Binance Recovers Stolen, Disguised Crypto Loot From Mega Hack

Muyao Shen | April 22, 2022

(Bloomberg) -- More than a week after the U.S. tied one of the biggest heists in crypto to a North Korean hacking group, digital-asset exchange Binance said it was able to recover about $5.8 million worth of the stolen loot that had made its way onto its platform in disguised form. The details of how it achieved this serve as notice for those who attempt to cash out ill-gotten cryptocurrency gains: It may only get harder.

The U.S. Treasury Department last week tied the North Korean hacking group Lazarus to the theft of more than $600 million in cryptocurrency from the Ronin software bridge, which is used by players of Axie Infinity to transfer crypto. The department identified an Ethereum wallet address tied to the group, adding it to its sanction list. Binance was able to trace stolen funds that were initially moved from the hackers’ wallet to Tornado Cash -- a service that allows for anonymous token transfers on the Ethereum blockchain -- and then to its exchange by working with external firms.

“We coordinated with industry leading blockchain analytics firms and immediately froze the funds when exposure to our platform was identified,” the spokesperson said. The crypto was discovered in 86 different accounts on Binance’s exchange, the firm’s chief executive officer, Changpeng “CZ” Zhao, said in a tweet.

While the amount retrieved represents a small portion of the $600 million in crypto that was swiped, the accomplishment raises hopes of recovering more of the stolen funds even as hackers continued to move them around. In the past week or so, roughly 56,200 Ether, or about $170 million worth of stolen cryptocurrencies was moved out of the main address on the Ethereum blockchain used by the perpetrators, blockchain data shows. The stolen funds were all sent to newly created addresses, with some of those addresses in turn transferring the tokens to Tornado Cash. All told, more than $230 million of the crypto has moved from the wallet, according to blockchain data firm Peckshield.

Tornado Cash is designed to break the link between the sender and receiver’s addresses of the transactions, making the supposedly public transactions on blockchain hard to track. Blockchain compliance firm Chainalysis, which has experience in “unmixing” Bitcoin transactions, said Binance’s ability to freeze the funds is “a win” for victims from the Ronin hack. 

“Binance’s action today to freeze funds stolen from North Korean-linked hackers --- despite their use of complex obfuscation techniques...was made possible by world-class investigators with the right tools and collaboration,” Erin Plante, senior director of investigations at Chainalysis, said.

A spokesperson for the U.S. Treasury Department said the identification of the address from the agency last Thursday will “make clear” to other virtual-currency actors that “by transacting with the address, they “risk exposure to U.S. sanctions.” On Friday, the U.S. agency added three more addresses to its sanctions list in connection with the Ronin hack. 

The U.S. government “continues to take disruptive action against entities facilitating the movement of the stolen virtual currency,” the spokesperson said. “We call on the crypto community to lock its digital doors.”

In the wake of the Treasury’s announcement, Tornado Cash signaled it was taking steps of its own to block sanctioned wallets. It announced last Friday on its Twitter account that it is using a free compliance tool developed by Chainalysis to block crypto wallets targeted by the U.S. Office of Foreign Assets Control. The tool, launched by Chainalysis in March, is a free smart contract, or a program run on a blockchain, that scans for crypto addresses that are sanctioned by several governments. Chainalysis also provides paid products that alert their customers to indirect exposure to sanctioned addresses and other addresses they identified as linked to sanctioned entities beyond what’s included on the OFAC’s sanctions list.

A spokesperson from Chainalysis said the firm cannot confirm Tornado Cash is using their tool because the program is not embedded on Tornado Cash’s own codes, or smart contract. According to Tornado Cash, the compliance tool was only used to block sanctioned addresses from using the user-facing decentralized application. In theory, blocked addresses can still gain access to the underlying technology of Tornado Cash by transferring the crypto to another address first. Tornado Cash founders did not respond to multiple requests for comment about the tool and its effectiveness.

On Friday, one of the addresses that received 10,129.935 Ether from the hacker’s main address sent about 1,528 Ether to a second new address, according to blockchain data. That second address was sending Ether in batches of 100 Ether each to Tornado Cash.

More stories like this are available on bloomberg.com

©2022 Bloomberg L.P.