North Korean Hackers Stalk Crypto Startups Scrimping on Security

March 25, 2024 by and

It’s every cryptocurrency project’s nightmare: Well-resourced hackers — perhaps backed by a rogue state like North Korea — strike out of nowhere, dismantling cyber defenses and making off with millions of dollars in customer funds.

Many crypto outfits, large and small, have suffered permanent damage this way. Yet across the industry, startups strapped for cash after a prolonged funding drought have cut security spending even as soaring digital-asset prices tempt hackers, according to firms that sift through code for weaknesses.

That leaves the cryptosphere vulnerable as the number of exploits targeting the industry skyrockets, undermining efforts to establish it as a viable alternative to traditional finance. In particular, hackers linked to North Korea, among the most sophisticated in the business, are showing no signs of letting up.

“The only way to stop exploits is to stop them from happening in the first place,” said Ari Redbord, global head of policy at TRM Labs, which uses blockchain forensics to track crypto crimes. “That means hardening cyber defenses.”

Hacks and scams cost the crypto industry an estimated $1.8 billion last year, down about 50% from 2022, according to Immunefi, which runs a platform where companies offer bounties to those who locate and flag security flaws in their software. A drop in the very biggest heists, like the roughly $600 million one related to blockchain game Axie Infinity two years ago, explains why the total value fell.

But the number of incidents almost doubled, to 319, Immunefi estimates.

Lazarus Group, associated with the Democratic People’s Republic of Korea, accounted for nearly a fifth of total losses, Immunefi data show. A separate report from Chainalysis Inc. in January showed that the number of North Korea-linked crypto hacks jumped to a record last year.

Crypto thieves have stalked the industry almost since its inception. In what remains perhaps the most famous incident to date, Japan-based Bitcoin exchange Mt. Gox was struck in 2011. Over time, the hackers made off with tokens worth billions of dollars based on the current market price. Mt. Gox eventually went bankrupt and its users have yet to recover their losses.

As the number of blockchains and projects built upon them multiplied over the following years, so too did the target surface area for hackers. Exploits mushroomed, creating a lucrative niche for security firms and “white-hat” hackers who earn bounties reaching into the millions of dollars for uncovering crypto vulnerabilities.

‘Devastating’ Outcomes

To a certain extent, the very underpinnings of crypto — decentralized systems where all transactions are governed by code — leave it inherently vulnerable. A case in point is the software “bridges” that link different blockchains, which became entry points for thieves who struck the Ronin bridge linked to Axie Infinity, as well as in exploits targeting crypto projects Wormhole, Harmony and Nomad.

Getting hit can be catastrophic.

“When you have a really big incident, when you lose customer funds — you are either well funded enough that you or your investors can bail out your customers, or you don’t reimburse your users,” said Oliver Hörr, director of operations at security firm Hats Finance. “Obviously if you don’t reimburse them, your product is dead. But both outcomes are pretty devastating.”

Despite the high stakes, many firms find themselves having to make tough choices. While there isn’t any data tracking code-auditing spending by crypto firms, executives at outfits that provide such services say demand has cooled.

Even after the cost of a typical crypto audit dropped roughly 50% since 2022 to around $20,000 per week, according to several firms, “projects are still unable to afford that,” said Hind Kurhan, who in September founded security auditing firm Thesis Defense and aims to establish an industry standard for audits.

At crypto-auditing startup Halborn, Chief Executive Officer Robert Behnke said “inbound interest” dropped 60% last year. Rates for auditing a type of smart contract built on the Ethereum blockchain fell as much as 20%, he said. Diligence, the auditing arm of ConsenSys, has seen the waiting time for its security screenings shrink.

Some companies are forgoing labor-intensive manual code audits in favor of using less-precise automated tools to scan for weaknesses, security experts say.

Euler Finance Exploit

To be sure, audits are no guarantee that cyber defenses will hold. Euler Finance, a decentralized lending protocol, was drained of almost $200 million in cryptocurrencies by hackers in March last year even after being audited “at great expense,” according to founder Michael Bentley.

So harrowing was the experience that Bentley wrote a 13,000-word blog post about it, outlining in great detail the hack and its grueling aftermath.

“We worked hard and were above industry standards for the time” in terms of security, Bentley said in an interview. “So it was shocking for everyone and highlighted the challenges of building in the space.” He described the incident — which happened a few days after the birth of his second child and the collapse of Silicon Valley Bank — as a “dreadful period.”

After three weeks of working almost 20-hour days and employing lessons from game theory to negotiate with the hacker, Bentley and his team recovered all the stolen funds.

The fact that Euler got hacked even after big outlays on security doesn’t mean Bentley plans to cut back on spending. For the second version of its protocol that’s in development, the company will run several code-audit competitions with “high” bounties for those who find weaknesses, he said.

North Korean Menace

Not everyone recovers from a major hack. Axie Infinity, whose meteoric rise during the last bull market brought terms like “play-to-earn” into the popular vernacular, has seen the number of daily players plunge since before the Ronin heist, which has been attributed to North Korea-backed Lazarus.

North Korea in particular poses a formidable threat to the industry. The United Nations Security Council’s Panel of Experts said in a report this month that it’s investigating 58 suspected cyberattacks by Kim Jong Un’s regime on crypto-related companies that took place between 2017 and 2023 and were valued at about $3 billion, which “reportedly help to fund the country’s development of weapons of mass destruction.”

North Korean hacks were 10 times as damaging as those linked to other thieves, TRM said in a January report.

In June alone, Lazarus was responsible for high-profile heists targeting crypto companies Alphapo, CoinsPaid and Atomic Wallet, according to the FBI.

“Over the last few years, we have seen North Korea attack crypto projects at alarming speed and scale,” said TRM’s Redbord. “It is absolutely critical that if you are building today in the crypto space — centralized or decentralized — that cyber security is foundational infrastructure.”

Top photograph: Computer code displayed on screens arranged in Danbury, UK, on Monday, Jan. 4, 2021. Photo credit: Chris Ratcliffe/Bloomberg