
Hack Track: US Government Hack of Recovered Bitfinex Hack Funds

On October 24, hackers stole $20 million from a wallet owned by the US government. The stolen funds included funds previously seized from the Bitfinex Hack in 2016. The timing was curious: the Department of Justice had recommended sentences for the perpetrators of the Bitfinex Hack, Ilya Lichtenstein and Heather "Razzlekhan" Morgan, just one week earlier, on October 17.

Merkle Science Hack Track

Interestingly, the hacker from the US government hack may be trying to escape with lighter sentencing than the perpetrators of the Bitfinex hack. After successfully stealing funds in AUSDC and USDC amounting to $20,679,771.58, the perpetrator had a change of heart and sent the bulk of the funds back to the hacked address in three separate transactions just a day later, on October 25. 

The hacker returned 1,899.3124 ETH (US$4,794,061.880) in one transaction and 508.9991 ETH (US$1,284,766.66) in another. The bulk of the return came in a single transfer of 13,196,661.301 AUSDC (US$13,230,507.83).

Curiously, instead of returning all the funds, the hacker made nine transactions on the day of the hack, transferring ETH worth $345,231.81 to an address associated with Binance.

This hack is of interest for two reasons: 1) Why did the hacker choose to return the bulk of the funds? 2) Why did they send the funds to Binance, which has robust KYC measures that allow investigators to identify a suspect quickly? 

Return of the funds 

When funds are usually recovered, it is typically done through the actions of law enforcement agencies, often in cooperation with blockchain analytics firms like Merkle Science. In some cases, the funds are returned by the hackers, who claim to be a white-hat hacker merely out to expose a vulnerability. 

Such returns of funds have occurred throughout crypto history and vary widely in value. For example, in the Poly Network hack of August 2021, the hackers returned $260M of the $600M they stole, stating that their goal was merely to expose security vulnerabilities in the network. This is part of a growing trend of white-hat hackers who make off with funds and then negotiate a "bounty" for their efforts, as occurred with the Prisma Finance hack for $11.6 million.

In some cases, the impetus to return funds could be due to legal pressure. In the Poly Network attack, for example, some analysts speculate that the hackers returned the funds not out of goodwill but to reduce the intense pressure from law enforcement agencies and lessen their punishment in the event of capture. 

Returning the bulk of the $20 million in funds to the US government could be a similar maneuver. If the hackers are apprehended, they want to show some sign of good faith: they absconded with only a portion of the total funds they could have taken. 

Why Binance?

The final curiosity with this hack is why they sent the $345,231.81 in funds they kept to an address associated with Binance, which has sophisticated KYC processes in place. We can think of several possibilities:

  • The hackers are money laundering neophytes. They may have the technical sophistication to exploit a vulnerability in the government-controlled wallet but not the expertise to launder money with more advanced evasion and obfuscation techniques, such as chain-hopping or coin mixers.
  • The wallet on Binance may be compromised. The wallet on Binance may belong to a legitimate user that the hacker may have also gained control of. The hacker could thus use this wallet as a funnel to an account outside of a centralized exchange like Binance that they truly own. 
  • The hackers may have used a shell account. It would be difficult for ordinary people to create a fake account on a centralized exchange like Binance. However, sophisticated criminal groups, such as cybercrime groups, terrorist organizations, and ransomware operators, have the means to create shell accounts on legitimate exchanges. With specialized software and other tools, they could dupe the various parts of a KYC process, such as validation of the IP address, the person's documentation, and even facial recognition. The funds could have been sent to a shell account on Binance, and at this point, the illicit funds would have been laundered further toward an exit node. 

Key takeaways 

If even the US government can be hacked, no organization is safe. Enterprises must invest in their cybersecurity, the most essential tool of which will be blockchain analytics, like Merkle Science's Tracker.

Raising awareness that the organization, law enforcement, and third-party blockchain analytics providers are hot on the perpetrators' tails may create fear. Feeling the "heat," they may return some or all of the funds, as we have seen in past hacks, where there has been an outpouring of public and private support to pursue the perpetrators.

Finally, using a tool like Tracker will enable organizations to determine what steps to take next. For example, with the discovery that a portion of the stolen funds from the US government attack is now with Binance, the funds can be frozen, and the perpetrator can be identified.
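The tracing step described above, reduced to its core, is a forward walk of the transaction graph from the victim wallet, followed by attribution of wherever the funds come to rest. The following is an added example written for this post, not Merkle Science's Tracker code: it uses a constructed ledger with placeholder addresses and illustrative amounts that mirror the shape of this incident (a theft, partial returns, and a remainder hopping to a labelled exchange deposit address), and reports which portion was returned, which portion sits at a labelled entity where a freeze request can be directed, and which portion is still unattributed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    src: str
    dst: str
    asset: str
    amount: float
    block: int


# Constructed ledger: placeholder addresses and illustrative amounts, not real chain data.
LEDGER = [
    Tx("tx1", "0xVICTIM",   "0xATTACKER",     "USDC", 20_000_000.0, 100),  # the theft
    Tx("tx2", "0xATTACKER", "0xVICTIM",       "USDC", 13_000_000.0, 110),  # partial return
    Tx("tx3", "0xATTACKER", "0xVICTIM",       "USDC",  6_000_000.0, 111),  # partial return
    Tx("tx4", "0xATTACKER", "0xHOP1",         "USDC",    700_000.0, 112),  # retained share moves on
    Tx("tx5", "0xHOP1",     "0xEXCH_DEPOSIT", "USDC",    650_000.0, 120),  # lands at a labelled exchange
    Tx("tx6", "0xHOP1",     "0xHOP2",         "USDC",     50_000.0, 121),  # unattributed remainder
    Tx("tx7", "0xOTHER",    "0xEXCH_DEPOSIT", "USDC",      1_000.0,  90),  # unrelated, pre-theft
]

# Attribution labels as an analytics provider would maintain them (placeholder values).
LABELS = {"0xEXCH_DEPOSIT": "exchange:ExampleCEX"}


def trace_forward(ledger, origin, start_block, max_hops=5):
    """Breadth-first walk of outgoing transfers from `origin`, ignoring anything
    mined before the theft block. Returns {address: hop_count}."""
    by_src = {}
    for tx in ledger:
        by_src.setdefault(tx.src, []).append(tx)
    reached = {origin: 0}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        if reached[addr] >= max_hops:
            continue
        for tx in by_src.get(addr, []):
            if tx.block >= start_block and tx.dst not in reached:
                reached[tx.dst] = reached[addr] + 1
                queue.append(tx.dst)
    return reached


def attribute_flow(ledger, labels, victim, theft_block):
    """Net the traced transfers per address and bucket the result into funds that
    came back to the victim, funds resting at a labelled entity (actionable via a
    freeze request) and funds that remain unattributed."""
    reached = trace_forward(ledger, victim, theft_block)
    balance = {}
    returned = 0.0
    for tx in ledger:
        if tx.block < theft_block or tx.src not in reached:
            continue  # pre-theft activity and unrelated senders are out of scope
        balance[tx.src] = balance.get(tx.src, 0.0) - tx.amount
        balance[tx.dst] = balance.get(tx.dst, 0.0) + tx.amount
        if tx.dst == victim:
            returned += tx.amount
    at_labelled, unattributed = {}, {}
    for addr, amt in balance.items():
        if addr == victim or amt <= 0:
            continue  # the victim's deficit and fully drained pass-through hops hold nothing
        if addr in labels:
            at_labelled[labels[addr]] = at_labelled.get(labels[addr], 0.0) + amt
        else:
            unattributed[addr] = amt
    return {"returned": returned, "at_labelled": at_labelled, "unattributed": unattributed}


if __name__ == "__main__":
    print(attribute_flow(LEDGER, LABELS, "0xVICTIM", 100))
```

The block filter on the theft height is what keeps the unrelated pre-theft deposit (`tx7`) out of the trace; without it, every prior customer of the same exchange deposit address would be swept into the result. A real trace would also need per-asset accounting and exchange-rate conversion, which the constructed single-asset ledger sidesteps.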

To learn more about Tracker, contact Merkle Science for a free demo.