Unchained - North Korean Hackers Are Winning. Is the Crypto Industry Ready to Stop Them? - Ep. 789
Episode Date: February 25, 2025

$1.5 billion gone in an instant. And what's worse, to fund a nuclear weapons program. The largest crypto hack in history just hit Bybit, and the culprit is the infamous North Korean hacking group, Lazarus. Known for some of the most sophisticated cyber heists ever, they often use social engineering tactics and start by tricking low-level employees. Although they can often wait to launder funds, in the case of Bybit they started right away. How did this happen? Could it have been prevented? And what does this mean for the security of the entire crypto industry? Taylor Monahan, security at MetaMask, and Jonty, a senior investigator at zeroShadow, talk all about it.

Show highlights:
2:53 Taylor's and Jonty's backgrounds and why they are relevant to this discussion
6:06 What the mechanics of the hack were
13:03 How Lazarus usually operates and the tactic of blind signing
17:11 Jonty's important tips for people handling large amounts of crypto
23:45 How Bybit was able to say almost immediately that their other assets were secure
29:02 How much exchanges typically hold in each cold wallet
32:00 Why the evidence of the hack points to North Korean group Lazarus
41:01 Why North Korean hackers don't care if their attack is linked to them
49:30 How Lazarus typically social engineers its hacks
53:48 Why Jonty thinks the industry needs a serious upgrade in terms of security
58:08 How the funds get laundered in such cases and what the industry can do
1:09:54 The chances Lazarus actually makes money from the hack
1:15:34 How DeFi protocols should approach this problem

Visit our website for breaking news, analysis, op-eds, articles to learn about crypto, and much more: unchainedcrypto.com

Thank you to our sponsors! Mantle, Bitwise

Guests:
Taylor Monahan, Security at MetaMask
Jonty, a senior investigator at zeroShadow

Links
Previous coverage on Unchained about North Korean hackers:
How North Koreans Infiltrated the Crypto Industry to Fund the Regime
Why North Korea Is Interested in Cryptocurrency
Yeonmi Park on Why Doing Business With North Korea Is Like Buying a Ticket to a Concentration Camp
GitHub - pcaversaccio/safe-tx-hashes-util: bash script that checks that the Safe transaction that you are signing is the one that you intend to sign
Cointelegraph: Crypto exchange eXch denies laundering Bybit's hacked funds

