US Justice Department on the hunt for DeFi hackers and thieves: Report

May 15, 2023 Coin Telegraph

The US Justice Department’s top crypto cop said that it was a “pretty significant issue” given the rise of North Korean “state-sponsored hackers.”

The United States Justice Department’s crypto enforcement team is cracking down on Decentralized Finance (DeFi) hackers and exploiters, amid a four-year rise in illicit crypto activity.

In a Financial Times report published on May 15, Eun Young Choi, director of the U.S. Department of Justice (DOJ) national cryptocurrency enforcement team (NCET), stated that the department is focusing on thefts and hacks involving DeFi and “particularly chain bridges.”

Choi said it was a “pretty significant issue” for the DOJ given North Korean “state-sponsored hackers” have emerged as “key actors in this space.”

North Korean hackers stole an estimated range of between $630 million to more than $1 billion of crypto assets in 2022, Cointelegraph reported in February.

The DOJ announced Choi – a prosecutor with nearly a decade of experience in the DOJ — as the first director of the NCET in February 2022.

At the time, a statement from the department explained that the NCET will serve as a “focal point” for the DoJ in tackling cryptocurrency, cybercrime, money laundering, and forfeiture.

Justice Department Announces First Director of National Cryptocurrency Enforcement Teamhttps://t.co/PvJ6iRDQ8P
— Justice Department (@TheJusticeDept) February 17, 2022

While the DOJ highlighted that “mixing and tumbling services” would be a particular focus for the agency, it did not specifically mention anything in regard to DeFi platforms at the time.

Choi, who also recently spoke at the Financial Times Crypto and Digital Assets Summit, reaffirmed that the DOJ is after crypto firms that either commit the crime or turn a blind eye to "obscure the trail of transactions." She noted:

“The DoJ is targeting companies that commit crimes themselves or allow them to happen, such as enabling money laundering.”

She explained that by going after the source, the platform itself, it will have a “multiplier effect” in terms of stopping “criminal actors to easily profit from their crimes.”

Choi further emphasized the “scale and the scope of digital assets being used in a variety of illicit ways” has grown significantly over the last four years.

DeFi platforms have experienced a string of attacks in recent times.

*Decentralized Finance Total Value Locked (TVL). Source: DappRadar*

The biggest DeFi hack so far this year was reported on March 13, with Euler Finance facing a flash loan attack with over $196 million in DAI, USDC, staked Ether (StETH) and Wrapped Bitcoin (WBTC) stolen.

Meanwhile, in November 2022 DeFi trading platform Mango Markets saw an exploiter allegedly take advantage of their low liquidity to “drain funds.”

Essentially the hacker deposited $5 million of his own money into the platform to drive up the price of MNGO from $0.03 to $0.91 to increase their MNGO holdings to $423 million.

From there, the exploiter was able to acquire a loan for $116 million using several tokens on the platform, including Bitcoin (BTC), Solana (SOL) and Serum (SRM), as a result, the loan eliminated the entire liquidity of Mango Markets.

Magazine: DeFi abandons Ponzi farms for ‘real yield’

Allbridge to first begin repaying stuck bridge users after recouping funds

April 5, 2023 Coin Telegraph

Allbridge

The compensation process is expected to start next week, starting with users who had funds on the bridge “shortly before the shutdown.”

Users with funds stuck on the multichain token bridge provided by Allbridge are first in line to receive compensation under a recovery plan posted by the project following a recent exploit.

In an April 5 statement, Allbridge said it has already started a compensation process for users despite only “partly recovering funds” after it was hacked for roughly $573,000 on April 1.

“We will start with the bridge users whose transactions got stuck in pending due to the emergency shutdown,” Allbridge said, adding it will then compensate its liquidity providers (LPs).

We are committed to compensating our users affected by the exploit and are prepared to reveal our recovery plan.

Please check the latest announcement for details: https://t.co/h17VDKZ7H7
— Allbridge (@Allbridge_io) April 4, 2023

“We aim to fully compensate those victims of the exploit with funds available to us,” it wrote.

It noted that it enabled LPs to withdraw funds on April 2, with the majority withdrawing their assets from the pool. Some, however, could withdraw even more “due to the pool’s disbalance.“

Others could not withdraw “a reasonable amount” from the liquidity pool due to some users withdrawing more than their original balances and the hack’s impact on the pools.

An application form is currently being drafted for LPs who could not withdraw their assets, allowing them to apply for compensation and provide details of their losses.

The form is anticipated to be completed within the next two days. The compensation process is expected to commence next week, starting with users who “have used the bridge shortly before the shutdown.”

“All the affected parties by the exploit will be subject to additional rewards in the future, but compensation remains our main priority.”

The compensation plan comes after Allbridge tweeted on April 3 that 1,500 BNB (BNB), worth approximately $465,000, was returned to the project following a public proposal made to the hacker in an April 1 tweet.

The protocol’s exploiter seemingly accepted Allbridge’s offer of a “white hat bounty,” where they could keep a portion of the stolen funds in exchange for an assurance that no legal action would be taken.

Meanwhile, Ethereum-based noncustodial lending protocol Eurler Finance announced on April 4 that it recovered most of the $196 million stolen in a March 13 flash loan attack following successful negotiations.

