I think crypto has made it easier for them to steal money. I would be curious to see how much money oppressive regimes were able to steal and use before crypto to after
Yeah that's the part of the equation I'm curious about, so they stole "$1.7B" of crypto but were they able to actually get anything they can use out of it or does Kim Jong Un just really want to take part in the pay-to-play bored ape sewer game or whatever.
Years ago, I heard that the top industrial export from North Korea was counterfeit $100 bills. When traveling in the surrounding countries, people treat that denomination with more skepticism as you get closer to North Korea. Special paper-protecting and flaw-spotting techniques that I have never seen inside the USA.
The DPRK is often portrayed as incompetent, helpless state purely able to eke out an existence by the grace of China (to whom it is useful only as a sort of attack dog cum buffer state). So the fact that they've managed to run an operation that can steal this much crypto may come as a surprise to many. I don't imagine their intelligence agencies are quite on the same level of electronic warfare capabilities as USA, UK, Israel and friends, though.
> That money (in any form) can be stolen by a malevolent state?
Right but as we repeatedly saw in the last couple of years, a North Korean hacker could swindle some dope out of their $10k ape jpeg from across the globe at relatively little cost. They'll have a bit of a tougher job stealing that same $10k from someone's bank, from a safe deposit box, or hell even from a box under their bed. It requires another level of sophistication entirely and the costs and risks would be prohibitively high. I am sure if the North Korean state took issue with me personally and wanted to empty my bank account, they could probably make some headway ... but they'd likely get caught and they'd spend more time and effort doing so than they'd actually be able to retrieve.
It's not really surprising. NK is able to outsource their education to Chinese universities, and with a division that can yield $1.7B in revenue, it's not surprising they invest in this skillset, even if the country at large is destitute and backwards.
It is a surprise for those who take the common portrayal of the country at face value. We know it's not quite the "hermit kingdom" it's often described as, but most do not.
There are probably no good sources for what your average North Korean's life is currently like. There are a handful of famous accounts from a few of those who escaped the country and they're obviously pretty grim (particularly those describing prison camp life) but the stereotype is of this primitive country, which is backwards both ideologically and technologically. I'm not an idiot, I don't believe there's a little hidden Wakanda going on there. But we can at least observe that if they're able to hack that quantity of crypto there is some kind of tech operation going on there, however small it might be. So they're not entirely shut off and they're able to penetrate at least a bunch of western crypto-startups.
If you're motivated, don't mind a very on-rails, restricted and relatively pricey tour, you can actually visit yourself: https://koryogroup.com - I've wanted to for a while, but I've spent less money to travel in other interesting places with fewer restrictions for longer, so it's hard to justify the expense.
An interesting read you might like is by a couple of Austrian guys who decided to hop on a train there, confusing and irritating border officials who didn't expect an invasion from the northern direction :) http://vienna-pyongyang.blogspot.com
Probably the most accessible and interesting thing though, is a podcast series called "Blowback" (it's Season 3, the previous two were on the Cuban revolution and the Iraq war). Now obviously this isn't the current day but it presents a slightly more balanced view of the events leading up to and throughout the Korean War than your average American or Brit might have picked up through osmosis. It's fascinating, well-produced, well-sourced and has a very good soundtrack. Here's ep 1: https://www.stitcher.com/show/blowback/episode/s3-episode-1-...
As I said, there will be no good way to get any kind of verifiable account of how awful or how ok-ish is it is there. And I'm deliberately putting "ok-ish" as the upper limit because while I'm sure that all the ~20 million inhabitants aren't all living the prison camp lifestyle, I don't imagine your average North Korean has a particularly pleasant life.
Sorry, maybe not the answer you were hoping for but I hope you enjoy any or all of the things I suggested :)
I'm sorry, but any society that has 60% living below the poverty line, and is ran by a totalitarian regime with minimal respect for basic human rights is absolutely backwards. South Korea, one of the most advanced societies in the world, is basically what North Korea could be if not for its brutal dictatorship.
I think you're missing the point here. The expectations are through the floor, people think of the country as effectively useless and laughable, and yet it's been able to stake out a niche in cryptocurrency attacks, there may be some reasonable competency in cybersecurity attacks too. It doesn't mean it's developed (it's not), it doesn't mean it's to a country to be admired (it's not), it simply means you need to look at the world with a bit of nuance, and not with the FOX News "NORTH KOREA BAD" viewpoint because it's clearly not quite that simple. If you want to boil it down that way you need to think "NORTH KOREA BAD BUT WITH SOME SURPRISING NICHE COMPETENCIES"
You're quoting articles about poverty in North Korea at me as if I'm in denial about this, which is weird because I start and end my comment talking about how shit life is probably like there. It's a bit like you read a couple of words, got excited that you spotted one of The Reds and decided to call in an airstrike
You're not making any point, you're just trying to shut down any criticisms of North Korea as not being "nuanced enough". It's a backwards country with a few niches which yes includes international theft of billions of dollars. You can find the good in anything, even a steaming pile of shit can still provide nutrition to soil. Every country has nice things about it (however few), that's stating the obvious.
I’ve tried to use the story to suggest people look beyond simple stereotypes and think about a country and a people without the prejudice we may have casually accumulated through our lives. I’ve tried to empathise a bit with the people, and I’ve shared a couple of resources that might help do the same.
I don’t know what you’re doing, feels a little bit like you’re trying to beat a statement out of me, or tell me I’m guilty of WrongThink.
> You're not making any point, you're just trying to shut down any criticisms of North Korea as not being "nuanced enough".
He is making a point: it's foolish to assume North Korea is just a bunch of starving people with no heat, living in dilapidated Soviet-style buildings.
They've built nukes. They're pretty successful at hacking. It has capabilities the defy the stereotype.
And I acknowledged that. We all know NK has a small social elite that does these things, no one has said otherwise. It's not an excuse to shut down their criticisms as a backwards country.
Criticizing North Korea here is like saying water is wet or something. It's so incredibly boring. People aren't trying to "shut down criticism", they're trying to have an interesting conversation, hopefully without some bore saying "you do know that water is wet, right??" over and over again.
