North Korea Suspected in Massive Hack of DeFi Project Mixin

(Bloomberg) — The massive breach of a decentralized finance project bears the hallmarks of a North Korean attack, according to a senior White House official.

Mixin Network, which helps blockchains handle transactions more efficiently, said it had lost less than $150 million in a late-September attack. Originally the company estimated it lost $200 million but reduced it after a final inspection. 

“The tradecraft appears to be the same kind of tradecraft we’ve seen from the DPRK previously,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, told Bloomberg News in an interview, referring to North Korea by its official name, the Democratic People’s Republic of Korea.


Neuberger said law enforcement is still looking into the hack, which she said has “some of the same attributes” of past North Korean attacks.

The breach was caused by a compromise in the project’s cloud service provider’s database, according to blockchain security firm SlowMist, which is assisting Mixin in the investigation.

A spokesperson for Mixin declined to address allegations about North Korean hackers. Mixin is working with Mandiant, SlowMist and others as part of its investigation, the spokesperson said, adding that they had made significant progress that couldn’t be shared for security reasons. The company is also offering $20 million “as a bounty” to the hacker or anyone who can refund the stolen money, the spokesperson said.

The Department of Justice declined to comment. Mandiant, a cybersecurity firm that is part of Google Cloud and is responding to the hack, also declined to comment.

Neuberger indicated the US would seek to intervene to recover the stolen funds if possible. The FBI has previously recovered millions of dollars in cryptocurrency stolen by North Korea. In August, it warned that North Korean hackers were preparing to cash out Bitcoin worth more than $40 million.

“We’ve certainly committed to freezing and seizing money,” she said, adding it is too early to tell if the US will be successful in this case. 

The White House has spent months trying to curtail the success of North Korean hackers by going after the financial infrastructure that supports them. The US believes stolen and other funds directly assist North Korea’s missile program, Neuberger said.

Chainalysis Inc., a New York-based company that tracks and analyzes blockchain transactions, has determined that hacking groups associated with North Korea are responsible for nearly a third of all crypto hacks so far this year, worth more than $340 million excluding the Mixin hack. Although that is far less than the 2022 high of more than $1.65 billion, it represents a huge foreign currency windfall for a country under punitive United Nations and US sanctions.

Neuberger said the White House has worked over past months to bring intelligence, law enforcement, financial and diplomatic tools to counter North Korean hackers and the country’s broader cyber operations. She said the US intelligence community this year produced a document intended to educate technology companies and others about the risks involved in hiring freelance IT workers, some of whom turn out to be working for Pyongyang.

The document from the Office of the Director of National Intelligence, a public version of which Neuberger shared with Bloomberg, lays out clues about North Korea’s cyber operations to help alert companies if they are inadvertently funding Pyongyang’s missile stash. The version shared with Bloomberg says North Korea is evading US and UN sanctions by targeting private companies to illicitly acquire income and fund the regime’s priorities, including its weapons of mass destruction and ballistic missile programs.

The document lists a range of technical red flags to help tip off companies they are being targeted. It says North Korean cyber operators rely heavily on targeted spearphishing campaigns that trick company employees into downloading malware, buy and steal cyber exploits to gain access to unpatched networks and target cryptocurrency customers.

It also says North Korean IT workers abroad pretend to be from other countries. Some DPRK workers employed overseas work 12 to 16 hours a day, a potential indicator of forced labor, according to the State Department.

Neuberger said the US Treasury has brought together virtual asset service providers to educate them about the risks. She referenced a May event held jointly by the State Department and South Korea’s Ministry of Foreign Affairs in San Francisco, which convened tech companies, crypto firms and others to help curb North Korea’s cyber-based revenue-raising tactics and “build alliances to combat them.”

The State Department, US Treasury and Office of the Director of National Intelligence didn’t immediately respond to requests to comment.


©2023 Bloomberg L.P.