Binance recovers $8m in stolen, disguised crypto loot from $820m mega hack

Binance was able to trace stolen funds that were initially moved from the hackers' wallet to Tornado Cash. PHOTO: REUTERS

NEW YORK (BLOOMBERG) - More than a week after the United States tied one of the biggest heists in crypto to a North Korean hacking group, digital-asset exchange Binance said it was able to recover about US$5.8 million (S$8 million) worth of the stolen loot that had made its way onto its platform in disguised form.

The details of how it achieved this serve as notice for those who attempt to cash out ill-gotten cryptocurrency gains: It may only get harder.

The US Treasury Department on April 14 tied the North Korean hacking group Lazarus to the theft of more than US$600 million (S$824 million) in cryptocurrency from the Ronin software bridge, which is used by players of Axie Infinity to transfer crypto.

The department identified an Ethereum wallet address tied to the group, adding it to its sanction list. Binance was able to trace stolen funds that were initially moved from the hackers' wallet to Tornado Cash - a service that allows for anonymous token transfers on the Ethereum blockchain - and then to its exchange by working with external firms.

"We coordinated with industry leading blockchain analytics firms and immediately froze the funds when exposure to our platform was identified," a Binance spokesman said. The crypto was discovered in 86 different accounts on Binance's exchange, the firm's chief executive officer Changpeng "CZ" Zhao said in a tweet.

While the amount retrieved represents a small portion of the US$600 million in crypto that was swiped, the accomplishment raises hopes of recovering more of the stolen funds even as hackers continued to move them around.

In the past week or so, roughly 56,200 Ether, or about US$170 million worth of stolen cryptocurrency, was moved out of the main address on the Ethereum blockchain used by the perpetrators, blockchain data shows. The stolen funds were all sent to newly created addresses, with some of those addresses in turn transferring the tokens to Tornado Cash. All told, more than US$230 million of the crypto has moved from the wallet, according to blockchain data firm Peckshield.

Tornado Cash is designed to break the link between a transaction's sender and receiver addresses, making supposedly public blockchain transactions hard to track.

Blockchain compliance firm Chainalysis, which has experience in "unmixing" Bitcoin transactions, said Binance's ability to freeze the funds is "a win" for victims of the Ronin hack.

"Binance's action...to freeze funds stolen from North Korean-linked hackers, despite their use of complex obfuscation techniques... was made possible by world-class investigators with the right tools and collaboration," Ms Erin Plante, senior director of investigations at Chainalysis, said.

A spokesman for the US Treasury Department said the agency's identification of the address on April 14 will "make clear" to other virtual-currency actors that by transacting with the address, they "risk exposure to US sanctions".

On April 22, the US agency added three more addresses to its sanctions list in connection with the Ronin hack. The US government "continues to take disruptive action against entities facilitating the movement of the stolen virtual currency", the spokesman said. "We call on the crypto community to lock its digital doors."

In the wake of the Treasury's announcement, Tornado Cash signalled it was taking steps of its own to block sanctioned wallets. It announced on April 15 on its Twitter account that it is using a free compliance tool developed by Chainalysis to block crypto wallets targeted by the US Office of Foreign Assets Control (OFAC).

The tool, launched by Chainalysis in March, is a free smart contract, or a program run on a blockchain, that scans for crypto addresses that are sanctioned by several governments.

Chainalysis also provides paid products that alert customers to indirect exposure to sanctioned addresses, and to other addresses the firm has identified as linked to sanctioned entities beyond those on OFAC's sanctions list.

A spokesman from Chainalysis said the firm cannot confirm Tornado Cash is using its tool because the program is not embedded in Tornado Cash's own code, or smart contract.

According to Tornado Cash, the compliance tool was only used to block sanctioned addresses from using the user-facing decentralised application. In theory, blocked addresses can still gain access to the underlying technology of Tornado Cash by transferring the crypto to another address first. Tornado Cash founders did not respond to multiple requests for comment about the tool and its effectiveness.
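The distinction the article draws here, between blocking an address that is itself on a sanctions list and detecting funds that are one or more transfers removed from it, can be made concrete with a small screening routine. The following is an added example written for this page; it is not Chainalysis's tool, Tornado Cash's front-end check, or any code from the parties involved. The addresses are placeholder labels, not real Ethereum addresses or real OFAC entries, and the transfer list is constructed (its amounts echo the figures reported in the article, but the graph itself is invented). It contrasts a direct list lookup, which a single onward transfer defeats, with a hop-distance search over incoming transfers, which is the kind of indirect-exposure check the article describes.

```python
# Added example (not from the article or from any firm named in it):
# direct vs. indirect sanctions-exposure screening over a constructed transfer graph.
from collections import deque

# Constructed placeholder labels; not real Ethereum addresses and not real OFAC entries.
SANCTIONED = {"0xSANCTIONED_PLACEHOLDER"}

# Constructed transfers as (sender, receiver, amount_in_ether). The amounts mirror
# figures quoted in the article; the addresses and the graph shape are invented.
TRANSFERS = [
    ("0xSANCTIONED_PLACEHOLDER", "0xHOP1_PLACEHOLDER", 10129.935),
    ("0xHOP1_PLACEHOLDER", "0xHOP2_PLACEHOLDER", 1528.0),
    ("0xHOP2_PLACEHOLDER", "0xMIXER_PLACEHOLDER", 100.0),
    ("0xHOP2_PLACEHOLDER", "0xMIXER_PLACEHOLDER", 100.0),
    ("0xCLEAN_X_PLACEHOLDER", "0xCLEAN_Y_PLACEHOLDER", 5.0),
]


def build_incoming(transfers):
    """Map each receiver to the set of addresses that have sent it funds."""
    incoming = {}
    for sender, receiver, _amount in transfers:
        incoming.setdefault(receiver, set()).add(sender)
    return incoming


def direct_check(address, sanctioned=SANCTIONED):
    """Front-end style check: only the address itself is compared against the list.
    Funds moved through one fresh address pass this test unchanged."""
    return address in sanctioned


def exposure_distance(address, transfers, sanctioned=SANCTIONED, max_hops=5):
    """Breadth-first search backwards along incoming transfers.

    Returns the number of hops to the nearest sanctioned address (0 if the
    address itself is listed), or None if nothing is found within max_hops.
    """
    if address in sanctioned:
        return 0
    incoming = build_incoming(transfers)
    seen = {address}
    queue = deque([(address, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for sender in incoming.get(node, ()):
            if sender in sanctioned:
                return depth + 1
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, depth + 1))
    return None


def screen(address, transfers, sanctioned=SANCTIONED, max_hops=5):
    """Combine both checks into one verdict for a compliance alert."""
    hops = exposure_distance(address, transfers, sanctioned, max_hops)
    return {
        "address": address,
        "direct_hit": direct_check(address, sanctioned),
        "hops_to_sanctioned": hops,
        "flag": hops is not None,
    }


if __name__ == "__main__":
    for addr in ("0xHOP1_PLACEHOLDER", "0xMIXER_PLACEHOLDER", "0xCLEAN_Y_PLACEHOLDER"):
        print(screen(addr, TRANSFERS))
```

The first hop address fails `direct_check` yet has an exposure distance of 1, which is exactly the gap the article describes between blocking listed addresses at the user-facing application and tracing funds that were parked in a new address first. Lowering `max_hops` shows the other side of the trade-off: a shallow search runs cheaply but silently loses the longer chains, so a real deployment tunes the depth against how many intermediate addresses it expects to see.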

On April 22, one of the addresses that received 10,129.935 Ether from the hacker's main address sent about 1,528 Ether to a second new address, according to blockchain data. That second address was sending Ether in batches of 100 Ether each to Tornado Cash.
