North Korea's Crypto Craze and Its Impact on US Politics

In 2022 alone, North Korea, or the Democratic People’s Republic of Korea (DPRK), reportedly stole over $1 billion worth of cryptocurrencies from organizations in the cryptocurrency industry through one of its main hacking groups – the Lazarus Group. That represents an increase of $400 million over 2021, and these thefts account for a third of all cyber-intrusion losses in the cryptocurrency sector this year.

More unrest in the cryptocurrency sector has already caused financial authorities to increase calls for regulation. Bankruptcies and scandals involving various companies are taking a toll on the cryptocurrency industry and value. Many of these companies are headquartered in the United States, making US regulation especially important. The country’s pivotal role in the cryptocurrency industry and efforts to regulate it — along with the industry’s current descent into chaos — make this an opportune time to focus the US government’s policy initiatives on cryptocurrency companies and products.

Given changes in the threat landscape and the financial system, the United States must alter its policy focus accordingly. Lazarus cryptocurrency theft dates back to at least 2017, and by the end of 2018 the group was responsible for more than half of the total losses from cryptocurrency exchange thefts. As early as 2019, the UN Security Council acknowledged that DPRK cybercrime operations against cryptocurrency exchanges were quickly becoming a significant additional source of revenue for the regime. However, Lazarus’ interest in the cryptocurrency sector only surpassed its interest in traditional banks (such as Bank of Bangladesh) in 2020, probably because the mobility restrictions brought on by the COVID-19 pandemic and the subsequent global lockdowns prevented the group from withdrawing and moving funds through money mules, a favorite Lazarus tactic, prompting a move into the cryptocurrency sector.

Coupled with the unregulated and vulnerable nature of decentralized finance (DeFi) protocols and organizations, the cryptocurrency sector is a high-value target. Widespread vulnerabilities in smart contracts that govern DeFi assets are increasingly being exploited, and the recent collapses of cryptocurrency exchanges like FTX have reaffirmed the instability of the sector.

Existing policies have been largely insufficient and have not addressed the broader spectrum of pre- and post-compromise considerations. Financial regulations have prioritized money laundering over theft, and existing tools such as prosecutions and Financial Action Task Force regulations have proven ineffective against break-ins and theft, as well as against money laundering.

US sanctions imposed in 2022 against cryptocurrency mixers (platforms used to obfuscate the origins of cryptocurrency) such as Blender and Tornado Cash have been relatively successful compared to other punitive measures, but hacks and cybercrime remain rampant. This has left the cryptocurrency sector as a lucrative opportunity for Lazarus to exploit.

So what should US policy look like?

Of the existing policies, sanctions have shown promise against the laundering side of the ecosystem. In May, US sanctions were applied to the centralized cryptocurrency mixer Blender, due to its use by North Korean threat actors. In August, Tornado Cash was sanctioned for the same reasons, but Tornado Cash, due to its decentralized nature, has continued to operate and cannot be isolated from the financial system like a traditional organization.

Sanctioning services like Tornado Cash theoretically makes it more difficult for threat actors to transfer or launder money taken from victims, or to use funds coming out of the mixer, creating more opportunities for those funds to be recovered. The effectiveness of sanctions depends on whether they can be enforced, and threat actors are adept at finding ways around them. However, a sanctioned organization will suffer a reputational impact, which may affect its use: after Tornado Cash was sanctioned, the mixer saw a significant drop in transaction volume. Despite this initial positive data, there is an asymmetry between the threat and the response. New mixers will emerge in their place and the sanctions cycle will start all over again, so sanctions directed at mixers must also cover those responsible for creating these services.

Post-compromise solutions should also focus on victim remediation as stolen funds are moved and laundered on the blockchain. A public and transparent central ledger of incidents would allow organizations to access information about the latest heists, similar to the crowdsourced tracking of victim payments to ransomware groups. When an organization loses funds, the wallets involved in the transactions are flagged in real time and can be tracked both by others in the industry and by investigators. This would increase the opportunity and likelihood of seizure and recovery of funds.
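To show what real-time tracking from a flagged wallet could look like in practice, here is an added example (not from the article or any tracking project) that propagates a "tainted" flag forward through a constructed, simplified transfer ledger; the addresses and amounts are placeholders, and the only real-world caveat baked in is that simple edge-following loses attribution once funds pass through a mixer.

```python
# Added example: forward taint-tracking of funds from wallets flagged after a
# heist, over a constructed ledger of (sender, receiver, amount) transfers.
from collections import deque

# Constructed sample transfers; addresses are placeholders, not real ones.
TRANSFERS = [
    ("victim_exchange_hot", "attacker_1", 1000.0),  # the heist itself
    ("attacker_1", "hop_a", 600.0),
    ("attacker_1", "hop_b", 400.0),
    ("hop_a", "mixer_x", 600.0),                    # funds enter a mixer
    ("hop_b", "exchange_offramp", 400.0),           # direct cash-out attempt
    ("clean_user", "exchange_offramp", 50.0),       # unrelated deposit
    ("mixer_x", "cashout_1", 300.0),                # mixer output: linkage is
]                                                   # heuristic, not proven

def propagate_taint(transfers, flagged, max_hops=3):
    """Return {address: hops} for every address that received funds from a
    flagged wallet within max_hops transfers (BFS, shortest hop distance)."""
    out_edges = {}
    for sender, receiver, _ in transfers:
        out_edges.setdefault(sender, []).append(receiver)
    tainted = {addr: 0 for addr in flagged}
    queue = deque(flagged)
    while queue:
        current = queue.popleft()
        hops = tainted[current]
        if hops >= max_hops:
            continue
        for nxt in out_edges.get(current, []):
            if nxt not in tainted:
                tainted[nxt] = hops + 1
                queue.append(nxt)
    return tainted

def tainted_inflow(transfers, tainted):
    """Sum, per receiving address, only the amounts sent by tainted senders,
    so an unrelated deposit into the same off-ramp is not counted."""
    totals = {}
    for sender, receiver, amount in transfers:
        if sender in tainted:
            totals[receiver] = totals.get(receiver, 0.0) + amount
    return totals

if __name__ == "__main__":
    # The wallet that received the heist is the one an incident ledger flags.
    reach = propagate_taint(TRANSFERS, {"attacker_1"})
    for addr, hops in sorted(reach.items(), key=lambda kv: kv[1]):
        print(f"{addr:20s} hops={hops} tainted_inflow={tainted_inflow(TRANSFERS, reach).get(addr, 0.0)}")
```

Limiting `max_hops` keeps the flagged set actionable for an exchange's compliance team; anything past a mixer should be treated as a lead for investigators rather than proof.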

Preventative measures are even more important considering the repeated use of the same exploits as initial infection vectors. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) are expected to issue guidance on how to develop secure smart contracts, as they have previously done for secure software development. In addition to secure coding, a product in the traditional financial sector often goes through ‘red teaming’ activities for each release before it goes public. Smart contract audits can be seen as the cryptocurrency industry’s equivalent, ensuring greater due diligence before app releases. Auditing can be used to identify vulnerabilities and provide reassurance to users by hardening smart contracts against known methods of compromise.

While audits are gaining traction in the industry, they are not standardized, regularly conducted or mandated. Not only should the National Institute of Standards and Technology (NIST) issue a framework for conducting a certified audit, but CISA and the Treasury Department should also mandate periodic audits for organizations in the cryptocurrency industry. They must also certify auditors to ensure that the organizations offering the service are reputable, similar to other schemes that verify providers.

Assuming cryptocurrency is here for the long haul (although even that remains to be seen), US regulators will need to double down on sanctions against mixers, proactively track thefts, and institutionalize audits to address the threat that cyber threat actors, and especially Lazarus, pose to the cryptocurrency industry.

Saher Naumaan is a Principal Threat Intelligence Analyst at BAE Systems Digital Intelligence, where she researches state-sponsored cyber operations with a focus on tracking threat groups in the Middle East and North Korea.

Opinions expressed herein are personal and do not reflect the policy or position of any entity or organization.
