Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any cryptoassets.
Do your own due diligence.
❗️❗️❗️New format ❗️❗️❗️
I’ve decided to move away from the long-form format and make a few shorter posts. Covering a range of short topics will not only help me reduce the time it takes to put a post together (crafting a narrative around a single topic is hard!) but also keep you, the reader, more informed with less of the nitty-gritty details.
If you want to go deeper on a subject, there will of course be lots of links to other content.
I hope you enjoy it!
Now let’s dive into what I’ve been focusing on:
🌪 Tornado Cash 🌪
In my last long-form post, I discussed mixers and how they are used to obfuscate a user’s transaction history. If you missed it, it goes like this:
You send your crypto into a mixer.
They mix your cryptocurrency with others.
They send the crypto back out in different amounts to all the users at different addresses, and now it’s much harder to tell who was the original owner.
Your previous transaction history is now much harder to trace back to you.
The intent was to increase anonymity on blockchains that openly record all transactions, such as Bitcoin and Ethereum. But oftentimes, mixers are used by thieves as a money-laundering service.
During the time of the original DAO hack, the hacker was trying to swap their ETH for BTC because there were no mixers for Ethereum at that time. But that has changed.
Today, Tornado.Cash is a popular mixing protocol on the Ethereum blockchain, and has been involved in covering the tracks of many recent, and very large, hacks:
And unlike the mixers I discussed last time, there is no CEO or figurehead for FinCEN or any authority to go after. In May of 2020, the creators destroyed their administrator keys and gave control of the protocol entirely over to the community (Tornado DAO).
Ok, so there’s no figurehead to go after, but aren’t they still breaking laws? Tornado Cash has a compliance tool that is supposed to help law enforcement if the need arises, in order to comply with KYC/AML regulations. But the reality is it isn’t as useful as one might think:
For its part, Tornado Cash says it offers compliance tools like a cryptographic note that can prove the provenance of funds.
But Stephen Sargeant, an independent anti-money laundering (AML) consultant currently contracted to crypto exchange Bitfinex, questions its utility.
“The compliance tool that Tornado Cash has doesn’t help law enforcement unless law enforcement is interacting with the person that stole the funds,” he told CoinDesk in an interview. “They make it so that law enforcement can approach a person that has interacted with Tornado Cash, and they can give law enforcement a deep dive into all of their transactions.”
So if law enforcement has users of Tornado Cash in their custody, the tool is useful in the evidentiary process. But if they don’t, it’s not much help.
In my opinion, this is going to be a really big story at some point. Someone/something is going to be caught in the middle of this and whatever happens is going to set a precedent for any other crypto project that comes after it. The government isn’t going to allow something to exist if it continuously violates KYC/AML regulations, but who will they blame?
Would they go after the creators? The outspoken leaders of the DAO? The DAO itself? How about just shutting down the protocol and making it inaccessible? Is that even possible if there is no central authority?
I don’t know the answer, but I have a feeling it will change the crypto landscape.
Wormhole Hacked (sorry, “Exploited”)
Wormhole had a noble goal: integrate with different Layer 1 blockchains and make them interoperable. For example, if you have most of your wealth tied up in Ethereum, or Solana, or Terra, or any of the other popular blockchains, you could transfer and use those funds or NFTs to trade/lend/borrow on a different blockchain. They wanted to be the bridge to make the “multichain world” a reality.
Let’s see how things are going:
Not great.
Over $326 million in wrapped ETH was created out of thin air and then taken out due to a smart contract vulnerability in Wormhole. They tried to offer $10 million to the hacker as a “white hat agreement” if he/she agreed to return the funds, but to no avail.
If you want to read about how it happened, a crypto security researcher breaks it down for you here:
But don’t worry: Jump Crypto, parent company of Wormhole, jumped in to save them by backstopping the project and saving the funds of the community:
The lesson here for investors is smart contract risk should be one of your top concerns when interacting with these newer crypto projects.
North Korea Likes to Steal Crypto
I love referring people to Chainalysis’ blog and research reports if you want to learn more about what politicians and others mean when they talk about the illicit activity in the crypto space. North Korea is a frightening example of this:
North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400 million worth of digital assets last year. These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses. Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out.
They’ve been stealing less bitcoin nowadays and more Ethereum:
And guess what they use to try to hide their tracks? That’s right: mixers. Both bitcoin AND Ethereum mixers.
Why mixers? DPRK is a systematic money launderer, and their use of multiple mixers—software tools that pool and scramble cryptocurrencies from thousands of addresses—is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat.
You can read more about it in the link above or on their blog, where they cover how they track hacks, malware, money laundering, regulation, and lots of other fun topics from all over the world.
That’s it for now, thanks for reading!
I like the new format. Good post.