The attacker managed to steal millions worth of Dai (DAI), USD Coin (USDC), staked Ether (stETH) and wrapped Bitcoin (WBTC) in the largest hack of 2023 so far.

Magazine: Crypto winter can take a toll on hodlers’ mental health

Euler Finance to enter talks with exploiter over the return of funds

March 21, 2023 Coin Telegraph

chainalysis

The flash loan exploiter claims they have “no intention of keeping what is not ours” and wants to “come to an agreement” with Euler Finance.

Ethereum-based lending protocol Euler Finance could be a step closer to recovering funds stolen in a $196 million flash loan attack last week, with private discussions now initiated with the exploiter.

In an on-chain message to Euler on March 20, days after sending funds to a red-flagged North Korean address, the exploiter claimed they now want to “come to an agreement” with Euler.

“We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement,” said the exploiter.

*The hacker’s most recent public on-chain message to Euler. Source:* *Etherscan*

Hours later, Euler replied with its own on-chain message, acknowledging the message and asking the exploiter to talk “in private,” stating:

“Message received. Let's talk in private on blockscan via the Euler Deployer address and one of your EOAs, via signed messages over email at contact@euler.foundation, or any other channel of your choice. Reply with your preference.”

*Euler’s latest public on-chain message to the hacker. Source:* *Etherscan*

Euler had previously tried to cut a deal with the exploiter after the exploit, insisting that they return 90% of the funds they stole within 24 hours or potentially face legal consequences.

There was no response, and 24 hours later, Euler launched a $1 bounty reward for any information that could lead to the exploiter’s arrest and return of the funds.

While the identity of the exploiter is not known, the recent language used by the exploiter could suggest more than one person is involved.

In a March 17 tweet, blockchain analytics firm Chainalysis said the recent 100 Ether (ETH) transfer to a wallet address associated with North Korea could mean the hack is the work of the “DPRK” — the Democratic People’s Republic of Korea.

However, this could also be an attempt to intentionally misdirect investigators, the firm said.

Other transactions from the exploiter’s wallet address include 3000 ETH, which was sent back to Euler Finance on March 18, along with funds sent to crypto mixer Tornado Cash and even an apparent victim of the exploit.

https://t.co/4OBksAu9od pic.twitter.com/Zb3MIyex2f
— PeckShield Inc. (@peckshield) March 18, 2023

On March 20, another address reached out to Euler on-chain, claiming to have found a “solid string of connections” that could help them find out who and where the exploiter was.

Cointelegraph reached out to the Euler Foundation for comment but did not receive an immediate response.

Euler hacker seemingly taking their chances, sends funds to crypto mixer

March 16, 2023 Coin Telegraph

blockchain analytics firm

Before the move, the hacker apparently refunded at least one victim, leading to a slew of on-chain messages from other purported victims.

The hacker responsible for the $196 million attack on Euler Finance has begun moving funds into crypto mixer Tornado Cash, only hours after a $1 million bounty was launched to uncover the hacker's identity.

Blockchain analytics firm PeckShield tweeted on March 16 that the exploiter behind the flash loan attack on the Ethereum noncustodial lending protocol was “on the move.”

The exploiter transferred 1,000 Ether (ETH), approximately $1.65 million, through sanctioned crypto mixer Tornado Cash.

#PeckShieldAlert @eulerfinance exploiter on the move
~1,000 $ETH into Tornado Cash through intermediary address 0xc66d...c9ahttps://t.co/LAkY66YpoF pic.twitter.com/0XhQV1nbgn
— PeckShieldAlert (@PeckShieldAlert) March 16, 2023

It comes only hours after Euler Labs tweeted it's launching a $1 million reward for information leading “to the Euler protocol attacker’s arrest and the return of all funds.”

Just a day earlier, Euler sent an on-chain message to the exploiter's address on March 14 warning it would launch a bounty “that leads to your arrest and the return of all funds” if 90% wasn't returned within 24 hours.

The movement of the funds to the crypto mixer could indicate that the hacker is not being swayed by Euler's amnesty offer.

Peckshield noted that around 100 ETH, worth $165,202 at the time of writing, was sent to a wallet address that is likely owned by one of the victims. An on-chain message sent by the wallet address had earlier pleaded for the attacker for the return of their "life savings."

WOW!@eulerfinance Exploiter returned 100 $ETH to some guy who begged him for the money back as it was his life savingshttps://t.co/Gz9aCUZB0H pic.twitter.com/DhZBenqtuS
— Wazz (@WazzCrypto) March 16, 2023

This led to a slew of other victims sending messages to the address in hopes of also getting their funds returned.

One message stated they “are twenty-six families from jobless rural areas,” who lost “a million USDT in total,” adding their share of funds in the protocol was the “life-savings from our past decades of work in factories.”

Another apparent victim messaged the attacker congratulating them on the “big win” and said they invested funds into Euler they “desperately needed” for a house.

“My wife is going to kill me if we can’t afford our house [...] Is there anyway [sic] you can help me? I have no idea what to tell my wife,” they wrote.

According to on-chain data, the $196 million stolen from Euler consisted of Dai (DAI), USD Coin (USDC), staked ETH and wrapped Bitcoin (WBTC).