Reread the original conversation. It was about how North Korea was able to achieve some rather impressive technical achievements. It wasn't until the conversation was derailed by a "well akshually NK is not that bad" that we started having to go in detail on why NK is a, yes, poor and backwards country. I didn't want or expect to have to discuss this, but if someone wants to challenge the notion, I'm going to respond.
> But we can at least observe that if they're able to hack that quantity of crypto there is some kind of tech operation going on there, however small it might be. So they're not entirely shut off and they're able to penetrate at least a bunch of western crypto-startups.
Also, North Korea also has an elite. IIRC, a significant chunk of North Korean imports are luxury goods and modern consumer products to keep this elite happy.
I’m not sure it’s out of line with the normal news media portrayal: for decades, it’s been understood that there’s an elite which has access to many things which the average citizen is prevented from doing, and this seems more in keeping with that since ransomware doesn’t require unusual levels of skill as much as legal immunity. This seems in line with the level of resources and skill they’d need to do things like the kidnappings and assassinations: a modest number of people and resources, but not remotely near the level they’d need to field a modern army or high-tech economy, and nothing like the ability to hit a hard target.
What limited that before were the protections built in to the real banking system. Stealing a billion dollars and actually getting away with it was hard until cryptocurrencies were introduced with far fewer safeguards.
North Korea's internet access is through a fibre optic connection from China, you know that place with the supposed great firewall of china, whilst the likes of the UK hides the fact and 5eyes hides the fact its got total oversight of the internet including Tor!
The crypto currency world is hyper focused on stopping this, considering it is one of the main avenues that statists attack crypto with now that the environmental nag is gone since the switch to Proof of Stake.
I would say, conservatively, the traditional banking and real estate markets are 10,000x worse than crypto markets, but are un-policed because it's hidden, unlike the public blockchain networks. The few scams that are exposed, like the HSBC money laundering scandal, dwarf all of the crime every committed via crypto. But we didn't even put HSBC out of business or put a single employee in jail!
That 10,000x worth sounds like its using specific numbers as opposed to hand wavy arguments for which crypto is predicated on. Glad you brought real numbers to the table.
> The crypto currency world is hyper focused on stopping this
Can you explain how?
I'm super curious because the whole point of crypto is you can't reverse transactions, and therefore crypto is only ever as secure as computer security generally, and there's nothing crypto can do about computer security generally.
Or are people coming up with some new paradigm here that fixes this somehow?
Why 'generally'? Why can't crypto systems be designed to be more secure than other software given what is at stake (e.g. by making the effort to formally verify systems/applications). Not saying it will happen but don't see why it is impossible.
There's a fair amount of work on key security, such as via multi-party computation, Shamir's secret sharing, etc. These let multiple parties combine to give access to a key. Some cool stuff here are companies like https://web3auth.io/ and https://magic.link/.
This stuff is useful outside of blockchain as well.
The state of user protection in crypto right now is definitely bad, but there is a lot of work and research being done to improve it.
EDIT: I think I'm actually making the same point you made, but anyways here's a couple cool links and things to google for secret security :)
Money laundering is a crime, but not a scam. Besides, there's some nuance here: HSBC were fined for not doing enough to prevent it as required by law. You know, the kind of laws that don't even apply to crypto. "They are breaking rules but we are not!" is an easy claim to make if you have no rules but the others do.
Bitcoin is slowly losing dominance - its legacy technology, and bitcoin maxis/satoshi purists refuse to recognise that tech must evolve over time.
Its fucking insane to me how "The White paper" has become a holy text among Bitcoiners. Its made it almost fucking impossible to make any improvements to the protocol - hence forks, altcoins, etc.
Size isn't everything when it comes to armies. See: Russia and Ukraine, USSR and the US in Afghanistan, Afghan army and Taliban, Boudica and the Romans, etc.
Nuclear weapons and the fortified long-range artillery that can shell Seoul are the main point of concern, which are essentially a small-scale version of cold war era mutually assured destruction. The number of people in the army as such? I'm not so sure that's really something that's all that meaningful.
The US mass produced warheads and icbms like they were candy canes. The unit costs for NK are probably higher, though maybe not dramatically so with newer tech to help.
Take the US Trident 2 [1]. Wikipedia lists a cost of $31 MM, in 2019 dollars, which would be about $37 MM today. With $1.3 BN you could buy 35 of those.
But the North Koreans are not buying their missiles from Lokheed-Martin. They are building them in house, so you'd expect them to pay much less for labor and materials.
Arms procurement costs are very hard to pin down due to the cost of R&D and the cost of logistical packages. The same system can "cost" X but also 3X, 4X or sometimes even more if all of the real costs are properly included.
Also, US strategic rocket weapons (ICBMs) are actually not the best in their class, as a result of post-soviet partial denuclearization. Many aren't even MIRV. This doesn't apply to submarines and bombers, those are top notch. Especially bombers, many decades ahead.
I’d like to think that if it was from NK, it would likely be MAD of NK, but not all of Asia. If China was attacked for instance, they have the capabilities to ensure MAD of any other nation or all of them, via a network of nuclear armed submarines - from undetectable locations - even after the nuclear destruction of their mainland. This makes it pretty unlikely for another nation to fire nuclear weapons into China.
When you see an economist.com submission on HN, typically the top comment is a morally dubious but ever so helpful archive link to get around the paywall.
As a blockchain security guy, it's really easy to spot the occasional North Korean heists on Ethereum. The big tells are:
1. They hack computers not code. Their normal plan is to steal keys by compromising users and computers. This is in contrast to the normal "hack" that works by finding and exploiting bugs in code.
2. They immediately exfiltrate the stolen money back to the real world via bazillions of mule accounts that are already standing by. In contrast to the "normal" hacker who attempts to obfuscate and hide funds on-chain, and slip away with some at a far future date.
Here's a writeup from a company after the big 600 million dollar NK hack.
