A New Era of State-Backed DeFi Blackhats Is Upon Us

The DeFi ecosystem has already suffered $1.22 billion worth of losses due to hacks in just the first three months of 2022, according to recent Immunefi research.

Headlined by the API hack of Axie Infinity’s Ronin Network sidechain in March, which resulted in North Korean-linked hackers looting a record $615 million of user funds from the gaming platform, this Q1 milestone has nearly notched the total $1.3 billion in DeFi hack losses for 2021.

In April, the FBI attributed the Ronin Network heist to the Lazarus Group, a North Korea-sponsored cyber gang. The Treasury’s Office of Foreign Asset Control (OFAC) also issued new sanctions last month against wallets linked to the group, and which received funds from the Axie theft.

Only $154 million in DeFi losses were attributable to malicious exploits through Q1 of 2021. Compared to this year’s Q1, that represents a 692% leap in successful attacks. In a rapidly escalating period of geopolitical volatility and military tension that recalls the Cold War era, the rise of state-sponsored DeFi hackers like Lazarus is a worrisome trend.

It’s hard enough to fight off individual, uncoordinated blackhats roaming around in the dark forest. It’s even harder to fight off coordinated, state-sponsored hacking groups with lots of resources and time to attack every single part and process of your project, from individual employees, developers, and executives, to web vulns, to Discord bot hacking, to smart contract vulns, to SIM swapping, and the list goes on.

Every area of security, including physical security, is coming under attack, so it’s no longer enough just to secure smart contracts. You’ll see why near the end of this post.

Following Russia’s military invasion of Ukraine, the world’s superpowers threaten to re-polarize themselves along an axis of Cold War-style hostilities between the West on one side, and Russia and China on the other. This paradigm shift puts the DeFi ecosystem even more at risk than before, when blackhat hackers worked on their own and were thus less sophisticated.

But now, DeFi operators and their communities have become cyber-military targets. While North Korea’s Lazarus Group has been the biggest state-backed player in DeFi exploits, other cyber-powers will follow suit. This pivot is compelling for more financially motivated countries like Russia and Iran, given the sanctions levied against them.

But China also has its own state-backed hacking groups like Hafnium and APT41. Hafnium is known for executing the sweeping Microsoft Exchange Server supply-chain attack. APT41 exploited the catastrophic Log4Shell code flaw. At minimum, China’s cyber capabilities are on par with Russia’s, given the sophistication and depth of the latter’s 2020 intrusion into the SolarWinds database management platform.

The U.S. attributed the SolarWinds hack to Russia’s Foreign Intelligence Service, the SVR. But when it comes to crypto and DeFi exploits, Lazarus Group reigns supreme — for the time being at least. The following blog will discuss Lazarus Group’s history, DeFi-hacking techniques, and assess the Web3 ecosystem’s rapidly evolving threats in the wake of growing exploitation by state-aligned hacking groups.

Lazarus Group Background

According to Russian cybersecurity firm Kaspersky, Lazarus is “one of the world’s most active threat actors” and has orchestrated multiple cyber-espionage and ransomware campaigns.

The group first emerged in 2009 when they launched a sophisticated DDoS attack on the South Korean government. But it wasn’t until 2014 that the gang skyrocketed to notoriety with the hack of Sony Pictures and the subsequent dump of the film studio’s confidential data and sensitive internal emails.

In 2015, the gang took their tradecraft to new heights by compromising and stealing millions from financial institutions in Latin America, Europe, and Southeast Asia. A year later, Lazarus Group raised the bar with their compromise of the Central Bank of Bangladesh’s SWIFT financial messaging controls to steal $81 million. Then in 2017, Lazarus Group notched its first blockbuster crypto exploit with the WannaCry ransomware attack. This “unprecedented” attack infected 200 computers across 150 countries, according to Europol. Since WannaCry, Lazarus Group has been a prolific perpetrator of ransomware attacks and supply-chain hacks globally.

As for the crypto industry, blockchain forensics firm Chainalysis said in a recent report that Lazarus was responsible for most of the North Korea-linked attacks on the ecosystem last year. Lazarus also heisted the lion’s share of some $400 million stolen by threat actors affiliated with the rogue nation, according to the report. These attacks largely targeted centralized exchanges and crypto investment firms. Techniques leveraged by NoKo-affiliated hackers included a mix of “phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses,” Chainalysis said.

The rise of Lazarus illustrates the nature of the threat that DeFi operators now face: state-backed groups with the capacity to hack SWIFT, launch devastating global ransomware exploits that cripple the operations of multinational companies, compromise the supply chains of cybersecurity vendors and IT-asset monitoring firms, and steal over half-a-billion-dollars in a flash. For a group as seasoned as Lazarus, exploiting Axie Infinity’s poorly secured blockchain bridge, blockchain integration that connects Axie’s Ronin Network to Ethereum, was a layup.

Axie Hack

On March 29, Axie discovered that the Ronin bridge had been “exploited for 173,600 Ethereum and 25.5M USDC” on its blog. These digital assets were drained in two transactions that took place on March 23, meaning it took them six days to discover the hack. The Ronin Network is a sidechain, which is a Layer 2 (L2) blockchain built on the Ethereum Layer 1 (L1) ‘mainchain.’ Sidechains like Ronin are also encoded with their own validator nodes and consensus mechanisms for adding new transaction blocks.