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
The other thing is that that's actually quite unique to the North Korean threat actors is that
they're operating in a very, very low trust environment, right?
North Korea on the whole, but especially within these operations, like the individual
operators, the individual like hackers or money launderers really have nobody, like their bosses
don't trust them, their peers don't trust them, right?
Like they're, I think, like Western culture around like teams and management and empowering
your team. It does not exist in North Korea.
Hi, everyone. Welcome to Unchained, your no hype resource for all things crypto. I'm your host,
Laura Shin. We are now featuring quotes from listeners on the show. Today, we have comments
responding to my interview with CoinDesk's Danny Nelson about the Libra scandal. On X, Oversider
writes, quote, the meme coin market is being deliberately crushed. The global financial system is
changing and cryptocurrency is being integrated. This circus with the characters is just noise.
Also on X, ZenBTC says, quote, meme coins will survive anything, but the real story is
Bitcoin adoption in Argentina is inevitable. To have your comment featured, write a review of the
podcast overall, or leave a comment on our video on YouTube or X. This is the February 25th,
2025 episode of Unchained. Mantle is building the largest sustainable hub for on-chain finance.
launching three new products.
Enhanced index fund for optimized crypto exposure,
Mantle Banking for Seamless Daily Financial Experience,
and MantleX for AI-powered innovation.
Learn more at group.mantle.xy.
Crypto moves fast.
It's why Bitwise launched the weekly CIO memo,
a jargon-free summary of what's moving crypto markets
written by one of the best in the business,
CIO Matt Hogan.
Get up to speed in five minutes or less.
Check it out.
at bitwiseinvestments.com slash CIO memo.
Carefully consider the extreme risks associated with crypto before investing.
Today's topic is the $1.5 billion Bybit hack.
Here to discuss are Taylor Monahan, security at MetaMask, and Jonty, a senior investigator
at zeroShadow.
Welcome, Taylor and Jonty.
Thanks for having us, Laura.
Thank you, Laura.
Thanks for inviting us on.
And just a heads up for video watchers, Jonty is not on camera for reasons that
we will get into in a moment. So on Friday, crypto exchange Bybit was hacked for just over 400,000
ETH, which was worth, so the ETH itself was worth $1.1 billion. And then when you throw in the other
types of ETH, including, for instance, staked ether or mETH, that totals $1.5 billion.
This was the largest hack in crypto history. It also appears to be the largest hack ever in
all history. Before we dive into the details, let's start with
both of your backgrounds and your roles. So why don't you tell us a little bit about your history,
working in crypto security, how you came to know of the hack, and then what role you've played
in the aftermath? Taylor, why don't we start with you? Yeah, thanks, Laura. So I've been in crypto for
a while. I've been building wallets for a while. My official job is security at MetaMask. So I do all
sorts of stuff with the security teams to make sure that our product is secure, improve the product
for end users so that they can be more secure, that sort of stuff.
A large portion of my role these days focuses on tracking the threat actors and following them,
understanding them, and hopefully trying to get better outcomes, not just for our users,
but for the entire ecosystem.
And in the last couple of years, I've really focused on what I consider to be the largest threat,
which is Lazarus Group or DPRK, we kind of call them.
And so these are North Korean state-backed hackers who are incredibly prevalent
in the crypto industry, do a huge amount of damage, and they're a bit of a unique threat,
which we'll get into. And so I end up doing a whole bunch of incident response, meaning that when
something bad happens, we help out the teams. And I also do a lot of tracing and tracking to
understand what they're doing. And I've worked with Jonty, specifically on like the Lazarus Group,
their thefts, their tactics for a couple of years now. So it's
been a bit.
Yeah, so my name's Jonty. I work for a company called zeroShadow.
We're a Web3 security and incident response company.
So we help crypto companies around the world firstly prevent, but also respond to
incidents like the Bybit incident the other day.
And really, as an investigator there, my role is to track, trace, recover assets,
working in very close collaboration with all sorts of industry partners to warn them
of funds that potentially they're handling related to specific incidents, and then also work
with law enforcement to actually recover those funds for victims. Victims are very wide-ranging,
as Taylor just mentioned, working in crypto incident response, there is a massive overlap with
the activities of DPRK, North Korea, because some of the largest hacks in this industry originated
from there. So I've been looking at North Korea for a number of years now. I used to work for a
company called Elliptic, and it's an endlessly fascinating threat actor that I guess the one point
I will get into is everybody in this industry should be worried about. Yeah, I think I've said this on
the show, but also my ancestors are from North Korea. I got very, very interested in North Korea
about 15 years ago, a random friend of mine who is not Korean in any way, just decided to give me
this book that's about North Korea. And I became kind of obsessed with the country after that.
So, all right, let us now get into what happened here with this Bybit hack.
Why don't we just start with, like, what Bybit's security setup was and how they normally
signed transactions. And then from there, we can go into, like, what actually happened.
Okay. So exchanges operate by, they basically have a large amount of,
amount of infrastructure. Some of it's automated, right? When you deposit into the exchange,
those deposits are swept into the exchange's wallets. Over time, the industry has actually improved.
It used to be that all of the funds would just be stored in this one wallet. Over time,
we realized that that might be a bad idea. And so today, most exchanges have sort of a variety
of different wallets. They'll have what they call like a hot wallet, which is traditional, very
active. It's on the infrastructure. It's sweeping. It's holding. And today, usually they limit the
hot wallet to be maybe 5%, maybe 10% of the assets. And by the way, you said on the infrastructure,
but I think you meant on the internet. Like it's connected to the internet. Yeah. Yeah. Yeah. It's like
it's on, if they're using AWS, for example, all that, the hot wallet cluster will be on their
AWS, it'll be automated, connected. And the reason why we don't put all the money there
anymore is because if someone gets access to the AWS, it's relatively easy for them to
just take the entire hot wallet, for example. And so as sort of in response to the years of
hacks against this industry, today you have the hot wallet, which has a certain amount of
funds, you'll have cold storage, which is sort of like reserves, and it's not touched as much.
Ideally, it's completely offline and completely segregated from the network, and it's very
limited access. And a lot of stuff has to, a lot of things have to happen for, for money to, like,
move from the cold wallet. And then you'll also hear a term today, which is a warm wallet,
which is a, it's usually a wallet or wallets that are not necessarily kept completely offline and
completely segregated. However, it's not, it's also not like deeply integrated into the hot
infrastructure. It's not always connected to the internet. It's not accessible everywhere.
And so how the exchange generally works is that the hot wallet is processing all the transactions
at a rapid clip 24-7 in an automated fashion.
And then the exchange will have processes to move when they need, like, certain funds or
certain asset, they'll move from hot to warm.
They'll move from warm to hot.
They'll move from cold to warm.
They have all different processes for this.
And in the case of Bybit, some, like some of the warm slash cold wallets were using
Gnosis Safe multisigs, which were backed by hardware wallets.
And that's where a huge amount of money was in this case, that the wallet that was,
had the fund stolen, had $1.5 billion in it. They also have other wallets that were not compromised
that have many more billions of dollars in them. And so basically what happened was that as they
were attempting to move money from one wallet to the next as part of their operations, this was like
a human process. There were multiple signers.
Due to Lazarus being, I guess, inside their devices or systems, when they attempted to make that move,
instead of it going where it should have gone, they signed a transaction that actually just gave Lazarus control
of that multisig, which held all those funds.
And then ultimately, Lazarus was able to take those funds, obviously, for themselves.
Oh, my gosh, yeah, the whole thing is just so breathtaking.
When you say it was a multisig, so normally multisigs have some subset of
signers amidst a larger potential number of signers. So like a three of five situation or,
you know, one of three or, you know, whatever. But do you know what the numbers were for
their multisig? It required three distinct signers. I don't know what the total number was,
but it was likely like a three of five or maybe a three of six. But there were three separate
individuals who signed the transaction. We do know that. Okay. So how common is this setup? Like,
was there any part of it when you're looking at it? And I know, so,
so, Jonty is actively, like, working on some of the investigation. So I don't think he can
talk specifically about Bybit itself. Although, I guess, Jonty, you can, you can tell me, you know,
whenever you can't answer something. But I wondered, is there anything about the setup that,
you know, looks to you like, oh, like, actually, you know, it differs slightly from best
practices in this or that way? So I can't talk about Bybit specifically as,
as you say, zeroShadow is involved in that investigation.
It's ongoing and I don't want to prejudge anything there.
But just talking generally about how North Korea hacks exchanges,
actually often the issues are the humans,
not the infrastructure or the security, actual technical security they have in place.
The operational security and the practices, not just exchanges, but protocols, etc.,
is often the point of fault that DPRK find to hack these large amounts.
Certainly it's very common to see that sort of cold, warm, hot wallet structure at most major exchanges.
But the difference between exchanges that have what I would refer to as very high-grade security
and exchanges that maybe could improve is how they actually interact with those systems more often than not.
Obviously, there are cases where your actual technical security can be improved,
but I'd say where you see very large exchange hacks like the case of Bybit or other
sort of hacks that have been attributed to North Korea in the past.
It's often a human at the end that has been socially engineered or made some mistake
that has resulted in.
Yeah.
Well, actually, there's one analogy I meant to give earlier to help people understand the
cold, warm, and hot wallet analogy, which is you could think of the hot wallet as being similar
to your checking account, the warm wallet as being similar to savings, and then the cold wallet as
being similar to a vault or something like that where, you know, for the vault, there would
be like a time delay and like, you know, moving the money out, et cetera. Savings, easier access.
But yeah, not as readily accessible as your checking. So hopefully that helps because I did see
questions about that. So one other question before we dive into more details on this particular hack,
do you think that other groups that use Gnosis Safe multisigs should be concerned? Or I guess, yeah,
it is. If the actual attack vector was more social engineering, then it maybe isn't even just
Gnosis Safe. It's like literally any multisig. Or? Yep. Yeah. So whenever there's a large
hack, I think people are very quick to look at the specific products,
specific structure, the specific wallets. But in general, especially with Lazarus, it really doesn't
matter. You can use any wallet. You can use any setup. One of the things that they do is that when they
get that initial access to like the humans device, they'll just sit and watch you and they'll
first understand your operations and what you're doing. And so there's not a, there's not a single
product out there that will like perfectly save you.
they're just going to watch how you use it.
They're going to watch what the structure is.
They're going to understand your systems.
And then they're going to come up with a very custom plan that they've really like tailored to you.
And so in the case of Radiant, for example, all of the signers were using different devices.
They were using both Trezors and Ledgers.
They were using Frame and Rabby.
Like they were all different.
And it really didn't trip up Lazarus whatsoever.
They just were like, oh, okay.
So these are the walls
that we need to figure out how to maneuver around.
In the case of Bybit, they have hardware wallets, and then they have the Gnosis Safe, which is the
industry standard for Ethereum for a multisig.
There are some, I guess, difficulties or challenges with specifically, I guess, like the Gnosis
Safe structure, or it's not even really the Gnosis Safe, though, right?
It's how the EVM works.
And when you're signing a transaction, it's not always clear what you're signing.
There's a lot of strings and bits of data that are not human readable.
There are just like these numbers and letters.
And so ultimately, in my opinion, it's not necessarily like the Gnosis Safe that should worry people.
It's the fact that even today, it's very hard to have like full confidence and full knowledge in what you're signing.
And so if your device is compromised, even though you have your hardware wallet that's separate,
if you can't see, if you can't understand what you're signing on that hardware wallet screen,
it doesn't, they can basically trick you into signing anything.
And you'll just kind of, you just have to grit your teeth and sign it because there's,
what else are you going to do, right?
And I think that's one area that not just Gnosis Safe, but all of us need to
work together to improve to make sure that we're not setting people up for
failure. We have proper product integrations at every layer of the stack where you can see,
right, your hardware wallet is going to tell you what you're signing and you're going to
understand the implications of that. Could there be some kind of Ethereum improvement proposal
to address that issue about how, so basically this attack as far as I understand it, is called
a blind signing attack where you think you're signing one thing, but you're actually signing
something else under the hood that you can't see. But could Ethereum change it by doing some
of upgrade to address that problem?
Yeah.
So it's, it's sort of at this in-between layer where it's not necessarily fully at the core
