Date:: April 21, 2018
Amount Stolen:: $234,000,000
- BTC 10,777
- ETH 218,790
- Zcash 3,783
- Dogecoin 99,999,000
- Ripple 3,043,268
- LTC 11,000
- ETC 175,866
Rekt by Celas Trade Pro
In an April 2018 hack of Gate.io, a case in which the U.S. DOJ indicted and filed a civil forfeiture action against DPRK cybercriminals, North Korean hackers stole nearly $230 million worth of crypto assets.
An employee of the exchange was targeted with an infected file, which the employee downloaded. This led to the theft of enormous quantities of Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Dogecoin, and several other altcoins.
An employee of The Exchange 1 communicated with a “potential client” via email, which resulted in the employee unwittingly downloading malware that then attacked The Exchange 1.
The hack totaled nearly $230 million worth of crypto assets at then-prevailing prices. However, the exchange never publicly confirmed the hack, which likely delayed involvement by law enforcement and may have hampered efforts to seize and return all stolen funds to the victims.
"The same North Korean co-conspirators registered the domain “celasllc.com.” According to its website, Celas LLC, a/k/a Celas Limited, purported to offer a cryptocurrency trading platform, called Celas Trade Pro, which could be downloaded from celasllc.com"
"The North Korean co-conspirators who emailed The Exchange 1 malware were also engaged in a massive phishing campaign in an attempt to infect other users with malware. To provide credibility to the online personas, fake social media profiles were created. For example: a. A Twitter account was created with the name “Waliy Darwish” that made various posts related to cryptocurrency and included a link to celasllc.com; b. The same user created a LinkedIn page for “Waliy Darwish,” listing him as a business developer at Celas LLC with a bachelor’s degree from Rotterdam University."
In this specific hack, North Korean actors programmed “automated scripts to rapidly launder and reconsolidate stolen funds into exchanges before transferring them into Lazarus-affiliated wallets,” as evidenced by the large number of simultaneous transactions.
While we saw automation and other obfuscation techniques such as peeling chains — a series of smaller dispersing transactions followed by consolidation, used to obscure larger transfers — the real key to this operation was to off-ramp the cryptocurrency to fiat as quickly as possible, even at the expense of potential future attribution of the hack.
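The two halves of the laundering pattern described above, many small peels followed by consolidation at a single destination, are the kind of thing an investigator or exchange compliance team looks for when tracing stolen funds. The following Python is an added illustration, not code from this page, from the DOJ complaint, or from any tracing vendor. It runs over a constructed, simplified UTXO ledger (the `Tx` class, the addresses `S0`, `P1`…`C6`, `DEPOSIT` and the sample amounts are all made up) and applies two heuristics whose thresholds (`peel_ratio`, `min_hops`, `min_sources`) are assumptions chosen for the example: a transaction is treated as one peel step when it has two outputs and the smaller is a small fraction of the total, a chain is the sequence of such steps linked by their change outputs, and a consolidation point is any address that receives the peeled outputs from several hops.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    """Simplified UTXO transaction (constructed model for this example)."""
    txid: str
    inputs: list   # [(prev_txid, output_index), ...]
    outputs: list  # [(address, amount), ...]


def build_spender_index(txs):
    """Map each spent outpoint (txid, index) to the txid that spends it."""
    return {prev: tx.txid for tx in txs for prev in tx.inputs}


def peel_roles(tx, peel_ratio):
    """Return (peel_index, change_index) if tx looks like one peel step, else None.

    Heuristic (an assumption of this example): exactly two outputs, and the
    smaller one is at most peel_ratio of the total.
    """
    if len(tx.outputs) != 2:
        return None
    amounts = [amount for _, amount in tx.outputs]
    total = sum(amounts)
    if total <= 0:
        return None
    small = 0 if amounts[0] <= amounts[1] else 1
    if amounts[small] / total > peel_ratio:
        return None
    return small, 1 - small


def find_peel_chains(txs, min_hops=3, peel_ratio=0.2):
    """Return chains of at least min_hops consecutive peel steps.

    Each chain is a list of (txid, peel_output_index). A chain starts at a peel
    step that does not spend another peel step's change, and it is followed
    from hop to hop through the change output.
    """
    by_id = {tx.txid: tx for tx in txs}
    spender = build_spender_index(txs)
    roles = {tx.txid: peel_roles(tx, peel_ratio) for tx in txs}
    change_outpoints = {(tid, r[1]) for tid, r in roles.items() if r}
    chains = []
    for tx in txs:
        if not roles[tx.txid] or any(i in change_outpoints for i in tx.inputs):
            continue
        chain, cur = [], tx
        while cur is not None and roles[cur.txid]:
            chain.append((cur.txid, roles[cur.txid][0]))
            cur = by_id.get(spender.get((cur.txid, roles[cur.txid][1])))
        if len(chain) >= min_hops:
            chains.append(chain)
    return chains


def total_peeled(txs, chain):
    """Sum of the small outputs peeled off along one chain."""
    by_id = {tx.txid: tx for tx in txs}
    return sum(by_id[tid].outputs[idx][1] for tid, idx in chain)


def find_consolidation(txs, chains, min_sources=3):
    """Addresses that receive, one hop later, peel outputs from min_sources+ hops.

    Returns {address: distinct_peel_outputs_received}; this is the
    reconsolidation half of the pattern (many small deposits, one destination).
    """
    by_id = {tx.txid: tx for tx in txs}
    spender = build_spender_index(txs)
    sources = defaultdict(set)
    for chain in chains:
        for txid, peel_idx in chain:
            nxt = spender.get((txid, peel_idx))
            if nxt is None:
                continue
            for addr, _ in by_id[nxt].outputs:
                sources[addr].add((txid, peel_idx))
    return {addr: len(s) for addr, s in sources.items() if len(s) >= min_sources}


def constructed_ledger():
    """Constructed sample ledger (not real chain data; amounts are illustrative)."""
    txs = [Tx("fund", [], [("S0", 1000.0)])]          # balance under attacker control
    prev, remaining = ("fund", 0), 1000.0
    for i in range(1, 7):                              # six peel steps off one balance
        peel = 5.0 + i
        remaining -= peel
        txs.append(Tx(f"peel{i}", [prev], [(f"P{i}", peel), (f"C{i}", remaining)]))
        prev = (f"peel{i}", 1)
    for i in range(1, 7):                              # every peel lands at one address
        txs.append(Tx(f"dep{i}", [(f"peel{i}", 0)], [("DEPOSIT", 5.0 + i)]))
    txs.append(Tx("even", [], [("A", 50.0), ("B", 50.0)]))   # even split, not a peel
    txs.append(Tx("lone", [], [("X", 1.0), ("Y", 99.0)]))    # one peel-like tx, no chain
    return txs


if __name__ == "__main__":
    ledger = constructed_ledger()
    found = find_peel_chains(ledger)
    for chain in found:
        print(" -> ".join(t for t, _ in chain), "peeled:", total_peeled(ledger, chain))
    print("consolidation points:", find_consolidation(ledger, found))
```

On the constructed ledger the single six-hop chain `peel1 -> … -> peel6` is reported with 51.0 units peeled, and `DEPOSIT` is flagged as receiving all six peels; the even split and the lone two-output payment are left alone. Real tracing is harder than this because change outputs are not always the larger one, peels may pass through several hops before a deposit, and ratio thresholds trade false positives against misses, which is why production tools combine such heuristics with clustering and exchange attribution rather than relying on one rule.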
"Exchange 1" in US v 113
- Apr 21, 2018 12:23:58 PM e.g. txn id 6caa60f997e5792a2766108b57fea451213b1b1f61607237b6e390836b760ba7
In late 2018, IRS-CI’s Cyber Crimes Unit learned that The Exchange 1 had been hacked. The perpetrators of the hack stole nearly $250 million worth of virtual currencies (as detailed below). The intrusion and subsequent laundering involved numerous electronic communications made in furtherance of the scheme, including e-mail messages and other wire communications related to the intrusion and the submission of false Know-Your-Customer information to various virtual currency exchanges. These communications include wire communications that transited through the United States.
In mid-2018, an employee of The Exchange 1 communicated with a “potential client” via email. While communicating with the “potential client,” the employee unwittingly downloaded malware which attacked The Exchange 1.
On or about the same day that The Exchange 1 was hacked, a co-conspirator in North Korea researched The Exchange 1 and its CEO. This research, much of which was in Korean, referenced: Hacking; Gmail hacker extension; How to conduct phishing campaigns; and How to exchange large amounts of ETH to BTC.
Ultimately, the malware unwittingly downloaded by The Exchange 1 employee provided remote access to The Exchange 1 and unauthorized access to private keys controlling wallets to multiple virtual currencies.
With control of The Exchange 1’s private keys, the North Korean co-conspirators stole the following virtual currencies:
- BTC 10,777.94 ($94,145,839.41)
- ETH 218,790 ($131,005,511.85)
- Zcash (ZEC) 3,783 ($1,020,809.45)
- Dogecoin (DOGE) 99,999,000 ($560,944.39)
- Ripple (XRP) 3,043,268 ($2,660,100.78)
- Litecoin (LTC) 11,000 ($1,639,699.05)
- Ethereum Classic (ETC) 175,866 ($3,304,763.96)
- Total ($234,337,668.88)
After The Exchange 1 was hacked, 5,600.42737261 BTC was laundered into an account at VCE1 (Defendant Property 64) via 146 transactions from May 10, 2018 to July 6, 2018.
e.g. 3GHUDLzk1VjYAxZC5rV3T5aAgEWCA7QmF7
- BCH qrzdz534lpzgad7tdmj5decxgq9kczt7dyphxhm7g4
- BTC 1JwgCVCnw8ziAnXA1c2VqUaMVkV4jtfDmw
- DOGE DP5mjk9SEYtzhnhkkC24PEjxNtDN7JGRx3
- ETC 0x3bb16a8eee705d0002e16332b94e9e736bf7f7fc
- ETH 0x3bb16a8eee705d0002e16332b94e9e736bf7f7fc
- ETH 0xff8e0c9cf3d7c0239ab157ec2d56bc1cfcd80757
- LTC LdAdThWd1oEmRbDKBk1o7Ve7hxrLxUPfvo
- zachxbt, Feb 2023: "Dormant funds left over from the April 2018 Gate $230m hack by North Korea began to move after over 4.5 years. 0xff8E0c9Cf3d7C0239aB157eC2D56bC1cFcD80757"