ronin bridge hack

Sky Mavis recovers $5.7M from Ronin Bridge hack

Axie Infinity creator Sky Mavis said that some of the funds will cover the recovery costs while the rest will return to the Axie treasury.

Sky Mavis, the company behind the popular play-to-earn (P2E) game Axie Infinity, has announced that, with the assistance of Norwegian authorities, it has recovered $5.7 million from the notorious Ronin Bridge incident of 2022.

On June 7, Sky Mavis announced that Norway’s central unit for fighting economic and environmental crimes, called “Økokrim,” froze and returned $5.7 million in funds from the Ronin Bridge hack.

Sky Mavis said the efforts required coordination between law enforcement, lawyers, accountants and blockchain forensic teams like Chainalysis.

Roaring Kitty hit with new lawsuit over alleged GameStop pump-and-dump scheme

North Korea’s Lazarus Group masterminded $100M Harmony hack: FBI confirms

The FBI also confirmed earlier reports this month by figures such as ZachXBT that the hackers had started moving a large chunk of the funds around via privacy protocols.

The Federal Bureau of Investigation (FBI) has confirmed the Lazarus Group and APT38 as the culprits behind the $100 million Harmony Bridge Hack from June 2022.

The North Korea-linked cyber group had long been suspected of being behind the attack but their involvement hadn’t been confirmed by authorities until now.

According to a Jan. 23 statement, the FBI noted that “through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge.”

The Harmony Bridge hack in 2022 was the result of security holes in Harmony’s Horizon Ethereum bridge which allowed the cyber attackers to swipe a number of assets stored in the bridge via 11 transactions.

The FBI also outlined that the North Korean hackers started shifting around $60 million worth of the stolen funds earlier this month via the Ethereum-based privacy protocol RAILGUN. Blockchain sleuth ZachXBT previously highlighted this on Twitter on Jan. 16.

Notably, Binance also detected the hackers were trying to launder the funds through the Huobi crypto exchange, and then promptly assisted it in freezing and recovering the digital assets deposited by the hackers, according to CEO Changpeng Zhao.

“On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of Ethereum (ETH) stolen during the June 2022 heist,” the FBI stated, adding that “a portion of these funds were frozen, in coordination with some of the virtual asset service providers. The remaining bitcoin subsequently moved to the following addresses.”

In its statement, the FBI said its cyber and virtual assets units, as well as the U.S. Attorney's Office and the U.S. Justice Department's crypto unit, have continued “to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs.”

The Lazarus Group is a well-known hacking syndicate that has reportedly had a hand in a number of key exploits in the crypto industry, and is alleged to have been behind the $600 million Ronin Bridge hack from March last year.

In April 2022, the United States Treasury Department's Office of Foreign Assets Control indicated as much by updating its Specially Designated Nationals and Blocked Persons (SDN) list to include the Lazarus Group following the hack.

That same month, the FBI and Cybersecurity and Infrastructure Security Agency also fired off a warning alert concerning North Korean state-sponsored cyber threats that target blockchain companies in response to the Ronin Bridge hack.

Polygon CSO blames Web2 security gaps for recent spate of hacks

Polygon's chief of security says his department now employs 10 experts to ensure top-notch cyber security practices are adopted, recommending other crypto firms do the same.

Polygon Chief Security Officer Mudit Gupta has urged Web3 companies to hire traditional security experts to put an end to easily preventable hacks, arguing that perfect code and cryptography are not enough. 

Speaking to Cointelegraph, Gupta outlined that several of the recent hacks in crypto were ultimately a result of Web2 security vulnerabilities such as private key management and phishing attacks to gain logins, rather than poorly designed blockchain tech.

Adding to his point, Gupta emphasized that getting a certified smart contract security audit without adopting standard Web2 cybersecurity practices is not sufficient to protect a protocol and users' wallets from being exploited:

“I've been pushing at least all of the major companies to get a dedicated security person who actually knows that key management is important.”

“You have API keys that are used for decades and decades. So there are proper best practices and procedures one should be following. To keep these keys secure. There should be proper audit trail logging and proper risk management around these things. But as we've seen these crypto companies just ignored all of it,” he added.

While blockchains are often decentralized on the backend, “users interact with [applications] through a centralized website,” so implementing traditional cybersecurity measures around factors such as Domain Name System (DNS), web hosting and email security should always “be taken care of,” said Gupta.

Gupta also emphasized the importance of private key management, citing the $600 million Ronin bridge hack and $100 million Horizon bridge hack as textbook examples of the need to tighten private key security procedures:

“Those hacks had nothing to do with blockchain security, the code was fine. The cryptography was fine, everything was fine. Except the key management was not. The private keys [...] were not securely kept, and the way the architecture worked was if the keys got compromised, the whole protocol got compromised.”

Gupta suggested that the current sentiment from blockchain and Web3 firms is that if “you fall for a phishing attack, it's your problem,” but argued that “if we want mass adoption,” Web3 companies have to take more responsibility rather than doing the bare minimum.

“For us [...] we don't want just the minimum safety that keeps the liability away. We want our product to be actually safe for users to use it [...] so we think about what traps they might fall into and try to protect users against them.”

Polygon is an interoperability and scaling framework for building Ethereum-compatible blockchains, which enables developers to build scalable and user-friendly decentralized applications.

With a team of 10 security experts now employed at Polygon, Mudit now wants all Web3 companies to take the same approach.

Following the $190 million Nomad bridge hack in August, crypto hacks have now surpassed the $2 billion mark, according to blockchain analytics firm Chainalysis.