> Their normal plan is to steal keys by compromising users and computers. This is in contrast to the normal "hack" that works by finding and exploiting bugs in code.
That's the primary way hacks are conducted by most hackers. Hackers are primarily social engineers, not technical. Technical hackers are extremely rare regardless of nationality.
I have no evidence for this, but my feeling was always that the highest-volume exploits were just having a bot run yesterday's Day-0 on every IP listening on a port. You can't get that kind of volume by calling people and asking for their password.
If you leave an unsecured mail server accessible to the internet, it'll start sending spam emails within 30 minutes.
On the other hand, phishing emails are also automated, and that's essentially asking for the password.
It's probably safe to say that phishing is the most common method among APTs like state intelligence agencies. It's cheap, it's easy, it works. No reason to burn zero-days unless simpler methods with less exposure don't work, and they usually do.
But we can broadly categorize security incidents into two bins: first are opportunistic attackers which broadly attempt a method that sometimes works. Two common examples are minimally-targeted phishing emails (think Best Buy invoice) and automated scanning for old versions of WordPress with known vulnerabilities. Second are targeted attacks, where the attacker chooses a target and then attempts different methods to reach success. Overall targeted attacks are far less common than opporunitistic ones, but because they involve a higher level of effort they're only attempted when there's a high level of motivation. Targeted attacks tend to result in greater financial losses than opportunistic attacks, for example, because compromising machines to add them to a botnet usually isn't worth the effort of a targeted attack, but getting banking credentials or crypto wallets usually is.
All of information security is fairly bimodal in this way. It often seems like even technical professionals like software engineers struggle to understand basic security practices, but I think this is one of the biggest causes: most people tend to think about one case and ignore the other. Unfortunately one of the things that makes security very difficult is that both cases are real and the two require fairly different practices to deter, prevent, and detect.
Social methods are far more common with targeted attacks because "true" social engineering involves a higher level of effort, like time on the phone. That said, phishing falls into an in-between where some consider it to be a social method but it is amenable to widespread automation. There's also a wide spectrum of effort in phishing. Many are tempted to try to categorize phishing activity into a binary of "phishing" and "spear-phishing" (I hate these terms), but that doesn't really reflect reality very well. In a large corporation you can usually find examples of phishing that are targeted to varying degrees of specificity: at anyone, at corporate employees broadly, at people in the industry, at employees of a company, a department in that company, and even carefully tailored to a specific employee. The frequency of course tails off as you get more specific, but then it's not that unusual for some organized crime group to run a sustained campaign of fairly closely-targeted phishing as happened recently with Twilio.
Opportunistic attacks are certainly greater in volume to the extent that some call them "internet background noise," but most think that targeted attacks probably produce greater total financial damage. Security is very faddish though, not only on the defense side but also on the offense side, so it probably varies from year to year. For example, the emergence of ransomware was a major trend that required a strategic shift in defense in many organizations since ransomware attacks were fairly low effort but also very high damage in many cases.
Mostly startups use GSuite, big traditional companies and banks still run their own. But that wasn't really my point. My point is that there are a lot of bots looking for low-hanging fruit.
In 2011 I spent hours writing a script to brute force a wifi password at a hotel because I didn't want to pay $5 a day for wifi. It worked. I was pleased with myself.
When I checked out they gave me a receipt and I went to throw it away and saw a handful of wifi passwords in the trash bin.
> 1. They hack computers not code. Their normal plan is to steal keys by compromising users and computers. This is in contrast to the normal "hack" that works by finding and exploiting bugs in code.
I'm just a 'regular security guy' but in that link you posted they detail that after the initial phishing compromise "The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes." They don't detail the bugs that got them access to the nodes but this didn't give them control of the network so "the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.
...Sky Mavis requested help from the Axie DAO to distribute free transactions ... Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked."
Sounds like a pretty classic hack to me. They got into the network, got access to some important servers (how? they should be totally segregated from the corporate network). Then found a depreciated endpoint that allowed them blindly sign transactions. This is bread and butter for any pentesting work, makes me wonder if any of these web3 orgs are hiring security firms to test their systems and not just smart-contracts.
The companies getting hacked are not the web3 ones like Ethereum or Terra. They are normally inside jobs with the founders stealing from the "decentralised" network they secretly control. It's the exchanges that are run like traditional business without the magic blockchain power.
The problem was ultimately in the bridge’s design and implementation. Even though it was sold as a decentralized system it was a multisig with very few signatories. A properly designed decentralized bridge would require the compromise of many validators, each with a different infrastructure setup. This is why you never hear about Ethereum itself getting hacked.
Instead, the Axie bridge was a multisig, and as of that wasn’t bad enough, most of the signatories were controlled by the same organization on the same infrastructure. Really demonstrated that concerns about decentralization are not just pedantic or academic.
IIRC the 9 nodes where effectively controlled by 3 sets of keys so they only had to compromise 2 to take control. And they took weeks to discover it happened. The incompetence and brazenness astonishes. Team as well as investors.
Its not a short amount of time to realize that your treasury has been looted. They should have had monitoring in place before they had a percentage of the locked up value.
I was not referring about the timeline from the breach but the timeline from the transfer of funds, which by their nature are visible by the blockchain and even with everything else failing wouldn't this be on dashboards and part of regular monitoring anywhere else?
Every once in a while I'll get a pleasantly worded email from a random address asking if I want to do 'low effort remote accounting services' to the tune of $3.5k a month.
I'm almost convinced that this is how they recruit those mule burners, since signing up for employment requires a lot of personal information that can be leveraged into opening bank accounts or other financial vehicles in that person's name.
"mixers—large digital pools where crypto owners can deposit funds to obscure their origins."
I have a quibble with articles about cryptocurrency fraud. They always get around to mixers and then they define it as if it were some relatively legitimate thing, like an odd bank. "large digital pools", "deposit funds". You have to get to the last phrase ("obscure their origins") to understand what mixers really are.
A proposed alternate definition: "mixers - international money laundering services where illegally obtained cryptocurrency can be mixed with other fraud proceeds making it harder for the legal system to trace".
