Binance Recovers Stolen, Disguised Crypto Loot From Mega Hack.
- Exchange recovers assets totaling $5.8 million from a heist.
- Crypto mixers make tracking movement difficult, if not impossible.
Binance said it was able to retrieve around $5.8 million worth of stolen funds that had made their way onto its platform in disguised form, more than a week after the US linked one of the biggest crypto heists to a North Korean hacker gang. The specifics of how it did so should serve as a warning to those attempting to cash out ill-gotten bitcoin gains: it is only going to grow more difficult.
The loss of more than $600 million in bitcoin from the Ronin software bridge, which is used by players of Axie Infinity to move cryptocurrency, was linked to the North Korean hacker group Lazarus by the US Treasury Department last week. The department discovered an Ethereum wallet address linked to the organisation and added it to its list of sanctioned entities.
Working with outside organisations, Binance was able to track the stolen funds from the hackers' wallet to Tornado Cash, a service that allows for anonymous token transfers on the Ethereum blockchain, and from there to its exchange.
"When exposure to our platform was discovered, we worked with industry-leading blockchain analytics firms and immediately froze the assets," a Binance representative said. According to Binance's chief executive officer, Changpeng "CZ" Zhao, the cryptocurrency was identified in 86 separate accounts on the platform.
While the sum recovered is only a fraction of the $600 million in cryptocurrency stolen, the achievement boosts expectations of retrieving more of the assets as hackers continue to transfer them around. According to blockchain statistics, about 56,200 Ether, or around $170 million in stolen coins, was moved out of the criminals' principal address on the Ethereum blockchain in the last week.
All of the stolen funds were moved to new addresses, with some of those addresses forwarding the tokens to Tornado Cash. According to blockchain monitoring provider Peckshield, more than $230 million in cryptocurrency has been transferred out of the wallet.
Tornado Cash is designed to break the link between a transaction's source and destination addresses, making supposedly public blockchain transactions difficult to monitor. Binance's ability to freeze the funds is a "victory" for victims of the Ronin attack, according to blockchain compliance firm Chainalysis, which has expertise in "unmixing" cryptocurrency transactions.
"World-class investigators with the correct tools and coordination made feasible Binance's action today to freeze cash stolen by North Korean-linked hackers, despite their use of complicated obfuscation techniques...," Erin Plante, senior director of investigations at Chainalysis, stated.
The identification of the address by the US Treasury Department last Thursday will "make apparent" to other virtual-currency actors that "by trading with the address, they risk exposure to US penalties," according to a representative for the department. In connection with the Ronin attack, the agency added three more addresses to its sanctions list on Friday.
The US government "continues to take disruptive action against companies supporting the flow of the stolen virtual currency," the spokesperson said. "We urge the cryptocurrency community to close its digital doors."
Tornado Cash indicated it was taking steps to block sanctioned wallets in response to the Treasury's statement. It said last Friday on Twitter that it is blocking crypto wallets sanctioned by the US Office of Foreign Assets Control (OFAC) using a free compliance tool produced by Chainalysis. The free smart contract, a programme run on a blockchain, was released by Chainalysis in March and checks whether a crypto address has been sanctioned by any of several governments.
Chainalysis also sells premium products that warn customers about potential indirect exposure to sanctioned addresses, and about other addresses associated with sanctioned entities that are not themselves on OFAC's sanctions list.
According to a spokeswoman for the company, Tornado Cash's own smart contract does not use the Chainalysis tool, because the check is not part of Tornado Cash's on-chain code. The compliance mechanism, according to Tornado Cash, is used only to stop sanctioned addresses from using the user-facing decentralised application.
In theory, Tornado Cash's underlying contracts therefore remain accessible to blocked addresses that first transfer the crypto to a different address. Tornado Cash's creators have yet to respond to several requests for comment on the tool's effectiveness.
On Friday, one of the addresses that had received 10,129.935 Ether from the hacker's main address sent roughly 1,528 Ether to a second new address, according to blockchain data. That second address was then sending Ether to Tornado Cash in 100 Ether chunks.
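The two limitations described above (a front-end check that only looks at the depositing address, and funds hopping through fresh addresses before being deposited in fixed-size chunks) can be illustrated with a small screening routine. This is an added example written for this page, not code from Chainalysis, Tornado Cash or Binance; the ledger, addresses and the `max_hops` parameter are constructed placeholders.

```python
from collections import deque

# Constructed sample ledger (not real chain data): (sender, receiver, amount_eth).
# Mirrors the pattern in the article: sanctioned origin -> fresh hop -> second hop -> mixer in 100 ETH chunks.
TRANSFERS = [
    ("0xSANCTIONED", "0xHOP1", 10129.935),
    ("0xHOP1", "0xHOP2", 1528.0),
    ("0xHOP2", "0xMIXER", 100.0),
    ("0xHOP2", "0xMIXER", 100.0),
    ("0xHOP2", "0xMIXER", 100.0),
    ("0xCLEAN_A", "0xCLEAN_B", 5.0),
]
SANCTIONS = {"0xSANCTIONED"}  # constructed stand-in for a sanctions list


def direct_check(address, sanctions):
    """What a front-end allow/deny check does: is this exact address listed?"""
    return address in sanctions


def upstream_exposure(address, transfers, sanctions, max_hops):
    """Walk inbound transfers backwards (BFS) and return the hop distance to the
    nearest sanctioned funder, or None if none is found within max_hops."""
    inbound = {}
    for sender, receiver, _ in transfers:
        inbound.setdefault(receiver, set()).add(sender)
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in sanctions:
            return hops
        if hops == max_hops:
            continue
        for sender in inbound.get(node, ()):
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, hops + 1))
    return None


def fixed_chunk_deposits(address, destination, transfers):
    """Count equal-sized deposits from address to destination; repeated identical
    amounts are the mixer-denomination pattern worth flagging for review."""
    amounts = [a for s, r, a in transfers if s == address and r == destination]
    return max((amounts.count(a) for a in set(amounts)), default=0)


def screen(address, transfers, sanctions, max_hops=3):
    """Summarise exposure as 'clear', 'direct' or 'indirect (N hops)'."""
    hops = upstream_exposure(address, transfers, sanctions, max_hops)
    if hops is None:
        return "clear"
    return "direct" if hops == 0 else f"indirect ({hops} hops)"
```

Running `screen("0xHOP2", TRANSFERS, SANCTIONS)` reports indirect exposure two hops back, while `direct_check("0xHOP2", SANCTIONS)` is False: the address-only check passes exactly the case the article describes.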