The Ronin DeFi Network Hack and Blockchain Analysis Techniques for Attribution

In early April, we began our research and analysis of crypto and blockchain security initiatives which, in the case of OODA Loop, begins with tracking down the best-in-class research efforts and subject matter experts to explore how they are “framing and naming” the formative core issues surrounding the topic.  In our initial post, we explored the recent blockchain bridge heists, growing national security concerns, and The Secure Blockchain Initiative at Carnegie Mellon.

Since April, the crypto market has been described euphemistically as “experiencing significant downside pressure” or “had a very bleak May” – while most have proclaimed a full-on crash.  The WSJ declared in mid-May that $1 trillion of crypto vanished in just six months – while still others argue that the digital assets were overpriced and ripe for such a correction.  Trust is central to monetary systems, especially in ecosystems designed for the capture, storage, and transaction of value.   Trust continues to be shattered in the world of crypto, DeFi and blockchain business models across a variety of industry verticals as security vulnerabilities and hacks continue to plague the technology.

North Korean APT Targeting Blockchain

A specific attribution has emerged around the giant $618 million hack in March of the Ronin Network, in which “hackers [stole] more than $600 million worth of Ethereum (173,600 ETH) and $25.5 million of US dollar-pegged stablecoin USDC, making it one of the largest decentralized finance (DeFi) hacks to date.   The company, which is tied to the popular blockchain game Axie Infinity, said in a Substack post that they suffered a security breach on March 23. Sky Mavis, a blockchain gaming company, built and controls the Axie Infinity game.” (1)

In April, the U.S. Treasury attributed the Ronin Network heist to the Lazarus Group. According to ZDNet, “Lazarus is among the most prolific and sophisticated of the hacking groups with links to North Korea. The group was responsible for the destructive wiper attack on Sony Pictures Entertainment in 2014.” (2) ZDNet has also reported that the crypto mixer Blender was sanctioned by the U.S. Treasury for its involvement in the Ronin theft: “The United States Treasury has hit cryptocurrency mixing service Blender.io with sanctions, preventing transactions with US persons, off the back of it providing services for the attackers that…from the Ronin sidechain in March. After the attack, Blender was used to process $20.5 million. ‘For the first time ever, Treasury is sanctioning a virtual currency mixer,’ Under Secretary of the Treasury for terrorism and financial intelligence Brian Nelson said. ‘Virtual currency mixers that assist illicit transactions pose a threat to US national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.’

Treasury added that Blender was also involved in laundering for Russian-linked ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab. ‘Blender.io is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations,’ Treasury said.  ‘While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors.’ (3)

In early May, Threatpost reported on the evolution of the Lazarus Group’s techniques:

“Financial transactions and similarities to previous malware in its source code link a recently emerged ransomware strain called VHD to the North Korean threat actors, also known as Unit 180 or APT35.  Researchers at cybersecurity firm Trellix have been tracking attacks on financial institutions from what they believe is North Korea’s cyber army—which is typically generated by Lazarus Group—for the last few years. The group is perhaps best known for its deftness at ripping off the crypto-currency market through money-laundering schemes to raise money for the North Korean government.  However, Lazarus also appears to have been playing the ransomware game for at least a year, Trellix revealed in a blog post this week.

Researchers found that Bitcoin transactions and connections to code from ransomware previously used by the group make it likely that VHD, which emerged in March 2020, is the work of APT38, they said.  A significant precursor to linking Lazarus to VHD was an attempt by threat actors in February 2016 to transfer nearly US$1 billion through the SWIFT system towards recipients at other banks, according to the post by Trellix researcher Christian Beek.” (4)

Joint Cybersecurity Advisory Issued on Lazarus Group/APT38 Blockchain and Crypto Activities

Also in April, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) issued Joint Cybersecurity Advisory AA22-108A, TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies:

“The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).

Intrusions begin with a large number of spear phishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” the alert reads. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”

Screenshot of the CryptAIS website: TraderTraitor campaigns feature websites with modern designs advertising the alleged features of the applications.

Our friends over at The Record dive deeper into the malware applications used by The Lazarus Group:

“These cryptocurrency applications, which the government refers to as TraderTraitor, are derived from several open-source projects and masquerade as trading or price prediction tools. They’re written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework, the agencies said.  Malware payloads observed by the agencies include both macOS and Windows variants of Manuscrypt, a remote access trojan (RAT) that collects information about the victim device and can download additional payloads.  “Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion,” the agencies warned.  The alert provides a list of indicators of compromise, as well as mitigations that apply to critical infrastructure organizations, financial sector firms, and blockchain technology and cryptocurrency companies.”

For the full CISA report, see TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies.

Following the Crypto

In the course of our research on blockchain vulnerabilities and how to think about the threat surface, we discovered recent work by the Center for a New American Security (CNAS). Released in February 2022, “Following the Crypto: Using Blockchain Analysis to Assess the Strengths and Vulnerabilities of North Korean Hacker ” is a deep dive, with specific case studies based on the same types of Lazarus Group activity outlined in this post.

The author, Jason Bartlett, is a Research Associate for the Energy, Economics, and Security Program at CNAS. He analyzes developments and trends in sanctions policy and evasion tactics, proliferation finance, and cyber-enabled financial crime with a regional focus on North Korea, Iran, and Venezuela. What sets this research apart is the blockchain analysis techniques for attribution used by Bartlett and his research collaborators: “This report provides in-depth analysis of North Korea’s demonstrated ability to exploit financial technologies, in particular, cryptocurrencies and blockchain technology, to procure funds for its illicit nuclear and ballistic weapons development programs. This research was supported through blockchain analysis conducted in partnership with TRM Labs, a leading blockchain intelligence firm that seeks to monitor, investigate, and mitigate crypto fraud and financial crime.”

Along with U.S. domestic and foreign policy recommendations, CNAS makes the following recommendation to private sector actors: “All cryptocurrency exchanges should adopt company-wide best practices for increased cyber hygiene, such as incorporating relevant CISA guidelines on cybersecurity and executing mock email phishing campaigns for all employees.”

OODA Recommendations for Reducing Risk in Cryptocurrency Communities

  • Work to raise defenses and reduce risk, but adopt a hacker mindset for continuous critical examination of what matters most. This was examined in our recent post titled Web3 Security: How to Reduce Your Cyber Risk, which leverages OODA’s deep DNA in red teaming and cryptocurrency experience to provide actionable recommendations.
  • In the case of mitigations against the DPRK threat, pay particularly close attention to the protection of user credentials and strongly endorse multi-factor authentication. This is always a best practice but is worth mentioning again here because, as CISA notes, North Korean malicious cyber actors continuously target user credentials, email, social media, and private business accounts. Organizations should ensure users change passwords regularly to reduce the impact of password spraying and other brute force techniques. CISA has done a good job of describing how to mitigate MFA interception techniques for some MFA implementations and how to monitor for anomalous logins.
  • North Korean actors rely heavily on social engineering, leveraging email and social media platforms to build trust and send malicious documents to unsuspecting users. User training should include how to identify social engineering techniques and awareness to only open links and attachments from trusted senders.
  • In keeping with our Web3 Security guidance, exercise and evaluate: use external resources to conduct third-party red teaming. OODA can help here.
  • Additionally, although this particular report focused on threat actors from DPRK, cryptocurrency projects and companies working to field Web3 solutions should also make use of the extensive lessons from all major cryptocurrency incidents. For insights see the OODA Cryptocurrency Incident Database.

Stay Informed

It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.