(The definition I really would like: "mixers - services that look to hide your funds but are actually operated by intelligence agencies to track illegal activity". I imagine at least one mixer is a honeypot of sorts.)
I thought the ultimate goal was using legitimate exchanges as your mixer, since if a mixer only handles illegal crypto, chances are the funds can be traced to every destination address and the exchanges are tasked with reporting anything that comes from those addresses to federal law enforcement. The only real anonymity is in tornado cash.
Basically almost all custodial crypto exchanges and services function as mixers, as they don't separate customer funds. Using Blockchain analysis you can see that certain transaction likely belongs to certain service, but to get the details you have to file a data request, and hope that the service has done the KYC properly.
I don't understand why technology that provides a modicum of privacy must be demonized. It must be for money laundering and criminals. It can't have a legitimate use case. Is it used for nefarious activities? Of course, but not exclusively so.
If 99% of BTC mixers' volume is helping laundering international drug trade money, arms or human trafficking, it's not exactly hard to demonize mixing itself. I have no data to base this on, but I assume that privacy absolutists are a tiny, tiny drop in the pool of blood and crime.
The answe is no but they can make a trade off using something like monero. BTC's only read advantage is the network effects. As far as the tech is concerned it is mediocre compared with other ledgers.
Privacy absolutists are free to deal in cash. Whatever amounts they send and receive, criminals and dictators do orders of magnitude more and people suffer as a result.
If it wasn't so sad it would be funny that the countries with highest levels of freedom and least corruption tend to be the ones with most vocal privacy absolutists...
The most powerful states don't need to launder any money, since they can just pass a law legitimizing any action they do, with no need to hide the funds generated from any one else.
This is irrelevant. Anything putin gang does is legal in Russia obviously but being able to clean blood money is vital for them. That's the point of sanctions and why any way around it like crypto is a godsend to dictators.
You're missing my point. Your example doesn't contradict it.
My point is that the most powerful countries don't need to clean their dirty money to spend their money abroad, because they are the center of the world economy, and everything is available to them to buy. Russia is economically on the periphery and thus does need to clean it.
Making it looks like "powerful country can do shady stuff and poor country needs to clean money" is not how reality works. Try being a violent dictator and do crime at a scale acceptable in Russia but in the US and then tell me how it goes.
I think most people do feel that way about Tor, both in terms of assuming that 99% of its users are criminals and that it should be demonized. It's interesting to me because I think most of those people don't feel the same way about encryption in general, which of course enables Tor and all sorts of criminal activity in other contexts. Everyone has something to hide from someone and wants to see the green lock symbol in their browser's address bar along with other assurances of some degree of privacy. I don't know how most people decide where to draw a line.
There are some things that are perfectly legal for me to Google search, that I don’t want my ISP or Google to know about. So Tor works well for that. Tor would also be useful if governments were to crack down on free speech.
You can apply basically the same argument to money. If I have $20m in Bitcoin I don’t want my name to be tied to my wallet address (because a KYC exchange saw where the money went to) because it makes me a target, for example. And in the case of censorship or something I want to be able to do with the money what I please.
Privacy is a fundamental human right, in my opinion. We have to use cumbersome technology to get any modicum of true digital privacy. Just because people use it for illegal things doesn’t mean that the desire for privacy or the technology itself is bad. One day things we find morally just may be illegal too
Intentional consealment of illegal internet traffic isn't a crime (the crime is just the crime).
Intentional consealment of illegal financial transactions is a crime in-and-of itself (the crime is money laundering, which is a seperate offence to the original criminal activity that the money came from).
That’s just when two or more people get together to plan a crime - obfuscation isn’t the offence, the offence is the joint planning and intention to commit a crime.
Obviously you know that "demonized" is a loaded word here. What's your point in using it?
All I'm saying is that if there's something where "99% of [...] volume is helping laundering international drug trade money, distributing CSAM" that that is obviously terrible for the world and we should be asking some strong questions about who's supporting it and why. Is somebody gaining something that's more important than the lives forever ruined?
Mostly, yes. I sympathize with the goals in theory since I grew up on 90s internet dreams too but as a practical matter if you run a large website you’ll see mostly attacks from Tor, it shows up a lot in news about crime, and it’s noticeably helping people in actual repressive regimes because it’s still too easy to identify the network traffic when the stakes are high.
Is $540M considered a tangible amount? I'll let you quibble over that but I'd think most criminals would be more than happy to be able to launder $540M.
That's mixing or "anonymizing" your crpyto proceeds. To make use of this crypto, you need to convert it to the relevant currency of the country you are in. If you are based in the USA, your only option is the few regulated exchanges which will ask "lots" of questions for this amount of money. It doesn't stop there, you'll have to answer lots of questions for the banks too as you'll withdraw this money eventually.
If you made it this far, then you start the laundering process.
You can't launder money with Bitcoin because Bitcoin is not well integrated with any country financial devices in any meaningful manner.
just buy homes from individuals. or rent luxury homes and and sub rent them. there are many individuals who will turn a blind eye on their real estate for a 30% premium.
Signal is not a crypto mixer. The argument here is about the frequency a certain service is used for crime.
For example, library records generally have a fair amount of privacy. Criminals sometimes consult libraries. Crime is not the dominant use of libraries.
Mixers have a fair amount of privacy. Mixers are used by criminal, and crime is overwhelmingly the dominant use of mixers.
To rebut this you’d need to show large and innocent use cases which use mixers. Not an unrelated app.
I'm only arguing the definition shouldn't be changed to something that is explicitly negative, even if the vast majority of the time it's used for nefarious reasons.
Scenario one. Individual (while working in a startup) is receiving some tokens as a compensation. Time passes. Their remuneration being on-chain and visible is a problem when negotiating salary in the next job.
Scenario two. I want to have on-chain identity (e.g. exo762.eth domain name). To register it I need to have some ETH (gas, registration fee). If I sent this ETH directly from my "money" account, I will forever link my public identity to my money, which is like walking around with "my net worth is at least XYZ USD" banner.