A validator node is an assigned permission to a server that gives stakeholders in a distributed ledger the right to participate in ‘consensus.’ Consensus is a foundational feature of distributed ledger technology (DLT), which gives select nodes the right to validate, vote on, and maintain a record of transactions on a blockchain. We’ll get to why this concept is so vital to understanding the Axie hack in a moment.

Meanwhile, bridges are L2 connections that enable the “transfer of tokens and/or arbitrary data from one chain to another,” according to the Web3 Foundation, which conceived the Polkadot blockchain. Lazarus managed to obtain private keys for four Ronin validator nodes assigned to Sky Mavis, the game developer that makes Axie, according to Ronin’s incident report. The group also stole keys from a third-party Ronin validator node operated by Axie DAO.

With five out of nine validators, Lazarus had compromised enough validators to approve the massive withdrawal of user funds locked into the Ronin Bridge. Lazarus compromised the Ronin Network by exploiting a backdoor in the sidechain’s “gas-free RPC node,” according to their blog post. IT educational publisher TechTarget defines Remote Procedure Calls (RPCs) as API protocols that enable a program on one computer to request a service from a program on another computer “on a network without having to understand the network’s details.”

In blockchain systems, RPC node APIs enable users to “read blockchain data and send transactions to different networks,” according to dApp infrastructure provider Moralis. Lazarus was able to compromise Ronin’s RPC node because the Axie DAO did not revoke the transaction signing privileges it had temporarily granted to Sky Mavis during a time of “immense user load.” While the signing privileges were discontinued by Axie DAO in December, the system neglected to revoke the whitelist access for Sky Mavis.

After Lazarus had breached Axie’s internal network, probably via a social engineering exploit, according to the Ronin Network, “they were able to get the signature from the Axie DAO validator by using the gas-free RPC,” said their hack incident report. Given that APIs are foundational to the software supply chain, the Ronin Network hack can thus be thought of as a state, supply-chain attack like the SolarWinds Orion exploit, which was also facilitated by an API vulnerability that allowed attackers to bypass authentication.

The difference between the Ronin hack and SolarWinds, however, is that the former was financially motivated, while the latter served Russia’s cyber objectives, which prominently targeted U.S. government agencies. As for Lazarus, they are using popular blockchain mixer service Tornado Cash to obfuscate the flow of funds. In April, Tornado Cash said they were enlisting Chainalysis’ services to block Lazarus transactions.

Lessons for Web3 in the Era of State-Backed Cyber-Threats

The Axie hack is important because it illustrates the convergence of state-backed threat groups, supply-chain attacks, and DeFi. Given that over 90% of breaches begin with an unsuspecting user engaging with a compromised email or web link, Axie’s claim about a social engineer attack vector is likely correct. Beyond network infilitration, however, is Axie DAO’s failure to update their RPC node API security controls after discontinuing permissions to Sky Mavis.

Firstly, it should be noted that APIs themselves have become increasingly popular targets for exploitation. Gartner has even forecasted that APIs will be the most common attack vector this year. Regardless, these integrations are elemental to the modern cloud-based SaaS supply chain. As the Ronin hack demonstrated, “unmanaged and unsecured APIs are easy targets for attacks, increasing vulnerability to security and privacy incidents,” a recent Gartner report on API security stated.

The very use of Ethereum RPC nodes themselves has also been criticized by dApp infrastructure firms like Moralis. Moralis insists that dApp developers would be better served outsourcing RPC node management to specialist blockchain-as-a-service firms because operating these API servers properly is overly “resource-intensive,” “time-consuming,” and “unnecessarily difficult.”

Ronin’s former consensus mechanism is also debatable, with some criticism being raised that it was too easy for Lazarus to obtain the required keys to achieve consensus. Following the disclosure of the hack, the Ronin Network stated that the sidechain needs agreement from eight validators, as opposed to the five they implemented pre-exploitation.

Aside from APIs and keys, another method of attack is via gaining privileged access to a project’s systems or code repositories. But this isn’t just happening via external attack, as many assume. Some DeFi project maintainers are reporting that they have conducted interviews with developers, who they actually suspect to be North Korean hackers based on accents, sketchy behavior, and other hints.

If true, this would mean that state-sponsored hackers are actively trying to insert themselves into developer roles across the DeFi scene. And there’s a big chance that at least one of these hackers will be hired, too, given that many interviews are not even conducted over calls, but rather are text-based. Sometimes, there aren’t any interviews done at all.

If those blackhats get a foot inside the door, the consequences will be dire.

While blockchain sleuths attempt to track the Ronin’s stolen funds, the Web3 community needs to understand that the Lazarus attack signals a new escalation in the crypto-threat environment. It’s only a matter of time before other state-backed threat target them for an easy payday. DeFi operators with poor API governance and bad email security hygiene will be particularly exposed to this new generation of cyber-military-grade crypto hackers.