Cryptohack Roundup: Tornado Cash in the Eye of the Storm
Also: FBI Issues DPRK Alert; Incidents Affect Exactly, Harbor and Venus Protocols
Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, two Tornado Cash founders faced charges in a U.S. court, while a judge separately sided with the U.S. Department of the Treasury in a Coinbase-backed lawsuit against the cryptomixer's sanctioning; the FBI identified North Korean bitcoin wallets holding stolen cash; hackers stole millions from DeFi protocols Exactly and Harbor; Venus Protocol liquidated $30 million from a hacker's wallet; Terra paused its website amid phishing scams; and Thailand threatened to shutter Meta over inaction against crypto scam ads.
The United States on Wednesday unveiled charges against a Russian national and a Washington state man for creating, operating and promoting now-sanctioned cryptomixer Tornado Cash, which helped threat actors such as the Lazarus Group launder more than $1 billion.
The charges against Roman Storm, 34, and Roman Semenov, 49, include conspiracy to commit money laundering, sanctions violations and operating an unlicensed money transmitting business. They face up to 45 years in prison.
The defendants and their co-conspirators allegedly created the core features of the service, paid for critical infrastructure to operate it, and advertised it as a service that allowed anonymous and untraceable financial transactions. The prosecutors said they chose not to implement know-your-customer or anti-money laundering programs and did not implement any controls despite knowing about illicit money laundering transactions, including those by North Korean hackers.
Tornado Cash's developer, 29-year-old Alexey Pertsev, was arrested Aug. 10, 2022, in the Netherlands, his wife Xenia Malik told Information Security Media Group last September.
Separately, the U.S. District Court for the Western District of Texas ruled last Thursday in favor of the U.S. Department of the Treasury in a lawsuit asserting the government exceeded its authority in sanctioning the cryptocurrency mixer. The Coinbase-backed lawsuit, filed last year, argued the federal government had exceeded its sanctions authority and violated plaintiffs' First Amendment right to speech by closing off their ability to privately donate to social causes.
U.S. District Judge Robert Pitman said otherwise, writing that Tornado Cash is an entity that can be designated for sanctions and that the mixer has a property interest in smart contracts. As for the First Amendment claim, Pitman said the Constitution does not protect plaintiffs' right to donate money to social causes "through any particular bank or service of their choosing."
FBI Issues Alert on DPRK
The FBI on Tuesday alerted cryptocurrency companies to track transactions from newly disclosed North Korean threat actor bitcoin addresses. The bureau believes Pyongyang hackers may attempt to cash out more than $40 million worth of bitcoin. The agency said the Lazarus Group had moved about $26,000 worth of stolen crypto in the previous 24 hours. It said North Korea is responsible for dozens of high-profile hacks, including a slew of attacks in June: a $60 million hack of AlphaPo, a $37 million heist from CoinsPaid and the theft of $100 million from Atomic Wallet. The FBI already fingered North Korea earlier this year for a $100 million theft from Horizon Bridge and the theft of $600 million from Sky Mavis' Ronin Bridge.
Hackers exploited a smart contract vulnerability on decentralized finance platform Exactly Protocol to steal millions of dollars on Friday. Security researchers initially estimated the theft at $7.3 million and settled on $12 million later in the day. The total value of digital assets locked on the protocol plummeted to $26 million from $36 million after the hack.
Hackers on Saturday drained an undisclosed amount from Harbor Protocol, the company said. The company is investigating the exploiters and tracing the funds, even as it tweeted a message to the hackers to "talk to find a solution that is optimal and doesn't impact users and community members."
Decentralized lending platform Venus Protocol liquidated a hacker-connected wallet containing $30 million, returning the funds to its pool. Venus Protocol runs on the BNB Chain ecosystem, which is also the chain a hacker attacked last year. The attacker stole funds from BNB Chain and deposited them to Venus Protocol, where they borrowed and ultimately siphoned off $150 million worth of stablecoins.
Terra on Tuesday announced a temporary shuttering of its website to protect its users from interacting with an ongoing phishing scam on the platform. A "full resolution is still underway," despite delays with "some third-party responses," the company said. It asked users to not engage with any sites under the Terra money domain until announced otherwise.
Thailand’s digital ministry threatened to shut down Facebook parent Meta's operations in the country unless the social media giant actively works to take down cryptocurrency scam ads on its platform. The Ministry of Digital Economy and Society has given Meta a deadline of the end of this month to do so, according to its statement.