of Ethereum.
It's almost like an interoperable standard between, you know, all the wallets and all the
different dapps and all the different multisigs and stuff sort of agree on.
Like this is how we're going to pass data back and forth to one another.
And these are the controls.
I think that that is, I think the EIP layer is probably like a new
EIP that really figures out the best way to do this and builds on the prior EIPs that we have
for signing is probably a good idea to get on sooner rather than later in my opinion.
I'd say just to add to this, I think there's actually a lot of very simple steps that people
can take to sort of mitigate attacks in this way.
One thing I'd like to call out on this podcast for anybody who's listening, who is potentially
a signer on a Gnosis Safe or is self-custodying a large amount of crypto.
Pascal, the leader of SEAL 911, has created a very helpful utility that's open source and
public on his GitHub, completely free to use.
And it's essentially a bash script that checks that the Safe transaction that you are signing
is the one that you intend to sign.
I would highly encourage anybody who is signing transactions involving Gnosis Safe
and large amounts of money, uses that utility before they press the two buttons.
In many cases, that tool alone is enough to realize something is wrong and not press those
two buttons that could spell the end of your protocol exchange, whatever.
And so just to understand that tool, if Bybit had used such a tool, then would it have
revealed that actually they were signing the ability for this other actor to change the
code of the contract? Because that's essentially what happened, right? When they signed it,
instead they changed the smart contract in some way, is that...? I should say, not just in
the Bybit case, but there are many cases where alerts could have been raised using tools like this,
which could have meant that people chose a different course of action and didn't sign the malicious
transaction.
Yeah.
It throws a couple of red flags.
One is it's not necessarily that the tool is going to like reveal exactly what you're signing,
but it's going to reveal that there's some mismatches, right?
Like what you're seeing on the hardware wallet doesn't match what you're seeing on your
computer screen, which is a red flag in itself.
The other thing is that in order for this hack to be executed,
more transactions have to like be constructed than you're aware of.
So typically if you're signing a transaction, there's like, there's just one transaction that's
sort of in the queue and you're going to go sign it.
What this tool does is it looks sort of like more deeply at all of the transactions.
And if it starts seeing multiple transactions with like the same nonce, which is the sort
of unique identifier of the transaction, it's going to throw a red flag there too.
So, you know, you can imagine that.
So like the user thinks they're signing one transaction with a nonce of, say, 72, right?
Just a number.
What's happening on the background is that Lazarus has inserted their own transaction,
but it's also going to have a nonce of 72.
Normally, you can't see this, right?
However, if you use a tool, there's a more than likely chance that you will be able to at least be aware
that there's like these two transactions floating in the space.
And again, like, that is a red flag.
And it's something that this tool specifically calls out.
And again, like, it's not a perfect solution, but the idea is with the current technology
and how the products currently work, it will raise red flags.
And then ideally people, like, stop what they're doing and investigate more deeply rather
than, again, clicking the button on the hardware wallet.
because that's, yeah, that's how the hacks happen.
I think another quick thing I would say is you should be paranoid when you're making these
transactions. It might be routine and it might be something you do all the time,
but it really does have the capacity to completely nuke your exchange or protocol or whatever
it is. So if things aren't adding up or you're getting errors or something weird is happening,
just stop what you're doing and investigate. It's really not worth the risk. Too many people
encounter issues and just try and brute force their way through it because it's a natural human
thing to do. I'm sure anybody who just wants to get stuff done, get home, go hang out or whatever,
will try and rattle through this. But what they don't realize is that they're potentially
putting a lot of user funds and their protocol at risk by doing so. So yeah, be paranoid or
unfortunately suffer the consequences. Yeah. So in a moment, we'll talk a little bit more.
about how it is that North Korea was able to get into the systems of Bybit,
but first a word from those sponsors who make the show possible.
Mantle is transforming the future of on-chain finance.
With a $4 billion treasury and successful products like Mantle Network and mETH Protocol
and Ignition FBTC, Mantle is launching three new innovation pillars that will bridge
blockchain with everyday banking.
Enhanced Index Fund, offering optimized exposure to BTC, ETH, Sol, and USD, through
advanced staking opportunities. Mantle Banking will deliver seamless blockchain-powered services.
MantleX brings AI innovation to decentralized finance. Experience the future of finance with Mantle.
Follow Mantle on X to learn more about the next generation of on-chain finance.
Hi, I'm Matt Hogan, CIO of Crypto Asset Manager Bitwise. Look, crypto can be confusing.
There's so much noise and the space changes so quickly. That's why, every week, I write a five-minute
memo on the biggest stories impacting crypto in plain English. Why is Bitcoin up or down? What are
people missing? Where should investors look next? Get the lowdown every week. Sign up to get the weekly
CIO memo delivered straight to your inbox. Go to bitwiseinvestments.com slash CIO memo. That's bitwise
Investments.com slash CIO memo.
Carefully consider the extreme risks associated with crypto before investing.
We have more listener comments responding to the episode on the Libra scandal, in particular,
the extent of Argentine President Javier Milei's involvement.
On YouTube, Barrister M. Boler 4867 writes, Milei is no victim. He's a crook.
Also on YouTube, on-chain education says, quote,
he was a victim, in my opinion, but his original intention was probably to extract.
If you have a burning opinion or a spicy take you'd like to share, please write a review
or leave a comment on an episode on YouTube or X.
Back to my conversation with Taylor and Jonty.
I did see shortly after the hack that Ben Zhou, the CEO of Bybit, tweeted,
please rest assured that all other cold wallets are secure.
And, you know, that was interesting to me that they,
somehow had narrowed things down enough. Maybe they understood enough about how the attack occurred
in order to say that. But I don't know if you can reveal how it was that they knew so quickly
that all the other ones were secure. Because I feel like if I knew that they had been in my systems
in some way, I think I would be incredibly freaked out. But yeah, I was just curious about that.
Yeah, I don't. Okay. So to be clear, I don't know. Like, I,
I have not reviewed the full timeline and the incident response.
So some of this is going to be a bit speculative.
But the first thing to understand is that like the nature of this hack is like is like pretty, pretty dang specific.
And if so for example, if if your entire AWS just gets completely owned and all your hot wallets get owned for you to go out and say that like our AWS is secure would be a really silly thing to say.
However, in this case, due to how the attack was executed and most likely, like, you know, the preliminary investigation that the team was able to do, I think the reason that they were confident that the cold wallets were secure is that, one, they know that those wallets are actually on segregated infrastructure, like completely separate and cut out. And the other thing is that so long as they themselves don't touch it, right, don't go signing transactions, even if.
say like all the devices are compromised or all the hot devices are compromised, right?
So long as they don't go touch the cold stuff, then they are secure.
And I think that's, I mean, it's, it's, I'm pretty dang sure that that's, that was the
approach that they took, right?
Is like they, they really did just like press pause on, on doing any, like, any big transfers
as they were going through the investigation.
What I'm confused about is I thought that I heard that they had seen a 50% drawdown in their assets.
Was that the right percentage?
Do you guys know?
There were huge outflows pretty quickly.
So if the hot wallet only has like 5%, that's why I don't, I don't know if they could have gotten away without touching any of the other cold wallets.
Well, yeah.
And later on, they did have to, they did have to top up the hot wallets at one point.
However, the way, I'm not sure that they moved from cold, basically.
They've been working with a lot of industry partners and things to, you know,
both de-risk the situation as the investigation, the forensics are done on their devices,
but also, you know, you want to, it was a priority for them, clearly,
to not, like, completely turn off the exchange and potentially impact, you know,
all their legitimate users.
And so they have prioritized that.
And they've been working with other exchanges and their partners and investors and people in the space to make sure that, you know, their operations are not only secure on the one end, but, you know, users are are not locked out.
Right.
Like they're not just saying like.
Yeah, you can't withdraw.
Yeah, they're allowing everybody to withdraw.
I just realized actually one other possible theory is that since it was only ether that was taken,
that they realized any other type of cold storage for other assets might be okay.
And some, you know, I'm just speculating, but like they got the bridge loan so that they could
cover any ether withdrawals.
And then, you know, maybe they realized like, oh, actually like these Bitcoin wallets or
these Solana wallets or, you know, whatever the other assets are, like those are safe.
So I'm just speculating. I'm not. Yeah, I mean, in this specific area, I'm speculating as well because I don't, yeah, I don't have a full like rundown on their systems. And there are other like they have real cyber forensic incident response doing like full forensics on the devices. They're going to find the full intrusion set. They're going to go through every single log. They're going to determine exactly what happened. Like if malware was used, they're going to do full malware analysis and understand
very precisely, right? Like, when did they get access? How did they get access? Who did they get access to?
How they move through the systems? And that investigation is obviously still ongoing. It's going to take a
couple months to get the full picture. But even just initially, you know, they know their systems.
They're not, they've been doing this a while. So they can, you know, based on what happened,
based on what they know, based on their systems, you know, they do have, they do know like what,
they have some sense of what's going on and what's, you know,
a reasonable versus unreasonable risk to take given the situation.
So there is one question that I did also have about the setup, which is I heard Ben say in,
I think this was a spaces that he did.
I know that Ran Neuner was the host, but I can't remember which group hosted the space,
but we'll put this in the show notes.
I did hear him say that they had 70% of all their clients' ETH in that one cold wallet.
And that to me was, you know, I was like, wow, I'm not even an exchange person, but I don't know if I would ever put 70% of any type of asset in one cold wallet.
Because basically, so the transaction that they thought they signed was to only move 30,000 ETH from the wallet.
But like I said, the hackers changed the contracts so that they were able to obtain more than 400,000 ETH.
So I wondered, is there some kind of standard about what is a reasonable amount to put in one wallet?
Well, the standard used to be all of it in your one hot wallet.
Well, that was probably abandoned a very long time ago, right?
Yeah.
I don't think there's a – okay, so there's not like a hard standard that the industry has decided on.
it's up to the exchange and their operations to understand how much they can can separate each
different pile out. I think that after this incident, I think both Bybit but also other
exchanges are going to reevaluate exactly what those percentages are and evaluate like
if this thing gets compromised, what, you know, what harm is done.
Actually, do you know for other exchanges what you, and you don't have to name any of the
exchanges, but do you just know what typical percentages are? So typically they try to limit,
like I know like the hot wallet, typically like just broadly speaking, it's like less than 10%
should be on your hot wallet. I think what makes it more complex today is that it's not like
in this case, in the WazirX case, and there was another attack on DMM Bitcoin that was very
similar, but it was a Bitcoin only exchange. What complicates is that it used to be you had just hot and
then you had hot and cold and now you have this sort of intermediary warm. And so, you know,
even if you're saying that the hot wallet is going to be limited to say 5%, you know, if your warm
wallet has 95%, I think we've learned that that's probably not a viable position. You know,
but because everything's so rapidly evolving, there's just there's, yeah, I don't think that
there's an industry standard. I think that everyone should be really deeply like looking at and
assuming that the warm wallet can be compromised and even the cold wallet can be compromised and making
sure that it's not necessarily that like it's just the hot wallet that's at risk like all the
wallets are potentially at risk let's not put a billion dollars in any anyone wallet anymore yes yes
for the good of everybody minus north korea okay so i know we have kept saying that it's north
Korea who did this hack, et cetera, but we have not gone into the evidence. So can you guys explain
what the evidence is that points to North Korea and specifically an entity within it? It's not really
within it. It's an entity that works directly for the government called the Lazarus Group.
Because basically, just for people to understand, everyday people in North Korea are not logging onto the internet and using crypto. Only the most elite people who benefit from the dictatorship get to do things like go on the internet and leave North Korea and all that. So they are the ones who are trained to do that. They do it specifically for the government so the government can avoid sanctions and fund their nuclear program. So that is the purpose. It is not everyday North Koreans. Those people are oppressed. They are not even allowed to listen to a song from outside of North Korea. They're not allowed to watch a movie or a TV show. You can be sent to prison for consuming pop culture from outside of North Korea. So yes, this is just people who are trained by the government to do hacking on the government's behalf.