How are these scenarios "use cases" for a mixer and not critical flaws in the underlying system?
We're in a thread about a rogue state using the tech to steal money to fund their operations (Chemical attacks in airports, nuclear warheads, intercontinental ballistic missiles, etc.) How many nuclear detonations would you consider acceptable in exchange for the cryptobros to have their toys?
How many would you consider acceptable to have an international banking system? North Korea hackers stole $81 million from the Bangladesh central bank, and it was only a fluke that they didn't get away with over a billion from that one hack.
More prosaic wire fraud is common in real estate and B2B transactions, and if not noticed immediately the funds are often lost after being transferred internationally and cashed out. It wouldn't be surprising if NK is behind some of that, given what they managed against Bangladesh.
If you are transacting in a business environment, I think it is an added benefit if the counterparty in the transaction can't deduce information out of your transaction. Such as how much assets you have, to what other services have you been sending funds and so on. As Bitcoin does have public ledger, and if you just use single address and don't do any privacy enchancing practices, lots of information could be deductible using blockchain analysis.
I would also suspect that using data collected by governments is used for business advantage. Of course it is hard to prove quite often. Personally I think that in principle it just doesn't make sense to spread your data around, as the benefits are tiny and the potential downsides can be big.
Using Tornado was pretty common among well known/higher profile people in the space to avoid causing inadvertent market effects or leak info about upcoming projects.
Basically if you were high profile enough, people would watch your wallets to see what you were investing in/transacting with, and use that as market intelligence.
As far back as 2016 or so I recall someone specifically offering their blockchain analysis platform as a way to do this.
So you would use tornado to make the money you planned to invest/use appear "somewhere else" disconnected, to maintain privacy/security of a project.
Tornado and mixers and such become necessary specifically because all transactions are public - unlike in tradfi where transactions are opaque except to parties and intermediaries.
Similarly to how investors in tradfi tend to keep their investment strategies secret where possible.
Also, if you want to be able to create legitimate projects that are not tied to your real-world identity, you need a break between bank -> exchange -> address -> ??? -> contract deployment address.
Providing some basic financial privacy, not from the government but from the general public. Everything on chain is public. When you buy something or transfer money to a friend, you don't necessarily want the recipient to know how much money is in your account, or what other addresses you've sent money to.
Lots of good examples already mostly geared around minimizing bits leaked for the sake of alpha, but there are also instances where it is desirable to be "locally clandestine" even if you're a full throated supporter of the powers that be on the whole. Persecution does not just come by way of financial penalties or the legal system, these tools are useful for avoiding social consequences as well. A hypothetical I'd expect to play well here: paying for an abortion in a large state where it is legal, but in a small town where the local church wields an immense amount of influence.
I agree in principal, however if the vast majority of a given service's users are using it for criminal activity then maybe there's room for some added scrutiny.
Ideally we would have a world where privacy is the default and everyone has it.
Because we don’t, and there is considerable friction required to have financial privacy, most people don’t bother unless they really need it or are unusually privacy conscious. Really needing it may often mean they are doing something nefarious.
That doesn’t mean the technology to enable privacy is “bad”, it means it’s too hard to use and that as a society we have done poorly at guaranteeing people’s right to privacy.
Not so long ago you might have ben able to say the same thing about people communicating with end-to-end encryption, but thanks to a concerted effort to improve the UX of this tech. and it’s adoption by some very widely used services, it’s now commonplace. End to end encryption could no longer be argued to be mostly used by criminals.
Hopefully we will get there with financial privacy too.
NB: in neither case am I suggesting that the government should be unable to require you to provide information in some situations (or face the consequences of withholding it against, say, a court order), only that dragnet surveillance of everyone by default is never acceptable.
Smart contract based mixers like Tornado Cash are just code for encrypting transactions. The only reason that a large proportion of Tornado Cash transactions were criminal in origin is that the legitimate parties were largely scared off from using it, because of the legal uncertainty around it, with people fearing what exactly ended up happening - with OFAC sanctioning the actual code - happening.
This left only the bravest parties, and criminals to use it, leading to a high proportion of users being criminals.
If it weren't for that uncertainty about the legal treatment TC would receive from government (say if Congress passed legislation explicitly providing a right to use financial privacy technology), a huge proportion of the whole crypto economy would have been using Tornado Cash, as they should be, because privacy is an absolute bare minimum for a functioning financial system.
The conceptual treatment you're giving transaction encryption is to treat privacy as criminal. This
is an ideological outlook that promotes putting total trust and faith in a small elite in government and finance to engage in warrantless dragnet surveillance of every one's financial transactions.
"Mixers" of various kinds (even before cryptocurrency) used to seem a legitimate, if nerdy, idea for privacy.
One of the more recent difficulties with a lot of privacy technology is that the main user might not be the abused and those wanting to avoid being abused, but instead... really awful criminals.
And with anything cryptocurrency or blockchain in the last decade, it's not only the users who are criminals, but much of the technology itself is built by scamming atop scamming.
I'd quibble with any article today that mentions cryptocurrency/blockchain at all without acknowledging how sketchy the entire space is.
Pre-Web cynical cyberpunk writers were better at predicting much of the modern world, than were the optimistic techies who mostly saw tremendous opportunity for goodness.
With our current state of cybersecurity (total shambles), we worry about NK stealing rather modest amounts of money. While relying exclusively on cybersecurity to prevent SkyNet scenario.
I'm wondering how much money trafficking and theft happens in the traditional finance world. It's great that we can analyze so much of what's happening in cryptocurrencies as most are open for the world to see.
It may be a totalitarian dictatorship, but this is totally expected behavior given the sanctions in place against them. Sanctions that amount to collective punishment, which is supposedly illegal under international law. Perhaps if the sanctions were reduced/removed, they’d feel like this sort of activity was less necessary/justified to get hard currency.
How do they use the $$? I guess it's not easy to convert to USD so the only option is on black market? Some vendors say chip vendors or weapon vendors may be willing to take crypto?
