Hacks of crypto projects are often linked to inside information leaks. New on-chain data reveals North Korean hackers may deliberately target crypto startups, gaining trust to become employees.
North Korean hackers get a step closer to crypto exploits by becoming employees of crypto projects. The past six months have seen a return to exploits, both against projects and against individual wallets.
On-chain investigator ZachXBT noted that the North Korean hackers were also not careful about hiding their tracks. Some of them went as far as tying their wallet activity to a well-known, human-readable ENS name.
The exploits affected the Munchables game team, leading to a hack in March 2024. The game lost between $62M and $64M in ETH, which the hacker later returned.
Attacks continue to undermine the trust in Web3 features, as projects are prone to multiple types of exploits. Some Web3 projects admit volunteer developers, while others face exploits from tainted code builds.
Other attack vectors noted in the past few days include flash loan attacks against protocols. The most recent exploits involved Minterest, hit with a $1.4M flash loan attack, and Dough Finance, which lost $1.9M. The Minterest funds were immediately sent to the Tornado Cash mixer and may not be recoverable any time soon.
Additionally, the websites of several large Web3 protocols were compromised, with links to their normal front ends replaced by wallet drainers. The exploit even affected Curve Finance, which has since recovered its site, though the incident invites further caution when interacting with Web3 links.
Even when the attackers remain relatively anonymous, the pattern used to launder the funds points to the involvement of Lazarus. Some of the funds are not put through a mixer but are instead sent to a list of small non-KYC exchanges. A recent hack showed funds ending up on the Huione Guarantee market, a hub often used by Lazarus hackers.
Example 3: Holy Pengy who attempted hostile governance attacks on multiple projects https://t.co/rjoUNIeOgv pic.twitter.com/tATFCdkZhn
— ZachXBT (@zachxbt) July 15, 2024
Governance attacks affect DeFi
One of the potential attacks against valuable projects is the so-called governance attack. Such attacks can be significant, especially when they redistribute liquidity.
Some of the North Korean hackers have been identified as the perpetrators of multiple governance attacks. The DAO model, which ties voting to the distribution of funds, has invited multiple attacks over the years.
Currently, TrueFi DAO has been trying to ensure fair governance while fears of a potentially malicious governance vote have been raised.
Some of the DAO attacks have also been traced to Dark DAOs, which can afford the funds needed to vote. Such organizations can buy voting rights on other DAOs' proposals, and sometimes they acquire those rights through regular Web3 activities, such as liquid staking.
In some cases, a DAO will hold a vote to distribute a significant treasury. Impostors who have built up stakes can vote and directly gain control of a large part of that treasury. Most DAOs rely on smart contracts, so the process is automated and executes without further human review.
ZachXBT noted that some of the North Korean hackers were easily identified in DAO attacks, as they took no care to obscure their vote-buying with the usual obfuscation techniques.
Huione Guarantee market raises red flags
Connections to the Huione Guarantee market are a new source of red flags for wallets and projects. Such connections can lead to blacklisting, as happened recently to a Tether (USDT) wallet on the TRON network.
Huione Guarantee is not an exchange but a peer-to-peer trading platform offering escrow services. The company operates escrow accounts and claims to be neutral, although it has been observed facilitating personal scams as well as the laundering of funds from crypto heists.
Huione Guarantee's offerings resemble the Telegram markets for abuse and hacking tools, including software and tooling for personalized scams. The platform also relies on USDT for large-scale transfers and for laundering hacked funds. Its advantage is being virtually untraceable: the transactions are tied to small online shops and may not stand out the way pure crypto movements do.
Despite this, research by ZachXBT has also revealed a new list of addresses tied to Huione Guarantee usage.
Cryptopolitan reporting by Hristina Vasileva