So what is the evidence that it's the Lazarus Group? Jonty, can you go into any of this broadly?
I can go into some broadly and talk about attribution in general. So attribution is a really tricky problem, both just in the traditional cyber world, but also we're sort of doing slightly separate attribution, if you like, based on how an entity, A, hacks a crypto company, but also, B, then subsequently launders their money. And actually, often following the money is a good way to try and work out who is behind a given attack.

So I think it's already very public, but in the initial stages of the laundering, the stolen funds have been sent to wallets which commingle the proceeds of other attacks. So the attacks that have definitely commingled funds with the Bybit attack include the Poloniex hack, the BingX hack, and the Indodax hack. Several of those have been previously publicly attributed to North Korea, not only by ourselves, but also by government agencies across the world.

And actually, wait, sorry, Jonty, just to ask you, you said Indodax. Did you mean the Phemex?

Phemex as well, yeah. So Phemex would be another example. But talking about exchange hacks that have been very publicly attributed to a specific North Korean threat actor known as TraderTraitor, I'd highlight those few. But what this means is we can say certainly the same entity is involved in laundering the proceeds of all of these hacks. It doesn't necessarily mean that they're all the same perpetrator. But actually what we've observed in observing this particular threat actor over the years is that they launder only their own money. They never really commingle funds with hacks that have been perpetrated by another source. So that is one really big bit of evidence: just by following the money, you could potentially use that to attribute this hack.

The other things we look at are what, in the traditional cyber world, are called tactics, techniques and procedures. So these are sort of the ways in which a particular threat actor goes about their attack and sort of the subsequent laundering. It's probably of no surprise that North Korea, and particularly TraderTraitor, is by far and away the most sophisticated crypto money laundering entity in the world. And what that means is, for an investigator like me and Taylor, who try and track these assets all the time, there is a particular sophistication and signature that is left by the launderers of these funds, but really you get to a point where the only solution is North Korea. We also use things like device indicators and typical tactics and techniques around what services, particularly TraderTraitor, like to use to launder their money, but all of this is to build an intelligence picture that will allow us to attribute with a certain degree of confidence to North Korea. Hopefully that gives you sort of a brief.
Yeah. Well, there was one thing that I noticed. So Arkham Intelligence put out a bounty for resolving who perpetrated the hack. And then ZachXBT solved it and showed that the hackers sent some portion of the funds to the same wallets that had been involved in the Phemex, BingX, and Poloniex hacks. And what was interesting was, I don't know if you guys noticed this, but for those transactions where they sent some amount of the funds of all of those hacks to these same wallets, that is how he was able to connect that, okay, it's the same hackers who did those other hacks: the hackers sent only a tiny amount from all those hacks into those other addresses. And looking at, let's say they had stolen, whatever, 10,000 ether or something. One of the hacks, the BingX one, where they had transferred that tiny bit to this other wallet, that again had also received a tiny bit from one of the other hacks, I think it was Bybit. They only sent 0.00195 ETH, which was about $5.25 the day of. I mean, it was only last week, so it's very similar to the current price. But there's just something about that where I saw that and it made me feel like they want us to know that it's them, and they're just putting a tiny bit of change from the hack in these wallets so that we can connect the dots. And somehow it felt very foreboding or taunting. Maybe I realize I'm interpreting a lot of this. But what did you make of the fact that that's how they're doing that?
So I don't think they're taunting. They actually don't have a ton of awareness of the conversation about them, surprisingly enough. They're just focused on laundering the money and being efficient. The other thing is that that's actually quite unique to the North Korean threat actors: they're operating in a very, very low trust environment, right? North Korea on the whole, but especially within these operations. The individual operators, the individual hackers or money launderers, really have nobody. Their bosses don't trust them, their peers don't trust them. I think Western culture around teams and management and empowering your team does not exist in North Korea. And so a lot of times what we see is that when they're laundering, there are a lot of handoffs where it seems like they're handing off the funds to maybe their boss or to the next team or the next shift or something. And the other thing that we see, which I call dust collection, is that a lot of the time someone comes in later and sort of does a sweep of all the wallets that were used for a prior laundering and makes sure that they got all the funds. Because, again, the laundering process is thousands of addresses a day, right? Funds being split up and being consolidated and bridging and going back and forth. And so a lot of times they'll have this pile of money that's moving through space and time through all these different addresses, but either another team or maybe their boss is going in and making sure that they got all of the money after the fact, right? They didn't accidentally lose an address or leave a hundredth somewhere. And we call it dust collecting because sometimes you'll see a large number of wallets, if they had 0.1 ETH or 0.01 or 1 ETH or whatever, those will all get consolidated sort of into a separate track. And it's very interesting, but it's very unique to North Korea, because they have a huge number of people who are doing these operations, whereas your typical DeFi hacker is typically operating as a lone wolf, right? They don't have to hand off. And they also don't have the ability to send thousands of transactions manually at the same time, right? You can see these threads with the North Korean laundering that require a huge number of people to be each individually moving the money at the same time.

