The crypto industry has been left reeling after North Korean hackers stole a combined $579 million from onchain apps in less than 20 days.
Beyond the financial damage inflicted, the latest incident, a $293 million theft from crypto app Kelp DAO, has killed morale and sparked a across many parts of the $2.7 trillion industry.
To make the attack possible, hackers from the hermit kingdom compromised an application built on top of LayerZero, a popular app for sending crypto between unconnected blockchains. This allowed hackers to send a fake message instructing the application to release the funds to them.
If that wasn't bad enough, the hackers returned days later to use LayerZero to send portions of the stolen funds to different blockchains as part of an elaborate laundering scheme.
So far, the North Korean hackers have sent at least $500,000 through LayerZero, onchain records show.
It’s the first documented instance in which the same app served as both the attack vector and one of the methods used to launder the stolen funds.
LayerZero did not immediately respond to a request for comment.
State-funded North Korean hackers have plagued the crypto industry for almost a decade.
But in recent years, their attacks have become more organised, sophisticated and damaging to the industry.
Last year, North Korean attackers stole an unprecedented $1.5 billion from Bybit by compromising employees at Safe, the crypto exchange’s wallet provider.
“We are seeing these actors treat exploits as standardised business operations, characterised by infrastructure reuse and the exploitation of settlement corridors with the efficiency of a global enterprise,” Matt Price, vice president of investigations at Elliptic, a crypto security firm, told DL News.
In response, crypto security researchers have urged developers to shore up their defences.
“Security is no longer just about the integrity of the protocol’s code. Operational security is now equally critical,” Yajin Zhou, co-founder of blockchain security firm BlockSec, told DL News. “If the operational rails are weak, the code's security becomes irrelevant.”
David Schwed, chief operating officer at SVRN and a cybersecurity expert who led development of BNY Mellon’s digital asset offerings, told DL News earlier this week that projects need to hire seasoned chief information security officers and empower them to bring in teams of experts to build robust security systems.
Crypto security firm Halborn has also warned against projects that create single points of failure, which attackers can exploit with devastating consequences.