With Rapid Rise in Funds Stolen from DeFi Protocols, Private Keys in Play
brooke.crothers
Tue, 09/13/2022 – 20:00
Massive heist begins with private keys
The March 2022 theft by the Lazarus Group, a cybercrime group run by the North Korean state, began when it gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge, according to a report from Chainalysis.
Ronin Network is an Ethereum-linked sidechain catering to Axie Infinity’s blockchain gaming. Cross-chain bridges provide interoperability between different blockchains via a protocol that lets users port digital assets from one blockchain to another, as described by Chainalysis.
The heist by Lazarus totalled, at the time, $540 million in ether (ETH) and USDC stablecoin, which prompted sanctions by the U.S. Department of the Treasury. The Lazarus Group typically carries out such attacks to fund the North Korean state.
Subsequently, more than $30 million was seized by the U.S. government with the help of Chainalysis. The seizures represent approximately 10% of the total funds stolen from Axie Infinity, Chainalysis said.
Move to DeFi services to chain hop
The Lazarus Group used the private keys to approve two transactions, both withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC), the report said. (Together these make up the $540 million figure cited above.)
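The two paragraphs above describe the mechanism that made the theft possible: a bridge withdrawal is released once a threshold of validator signatures (five of nine) verifies, so holding five validators' private keys is indistinguishable, to the bridge, from five honest approvals. The following simulation is an added example, not code from Chainalysis, Ronin Network or the article; it uses HMAC over a constructed validator key set as a stand-in for the validators' real signing keys, and the withdrawal ceilings in `DAILY_CAP` are hypothetical policy values. It shows that the signature check alone passes for an attacker with enough keys, and why a defender-side policy check that runs regardless of signature count is the control that would have flagged withdrawals of this size.

```python
import hashlib
import hmac
import json

# Constructed example: a 5-of-9 validator set guarding bridge withdrawals.
# Each validator's secret is a constructed value. A real bridge verifies
# asymmetric signatures; HMAC stands in so the example runs on the standard
# library alone, and the threshold logic is the same either way.
VALIDATORS = {
    f"validator-{i}": hashlib.sha256(f"constructed-secret-{i}".encode()).digest()
    for i in range(1, 10)
}
THRESHOLD = 5  # validator approvals required to release a withdrawal

# Hypothetical per-asset withdrawal ceilings for the defender-side check below.
# The article mentions no such limits; these are assumed policy values.
DAILY_CAP = {"ETH": 10_000, "USDC": 2_000_000}


def canonical(withdrawal: dict) -> bytes:
    """Serialise a withdrawal deterministically so every validator signs the same bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def sign(validator: str, withdrawal: dict) -> str:
    """Produce one validator's approval over the withdrawal (HMAC stand-in for a signature)."""
    return hmac.new(VALIDATORS[validator], canonical(withdrawal), hashlib.sha256).hexdigest()


def verify_approval(withdrawal: dict, signatures: dict, threshold: int = THRESHOLD):
    """Return (approved, set of validators whose signature verified).

    Signatures from unknown validators, or made with the wrong key, are ignored.
    Nothing here can be forged without the key: what gets a withdrawal released
    is simply holding enough genuine validator keys, which is the Ronin lesson.
    """
    valid = set()
    for validator, sig in signatures.items():
        key = VALIDATORS.get(validator)
        if key is None:
            continue
        expected = hmac.new(key, canonical(withdrawal), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            valid.add(validator)
    return len(valid) >= threshold, valid


def policy_flags(withdrawal: dict) -> list:
    """Defender-side checks that run whether or not the signature threshold was met."""
    flags = []
    cap = DAILY_CAP.get(withdrawal["asset"])
    if cap is None:
        flags.append("unknown asset")
    elif withdrawal["amount"] > cap:
        flags.append(f"amount {withdrawal['amount']} exceeds daily cap {cap} {withdrawal['asset']}")
    return flags


def attacker_scenario(compromised: list, withdrawal: dict):
    """Simulate a party that holds the listed validators' keys and signs a withdrawal."""
    sigs = {v: sign(v, withdrawal) for v in compromised}
    approved, _ = verify_approval(withdrawal, sigs)
    return approved, policy_flags(withdrawal)


if __name__ == "__main__":
    # Constructed withdrawal using the ETH amount reported by Chainalysis.
    eth_withdrawal = {"asset": "ETH", "amount": 173_600, "to": "0xconstructed-destination"}
    five_keys = [f"validator-{i}" for i in range(1, 6)]
    four_keys = five_keys[:-1]
    print(attacker_scenario(five_keys, eth_withdrawal))  # approved, but the policy flag fires
    print(attacker_scenario(four_keys, eth_withdrawal))  # one key short: not approved
```

The point of `policy_flags` is that the threshold check answers only "did enough keys sign?", not "should this withdrawal exist?"; a velocity or amount ceiling enforced outside the signing path gives operators a signal even when every signature is genuine, and the threshold itself can be raised so that compromising five of nine keys is no longer sufficient.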
“They then initiated their laundering process…The laundering of these funds has leveraged over 12,000 different crypto addresses to date, which demonstrates the hackers’ highly sophisticated laundering capabilities,” Chainalysis said.
The group’s typical laundering pattern has been to send stolen ether to intermediary wallets and then mix it in batches using Tornado Cash.
However, after the U.S. Treasury imposed sanctions on Tornado Cash, Lazarus moved away from the Ethereum mixer, instead “leveraging DeFi services to chain hop, or switch between several different kinds of cryptocurrencies in a single transaction,” Chainalysis said.
“Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate. Lazarus appears to be using bridges in an attempt to obscure source of funds,” Chainalysis said.
Venafi’s Take: DeFi security model vulnerable
“The DeFi security model needs strengthening right away,” said Pratik Savla, a Senior Security Engineer at Venafi.
“Improper cryptographic key management is one of the biggest Achilles Heels that is opening up DeFi to a number of security risks,” Savla said.
The utilization of private keys and wallets underscores the known security risks associated with their design and implementation, according to Savla.
“This in turn, incentivizes attackers of all shades to deploy the same set of TTPs [Tactics, Techniques and Procedures] they have used to exploit in prior incidents,” Savla said.
Once the private key of the…
Read More: securityboulevard.com