
Gate.io

Date:: April 21, 2018

Amount Stolen:: $234,000,000

BTC 10,777

ETH 218,790

Zcash 3,783

Dogecoin 99,999,000

Ripple 3,043,268

LTC 11,000

ETC 175,866


Details

Rekt by Celas Trade Pro

In the April 2018 hack of Gate.io, a case in which the U.S. DOJ indicted DPRK cybercriminals and filed a civil forfeiture action against the stolen funds, North Korean hackers stole nearly $230 million worth of crypto assets.

An employee of the exchange was targeted with an infected file, which the employee downloaded. This led to the theft of enormous quantities of Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), Dogecoin, and several other altcoins.

An employee of The Exchange 1 communicated with a “potential client” via email, which resulted in the employee unwittingly downloading malware that then attacked The Exchange 1.

The hack totaled nearly $230 million worth of crypto assets at then-prevailing prices. However, the exchange never publicly confirmed the hack, which likely delayed involvement from law enforcement and may have hampered efforts to seize and return all stolen funds to the victims.

"The same North Korean co-conspirators registered the domain “celasllc.com.” According to its website, Celas LLC, a/k/a Celas Limited, purported to offer a cryptocurrency trading platform, called Celas Trade Pro, which could be downloaded from celasllc.com"

"The North Korean co-conspirators who emailed The Exchange 1 malware were also engaged in a massive phishing campaign in an attempt to infect other users with malware. To provide credibility to the online personas, fake social media profiles were created. For example: a. A Twitter account was created with the name “Waliy Darwish” that made various posts related to cryptocurrency and included a link to celasllc.com; b. The same user created a LinkedIn page for “Waliy Darwish,” listing him as a business developer at Celas LLC with a bachelor’s degree from Rotterdam University."

In this specific hack, North Korean actors programmed “automated scripts to rapidly launder and reconsolidate stolen funds into exchanges before transferring them into Lazarus-affiliated wallets,” which was evident from the large number of simultaneous transactions.

While we saw automation and other obfuscation techniques such as peeling chains — a series of smaller dispersing transactions followed by consolidation, used to obscure larger transfers — the real key to this operation was to off-ramp the cryptocurrency to fiat currency as quickly as possible, even at the expense of potential future attribution of the hack.
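The two tracing signals mentioned above, peeling chains and bursts of near-simultaneous transactions, are the kind of thing an on-chain analyst scripts when reconstructing a laundering flow. The following is an added example written for this page; it is not code from the original write-up, from Gate.io, or from the DOJ complaint. The transaction graph, txids, addresses, amounts and timestamps are all constructed, and the thresholds (peel ratio, chain length, burst gap and size) are hypothetical values that real tooling would tune per case. Each transaction is modelled in the UTXO style: a list of (prev_txid, vout) references it spends and a list of (address, amount) outputs it creates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical thresholds; real analytics tooling tunes these per chain and per case.
PEEL_RATIO = 0.2                        # peeled output is at most 20% of the tx's total output
MIN_CHAIN_LEN = 3                       # report peel chains with at least this many hops
BURST_MAX_GAP = timedelta(seconds=10)   # consecutive txs closer than this form one burst
BURST_MIN_COUNT = 5                     # report bursts with at least this many txs


@dataclass(frozen=True)
class Tx:
    txid: str
    time: datetime
    inputs: Tuple[Tuple[str, int], ...]     # (prev_txid, vout) references being spent
    outputs: Tuple[Tuple[str, float], ...]  # (address, amount) created by this tx


def is_peel_shaped(tx: Tx) -> bool:
    """One input, two outputs, one of which is small relative to the total (a 'peel')."""
    if len(tx.inputs) != 1 or len(tx.outputs) != 2:
        return False
    amounts = sorted(amount for _, amount in tx.outputs)
    total = amounts[0] + amounts[1]
    return total > 0 and amounts[0] / total <= PEEL_RATIO


def change_vout(tx: Tx) -> int:
    """Index of the larger output, i.e. the one that carries a peel chain forward."""
    return max(range(len(tx.outputs)), key=lambda i: tx.outputs[i][1])


def find_peel_chains(txs: List[Tx]) -> List[List[str]]:
    """Follow the large output of each peel-shaped tx into its spender while the shape persists."""
    by_id: Dict[str, Tx] = {t.txid: t for t in txs}
    spender: Dict[Tuple[str, int], str] = {}   # (txid, vout) -> txid that spends it
    for t in txs:
        for ref in t.inputs:
            spender[ref] = t.txid

    chains: List[List[str]] = []
    for head in txs:
        if not is_peel_shaped(head):
            continue
        prev = by_id.get(head.inputs[0][0])
        # A tx fed by the change output of an earlier peel-shaped tx is not a chain head;
        # it is reached by walking forward from that earlier tx instead.
        if prev is not None and is_peel_shaped(prev) and change_vout(prev) == head.inputs[0][1]:
            continue
        chain, cur = [head.txid], head
        while True:
            nxt = by_id.get(spender.get((cur.txid, change_vout(cur)), ""))
            if nxt is None or not is_peel_shaped(nxt):
                break
            chain.append(nxt.txid)
            cur = nxt
        if len(chain) >= MIN_CHAIN_LEN:
            chains.append(chain)
    return chains


def find_bursts(txs: List[Tx]) -> List[List[str]]:
    """Cluster txs whose consecutive timestamps fall within BURST_MAX_GAP; keep large clusters."""
    ordered = sorted(txs, key=lambda t: t.time)
    bursts: List[List[str]] = []
    cluster: List[Tx] = []
    for t in ordered:
        if cluster and t.time - cluster[-1].time > BURST_MAX_GAP:
            if len(cluster) >= BURST_MIN_COUNT:
                bursts.append([x.txid for x in cluster])
            cluster = []
        cluster.append(t)
    if len(cluster) >= BURST_MIN_COUNT:
        bursts.append([x.txid for x in cluster])
    return bursts


def _t(h: int, m: int, s: int = 0) -> datetime:
    return datetime(2018, 4, 21, h, m, s)  # constructed timestamps


# Constructed sample: one 4-hop peel chain, one ordinary even split, and a burst of six
# deposits a few seconds apart. No txid or address here is real.
SAMPLE_TXS: List[Tx] = [
    Tx("f0", _t(12, 0), (), (("addrA", 100.0),)),
    Tx("p1", _t(12, 5), (("f0", 0),), (("peel1", 5.0), ("chg1", 95.0))),
    Tx("p2", _t(12, 20), (("p1", 1),), (("peel2", 4.0), ("chg2", 91.0))),
    Tx("p3", _t(12, 40), (("p2", 1),), (("peel3", 6.0), ("chg3", 85.0))),
    Tx("p4", _t(13, 30), (("p3", 1),), (("peel4", 5.0), ("chg4", 80.0))),
    Tx("f1", _t(11, 0), (), (("addrB", 50.0),)),
    Tx("n1", _t(11, 30), (("f1", 0),), (("x", 25.0), ("y", 25.0))),  # even split: not a peel
] + [
    Tx(f"b{i}", _t(13, 0, 2 * (i - 1)), ((f"ext{i}", 0),), (("deposit", 1.0),))
    for i in range(1, 7)
]

if __name__ == "__main__":
    print("peel chains:", find_peel_chains(SAMPLE_TXS))  # [['p1', 'p2', 'p3', 'p4']]
    print("bursts:", find_bursts(SAMPLE_TXS))            # [['b1', ..., 'b6']]
```

On real data the peel-shape test produces false positives (ordinary wallets also create one small payment plus a large change output), which is why the chain-length threshold matters: a single such transaction means little, but a run of them walking the same change output forward is the pattern worth escalating. The burst detector is deliberately simple; it only groups by timestamp proximity and would be combined with the peel-chain output and with known exchange deposit addresses before drawing conclusions.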

Attribution

"Exchange 1" in US v 113

  • Apr 21, 2018 12:23:58 PM e.g. txn id 6caa60f997e5792a2766108b57fea451213b1b1f61607237b6e390836b760ba7

In late 2018, IRS-CI’s Cyber Crimes Unit learned that The Exchange 1 had been hacked. The perpetrators of the hack stole nearly $250 million worth of virtual currencies (as detailed below). The intrusion and subsequent laundering involved numerous electronic communications made in furtherance of the scheme, including e-mail messages and other wire communications related to the intrusion and the submission of false Know-Your-Customer information to various virtual currency exchanges. These communications include wire communications that transited through the United States.

In mid-2018, an employee of The Exchange 1 communicated with a “potential client” via email. While communicating with the “potential client,” the employee unwittingly downloaded malware which attacked The Exchange 1.

On or about the same day that The Exchange 1 was hacked, a co-conspirator in North Korea researched The Exchange 1 and its CEO. This research, much of which was in Korean, referenced: Hacking; Gmail hacker extension; How to conduct phishing campaigns; and How to exchange large amounts of ETH to BTC.

Ultimately, the malware unwittingly downloaded by The Exchange 1 employee provided remote access to The Exchange 1 and unauthorized access to private keys controlling wallets to multiple virtual currencies.

With control of The Exchange 1’s private keys, the North Korean co-conspirators stole the following virtual currencies:

  • BTC 10,777.94 ($94,145,839.41)
  • ETH 218,790 ($131,005,511.85)
  • Zcash (ZEC) 3,783 ($1,020,809.45)
  • Dogecoin (DOGE) 99,999,000 ($560,944.39)
  • Ripple (XRP) 3,043,268 ($2,660,100.78)
  • Litecoin (LTC) 11,000 ($1,639,699.05)
  • Ethereum Classic (ETC) 175,866 ($3,304,763.96)
  • Total ($234,337,668.88)

After The Exchange 1 was hacked, 5,600.42737261 BTC was laundered into an account at VCE1 (Defendant Property 64) via 146 transactions from May 10, 2018 to July 6, 2018.

e.g. 3GHUDLzk1VjYAxZC5rV3T5aAgEWCA7QmF7

On-Chain

URLs