There has been a rapid rise in funds stolen from DeFi (Decentralized Finance) protocols. One of the most prominent attacks was on the Ronin Network, carried out by the Lazarus Group when it gained access to private keys held by transaction validators for Ronin Network’s cross-chain bridge.
Massive heist begins with private keys
The March 2022 theft by the Lazarus Group, a cybercrime group run by the North Korean state, began when it gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge, according to a report from Chainalysis.
Ronin Network is an Ethereum-linked sidechain catering to Axie Infinity’s blockchain gaming. Cross-chain bridges provide interoperability between different blockchains via a protocol that lets users port digital assets from one blockchain to another, as described by Chainalysis.
The heist by Lazarus totalled, at the time, $540 million in Ethereum currency and USDC stablecoin, which prompted sanctions by the U.S. Department of Treasury. The Lazarus Group typically carries out the attacks to fund the North Korean state.
Subsequently, more than $30 million was seized by the U.S. government with the help of Chainalysis. The seizures represent approximately 10% of the total funds stolen from Axie Infinity, Chainalysis said.
Move to DeFi services to chain hop
The Lazarus Group used the private keys to approve two transactions, both withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC) the report said. (The $540 million value cited above.)
“They then initiated their laundering process…The laundering of these funds has leveraged over 12,000 different crypto addresses to-date, which demonstrates the hackers’ highly sophisticated laundering capabilities,” Chainalysis said.
Typical laundering techniques include stealing Ether and sending it to intermediary wallets and mixing Ether in batches using Tornado Cash.
However after the U.S. Treasury imposed sanctions on Tornado Cash, Lazarus has moved away from the Ethereum mixer, instead “leveraging DeFi services to chain hop, or switch between several different kinds of cryptocurrencies in a single transaction,” Chainalysis said.
“Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate. Lazarus appears to be using bridges in an attempt to obscure source of funds,” Chainalysis said.
Venafi’s Take: DeFi security model vulnerable
“The DeFi security model needs strengthening right away,” said Pratik Savla, a Senior Security Engineer at Venafi.
“Improper cryptographic key management is one of the biggest Achilles Heels that is opening up DeFi to a number of security risks,” Savla said.
The utilization of private keys and wallets underscores the known security risks associated with their design and implementation, according to Savla.
“This in turn, incentivizes attackers of all shades to deploy the same set of TTPs [Tactics, Techniques and Procedures] they have used to exploit in prior incidents,” Savla said.
Once the private key of the administrators is obtained by a malicious actor, it opens a multitude of possibilities for bad actors to wreak havoc, he added.
Besides private keys, wallets that are used to house and manage those keys introduce their own security risks, according to Savla.
‘Embed’ security at start of the development cycle
“Wallets and private keys combined open a huge attack surface and make targeting DeFi attractive and rewarding. One approach that is strongly needed to minimize and ultimately contain multiple attack vectors is to embed security at the beginning of the development cycle. Thorough security design and architecture become extremely crucial in this casel,” Savla said.
DeFi is an example of a “high-stakes system where machine identity management can be both its strength but also its weakness from a security standpoint, if not done correctly.” Savla added.