
With Rapid Rise in Funds Stolen from DeFi Protocols, Private Keys in Play


September 13, 2022 | Brooke Crothers

There has been a rapid rise in funds stolen from DeFi (Decentralized Finance) protocols. One of the most prominent attacks was on the Ronin Network, carried out by the Lazarus Group when it gained access to private keys held by transaction validators for Ronin Network’s cross-chain bridge.

Massive heist begins with private keys

The March 2022 theft by the Lazarus Group, a cybercrime group run by the North Korean state, began when it gained access to five of the nine private keys held by transaction validators for Ronin Network’s cross-chain bridge, according to a report from Chainalysis.

Ronin Network is an Ethereum-linked sidechain catering to Axie Infinity’s blockchain gaming. Cross-chain bridges provide interoperability between different blockchains via a protocol that lets users port digital assets from one blockchain to another, as described by Chainalysis.

The heist by Lazarus totalled, at the time, $540 million in Ethereum currency and USDC stablecoin, which prompted sanctions by the U.S. Department of Treasury. The Lazarus Group typically carries out the attacks to fund the North Korean state.

Subsequently, more than $30 million was seized by the U.S. government with the help of Chainalysis. The seizures represent approximately 10% of the total funds stolen from Axie Infinity, Chainalysis said.

Move to DeFi services to chain hop

The Lazarus Group used the private keys to approve two transactions, both withdrawals: one for 173,600 ether (ETH) and the other for 25.5 million USD Coin (USDC), the report said. (Together these make up the $540 million value cited above.)

“They then initiated their laundering process…The laundering of these funds has leveraged over 12,000 different crypto addresses to-date, which demonstrates the hackers’ highly sophisticated laundering capabilities,” Chainalysis said.  

Typical laundering techniques include stealing Ether, sending it to intermediary wallets, and mixing it in batches using Tornado Cash.

However, after the U.S. Treasury imposed sanctions on Tornado Cash, Lazarus moved away from the Ethereum mixer, instead “leveraging DeFi services to chain hop, or switch between several different kinds of cryptocurrencies in a single transaction,” Chainalysis said.

“Bridges serve an important function to move digital assets between chains and most usage of these platforms is completely legitimate. Lazarus appears to be using bridges in an attempt to obscure source of funds,” Chainalysis said.

Venafi’s Take: DeFi security model vulnerable

“The DeFi security model needs strengthening right away,” said Pratik Savla, a Senior Security Engineer at Venafi.

“Improper cryptographic key management is one of the biggest Achilles Heels that is opening up DeFi to a number of security risks,” Savla said.

The utilization of private keys and wallets underscores the known security risks associated with their design and implementation, according to Savla.

“This, in turn, incentivizes attackers of all shades to deploy the same set of TTPs [Tactics, Techniques and Procedures] they have used to exploit in prior incidents,” Savla said.

Once the private key of the administrators is obtained by a malicious actor, it opens a multitude of possibilities for bad actors to wreak havoc, he added.

Besides private keys, wallets that are used to house and manage those keys introduce their own security risks, according to Savla.

‘Embed’ security at start of the development cycle

“Wallets and private keys combined open a huge attack surface and make targeting DeFi attractive and rewarding. One approach that is strongly needed to minimize and ultimately contain multiple attack vectors is to embed security at the beginning of the development cycle. Thorough security design and architecture become extremely crucial in this case,” Savla said.

DeFi is an example of a “high-stakes system where machine identity management can be both its strength but also its weakness from a security standpoint, if not done correctly,” Savla added.
