
Kucoin

Date:: September 26th, 2020

Amount Stolen:: $275,000,000

Time:: 06:49:18 PM +UTC

Laundered Via:: Wasabi, Tornado Cash, ChipMixer

Tags:: 👛


Details

On September 26th, 2020, Singapore-based cryptocurrency exchange KuCoin suffered a massive breach with hackers stealing more than $280m worth of various cryptocurrencies from the exchange’s hot wallets.

No details have been made public about how access was gained to KuCoin’s systems, but the exchange publicly announced on the day of the hack that it had experienced a “security incident.”[13] The majority of the stolen funds were various ERC20 tokens, though substantial quantities of Bitcoin and several other altcoins were also taken.[14] This major intrusion involved a range of sophisticated hacking and laundering techniques, including a professional mixing service and the use of new DeFi platforms in an attempt to obfuscate the activity.

The KuCoin hack demonstrates radical improvements in the Lazarus Group’s ability to obfuscate the origin of the stolen cryptocurrency. However, these hackers ultimately compromised their anonymity near the end of the operation, which allowed investigators to link pre- and post-mixed assets directly to the original hack.

The breadth and intricacy of the laundering techniques applied in this hack indicate a dramatic increase in the Lazarus Group’s sophistication and adaptability with crypto. The laundering of KuCoin’s stolen assets diverged sharply from prior Lazarus operations. Instead of the partially haphazard obfuscation efforts seen in past intrusions, this time the North Korean hackers showed more rigor, employing several advanced techniques in an attempt to comprehensively obscure their activity.

The Lazarus Group also used an increasingly popular set of blockchain services known as decentralized finance (DeFi). As the international community began to introduce stronger regulatory measures on the cryptocurrency industry in 2018–19, focused mainly on the mining and trading of cryptocurrencies, the Lazarus Group showed remarkable adaptation to the evolving regulation of the virtual asset space by moving to new platforms such as DeFi.

The use of Tornado Cash, in particular, demonstrated a notable advancement in Lazarus’ laundering efforts. Understanding how this professional mixer functions is important to identifying the strengths and weaknesses of the North Korean operatives involved in this hack. A user seeking to anonymize the movement of Ethereum can deposit the cryptocurrency into Tornado in varying increments, most commonly 0.1, 1, 10, and 100 ETH. All crypto users deposit funds of equal value, and these deposits are held in a single address, making it virtually impossible to positively link any one withdrawal with any one deposit. Therefore, the longer a depositor waits to withdraw ETH, the greater the anonymity achieved, effectively providing more cover for North Korean operatives attempting to launder the stolen ETH. Users of Tornado Cash are not required to pay any “gas”—a fee to conduct a transaction on the Ethereum blockchain—to withdraw funds from Tornado after completing the mixing process. Instead, a series of intermediary addresses called relayers supply the necessary gas for a withdrawal, significantly adding to the withdrawer’s anonymity and increasing the total level of obfuscation.

Even during this elaborate and fiscally lucrative cyber heist, the Lazarus Group seemingly chose speed over total obfuscation. The North Korean hackers elected not to use the more anonymity-preserving features of Tornado Cash, which would have required a transaction fee, likely because they sought to retain the largest possible amount of stolen Ethereum for eventual liquidation. As a result, investigators were able to link the post-Tornado withdrawals together and, given the size of the KuCoin theft, ultimately connect them to the original hack.[16] North Korean hackers are well trained and focused, but this misstep in the laundering process clearly signaled their involvement in the theft. It suggests that the Lazarus Group favored a higher potential cash-out in a short period of time over complete, long-term obfuscation for the operation, strengthening the claim that speed, rather than total obfuscation, remains Lazarus’ main priority.

Chainalysis said it was able to attribute the KuCoin hack to the North Korean hacking group by looking at how the stolen funds were laundered.

KuCoin issued an announcement stating that it had detected large withdrawals of Bitcoin and ERC-20 tokens from multiple hot wallets in the early morning of the 26th, and that deposit and withdrawal services had been suspended. KuCoin stated that the total amount involved accounts for a relatively low proportion of the funds held on the platform, and that the assets in its cold wallets are not affected. At the same time, KuCoin redeployed its hot wallets. KuCoin officially stated that if any user suffers losses in this incident, those losses will be fully borne by KuCoin and its insurance fund. KuCoin has started a comprehensive internal security review; during this period, deposit and withdrawal services remain suspended, and the reopening time will be given in a further notice. KuCoin said it will announce more details as soon as possible. As previously reported, starting at 2:49 am Beijing time on September 26, Etherscan marked the address of the cryptocurrency exchange KuCoin as transferring a large number of tokens, including MKR, USDT, OCEAN, etc., to a new address beginning with 0xeb31973e0f, including 11,486 Ethereum, 19,788,586 USDT, 525,405 Gladius (GLA), 77,874 Hawala (HAT), 21,660,274 Ocean Token (OCEAN), 8,893,428 Chroma (CHR), 30,452,178 Ampleforth Network (AMPL), 198,678 Ankr (ANKR), etc. As of that report, the new address had received ERC-20 tokens worth about 146 million USD and had made two outgoing transfers, totaling about 50,000 USDT, to an address starting with 0xc6f928cf9431.

The hackers had managed to obtain the private keys to KuCoin’s hot wallets before withdrawing large amounts of Ethereum (ETH) and Bitcoin (BTC), as well as Bitcoin SV (BSV), Litecoin (LTC), XRP (XRP), Stellar Lumens (XLM), Tron (TRX), and Tether (USDT).

We were able to attribute this hack to Lazarus Group due in part to the KuCoin hackers’ use of a specific money laundering strategy Lazarus has frequently used in the past. The strategy involves sending stolen funds to mixers in structured payments of the same size - usually an amount just below a round number in Bitcoin - that can be higher or lower depending on the size of the total amount to be laundered. Lazarus typically waits for each payment’s output to be confirmed by the mixer before sending a new one, allowing them to minimize losses in the event the mixer fails. Once the funds are mixed, Lazarus Group then typically sends funds to OTC brokers on one of a few exchanges. The KuCoin hackers utilized this strategy for portions of the funds stolen. This, along with other pieces of evidence we’re unable to share at this time, helped us identify Lazarus Group as the culprits. Additionally, two deposit addresses to which Lazarus Group sent stolen cryptocurrency this year also received funds stolen in the Harvest Finance, leading to speculation that Lazarus Group may have carried out that attack as well. However, this is still unconfirmed.
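The structured-payment pattern Chainalysis describes above (equal-sized payments just below a round BTC figure, each sent only after the previous one confirmed) can be turned into a simple analytic heuristic. The code below is an added example, not Chainalysis’ or the notes’ own tooling; the 2% "just below round" gap and the run length of three are assumed thresholds, and any sample transfers fed to it are constructed placeholders.

```python
"""Flag the structured mixer-deposit pattern described above: repeated equal
payments, each just below a round BTC figure, sent one at a time.
Added example, not Chainalysis' or the notes' code; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List
SATS = 100_000_000  # satoshis per BTC


@dataclass(frozen=True)
class Transfer:
    txid: str            # constructed placeholder in any sample data
    source: str
    mixer_deposit: str
    amount_sats: int
    block: int           # block in which the transfer confirmed


def just_below_round(amount_sats: int, max_gap_pct: float = 2.0) -> bool:
    """True if the amount lies within max_gap_pct below a 1/2/5 x 10^n BTC
    figure (0.001 BTC .. 5000 BTC). Integer maths avoids float rounding."""
    for exp in range(5, 12):            # 10^5 sats = 0.001 BTC, 10^11 = 1000 BTC
        for digit in (1, 2, 5):
            round_sats = digit * 10 ** exp
            gap = round_sats - amount_sats
            if 0 < gap <= round_sats * max_gap_pct / 100:
                return True
    return False


def structured_runs(transfers: List[Transfer], min_run: int = 3) -> List[List[Transfer]]:
    """Per (source, mixer deposit) pair, return runs of >= min_run equal, just-below-round
    transfers, each confirmed in a later block than the previous (it waited for the mixer)."""
    by_pair = defaultdict(list)
    for t in transfers:
        by_pair[(t.source, t.mixer_deposit)].append(t)
    runs = []
    for group in by_pair.values():
        run = []
        for t in sorted(group, key=lambda x: x.block):
            if run and t.amount_sats == run[-1].amount_sats and t.block > run[-1].block:
                run.append(t)        # same size as the previous one, and it waited
                continue
            if len(run) >= min_run:
                runs.append(run)
            run = [t] if just_below_round(t.amount_sats) else []
        if len(run) >= min_run:
            runs.append(run)
    return runs
```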

On-Chain


Tornado Cash

Interestingly, DPRK set up their own relayers for their first foray into using Tornado Cash, and thus their withdrawals are insanely easy to find, as they are the only withdrawals for these relayers lol.
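The weakness described here and in the Tornado Cash paragraphs above (a relayer paying the gas for every withdrawal, so a relayer that only ever serves one operator links all of its recipients together) can be checked with a small clustering pass over withdrawal events. This is an added example, not code from these notes; every address, hash and block number in it is a constructed placeholder, and the recipient threshold is an assumption.

```python
"""Cluster Tornado Cash style withdrawals by the relayer that paid their gas.
Added example, not code from the original notes; every address, hash and
block number below is a constructed placeholder, not real on-chain data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Withdrawal:
    tx_hash: str       # constructed
    relayer: str       # tx sender: the relayer that supplied the gas
    recipient: str     # fresh address that received the withdrawn ETH
    amount_eth: float  # pool denomination: 0.1, 1, 10 or 100 ETH
    block: int


# Constructed sample: a busy public relayer serving unrelated users, and one
# relayer that only ever withdrew to two recipients.
SAMPLE = [Withdrawal(f"0xpub{i:02x}", "0xRELAYER_PUBLIC", f"0xuser{i:02x}", 1.0, 1000 + 7 * i)
          for i in range(8)] + [
    Withdrawal("0xpriv00", "0xRELAYER_PRIVATE", "0xrecipA", 100.0, 1100),
    Withdrawal("0xpriv01", "0xRELAYER_PRIVATE", "0xrecipA", 100.0, 1102),
    Withdrawal("0xpriv02", "0xRELAYER_PRIVATE", "0xrecipB", 10.0, 1103),
    Withdrawal("0xpriv03", "0xRELAYER_PRIVATE", "0xrecipB", 100.0, 1105),
]


def private_relayer_clusters(withdrawals: List[Withdrawal],
                             max_recipients: int = 3) -> Dict[str, dict]:
    """Flag relayers whose withdrawals fan out to only a few recipients.

    A public relayer serves many unrelated users. A relayer run by a single
    operator links every recipient it served to that operator, which is the
    weakness the notes describe. max_recipients is an assumed threshold.
    """
    by_relayer: Dict[str, List[Withdrawal]] = defaultdict(list)
    for w in withdrawals:
        by_relayer[w.relayer].append(w)
    clusters = {}
    for relayer, ws in by_relayer.items():
        recipients = sorted({w.recipient for w in ws})
        if len(recipients) <= max_recipients:
            clusters[relayer] = {"recipients": recipients,
                                 "withdrawals": len(ws),
                                 "total_eth": sum(w.amount_eth for w in ws)}
    return clusters
```

Run against real data, the relayer field is simply the sender of each withdraw transaction, which is why withdrawals through a one-operator relayer are so easy to pick out.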

Relayers / Callers:

  • 0x23156749a0acefc8f07b9954d181d50084c1519e
  • 0x82e6b31b0fe94925b9cd1473d05894c86f277398

Withdrawals:


URLs