Also, as prices falls, presumably these figures will need to be downgraded? I don't think they are cashing out this crypto, but probably most of it stays dormant in wallets. Crypto falls so fast, likely this figure will be downgraded by a magnitude of 5 or more by next year . Putting an exact figure is hard.
202 comments
[ 2.8 ms ] story [ 226 ms ] threadIt also exposes a wider problem the crypto community are not addressing.
What do you mean by supposedly?
> It also exposes a wider problem the crypto community are not addressing.
What wider problem? That money (in any form) can be stolen by a malevolent state?
The DPRK is often portrayed as incompetent, helpless state purely able to eke out an existence by the grace of China (to whom it is useful only as a sort of attack dog cum buffer state). So the fact that they've managed to run an operation that can steal this much crypto may come as a surprise to many. I don't imagine their intelligence agencies are quite on the same level of electronic warfare capabilities as USA, UK, Israel and friends, though.
> That money (in any form) can be stolen by a malevolent state?
Right but as we repeatedly saw in the last couple of years, a North Korean hacker could swindle some dope out of their $10k ape jpeg from across the globe at relatively little cost. They'll have a bit of a tougher job stealing that same $10k from someone's bank, from a safe deposit box, or hell even from a box under their bed. It requires another level of sophistication entirely and the costs and risks would be prohibitively high. I am sure if the North Korean state took issue with me personally and wanted to empty my bank account, they could probably make some headway ... but they'd likely get caught and they'd spend more time and effort doing so than they'd actually be able to retrieve.
If you're motivated, don't mind a very on-rails, restricted and relatively pricey tour, you can actually visit yourself: https://koryogroup.com - I've wanted to for a while, but I've spent less money to travel in other interesting places with fewer restrictions for longer, so it's hard to justify the expense.
An interesting read you might like is by a couple of Austrian guys who decided to hop on a train there, confusing and irritating border officials who didn't expect an invasion from the northern direction :) http://vienna-pyongyang.blogspot.com
Probably the most accessible and interesting thing though, is a podcast series called "Blowback" (it's Season 3, the previous two were on the Cuban revolution and the Iraq war). Now obviously this isn't the current day but it presents a slightly more balanced view of the events leading up to and throughout the Korean War than your average American or Brit might have picked up through osmosis. It's fascinating, well-produced, well-sourced and has a very good soundtrack. Here's ep 1: https://www.stitcher.com/show/blowback/episode/s3-episode-1-...
As I said, there will be no good way to get any kind of verifiable account of how awful or how ok-ish is it is there. And I'm deliberately putting "ok-ish" as the upper limit because while I'm sure that all the ~20 million inhabitants aren't all living the prison camp lifestyle, I don't imagine your average North Korean has a particularly pleasant life.
Sorry, maybe not the answer you were hoping for but I hope you enjoy any or all of the things I suggested :)
https://www.nature.com/articles/s41599-020-0417-4
You're quoting articles about poverty in North Korea at me as if I'm in denial about this, which is weird because I start and end my comment talking about how shit life is probably like there. It's a bit like you read a couple of words, got excited that you spotted one of The Reds and decided to call in an airstrike
I don’t know what you’re doing, feels a little bit like you’re trying to beat a statement out of me, or tell me I’m guilty of WrongThink.
He is making a point: it's foolish to assume North Korea is just a bunch of starving people with no heat, living in dilapidated Soviet-style buildings.
They've built nukes. They're pretty successful at hacking. It has capabilities the defy the stereotype.
I once read a blog post or something from someone who claimed to have gone to North Korea to teach Computer Science or something. This article sounds like it covers similar ground: https://www.vice.com/en/article/z4m8qx/how-to-teach-computer....
Also, North Korea also has an elite. IIRC, a significant chunk of North Korean imports are luxury goods and modern consumer products to keep this elite happy.
What limited that before were the protections built in to the real banking system. Stealing a billion dollars and actually getting away with it was hard until cryptocurrencies were introduced with far fewer safeguards.
https://en.wikipedia.org/wiki/Telecommunications_in_North_Ko...
I would say, conservatively, the traditional banking and real estate markets are 10,000x worse than crypto markets, but are un-policed because it's hidden, unlike the public blockchain networks. The few scams that are exposed, like the HSBC money laundering scandal, dwarf all of the crime every committed via crypto. But we didn't even put HSBC out of business or put a single employee in jail!
Here is the Danish money laundering fraud that just concluded with $2 billion in fines on $160 billion in laundered money https://www.justice.gov/opa/pr/danske-bank-pleads-guilty-fra...
Can you explain how?
I'm super curious because the whole point of crypto is you can't reverse transactions, and therefore crypto is only ever as secure as computer security generally, and there's nothing crypto can do about computer security generally.
Or are people coming up with some new paradigm here that fixes this somehow?
Keeping keys secure is no different from keeping anything else secure. That's why 'generally'.
And crypto doesn't do anything about key security. That's up to each person/org to figure out for themselves.
(North Korea didn't hack the blockchain. They hacked however people/orgs kept their keys.)
This stuff is useful outside of blockchain as well.
The state of user protection in crypto right now is definitely bad, but there is a lot of work and research being done to improve it.
EDIT: I think I'm actually making the same point you made, but anyways here's a couple cool links and things to google for secret security :)
By posting long tirades on Internet forums that surmise: "We have top men working on it right now. Top... men.."
Bitcoin is slowly losing dominance - its legacy technology, and bitcoin maxis/satoshi purists refuse to recognise that tech must evolve over time.
Its fucking insane to me how "The White paper" has become a holy text among Bitcoiners. Its made it almost fucking impossible to make any improvements to the protocol - hence forks, altcoins, etc.
[1] https://en.m.wikipedia.org/wiki/List_of_countries_by_number_...
Nuclear weapons and the fortified long-range artillery that can shell Seoul are the main point of concern, which are essentially a small-scale version of cold war era mutually assured destruction. The number of people in the army as such? I'm not so sure that's really something that's all that meaningful.
- Found my answer: https://www.brookings.edu/what-nuclear-weapons-delivery-syst...