Meaning they don't have tools to automate that? Or what do you mean?

They automate. Jonty, do you want to go into this?

Sure. So they certainly have some tools that help them with laundering, but it's very clear that there are a large number of humans involved in this process. It's humans using tools. It's not like some AI or whatever is doing all the money laundering for them. Ultimately, humans do a lot of this, and humans make mistakes sometimes.

Another thing I wanted to draw out, though, is a key difference between North Korea and other threat actors is that North Korea really don't care if we work out that a hack was perpetrated by North Korea after the fact. They're never going to get arrested. No one's going to go to Pyongyang and put these guys in handcuffs. So really, they're optimizing for something completely different than a lot of other hackers. If you're a Western hacker, you've got to be worried about the FBI coming and knocking on your door, right? Whereas they're optimizing for speed and mitigating the risk that their funds are intercepted. And the two things look different on chain. So if, 24 hours after the fact, I can say, oh, because of X, Y, Z reason, they've commingled these funds, therefore this hack is definitely North Korea, they don't care if they've already converted those funds to cash. And really, it's a very different approach than is taken by other threat actors, where often laundering is very slow, methodical, and they're really trying to conceal their identity as the thing they're optimizing for, versus trying to just move the money as quick as possible.
Okay, this is just so fascinating. I have so many questions. Taylor, I did want to ask about something that you said before, where you said they don't seem to have a lot of knowledge of what we're saying about them. How have you figured that out?

So there's always a concern that when myself or ZachXBT or anyone really tweets something, that will have an impact on what the threat actors are doing. You can use this to your advantage, right? You can tweet some things that make them hopefully go in a certain direction. It can also have disadvantages, right? If you reveal your hand in a certain way, they might say, oh, that's a good idea, let me go screw with them some more or whatever. Historically, there are things where certain information was either tweeted about or made sort of crypto mainstream media, right? The Block would do a big article on it, or DL News would do a big article. Someone would do a big article on something where you would assume that if these threat actors were reading that, they would change their activity. It would impact how they acted. And it does with DeFi hackers, right? You'll see their tradecraft does evolve over time. They'll actually kind of respond to each other as well. If one of the other DeFi hackers screws up, you'll see the next DeFi hacker be very careful not to make the same mistake. But with the North Koreans, it's just different. I think the best way to put it is, like Jonty said, they are really just optimizing for efficiency and not having their funds frozen. Everything else is sort of just fluff to them. They're not trying to be clever. They're not trying to outsmart us necessarily. If they get the funds out, that's a win. If they don't, they've lost. And they don't need to overthink the social conversation that's happening, especially in the West.
I think this is not to say that North Korea hasn't evolved their tactics over time. We are in a very different space today than we were five years ago with regards to North Korean laundering. And that is directly as a result of exchanges and services in the crypto industry taking actions to mitigate their exchange or protocol being abused by North Korea for money laundering. So as a really clear example of this, you will never see TraderTraitor put seven figures of funds onto an exchange at any given time, because they've learned over the course of laundering lots of money for lots of years that if they keep lots of funds on an exchange at the same time, we can get big freezes. So that's why you probably would have seen, in 2021-22, "X, Y, Z company has been able to recover multiple millions with the support of insert other XYZ company here." Whereas nowadays, really, they're only keeping... even them keeping six figures, $100,000, on an exchange at any one time is a lot of money for them. So the sort of scale of the freezes that we're able to get is much smaller. So that's one way in which North Korea changed the way in which they act. But it's directed by what the crypto industry is doing in response, not necessarily what Taylor and I say on a podcast like this.
Okay, okay. This is all just so fascinating. Honestly, Taylor's point about how they're in a low trust environment where they can't trust anybody, that definitely rings true to all the things that I've learned about North Korea, where people can snitch on you and you and your family could go to prison for three generations. You literally live out the rest of your days in a concentration camp, or you could be executed. I mean, there are so many crazy things. So yeah, very, very, very low trust environment there. So I also just wanted to ask, and I don't know if this is confirmed, I just saw people tweeting about it and some other things online, but I wasn't sure what the level of confidence was in this. But people were saying that it seemed like the hacker was this specific person named Park Jin Hyok. Do you guys have confidence in that? I couldn't figure out the accuracy of that. Taylor's shaking her head.

No.
No, so he's one of the hackers that has been identified in public indictments previously. And I think there are wanted posters of him. That dates back to the Sony hack era.

Which wasn't a crypto hack.

That was 2019 or so, or even earlier. Actually, he was involved in... they traced him and sort of have his activity, his very specific activity, from Sony through Bangladesh and then into the early crypto hacks. So I think NiceHash and the 2017, 2018 era ones. They have sort of linked it through his different email accounts and logins and infrastructure and stuff. However, it was a very different time back then. Their hacking operations, especially their crypto hacking operations, were a much smaller operation, where today it's massive. I actually don't think that we could say that any one hack was perpetrated by one North Korean hacker. These are large operations. They are operating as a team. They have different teams on different portions, right? So the people that are doing the social engineering and messaging and doing the research about that, that's a completely separate team from the team that's designing the malware and going into the devices and exfiltrating the data and doing the observation and then writing new malware. And that's actually a completely separate team from the team that's actually stealing the money, right? It's go time, let's go. That's a separate team. And that team also does the very initial laundering or swapping out of assets. So if they steal, for example, a bunch of USDT, they swap out very quickly. That's one. They take the money, they swap it out to usually the base asset to make sure they don't get frozen, and then they hand off to another team, which is the laundering team. And so to say this one guy is the hacker is just not accurate, especially at this point.

Okay. Yeah, from what I was seeing about it, it was like, wait, where are people getting this? And there was something about it where I was like, I don't know where this is coming from. So I'm glad that I asked. Okay. So let's now talk about kind of the real vulnerability, which is the social engineering. I know at least Jonty cannot talk about how it was that he thinks, or anybody at this moment thinks, their system actually got compromised. But Taylor, I don't know if you have ideas or if you could just talk generally about how the social engineering works, because I would imagine, like I know even just for my tiny operation, we're constantly talking about, don't do this, don't do that. I would imagine if you work for a crypto exchange, then you are very, very buttoned up about all your internet behaviors. So what are some of the ways they manage to social engineer these people?
Yeah. So with TraderTraitor specifically, I think people should understand that, one, they have a lot of people sending a lot of messages, a lot of different personas. A lot of people are doing research into the companies and the people at the companies. And then it's a bit of a numbers game, right? They are constantly, really constantly, aggressively sending messages to a huge number of people. Typically, we see them targeting engineers, developers, system admins, infrastructure guys, the more technical operations. And we will see them target and message and try to get initial access to multiple people at the same company simultaneously. So it's like a blanket attack on this one company. And so they're doing this very deep research on the company and then targeting all of the people that might work at that company. The other thing to keep in mind is they're doing quite a bit of research. So they will not just send a random phishing link and hope that you click. They're doing research into the individual themselves and the company and their operations. So sometimes we've seen them ask about the specific stack. Like, hey, you have experience with AWS and Kubernetes, right? That's an opening line that sort of disarms people a lot, because it's a curious thing, right? And it's not an obvious phishing attempt.

