OFAC, the DPRK and the Tornado of Cash

Cryptocurrency thefts of less than $5 million rate little more than a mention on Web3 is Going Great. Cryptocurrency thefts of less than $50 million are only noted in the cryptocurrency press. But a $600 million theft attributed to North Korean (DPRK) government hackers gets attention and U.S. sanctions.

But there is an additional target for the Office of Foreign Assets Control (OFAC): the mixing service Tornado Cash has already received some $100 million of the stolen cryptocurrency Ethereum and is a key feature of almost every major recent cryptocurrency theft. The Tornado Cash system needs to be sanctioned to prevent the DPRK from profiting from the theft.

On March 23, hackers now identified by the FBI as the North Korean government hacking team the “Lazarus Group” broke into the computers controlling the Ronin Blockchain Bridge. The basic idea of the bridge is that the Ethereum blockchain is simply too congested, expensive, resource intensive and slow to support a significant number of transactions.

As a result, the developers of the Axie Infinity “Play-to-Earn game” (really, much more of a Ponzi scheme than an actual game) created the “independent” Ronin blockchain to run their game. In order to tie the Ronin blockchain to the Ethereum network they need a bridge—a system that accepts Ethereum deposits and returns equivalent tokens on the Ronin blockchain, and which can also accept those Ronin-based tokens and return normal Ethereum. The North Korean hackers broke into the computers controlling the bridge and used this access to steal all the deposited Ethereum, which has a notional value of over $600 million.

Of course, laundering $600 million is no small task. Fortunately for the DPRK’s hackers, the cryptocurrency community generally believes that financial anonymity is a feature and so has developed mixing services, commercial services that deliberately mingle funds to hide their origins. In the past, the operators of these services have faced arrest and prosecution. So, some in the Ethereum community decided to make a “decentralized” version called Tornado Cash, under the assumption that through decentralization those responsible for developing, operating and profiting from this system won’t be arrested, unlike the operators of previous mixing services.

Tornado Cash operates by having a series of pools of Ethereum or other cryptocurrencies controlled by a smart contract, a program deployed on the underlying…

Read more at www.lawfareblog.com