Ronin hackers transferred stolen funds from ETH to BTC and used sanctioned mixers

The hackers continue to spread out the stolen funds using Bitcoin privacy tools as a means to remain anonymous, even though they are believed to be a North Korean cybercrime group.

The hackers behind the $625 million Ronin bridge attack in March have since transferred most of their funds from ETH into BTC using renBTC and Bitcoin privacy tools Blender and ChipMixer. 

The hackers’ activity has been tracked by on-chain investigator ‘₿liteZero’, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report. They outlined the transaction pathway of the stolen funds since the Mar. 23 attack.

The majority of the stolen funds were originally converted into ETH and sent to now sanctioned Ethereum crypto mixer Tornado Cash before being bridged over to the Bitcoin network and converted into BTC via the Ren protocol.

According to the report, the hackers, who are believed to be North Korean cybercrime organization Lazarus Group, initially transferred just a portion of the funds (6,249 ETH) to centralized exchanges including Huobi (5,028 ETH) and FTX (1,219 ETH) on Mar. 28.

From the centralized exchanges, the 6,249 ETH appeared to have been converted into BTC. The hackers then transferred 439 BTC ($20.5 million) to Bitcoin privacy tool Blender, which was also sanctioned by the U.S. Treasury on May 6. The analyst wrote:

“I've found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender's deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”

However, the overwhelming majority of stolen funds — 175,000 ETH — was transferred to Tornado Cash incrementally between April 4 and May 19.

The hackers subsequently used decentralized exchanges Uniswap and 1inch to convert around 113,000 ETH to renBTC (a wrapped version of BTC), and used Ren’s decentralized cross-chain bridge to transfer the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.

From there, approximately 6,631 BTC was distributed to a variety of centralized exchanges and decentralized protocols:

Platforms the hackers used to transfer BTC to. Source: SlowMist.

The report also stated that the Ronin hackers withdrew 2,871 BTC (of the 3,460 BTC) ($61.6 million as of Aug. 22) via Bitcoin privacy tool ChipMixer.

BTC balance on platforms after the hackers withdrew funds. Source: SlowMist.

₿liteZero concluded the Twitter thread by stating that the Ronin hack remains a “mystery to be investigated” and that more progress is to be made.

Battle-hardened Ronin bridge to Axie reopens following $600M hack

The Ronin bridge tied to Axie Infinity is back up with a new design after Sky Mavis introduced a circuit breaker system and daily withdrawal limits.

Sky Mavis, developer of the popular play-to-earn (P2E) NFT game Axie Infinity, has announced that the Ronin bridge is back online three months after it was hacked for more than $600 million.

The Ronin bridge is an Ethereum sidechain built for Axie Infinity, and it enables users to transfer assets between the sidechain and the Ethereum mainnet.

On March 29, 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) were drained from the bridge after hackers managed to gain access to private validator keys. The hack was worth more than $620 million at the time.

According to the June 28 announcement from the Sky Mavis team, the Ronin bridge is back online after three audits (one internal, two external), a new design and full compensation of users' stolen assets.

“All wETH and USDC owned by Ronin Network users is now fully backed 1:1 by ETH and USDC on Ethereum, as promised. All users have been made whole.”

In total, Sky Mavis has now reimbursed 117,600 ETH and 25.5 million USDC by providing the ETH liquidity to back users’ wrapped ETH (wETH) on the Ronin network.

In April, around 46,000 of that ETH had already been compensated after Binance provided a bridge to its exchange so that users could swap out wETH for ETH. Liquidity was sourced from the Axie Infinity balance and founders' funds to support the move. Binance also led a $150 million funding round to help Sky Mavis repay Axie Infinity users.

The remaining 56,000 of the total stolen ETH belongs to the Axie DAO Treasury and will remain uncollateralized as Sky Mavis “works with law enforcement to recover the funds.”

As part of the revamped bridge design, Sky Mavis has updated the smart contract software to enable validators to set daily withdrawal limits, with the initial amount set at $50 million at this stage. The team also introduced a circuit breaker system that breaks down the monetary value of withdrawals into three tiers.

Tier 1 is for withdrawals less than $1 million, and requires 70% of validators to sign off, and tier 2 is for amounts greater than $1 million and requires 90% of validator signatures. Tier 3 is for withdrawals greater than $10 million and requires a 90% validator sign-off, a small transaction fee and a seven-day review process.

“The new bridge design includes a circuit-breaker system as a contingency plan which increases the security of the bridge by halting large suspicious withdrawals.”

Sky Mavis admitted in a postmortem report in late April that its lack of decentralization had made the Ronin bridge vulnerable to the hack. At the time it had just nine validator nodes, with employees having access to four of them.

After promptly raising the number of nodes to 11, Sky Mavis outlined intentions to raise the count to 21 within three months of the postmortem, with the long-term goal of surpassing 100 total nodes.

The team did not, however, provide an update in the latest announcement on how many validator nodes the Ronin network now has.

Axie Infinity has seen its monthly NFT sales volume tank dramatically in 2022, with data from CryptoSlam showing that the game went from generating $126.4 million in January to just $2.8 million in June.

Sky Mavis Raises $150 Million in Financing Round Led by Binance to Refund Users Affected by the Ronin Bridge Exploit

Sky Mavis, the company behind the play-to-earn (P2E) game Axie Infinity, announced it has raised $150 million in a funding round to replenish the funds the company lost in the Ronin Network exploit. The funding round — which was led by Binance and had the participation of companies like Animoca Brands, a16z, Dialectic, Paradigm, and […]