But wait, but wait. Is that coming from another compromised device, like from a person they think is friendly, or are they literally responding to a stranger asking that?

So sometimes it's a stranger, a random person on, say, LinkedIn. Sometimes they are impersonating maybe another system admin at a different exchange. Sometimes they use job offers. Sometimes they ask for help. They'll act like a younger developer who needs help solving a problem with their code. They'll also evolve quickly based on whether or not they're getting a response. And they'll also be very persistent and aggressive in terms of repeatedly messaging. So if they don't get a response the first time, they'll try again six hours later, eight hours later, maybe two days later. If the conversation falls off initially, they'll come back in a couple of days, following up about it. And over time, it disarms people, because I think people are expecting a phishing link to be dropped. Two weeks into a conversation, they may not understand what this person's game is or what they're trying to do. But they're like, well, if they wanted to phish me, they would have already phished me. And so then they're like, well, it's just a younger developer who's kind of annoying, but good faith. Or, wow, this guy really wants me to work for his company. Maybe I should send him my resume. Maybe I should see if this is a real, legit job offer. And it's just so persistent. And they're very knowledgeable. They're very good at what they do. That's all I'll say. If you get on their radar, it's going to be pretty hard to completely avoid it forever, in my opinion.
I just wanted to make a point about something you said at the start regarding security awareness at large crypto companies. I would actually slightly disagree with what you said. I think that, taking the crypto industry in general, it is at a particularly vulnerable point where crypto companies often have very substantial TVL and simply haven't grown the security function in their company or at that exchange or whatever to match that TVL. And often this is because crypto is ever evolving. These things happen really, really quickly, overnight. So there just hasn't been time. Or I think the real issue is that security is very much an afterthought. We've said a lot on Twitter, both Taylor and I, very publicly, that security is often something people only care about after the incident. And as soon as you've had that big incident, then obviously your entire security posture and the way in which you go about it changes. But there are too many cases in crypto where people really need to start caring about security a lot more than they currently do, before the incident. And I think that this is a sort of cultural thing that people like North Korea are exploiting massively. And it really needs to stop. I've tweeted publicly, I think this industry needs to get serious. We're at the point where, if we want this to become a big thing, and I very much do, right? But the way in which we're currently going about this in general is just not serious, I don't think. It sounds like a joke when I say, oh, North Korea hacked someone for $1.5 billion. And we do make jokes about it all the time. We're very, very guilty of that. But really, there are really bad people in the world who are targeting you. And you need to be very aware of that fact and take the necessary precautions when you're handling billions of dollars of funds.

Yeah, when you said that that sounds like a joke, Taylor and I both did start laughing, because it is just so bonkers. I don't know if you've ever been in a situation where something very serious happens, and it's so shocking, but people kind of laugh. It's a little bit of a nervous laughter thing. Your body needs to release this crazy tension and you do it in a laugh. But it is so mind boggling. I remember in the Slack, when somebody said, hey, $1.5 billion has moved out of Bybit. We didn't know at first what the reason was. And when I realized it was a hack, I was just like, all caps, oh my God. You couldn't imagine what I was saying. But I was just like, this is so big.

So one other thing that I wanted to mention about Taylor's comments about how they're targeting these kind of lower level technical people at these different companies is it sounds so similar to pig butchering, where it's basically like you just gain the trust over time and you don't go in for the kill right away. It's literally exactly the pig butchering playbook. And the other thing that struck me in the comments was, and I know she kind of said this already in a different way, but this is actually exploiting the fact that, outside of North Korea and probably maybe China and, I don't know, there are certain countries where, you know the ones, people don't trust each other because they can't. But in our culture, there's some level of trust everybody has, right? So they are exploiting that. And it is a hard thing to change when you have grown up to... I think especially, I mean, now we're going to go down a rabbit hole. But I just want to say briefly, I do think, well, I don't know, maybe it's just because I'm from the Midwest, so I do think that Americans, or at least certain portions of Americans, tend to be a lot more trusting than other cultures. I've noticed this a lot when I've traveled around the world. So obviously Bybit is not American, but I do think that a lot of cultures, aside from very specific countries in the world, are more based on trust.

So the one thing that I wanted to ask was, obviously for such a huge amount of crypto, how can they launder this? And why don't we start with how they typically launder, and then we can look at this question of how they could launder this amount.
So I guess if we're talking specifically about North Korea, their ultimate goal is that they want cash. Crypto is not very useful for them. You can't buy parts for a nuclear missile with crypto yet. I mean, maybe one day, I don't know. But cash, and particularly foreign cash, you can. So things like Chinese yuan, US dollars, are massively helpful for them. The way in which they go about that is firstly they have to obviously launder the funds, and the reason for that is because, as you probably rightly say, you're not going to find someone on a street corner who can exchange your $1.5 billion of crypto for cash. So they have to do this through a sort of pseudo-legitimate means. So North Korea will make use of the services that you and I make use of to launder their money. And then ultimately, they typically use a lot of OTC peer-to-peer traders based in Asia, particularly China, to ultimately swap that crypto for cash.
And just earlier when you said they use the services that we typically use to launder money, I didn't know what that meant. I'm certainly not laundering money.

No, they are using the same services to launder their money that we use legitimately. And that's a really bad thing, because it completely undermines the legitimate usage of particular services if they don't stop this stuff.

And just to be clear, you're probably talking about something like a Tornado Cash, like a mixer.

Oh, not even a Tornado Cash. I mean mainstream exchanges or protocols. I mean, right now, I can say this: over $100 million has been laundered through a service called eXch. eXch is very integrated, sort of at a network level, with Thorchain. So if you look at the Thorchain volume moving from ETH to Bitcoin in sort of the last two days, you'll see the overwhelming majority of it is related to this hack. And this is really bad, because it completely undermines the legitimate uses of something like Thorchain to bridge your funds from one place to another. And we as an industry need to be really cognizant of the fact that if we don't start asking ourselves the question, what can we do to stop this, then we're inviting people like the US government or other governments around the world to ask that question for us. And I really don't want to see that happen.
All right. Well, so at this point, they have started to launder $100 million. But I did see that there were quite a number of partners who had also blocked funds. So can you tell us a little bit about those different partners, who they are and how much has been blocked or frozen?

Yeah, absolutely. So the biggest freeze so far was the Mantle team. So actually, as part of the proceeds, they stole some Mantle staked ETH. Mantle was able to work very quickly to ensure that they weren't able to unstake those funds, and ultimately Bybit will recover those funds. In terms of other freezes, I mean, Bybit has been calling them out on their Twitter, but North Korea have been using some exchanges, particularly instant swap exchanges, to move funds from one chain to another, and we have been able to intercept some of those movements of funds. But honestly, the numbers are really small compared to the amount that's being laundered. And the reason for that is that they're primarily currently using this service eXch, which is non-compliant and doesn't cooperate with us or law enforcement. And really, there's nothing we can do to stop that. This doesn't mean to say that they are cashing out the funds, I'd like to point out. This is just sort of the first stage of a very long, multi-stage laundering. But at present, that's where the funds are moving. And there's little we can do to stop it.
And just to understand how it is that the partners block the funds. So let's say, for instance, something like a Tether or a Circle, they need to wait for the funds to be swapped into their stablecoin before they can freeze them. So are they watching for any conversion whatsoever from that address? Because, here's just a kind of thought experiment. I don't know how this would happen, but let's say that they convert into that stablecoin and then they're somehow able to cash out before Tether or Circle notices. Is there some way where they could do the swap into the stablecoin and then, within, like, 30 seconds or something, swap out and manage to hop through without getting the funds frozen? Or can they somehow right away freeze those funds just once they exist?