Not a lot...
Take the US Trident 2 [1]. Wikipedia lists a cost of $31 MM, in 2019 dollars, which would be about $37 MM today. With $1.3 BN you could buy 35 of those.
But the North Koreans are not buying their missiles from Lokheed-Martin. They are building them in house, so you'd expect them to pay much less for labor and materials.
[1] https://en.wikipedia.org/wiki/UGM-133_Trident_II
Also, US strategic rocket weapons (ICBMs) are actually not the best in their class, as a result of post-soviet partial denuclearization. Many aren't even MIRV. This doesn't apply to submarines and bombers, those are top notch. Especially bombers, many decades ahead.
It's actually the third real world use case, behind getting better drugs than from your local dealer and the entirety of the ransomware industry.
What's the trail of evidence that leads to this conclusion.
In this case: https://archive.ph/SUYp1
Each APT usually utilises a specific set of techniques to commit these heists: https://attack.mitre.org/groups/
Obviously perfect correlation is not possible but set of utilised techniques are usually enough to pinpoint the specific APT.
Seems like most of this theft is happening when people port currency between exchanges and the bridge is vulnerable.
1. They hack computers not code. Their normal plan is to steal keys by compromising users and computers. This is in contrast to the normal "hack" that works by finding and exploiting bugs in code.
2. They immediately exfiltrate the stolen money back to the real world via bazillions of mule accounts that are already standing by. In contrast to the "normal" hacker who attempts to obfuscate and hide funds on-chain, and slip away with some at a far future date.
Here's a writeup from a company after the big 600 million dollar NK hack.
https://roninblockchain.substack.com/p/back-to-building-roni...
That's the primary way hacks are conducted by most hackers. Hackers are primarily social engineers, not technical. Technical hackers are extremely rare regardless of nationality.
https://xkcd.com/538/
If you leave an unsecured mail server accessible to the internet, it'll start sending spam emails within 30 minutes.
On the other hand, phishing emails are also automated, and that's essentially asking for the password.
But we can broadly categorize security incidents into two bins: first are opportunistic attackers which broadly attempt a method that sometimes works. Two common examples are minimally-targeted phishing emails (think Best Buy invoice) and automated scanning for old versions of WordPress with known vulnerabilities. Second are targeted attacks, where the attacker chooses a target and then attempts different methods to reach success. Overall targeted attacks are far less common than opporunitistic ones, but because they involve a higher level of effort they're only attempted when there's a high level of motivation. Targeted attacks tend to result in greater financial losses than opportunistic attacks, for example, because compromising machines to add them to a botnet usually isn't worth the effort of a targeted attack, but getting banking credentials or crypto wallets usually is.
All of information security is fairly bimodal in this way. It often seems like even technical professionals like software engineers struggle to understand basic security practices, but I think this is one of the biggest causes: most people tend to think about one case and ignore the other. Unfortunately one of the things that makes security very difficult is that both cases are real and the two require fairly different practices to deter, prevent, and detect.
Social methods are far more common with targeted attacks because "true" social engineering involves a higher level of effort, like time on the phone. That said, phishing falls into an in-between where some consider it to be a social method but it is amenable to widespread automation. There's also a wide spectrum of effort in phishing. Many are tempted to try to categorize phishing activity into a binary of "phishing" and "spear-phishing" (I hate these terms), but that doesn't really reflect reality very well. In a large corporation you can usually find examples of phishing that are targeted to varying degrees of specificity: at anyone, at corporate employees broadly, at people in the industry, at employees of a company, a department in that company, and even carefully tailored to a specific employee. The frequency of course tails off as you get more specific, but then it's not that unusual for some organized crime group to run a sustained campaign of fairly closely-targeted phishing as happened recently with Twilio.
Opportunistic attacks are certainly greater in volume to the extent that some call them "internet background noise," but most think that targeted attacks probably produce greater total financial damage. Security is very faddish though, not only on the defense side but also on the offense side, so it probably varies from year to year. For example, the emergence of ransomware was a major trend that required a strategic shift in defense in many organizations since ransomware attacks were fairly low effort but also very high damage in many cases.
When I checked out they gave me a receipt and I went to throw it away and saw a handful of wifi passwords in the trash bin.
Lesson learned.
You still did well writing the brute force. How did you know the composition though?
I'm just a 'regular security guy' but in that link you posted they detail that after the initial phishing compromise "The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes." They don't detail the bugs that got them access to the nodes but this didn't give them control of the network so "the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator. ...Sky Mavis requested help from the Axie DAO to distribute free transactions ... Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked."
Sounds like a pretty classic hack to me. They got into the network, got access to some important servers (how? they should be totally segregated from the corporate network). Then found a depreciated endpoint that allowed them blindly sign transactions. This is bread and butter for any pentesting work, makes me wonder if any of these web3 orgs are hiring security firms to test their systems and not just smart-contracts.
Instead, the Axie bridge was a multisig, and as of that wasn’t bad enough, most of the signatories were controlled by the same organization on the same infrastructure. Really demonstrated that concerns about decentralization are not just pedantic or academic.
They’re called Advanced Persistent Threats for a reason.
No snark intended.
It’s been a big problem that needs fixing across the industry.
https://venturebeat.com/security/report-average-time-to-dete...
Their keys their coins.
I'm almost convinced that this is how they recruit those mule burners, since signing up for employment requires a lot of personal information that can be leveraged into opening bank accounts or other financial vehicles in that person's name.
I have a quibble with articles about cryptocurrency fraud. They always get around to mixers and then they define it as if it were some relatively legitimate thing, like an odd bank. "large digital pools", "deposit funds". You have to get to the last phrase ("obscure their origins") to understand what mixers really are.
A proposed alternate definition: "mixers - international money laundering services where illegally obtained cryptocurrency can be mixed with other fraud proceeds making it harder for the legal system to trace".
(The definition I really would like: "mixers - services that look to hide your funds but are actually operated by intelligence agencies to track illegal activity". I imagine at least one mixer is a honeypot of sorts.)
Yes.
