Suspicious activity in crypto is the norm, but the last month has been especially strange. A string of hacking exploits against entities or tokens associated with Justin Sun, along with various withdrawals with curious timing, is fueling rampant rumors online. Was it an inside job? Is Justin Sun about to ride off into the sunset? Let's recap.
On November 10, Poloniex experienced a massive outflow of various cryptocurrencies from a hot wallet labeled "Poloniex 4." At around 3 AM, bots carried out hundreds of unauthorized transactions, draining around $114 million in just over an hour. That makes the Poloniex hack the second-largest attack in crypto in 2023.
The only bigger hack of the year involved funds that were restored in less than one month, so as of now the Poloniex hack is the largest "black hat" attack in crypto registered in the last 12 months.
Poloniex Customer Support posted on X:
Poloniex users were jittery, accusing the platform of dissembling, which it was, and which exchanges always do. After all, you've got to disable withdrawals before you give users the bad news!
Then, on November 22, hackers exploited HTX, formerly known as Huobi, which Justin Sun effectively controls, for $30 million. They didn't stop there, draining another $86 million from the HECO Chain, which is also associated with Sun.
There is rampant speculation online that these hacks are connected, which seems obvious enough. What many are wondering is whether Justin Sun is somehow directing them or benefiting from them.
It Don’t Matter if You’re Black or White (Hat)
On his X account, Justin Sun, owner of Poloniex since 2019, promised to fully reimburse the users affected by the breach.
“We are currently investigating the Poloniex hack incident. Poloniex maintains a healthy financial position and will fully reimburse the affected funds. Additionally, we are exploring opportunities for collaboration with other exchanges to facilitate the recovery of these funds.”
It is unknown how exchanges would collaborate on the recovery of the funds, and at press time no funds have been recovered. To encourage their return, Sun offered a 5% "white hat bounty" if the hacker gave the funds back within a week.
A white hat hacker, according to techtarget.com, "is an individual who uses hacking skills to identify security vulnerabilities in hardware, software or networks," as opposed to black hat hackers, who gank other people's money. The names come from Hollywood westerns, in which the good guy wore a white hat and the heavy wore a black hat.
As in past cases #DisruptionBanking has written about, it was ironic that the criminals were offered millions of dollars as if they had revealed a vulnerability out of the goodness of their hearts, rather than stealing a fortune with premeditated criminal intent.
The Bug Bounty Boom
It’s another sign that the bug bounty business is booming, folks! Whether you’re hacking into government websites or virtual vaults of multinational conglomerates, the empty suits of the C-suite are more than happy to bribe hackers, rather than deal with the loss and suffer the consequences of lax security.
Perhaps Sun is simply calling the bounty a "white hat reward" as a gesture of good faith, an olive branch extended to the hackers. But it seems he's grasping at straws.
In contrast, in 2022 Aurora, an Ethereum Virtual Machine-compatible network, paid $6 million to a white hat hacker for identifying a bug which, if exploited, could have put $200 million in jeopardy. The difference is that the hacker didn't steal the money, but merely pointed out the vulnerability.
Poloniex has an existing bug bounty program, which pays hackers to report vulnerabilities. Clearly it wasn’t all that useful in deterring the recent hack. This can’t exactly give confidence to Poloniex users.
Strangely, the hackers used various stolen tokens to buy TRX, the token of Justin Sun's TRON network, pumping its price by 15%.
This may have been part of the hackers' plan, so they could sell the principal at a high before the price crashed. It is as if the hackers were doing exactly what Justin Sun would want them to, apart from stealing the funds from a platform he owns.
It’s hard to imagine a Wall Street Bank or a Fortune 500 company being hacked for $100 million and offering the hackers a reward. Old-school crypto libertarians have been so upset about TradFi gaining a growing foothold in the digital asset ecosystem, but with guys like Justin Sun in control of major platforms, maybe it’s high time that new criminals took the reins.
Justin Ups the Ante
A week later, surprise! The hackers had not returned the loot, so Justin Sun upped the offer to $10 million. This time, he put the message on-chain in Russian, Chinese, and English.
Interestingly, Sun claimed that the identity of the hackers was already known. Why hasn't law enforcement dropped in and arrested them? Probably because the hackers reside in a jurisdiction where they are protected, so the police have no power. The hackers likely knew this, and so did Justin Sun.
However, he is desperate to get the money back, which is likely why he’s making these threats, hoping for some leverage.
Snoops start snooping
As usual, researchers began studying the hack, and it wasn’t long before they started putting out what they discovered. Ziv Oz, of Cyvers Alerts, a security firm, said that the hackers were highly prepared, showing an impressive level of sophistication.
“Cyvers’s research team documented hundreds of illegal transactions across numerous blockchain networks and dozens of different tokens in just 69 minutes. For instance, in Ethereum alone, there were around 320 unauthorized transactions, and additional blockchain networks were also implicated.”
The platform’s co-founder, Deddy Lavid, added:
“It’s reasonable to assume that this is a pre-planned bot operating automatically. In our estimation, this is a highly sophisticated and serious cyberattack. Considering the nature of the attack, likely a private key breach, suspicion falls on the Lazarus group, known for their involvement in similar advanced access control attacks and substantial amounts of stolen funds in recent months. Analysis of Lazarus attacks since September revealed that the attackers infiltrated the system months before the actual breach was executed.”
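The pattern Cyvers describes above (hundreds of automated transfers across many tokens and chains in about an hour, most likely signed with a stolen key) is exactly what a velocity monitor on hot-wallet outflows exists to catch. The following is an added illustration, not code from Poloniex, Cyvers or this article: the wallet label, the thresholds and the transfer log are all constructed, and the destination allowlist is a stand-in for whatever withdrawal history an exchange actually keeps.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical label for the monitored hot wallet (not a real address).
HOT_WALLET = "hot-wallet-4"


@dataclass(frozen=True)
class Transfer:
    """One outgoing on-chain transfer, as a settlement system would log it."""
    ts: datetime
    chain: str
    token: str
    sender: str
    dest: str
    usd: float


def detect_drain(transfers, wallet, known_dests, window=timedelta(minutes=10),
                 max_tx=20, max_tokens=5, max_usd=1_000_000.0):
    """Sliding-window velocity check on one wallet's outflows.

    Returns one (timestamp, reasons) alert for every transfer that leaves the
    trailing window over a threshold. A stolen key produces perfectly valid
    signatures, so nothing cryptographic flags these transfers; only their
    behaviour does: too many, too fast, in too many tokens, to addresses the
    exchange has never paid before.
    """
    recent = deque()
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.sender != wallet:
            continue
        recent.append(t)
        while t.ts - recent[0].ts > window:   # drop transfers older than the window
            recent.popleft()
        reasons = []
        if len(recent) > max_tx:
            reasons.append(f"{len(recent)} transfers in {window}")
        tokens = {x.token for x in recent}
        if len(tokens) > max_tokens:
            reasons.append(f"{len(tokens)} distinct tokens")
        usd = sum(x.usd for x in recent)
        if usd > max_usd:
            reasons.append(f"${usd:,.0f} outflow")
        new_dest = sum(1 for x in recent if x.dest not in known_dests)
        if new_dest > max_tx // 2:
            reasons.append(f"{new_dest} transfers to never-seen destinations")
        if reasons:
            alerts.append((t.ts, reasons))
    return alerts


def sample_day():
    """Constructed data: three hours of ordinary withdrawals, then a scripted drain."""
    start = datetime(2023, 11, 10, 0, 0)
    known = frozenset(f"customer-{i}" for i in range(40))
    baseline = [
        Transfer(start + timedelta(minutes=4 * i), "ethereum", ("ETH", "USDT")[i % 2],
                 HOT_WALLET, f"customer-{i % 40}", 40_000.0)
        for i in range(45)
    ]
    burst_start = start + timedelta(hours=3)
    burst = [  # 60 transfers in 12 minutes, 12 tokens, 2 chains, all to fresh addresses
        Transfer(burst_start + timedelta(seconds=12 * i), ("ethereum", "tron")[i % 2],
                 f"TOKEN{i % 12}", HOT_WALLET, f"fresh-{i}", 350_000.0)
        for i in range(60)
    ]
    return baseline, burst, known


if __name__ == "__main__":
    baseline, burst, known = sample_day()
    print("baseline alerts:", len(detect_drain(baseline, HOT_WALLET, known)))
    alerts = detect_drain(baseline + burst, HOT_WALLET, known)
    print("first alert at", alerts[0][0].time(), "because", alerts[0][1])
    print("last alert reasons:", alerts[-1][1])
```

On the constructed data the quiet baseline produces no alerts and the drain is flagged on its third transfer, long before the window fills. The caveat a practitioner will want: an alert that pages a human at 3 AM is already too late for a bot moving funds every few seconds. The check only buys anything if it is wired to an automatic halt of the signer, and the stronger design enforces the same limits inside the signing policy (an HSM or MPC service that refuses to sign past a velocity cap) while keeping the bulk of customer funds in cold storage that the hot key cannot touch at all.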
Is Lazarus Group Behind This?
State-sponsored hackers in North Korea are perhaps the most notorious group in the world. They are suspected of stealing billions of dollars since 2007. They are believed to be responsible for the Sony Pictures hack, for some of the most destructive malware attacks in history, and for various attacks on financial institutions.
Assuming Sun’s claim that “all stolen funds have been marked for tracking and cannot be used” is true, it will be interesting to see what the hackers do. If it is the Lazarus Group behind the attacks, they aren’t gonna give two shits about a white hat bounty.
Given how much money the mysterious hacker outfit has stolen in the last decade, $10 million is a drop in the ocean. Moreover, past attacks perpetrated by the group have not always had a financial motive. Sometimes, the motive seems to be nothing more than to create chaos or humiliate someone or some organization despised by their Dear Leader, Kim Jong Un.
If the Lazarus Group is behind all three attacks, that means they brought in around $230 million in a matter of two weeks, equivalent to around 14% of North Korea's entire annual trade volume for 2022. That is pretty sad, but it also shows how important those hackers are to the regime.
Justin Sun & Lazarus Group: Birds of a Feather
Lazarus Group operates in the shadows, maintaining their anonymity while remaining beyond the reach of Western law enforcement.
Isn't that much like the modus operandi of Justin Sun? For a time he operated out of San Francisco, until the SEC came knocking and he fled the country, just as he fled China.
Nowadays, Poloniex is headquartered in Seychelles, an island nation in the Indian Ocean known for its beautiful beaches and complete lack of crypto regulation.
Justin Sun has multiple passports and dozens of bank accounts around the world. He has slid through the fingers of law enforcement more times than I can count, thumbing his nose at authorities of a half dozen countries where there are warrants out for his arrest. So, don’t expect accountability of any sort.
If the Lazarus Group is behind this, we may never know. If it is somehow connected to Justin Sun, we will likely find out on down the road.
For now, even before allowing withdrawals on HTX and Poloniex, Sun is offering an “epic airdrop” to those who remain on his beleaguered platforms, basically rewarding those who defied all logic and did not withdraw their funds. It’s as if he’s afraid to resume normal business, both because of the hacks and the FUD they’ve generated. I’m sure investors are afraid, as well.
Author: Tim Tolka, writer, journalist, and BI researcher
The editorial team at #DisruptionBanking has taken all precautions to ensure that no persons or organizations have been adversely affected or offered any sort of financial advice in this article. This article is most definitely not financial advice.