So every single exchange, instant swapper, stablecoin, DeFi protocol, CeFi protocol, they're all different. And one of the things that myself and Jonty and people like Zach do is figure out what's possible, what people are willing to do, what their processes are. So, for example, in this actual case, they did swap into Tether momentarily. And Tether was, and consistently is, to be honest, really on the ball. And so the process typically looks like: someone notices that the funds have been swapped into Tether. Someone works with Tether, and usually with a law enforcement counterparty as well, to show all the pieces that need to be shown: these are stolen funds, they're clearly stolen funds, this is a serious situation, please freeze these funds. Again, everyone has different processes, though. Circle's process for USDC is very different than Tether's process. And then once that sort of, I guess, huge process has been completed, right, they've verified and they're sufficiently confident that they should freeze these funds, then you actually have the technical part of it, which is that they have to get the signers to actually sign the transactions to freeze the funds. Multiple people have to approve of the freeze, or not approve of it, but they have to sign the transaction for the freeze. Sometimes, like in this case, everything just comes together and you're able to freeze them before they swap out. In other cases, there's a delay somewhere, or someone's not certain about the source of funds, something that's tripped up. Things happen. And so they'll swap in, maybe they'll bridge it, they're doing something. They're usually trying to bridge it when they're swapping into stables. And then they'll swap out before the freeze can land on chain. And this is super common. And part of what we do is trying to move fast, and also trying to get the controls to be not quite so manual. Right now, it really is a lot of humans doing a lot of manual tracing and a lot of communication to make things happen, to slow down the hackers and to intercept the funds. Ideally, the industry over time has stronger processes and controls so that humans don't have to run around notifying protocols that Lazarus just deposited, you know, $20 million into their exchange and praying that they do something about it.

Yeah, one thing that I will say is actually just hearing you talk makes me realize I don't think things have evolved that much since, I hate to say it, since 2016 and the DAO hack. Because, and I don't remember how much of this I was able to put in my book, so I'll have to speak vaguely, for various reasons, since I'm not sure if I can say all the details here. But let's just say when the DAO hacker was cashing out, and again, this is on the Ethereum Classic chain, because their funds were taken from them on Ethereum when it hard forked. But let's just say there was a place that the hacker was using. And there was a person at that place who was kind of monitoring and able to keep the hacker from cashing out. But they weren't always online. So there were times when, yes, transactions went through. But tell me a little bit more about the cat and mouse situation.
Yeah, I was just going to say, with regards to the cat and mouse, and this is going to sound really negative. I don't want to be. I'm very cruel this industry. But in my eyes, we are certainly losing the cat and mouse game. Much like I think we need to get serious about security practices and preventing these incidents happening in the first place, exchanges, services, protocols also need to get serious about the role that they're playing in laundering these funds, knowingly or unknowingly. And it is a bad long-term outlook if we don't get ahead of this laundering now. It's not acceptable for major exchanges to launder large sums of DPRK or any stolen funds, especially when they know funds are stolen. It's simply a process issue. They don't have the processes or tooling in place to actively and effectively mitigate these problems. And there's various parts that come into this. You could point at blockchain analytics companies. You can point at, you know, exchange compliance people themselves. But ultimately, it's just we need to get serious. We need to start with seeing this as a problem. And then we can talk about trying to develop the solution. And I think we're still at the seeing-this-as-a-priority-and-a-problem stage. No one wants to invest in compliance and security. It's not going to pump your bags, right?
Right.
I did want to ask, though. I think both of you at various times in this conversation, and I've also seen online, that North Korea does not try to cash out in any hurry. They can keep funds in various wallets before they try to cash out for years, or I don't know how long, but for extended periods. So do you sort of expect that they'll just kind of bide their time until either nobody's looking or whatever, or they'll just grab, laundering small bits? Or what do you think the prospects are for them to actually get real money out of this?

Dude, I'm not going to speak on this, because I didn't think that they would start laundering the money the night of. They literally stole the money and 12 hours later, they immediately laundered 5,000 ETH. And then as soon as that 5,000 ETH was on Bitcoin, they did another 5,000. They were moving so fast. Jonty, you can fill in the rest, though.
Like, it's wild right now.

I genuinely think the only reason they sit on funds for a long time is volume issues. It takes a lot of personnel and manpower to launder the amount of funds that they have. And so it's not that... I'm sure that they would like the cash immediately to put towards the nuclear weapons program. But, you know, if they're not laundering the funds that we can see, I think it is fair to assume that there's some other funds we can't see that they are laundering. And actually, when you talk about the prospects of them converting this stuff into cash, a lot of that is entirely within our hands as an industry. I put the question back to the industry: how much do you want to care about stopping this stuff? If everybody's eyes are on it... And actually, I think this could be a really good point. You know, you take this horrific incident involving Bybit, maybe this is the step change that we need, that people start to care. And, you know, I'm making very blanket statements here. There are obviously big exceptions to these rules, and there are some people who are doing a really good job. But I think, yeah, just in general, it's very much in our hands, and right now I fear the probability of them getting cash is quite high. Yeah, I expect, um, if I had a guess...
So here's the thing. The only blockers that they have to getting to cash is us. It's our protocols. It's our blockchains. It's our liquidity. It's our willingness to stop them. So for example, if they're using instant swappers and nobody's stopping them, they will hurl 50K, 100K, 200K, 300K through the instant swappers to another chain for as long as they can, right? Until the instant swapper stops them. Once that happens, right? Once they get frozen, no longer do they do 100K, 200K, 300K. They'll do 50K, right? 50K, 50K, 50K. If that gets frozen, again, they don't stop, right? Now they do 20K, 3K, 1K, $500, right? They just keep getting smaller, but they'll keep bombarding. Because even though they're getting frozen one-off, you can imagine a pile of funds in a whole bunch of different addresses; they'll just be hopping around and outrunning the different exchanges and what they can do. The issue is that the centralized entities got pretty good at stopping them. And so they eventually sort of gave up on those and have moved to, specifically for this situation and recent ones, right, eXch and THORChain, which they can use with no risk of freeze. A million dollars, $2 million, $3 million. eXch, what did we say, Jonty? $100 million?

29,000.

North of $100 million in two days.

Yeah.