It’s definitely usable for non nefarious activities.
Should I be demonized for having one in my house?
Probably
If it wasn't so sad it would be funny that the countries with highest levels of freedom and least corruption tend to be the ones with most vocal privacy absolutists...
Correlation or causation?
My point is that the most powerful countries don't need to clean their dirty money to spend their money abroad, because they are the center of the world economy, and everything is available to them to buy. Russia is economically on the periphery and thus does need to clean it.
If 99% of Tor's volume is helping laundering international drug trade money, distributing CSAM, etc, should it be demonized as well?
You can apply basically the same argument to money. If I have $20m in Bitcoin I don’t want my name to be tied to my wallet address (because a KYC exchange saw where the money went to) because it makes me a target, for example. And in the case of censorship or something I want to be able to do with the money what I please.
Privacy is a fundamental human right, in my opinion. We have to use cumbersome technology to get any modicum of true digital privacy. Just because people use it for illegal things doesn’t mean that the desire for privacy or the technology itself is bad. One day things we find morally just may be illegal too
Intentional consealment of illegal financial transactions is a crime in-and-of itself (the crime is money laundering, which is a seperate offence to the original criminal activity that the money came from).
Easy answer: Yes! Although I think it would be hard to call it demonizing when something is already 99% demons.
All I'm saying is that if there's something where "99% of [...] volume is helping laundering international drug trade money, distributing CSAM" that that is obviously terrible for the world and we should be asking some strong questions about who's supporting it and why. Is somebody gaining something that's more important than the lives forever ruined?
https://www.cnbc.com/2022/08/10/crypto-criminals-laundered-5...
Is $540M considered a tangible amount? I'll let you quibble over that but I'd think most criminals would be more than happy to be able to launder $540M.
If you made it this far, then you start the laundering process.
You can't launder money with Bitcoin because Bitcoin is not well integrated with any country financial devices in any meaningful manner.
For example, library records generally have a fair amount of privacy. Criminals sometimes consult libraries. Crime is not the dominant use of libraries.
Mixers have a fair amount of privacy. Mixers are used by criminal, and crime is overwhelmingly the dominant use of mixers.
To rebut this you’d need to show large and innocent use cases which use mixers. Not an unrelated app.
Scenario two. I want to have on-chain identity (e.g. exo762.eth domain name). To register it I need to have some ETH (gas, registration fee). If I sent this ETH directly from my "money" account, I will forever link my public identity to my money, which is like walking around with "my net worth is at least XYZ USD" banner.
We're in a thread about a rogue state using the tech to steal money to fund their operations (Chemical attacks in airports, nuclear warheads, intercontinental ballistic missiles, etc.) How many nuclear detonations would you consider acceptable in exchange for the cryptobros to have their toys?
We've come a long way from Mario Bros!
https://www.bbc.com/news/stories-57520169
More prosaic wire fraud is common in real estate and B2B transactions, and if not noticed immediately the funds are often lost after being transferred internationally and cashed out. It wouldn't be surprising if NK is behind some of that, given what they managed against Bangladesh.
I would also suspect that using data collected by governments is used for business advantage. Of course it is hard to prove quite often. Personally I think that in principle it just doesn't make sense to spread your data around, as the benefits are tiny and the potential downsides can be big.
Basically if you were high profile enough, people would watch your wallets to see what you were investing in/transacting with, and use that as market intelligence.
As far back as 2016 or so I recall someone specifically offering their blockchain analysis platform as a way to do this.
So you would use tornado to make the money you planned to invest/use appear "somewhere else" disconnected, to maintain privacy/security of a project.
Tornado and mixers and such become necessary specifically because all transactions are public - unlike in tradfi where transactions are opaque except to parties and intermediaries.
Similarly to how investors in tradfi tend to keep their investment strategies secret where possible.
[0] https://taler.net
Because we don’t, and there is considerable friction required to have financial privacy, most people don’t bother unless they really need it or are unusually privacy conscious. Really needing it may often mean they are doing something nefarious.
That doesn’t mean the technology to enable privacy is “bad”, it means it’s too hard to use and that as a society we have done poorly at guaranteeing people’s right to privacy.
Not so long ago you might have ben able to say the same thing about people communicating with end-to-end encryption, but thanks to a concerted effort to improve the UX of this tech. and it’s adoption by some very widely used services, it’s now commonplace. End to end encryption could no longer be argued to be mostly used by criminals.
Hopefully we will get there with financial privacy too.
NB: in neither case am I suggesting that the government should be unable to require you to provide information in some situations (or face the consequences of withholding it against, say, a court order), only that dragnet surveillance of everyone by default is never acceptable.
Unfortunately I'm a normal person with my primary/only income being my salary.
I benefit from this 100 times more than not.
I can't and won't do tax evasion. The rich and bad do.
This left only the bravest parties, and criminals to use it, leading to a high proportion of users being criminals.
If it weren't for that uncertainty about the legal treatment TC would receive from government (say if Congress passed legislation explicitly providing a right to use financial privacy technology), a huge proportion of the whole crypto economy would have been using Tornado Cash, as they should be, because privacy is an absolute bare minimum for a functioning financial system.
The conceptual treatment you're giving transaction encryption is to treat privacy as criminal. This is an ideological outlook that promotes putting total trust and faith in a small elite in government and finance to engage in warrantless dragnet surveillance of every one's financial transactions.
One of the more recent difficulties with a lot of privacy technology is that the main user might not be the abused and those wanting to avoid being abused, but instead... really awful criminals.
And with anything cryptocurrency or blockchain in the last decade, it's not only the users who are criminals, but much of the technology itself is built by scamming atop scamming.
I'd quibble with any article today that mentions cryptocurrency/blockchain at all without acknowledging how sketchy the entire space is.
Pre-Web cynical cyberpunk writers were better at predicting much of the modern world, than were the optimistic techies who mostly saw tremendous opportunity for goodness.
https://www.bbc.co.uk/sounds/brand/w13xtvg9
Fun times.
I mean it’s about what Meta spends in one and a half months on metaverse