36b2afb237
0xa2e898180d0bc3713025d8590615a832397a8032
0xa26213638f79f2ed98d474cbcb87551da909685e
bc1qfesn3jj65fhmf00hh45ueql8je8jae6ep3qk84
bc1qtalh4l8qc0p2qw70axxjhwu9z7rm93td5sgsl3
bc1qlq3s8hgczfe62yt94xqasdr5ftuuyrc5kgvpwr
bc1qy78e6ml7f3p438jqrrlzsewx625y0sr7jsesa7
bc1qqa682d2q0wtx5gfpxh4yfl9s4k00ukakl5fpk5
bc1qmqgkxzzfzjqepptw9xzxy03672xg55q559fmvr
bc1qdjmwm8q74r0yx99nghaeu33xdmz3lqnt2uspqv
bc1qrqv5f7jxhp67jcgk9wv5jx4795wlntvhdz2a7j
bc1q82gvk20m08uctmmr97p2mqyxtyh6xf68rwe0t9
bc1q8y9wc2p9444y8r77xtmswxm9qqw90nrpufkx47
bc1qqvpjgaurtnhc8smkmdtwhx9c8207m0prsyxyjx
bc1qfcl8a4ck7uu3phgg5fj6g9servp6f85j3frcd3
bc1qqydp9muxtnxyet3ryfqc467wjtm23f0r7eh5aa
bc1qe4n22sduyylws74aewc6y6g32nglvglqu7hted
bc1qy0ggpxu8f6lta6vf44vervr4py2uu829grj8yh
bc1q32dzmf4t5a3xxvyxn07scgpmjznnz3kwjhw8uc
bc1qkrkxgvp2te3xhgn74c2azt4flf9u05y56kh3a9
bc1q6w7qlaj3mfkgfrxwtvhw45cu86wew7xpjfqcmy
bc1qc593a4d2hznk2ext3k2zmpdrqazlhhh80m4xas
bc1qtnuzecpqaakj0dt855n24dv7u5pme7vyct2cf2
bc1qvjpgxa2g3nvyw2hnclptextllu9dr4vkew8jfp
bc1qg0qygyv3qfp8cjyy99ch9vc9dp876vl8wys67u
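The article's point about publicized addresses is that a compliance team can turn the FBI list directly into a deposit screen. The following is an added example, not TRM Labs' or the FBI's code, showing how such a screen handles the details that matter in practice: EVM addresses are case-insensitive (EIP-55 mixed case is only a checksum of the same account) and the same address is the same account on Ethereum, BSC and Polygon; bech32 Bitcoin addresses may be all-lowercase or all-uppercase but never mixed, so a mixed-case string is malformed and should go to manual review rather than silently clearing. The address sets are copied from the FBI list reproduced on this page; the deposit records, the chain names and the `Verdict`/`screen_deposit`/`summarize` helpers are constructed for the demonstration. A production screener would also verify the bech32 checksum and EIP-55 checksum, which this example omits for brevity.

```python
"""Screening incoming deposits against the FBI-published DPRK address list.

Added example, not TRM Labs' or the FBI's code. Address sets are copied from
the FBI list reproduced on this page; deposit records are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Chains whose addresses share the EVM format. A DPRK-controlled EVM address is
# the same account on Ethereum, BSC and Polygon, so one entry covers all three.
EVM_CHAINS = {"ethereum", "bsc", "polygon"}

FBI_DPRK_EVM: Set[str] = {
    "0x94f1b9b64e2932f6a2db338f616844400cd58e8a", "0xba36735021a9ccd7582ebc7f70164794154ff30e",
    "0xbda83686c90314cfbaaeb18db46723d83fdf0c83", "0x7d84d78bb9b6044a45fa08b7fe109f2c8648ab4e",
    "0xff29a52a538f1591235656f71135c24019bf82e5", "0x0004a76e39d33edfeac7fc3c8d3994f54428a0be",
    "0xbcedc4f3855148df3ea5423ce758bda9f51630aa", "0xe03a1ae400fa54283d5a1c4f8b89d3ca74afbd62",
    "0x95b6656838a1d852dd1313c659581f36b2afb237", "0xa2e898180d0bc3713025d8590615a832397a8032",
    "0xa26213638f79f2ed98d474cbcb87551da909685e",
}
FBI_DPRK_BTC: Set[str] = {
    "bc1qfesn3jj65fhmf00hh45ueql8je8jae6ep3qk84", "bc1qtalh4l8qc0p2qw70axxjhwu9z7rm93td5sgsl3",
    "bc1qlq3s8hgczfe62yt94xqasdr5ftuuyrc5kgvpwr", "bc1qy78e6ml7f3p438jqrrlzsewx625y0sr7jsesa7",
    "bc1qqa682d2q0wtx5gfpxh4yfl9s4k00ukakl5fpk5", "bc1qmqgkxzzfzjqepptw9xzxy03672xg55q559fmvr",
    "bc1qdjmwm8q74r0yx99nghaeu33xdmz3lqnt2uspqv", "bc1qrqv5f7jxhp67jcgk9wv5jx4795wlntvhdz2a7j",
    "bc1q82gvk20m08uctmmr97p2mqyxtyh6xf68rwe0t9", "bc1q8y9wc2p9444y8r77xtmswxm9qqw90nrpufkx47",
    "bc1qqvpjgaurtnhc8smkmdtwhx9c8207m0prsyxyjx", "bc1qfcl8a4ck7uu3phgg5fj6g9servp6f85j3frcd3",
    "bc1qqydp9muxtnxyet3ryfqc467wjtm23f0r7eh5aa", "bc1qe4n22sduyylws74aewc6y6g32nglvglqu7hted",
    "bc1qy0ggpxu8f6lta6vf44vervr4py2uu829grj8yh", "bc1q32dzmf4t5a3xxvyxn07scgpmjznnz3kwjhw8uc",
    "bc1qkrkxgvp2te3xhgn74c2azt4flf9u05y56kh3a9", "bc1q6w7qlaj3mfkgfrxwtvhw45cu86wew7xpjfqcmy",
    "bc1qc593a4d2hznk2ext3k2zmpdrqazlhhh80m4xas", "bc1qtnuzecpqaakj0dt855n24dv7u5pme7vyct2cf2",
    "bc1qvjpgxa2g3nvyw2hnclptextllu9dr4vkew8jfp", "bc1qg0qygyv3qfp8cjyy99ch9vc9dp876vl8wys67u",
}

# EVM: 0x + 40 hex digits, any case. Bech32: the BIP173 charset (no 1, b, i, o),
# entirely lowercase or entirely uppercase; a mixed-case string is invalid.
EVM_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
BECH32_RE = re.compile(r"^(bc1[02-9ac-hj-np-z]{6,87}|BC1[02-9AC-HJ-NP-Z]{6,87})$")


class Verdict(NamedTuple):
    action: str      # "BLOCK", "REVIEW" or "CLEAR"
    reason: str
    normalized: str  # canonical form used for the lookup ("" if malformed)


def normalize_address(chain: str, address: str) -> Optional[str]:
    """Return the canonical lowercase form, or None if the string is malformed."""
    addr = address.strip()
    if chain in EVM_CHAINS:
        return addr.lower() if EVM_RE.match(addr) else None
    if chain == "bitcoin":
        # Only the all-lower or all-upper spellings are valid bech32; fold to lower.
        return addr.lower() if BECH32_RE.match(addr) else None
    return None  # unsupported chain: let a human look at it


def screen_deposit(chain: str, address: str) -> Verdict:
    """Decide what to do with a deposit arriving from `address` on `chain`."""
    norm = normalize_address(chain, address)
    if norm is None:
        return Verdict("REVIEW", f"unrecognised address format for chain {chain!r}", "")
    blocklist = FBI_DPRK_EVM if chain in EVM_CHAINS else FBI_DPRK_BTC
    if norm in blocklist:
        return Verdict("BLOCK", "counterparty is on the FBI DPRK (Lazarus) list", norm)
    return Verdict("CLEAR", "no match against the FBI DPRK list", norm)


def summarize(deposits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count verdicts over a batch of (chain, address) records."""
    counts: Dict[str, int] = {"BLOCK": 0, "REVIEW": 0, "CLEAR": 0}
    for chain, address in deposits:
        counts[screen_deposit(chain, address).action] += 1
    return counts


# Constructed deposit records for the demonstration (not real transactions).
SAMPLE_DEPOSITS: List[Tuple[str, str]] = [
    ("ethereum", "0x94F1B9B64E2932F6A2DB338F616844400CD58E8A"),  # listed, upper-cased
    ("polygon", "0xa26213638f79f2ed98d474cbcb87551da909685e"),   # listed, other EVM chain
    ("bitcoin", "BC1QFESN3JJ65FHMF00HH45UEQL8JE8JAE6EP3QK84"),   # listed, valid upper-case bech32
    ("bitcoin", "bc1Qfesn3jj65fhmf00hh45ueql8je8jae6ep3qk84"),   # mixed case: malformed
    ("ethereum", "0x000000000000000000000000000000000000dead"),  # constructed, not listed
    ("bitcoin", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),   # constructed, not listed
]

if __name__ == "__main__":
    for chain, address in SAMPLE_DEPOSITS:
        v = screen_deposit(chain, address)
        print(f"{v.action:6} {chain:9} {address}  ({v.reason})")
    print(summarize(SAMPLE_DEPOSITS))
```

The two decisions worth copying are the normalization step and the REVIEW outcome: without lowercasing, a depositor could trivially evade an exact-match list by re-casing an EVM address, and without a distinct malformed-input path a screen that treats "no match" as "clear" lets unparseable strings through unexamined.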