So in 48 hours, $100 million has gone through eXch with no friction and no risk to the threat actors. The same goes for a lot of the DeFi protocols. And I understand that this industry is very, very morally opposed to any idea of censorship. I'm not proposing that we permission our protocols, but I'm saying that if you let North Korean hackers steal money from our industry and then launder it to the tune of $100 million in two days, right, $50 million a day, that is a problem. And that is a problem for this industry. It is a problem for your protocol. And yes, you should fear the U.S. government, but you should also fear the hackers, the thieves that are running circles around us, because you are also incentivizing them to continue to do this. Lazarus has pivoted their entire operations to crypto, to stealing crypto, right? Because it is the easiest way to steal. Our security posture is not strong enough, and they can actually get it to cash, right? If any of those things change, we're in a better position. But instead of really thinking deeply about how we can come up with creative solutions to slow them down, which does matter, right? It matters. If they can do 100 million versus 2 million, that's a massive difference. That's a massive win. Block them, create risks for them, freeze them. Those all not only slow them down, they have an impact on the ROI. But if we just pretend that this isn't a problem or that we can't do anything, they are going to continue to do this, right? And you can do the math on how long it'll be, but they stole $1.5 billion. They've done $100 million plus in two days. It's going to take that long for them to finish the first stage of laundering. There's a few more stages after that. But eventually, inside this year, they will have 1.5, well, if I had to guess, inside this year, if it continues on as it stands, they'll have $1.2, $1.3 billion in cash. That's a problem, in my opinion, and we should do something to stop it.
Oh, yeah. I mean, if the U.S. government sanctioned Tornado Cash after $600 million was stolen, and this is two and a half times bigger, like, for sure. I mean, no question. But Taylor, or either of you, what do you propose for DeFi? Because you're right, that conversation is very controversial in the crypto world. So how would you propose they block funds in DeFi?
Yeah. So in my opinion, the conversation needs to shift, because a lot of times when I bring these conversations up, they ask me, what's the solution? I can offer solutions. I have a lot of ideas that I can throw out there. But I think that it is a horrible, terrible plan to invite outsiders into your protocol and your product's decision-making, right? I have no stake in the game. In fact, I have the opposite stake in the game. I'm chasing the bad guys that are using you. Don't invite me to go deeply look at your protocol and find the weak points and then tell you what to do. I think that it's a much better plan if you invite the people that are aligned, that have stake in the game, to come up with, again, these really creative solutions that don't undermine the sanctity of your protocol, right? If your end goal is to create a permissionless protocol that anyone can use, or that, you know, empowers people, whatever it is, right? That's like the one side of this. The other side is that, hey, it turns out that when people steal money from each other, that's not what we want to do. That's not empowering people. Where is the balance? What are the levers? How do we de-risk? How do we make sure we don't exclude legitimate people while still blocking out the stolen funds? There's a huge amount of things that protocols can do without turning on KYC. But until we're ready to have that conversation, we can't come up with those solutions. And again, stop inviting other people into your protocol. You guys have to do it yourselves. You have to figure it out yourselves. I'm happy to give my thoughts and stuff, but the habit of saying it's not a problem and then sort of demanding an answer from outside people who are not aligned with your protocol, again, terrible idea.
But when you say that you're not aligned with their protocol, I don't... that doesn't make sense to me, because...

Well, so, for example, if you're a random DeFi protocol that's spun up in the last two years, right, that people are using to bridge or lend or stake or whatever, right? I don't own your token. I don't know you. I don't know your team. I don't know your inner workings. I don't know your values. I'm not part of your culture. I'm, you know, somewhere between slightly annoyed and completely pissed off that you are letting Lazarus run circles through your protocol, right? By definition, I'm not aligned. And by the way, I am more aligned than, say, you know, some of the guys at the FBI who have been doing this for decades and look at this industry like we're a complete joke, right? And so that's what I mean by, you know, ideally the people who have designed the protocol, who are maintaining the protocol, who are trying to improve the protocol, who own the token, those are the people that have stake in the game. Right now, they're just not willing to say that Lazarus laundering millions of dollars through their protocol is a problem. And so they're not even trying to address it. That's, in my opinion, the blocker for most of DeFi right now. And if they were to say that it was a problem, in the same way that this industry has accepted that MEV is a problem, the same way that this industry has accepted that smart contracts are a problem, I think that you would see a huge amount of very creative solutions that, again, solve the problem without completely neutering the protocol. We have to get there in the same way that we've solved other really, really, really hard problems.
Just to take a positive here, I'll call out one protocol that's done a really good thing. And I'm going to say that's Railgun. If we look back in 2023, Railgun had a big incident whereby North Korea deposited funds stolen from the Harmony Horizon Bridge into Railgun. And they had no controls in place, basically, to stop them. What they have developed since: they took their protocol offline for a while. And then they came back and they essentially introduced a concept called Private Proofs of Innocence. So this is a tool that allows cryptographic assurance that tokens entering Railgun smart contracts are not on any blocklists or not known to be associated with illicit funds. This is great because, in my view, it doesn't harm the permissionless, decentralized nature of Railgun, it doesn't harm its integrity, but it does allow them a lever that they can pull when someone like North Korea starts to abuse their protocol. And this has a tangible effect. We haven't seen TraderTraitor in volumes like that go back to Railgun. And sure, we can have conversations about how effective it is, how we can improve the monitoring. But the fact that they have the tooling in place to do that in their decentralized protocol is really cool. And I think that's an example of a creative solution that was thought about by a decentralized privacy protocol that wanted to solve this problem. And I'm sure, I don't know the inner workings of every single DeFi protocol, but I'm sure that there are solutions for most protocols out there if they genuinely want to go and design it.

That's super interesting. I agree that that sounds like a good solution for North Korea. I could see it being more controversial for ones where whether or not the actor is considered bad is more up for debate. So, yeah, I find it interesting. But so, you guys, we're at about an hour and a half in. So why don't we wrap up with any remaining tips or just thoughts that you have about what direction the industry should go to prevent more of these hacks, or to basically just, yeah, not be, what's the word, to not be so readily exploitable by the North Koreans.
That's a perfect way to put it, actually. Yeah, so I think I've had this opinion for a long time. I've probably said it on this podcast before, but this industry, at the end of the day, is actually really deeply amazing. There are so many smart people. There are so many smart teams. There are so many things that we have done that, quite frankly, should not have been possible, right? We can do anything that we want. That's it. In my opinion, having North Korea run circles, right, and spin up new hacking teams, right? They are now fully incentivized to just deluge this industry. It is a bad plan for this industry. And so I think that we should prioritize, one, getting really serious about security, understanding that the incentive is there. If you have a million dollars, $50 million, a billion dollars, the incentive is there for people to try to take that money. And you need to be aware of it and take really tangible steps, right, to actually put controls on your internal systems, on your employees, on your devices. There's a huge amount of literature. There's a huge amount of experienced security professionals out there who will do it for you. Actually do it. Don't think that it's not a risk. It really, truly is a risk. And then secondly, I would honestly just ask this industry to stop having the debate over whether or not this is bad. When people have money stolen from them, that's bad. And for now, let's just stick to theft, right? The Bybit hack is bad. The money was stolen. It's bad. What can we do to lower the incentive for them to do it again? What can we do to make it harder for them to hack again? But also, what can we do to slow them down on the laundering front so that, again, they don't get a billion dollars to cash inside of a year, right? What can we do about that? Let's all acknowledge that it's bad and stop having the debate over whether or not it's bad, and move on to: okay, it's not ideal, what can we do about it? And again, get really creative with the solutions and don't undermine the values of the ecosystem. Please, please, please, please, please do not. Please, please, please do not undermine everything. When we talk about creative solutions, it means accomplishing the goals, getting the outcomes that we want, without sacrificing everything that we stand for. We have to do both. We can do both. We just have to put our minds to it together.
Yeah, I guess closing thoughts from me. Whilst I've made some very general statements here, and maybe they're not always positive, what I would say is that there are people in this industry who care very, very deeply about security, preventing these hacks, preventing this laundering, that are ready and willing to help you, often for free, often for limited cost. So let's work together on this. We can't give you the solution to how you can stop your DeFi protocol from being abused by North Korea, but we're certainly willing to work with you. And if there is some solution you come up with that we can help with in any way, absolutely lean on us. So, yeah, reach out to zeroShadow, reach out to the Security Alliance. It's something that Taylor and I both contribute to. But we can't just sit here and pretend it's not a problem, because that will just spell the end of crypto, unfortunately.
Yeah. Yeah. Okay, you guys, this has been just so fascinating. Thank you both. Where can people learn more about each of you and your work?

I'm on Twitter, tayvano with an underscore. Yeah, DMs are always open. Feel free to reach out no matter what.

Yeah, I'm also on Twitter, tanuki42, with also an underscore, but you can also reach out to zeroShadow at zeroshadow.io.

Okay, perfect. All right, well, thank you both so much for coming on Unchained.

Thank you, Laura.

Thank you for having us.

Thanks so much for joining us today to learn more about Taylor, Jonty, and the Bybit hack. Check out the show notes for this episode. Unchained is produced by me, Laura Shin, with help from Matt Pilchard, Juan Aranovich, Megan Gavis, Pam Majumdar, and Margaret Correa. Thanks for listening.
