SharkTeam: 2023 Cryptocurrency Crime Analysis Report

1 year ago

Hacker attacks remain a major cause of significant losses.

By SharkTeam

In 2023, the Web3 industry experienced over 940 security incidents of varying sizes, an increase of over 50% compared to 2022, with losses amounting to 1.79 billion USD. The third quarter saw the highest number of security incidents (360) and the largest losses (7.4 billion USD), representing a 47% increase compared to 2022. Particularly in July, there were a total of 187 security incidents, resulting in losses of 350 million USD.

Figure: Web 3 2023 Quarterly/Monthly Number of Security Incidents

Figure: Web 3 2023 Quarterly/Monthly Security Incident Losses (in million USD)

Firstly, hacker attacks remain a major cause of significant losses. In 2023, there were 216 hacker attack incidents throughout the year, resulting in losses of 10.6 billion USD. Contract vulnerabilities, private key theft, phishing attacks, and state-sponsored hackers continue to pose significant threats to the security of the Web3 ecosystem.

Secondly, Rugpull and Ponzi-scheme fraud are on the rise: there were 250 Rugpull and scam incidents in 2023, occurring most frequently on BNBChain. Fraudulent projects attract investors by launching seemingly attractive crypto projects and providing false liquidity; once enough funds have been attracted, they suddenly drain all the funds and transfer the assets away. Such fraud causes serious economic losses to investors and makes it significantly harder for investors to choose sound projects.

Furthermore, the use of ransomware to collect ransom in cryptocurrency has become a trend, such as Lockbit, Conti, Suncrypt, and Monti. Cryptocurrencies are more difficult to trace than fiat currencies, making it increasingly important to use on-chain analysis tools to track and locate ransomware groups.

Finally, in these cryptocurrency hacker attacks, fraudulent extortion, and other criminal activities, perpetrators typically need to launder the cryptocurrency through on-chain fund transfers and OTC. Money laundering typically uses a combination of decentralized and centralized methods, with centralized exchanges being the most concentrated venues for money laundering, followed by on-chain mixing platforms.

In 2023, substantial developments were made in Web3 regulation, including the relaunch of FTX2.0, sanctions against Binance, and the freezing of addresses associated with Hamas by USDT. In January 2024, the SEC approved a Bitcoin spot ETF, representing deep regulatory involvement in the development of Web3.

This report will provide a systematic analysis of key topics such as Web3 hacker attacks, Rugpull fraud, ransomware, cryptocurrency money laundering, and Web3 regulation in 2023, in order to understand the security situation in the cryptocurrency industry.

I. Contract Vulnerabilities

Contract vulnerability attacks occurred mainly on Ethereum, which saw 36 such attacks in the second half of 2023 with losses exceeding 200 million USD, followed by BNBChain. In terms of attack methods, business logic vulnerabilities and flash loan attacks remain the most common.

Figure: Web 3 2023 Quarterly Number of Hacker Attack Incidents and Losses (in million USD)

Figure: Web 3 2023H2 Monthly Contract Vulnerability Exploitation Hacker Attack Incidents and Losses

Figure: Web 3 2023H2 Monthly Contract Vulnerability Exploitation Attacks on Different Chains

Figure: Web 3 2023H2 Contract Vulnerability Exploitation Specific Attack Methods Incidents and Losses

Analysis of a Typical Event: Vyper Vulnerability Leads to Attacks on Curve, JPEG'd, and other Projects

Taking the attack on JPEG'd as an example:

Attacker's address: 0x6ec21d1868743a44318c3c259a6d4953f9978538

Attacker's contract: 0x9420F8821aB4609Ad9FA514f8D2F5344C3c0A6Ab

Attack transaction: 0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c

(1) The attacker (0x6ec21d18) created a contract for 0x466B85B4 and borrowed 80,000 WETH from [Balancer: Vault] through a flash loan.

(2) The attacker (0x6ec21d18) added 40,000 WETH to the pETH-ETH-f (0x9848482d) liquidity pool and obtained 32,431 pETH.

(3) Subsequently, the attacker (0x6ec21d18) repeatedly removed liquidity from the pETH-ETH-f (0x9848482d) liquidity pool.

(4) Finally, the attacker (0x6ec21d18) obtained 86,106 WETH, returned the flash loan, and profited by 6,106 WETH upon exit.

Vulnerability Analysis: This attack is a typical reentrancy attack. Decompiling the bytecode of the attacked project's contract, we found that the add_liquidity and remove_liquidity functions check the reentrancy lock against different storage slot values. Because each function guards its own slot, the lock held by one function does not block re-entry into the other, so the reentrancy protection can fail. At this point we suspected a design flaw in the Vyper compiler itself.

Combined with Curve's official tweet, the root cause was finally confirmed as a vulnerability in specific Vyper versions: 0.2.15, 0.2.16, and 0.3.0 carry a design flaw in the reentrancy lock. Comparing the older 0.2.14 with the newer 0.3.1 shows that this part of the code was revised repeatedly, and neither 0.2.14 nor 0.3.1 has the issue.

In datapositions.py, the file where Vyper assigns the storage position of the reentrancy lock, the storage slot value is overwritten: the first function that takes the lock is assigned slot 0, and the next function that uses the same lock is assigned the slot incremented by 1. The two functions therefore guard different slots, and the reentrancy lock is ineffective.
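To make the slot-assignment flaw concrete, here is a small Python model (an added illustration, not the Vyper compiler's or SharkTeam's code; the layout class and the toy pool are constructed simplifications) that assigns a storage slot per function, as the affected versions did, versus per lock key, as the fixed versions do, and checks whether a callback from remove_liquidity can enter add_liquidity under each layout.

```python
"""Toy model of the Vyper 0.2.15-0.3.0 reentrancy-lock slot bug.

Added example; not SharkTeam's report code and not the Vyper compiler or the
Curve/JPEG'd pool. The layout class and pool below are constructed simplifications.
"""


class StorageLayout:
    """Assigns the storage slot that backs each @nonreentrant(key) lock."""

    def __init__(self, per_function_slots: bool) -> None:
        # per_function_slots=True mimics the affected versions, where the slot
        # recorded for a key is overwritten for every function that declares
        # it, so two functions sharing a key end up guarding two different slots.
        self.per_function_slots = per_function_slots
        self.next_slot = 0
        self.key_slots: dict[str, int] = {}
        self.func_slots: dict[str, int] = {}

    def assign(self, func_name: str, key: str) -> int:
        if self.per_function_slots or key not in self.key_slots:
            self.key_slots[key] = self.next_slot  # fresh slot (reassigned when buggy)
            self.next_slot += 1
        slot = self.key_slots[key]
        self.func_slots[func_name] = slot
        return slot


class ReentrancyBlocked(Exception):
    """Raised when a @nonreentrant check finds its slot already locked."""


class ToyPool:
    """A pool with two functions guarded by the same @nonreentrant('lock')."""

    def __init__(self, layout: StorageLayout) -> None:
        self.layout = layout
        self.slots: dict[int, int] = {}  # storage slot -> 0 (free) / 1 (held)
        layout.assign("add_liquidity", "lock")
        layout.assign("remove_liquidity", "lock")
        self.reentered = False

    def _lock(self, func: str) -> None:
        slot = self.layout.func_slots[func]
        if self.slots.get(slot, 0):
            raise ReentrancyBlocked(func)
        self.slots[slot] = 1

    def _unlock(self, func: str) -> None:
        self.slots[self.layout.func_slots[func]] = 0

    def add_liquidity(self) -> None:
        self._lock("add_liquidity")
        self.reentered = True  # body reached while remove_liquidity's lock is held
        self._unlock("add_liquidity")

    def remove_liquidity(self, receiver) -> None:
        self._lock("remove_liquidity")
        # Paying out ETH hands control to the receiver's fallback before this
        # function returns; that callback is where a re-entrant call originates.
        receiver(self)
        self._unlock("remove_liquidity")


def lock_slots(per_function_slots: bool) -> tuple[int, int]:
    """Slots assigned to (add_liquidity, remove_liquidity) under a layout."""
    layout = StorageLayout(per_function_slots)
    return (layout.assign("add_liquidity", "lock"),
            layout.assign("remove_liquidity", "lock"))


def reentry_succeeds(per_function_slots: bool) -> bool:
    """True if a callback from remove_liquidity can enter add_liquidity."""
    pool = ToyPool(StorageLayout(per_function_slots))

    def fallback(p: ToyPool) -> None:
        try:
            p.add_liquidity()
        except ReentrancyBlocked:
            pass  # the shared lock did its job

    pool.remove_liquidity(fallback)
    return pool.reentered


if __name__ == "__main__":
    print("affected layout slots:", lock_slots(True), "reentry:", reentry_succeeds(True))
    print("fixed layout slots:   ", lock_slots(False), "reentry:", reentry_succeeds(False))
```

The check a reviewer can carry over to real contracts is the same: every function that declares a given lock key must read and write the same storage slot, which is exactly what the affected versions failed to guarantee.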

II. Phishing Attacks

Phishing attacks are a type of cyber attack aimed at deceiving and inducing targets to obtain sensitive information or to perform malicious operations. These attacks typically occur through email, social media, text messages, or other communication channels, with attackers posing as trusted entities such as project teams, authoritative organizations, or KOLs to lure victims into providing private keys, mnemonic phrases, or transaction authorizations. Similar to contract vulnerability attacks, phishing attacks showed a high frequency and high loss status in Q3, with a total of 107 phishing attacks, 58 of which occurred in July.

Figure: Web 3 2023 Quarterly Number of Phishing Attack Incidents and Losses (in million USD)

Figure: Web 3 2023 Monthly Number of Phishing Attack Incidents

Analysis of On-Chain Asset Transfer in a Typical Phishing Attack

On September 7, 2023, address (0x13e382) fell victim to a phishing attack, resulting in losses exceeding 24 million USD. The phishing hacker used fund theft, fund conversion, and decentralized fund transfers, ultimately transferring 3,800 ETH in stolen funds in multiple batches to Tornado.Cash, 10,000 ETH to an intermediate address (0x702350), and retaining 1,078,087 DAI in another intermediate address (0x4F2F02).

This is a typical phishing attack, where the attacker steals user assets by deceiving them into authorizing their wallet or providing their private keys, forming a black industry chain of phishing and money laundering. More and more fraudulent groups, and even state-sponsored hackers, are using phishing in the Web3 field to commit crimes, requiring increased attention and vigilance from everyone.

Based on the tracking and analysis of ChainAegis, a blockchain data analysis platform by SharkTeam (https://app.chainaegis.com/), we will analyze the fraudulent process, fund transfer situation, and on-chain behavior of the fraudster in a typical phishing attack.

(1) Phishing Attack Process

The victim's address (0x13e382) authorized rETH and stETH to the fraudster's address 1 (0x4c10a4) through 'Increase Allowance'.

Fraudster's address 1 (0x4c10a4) transferred 9,579 stETH from the victim's address (0x13e382) to fraudster's address 2 (0x693b72), amounting to approximately 15.32 million USD.

Fraudster's address 1 (0x4c10a4) transferred 4,850 rETH from the victim's address (0x13e382) to fraudster's address 2 (0x693b72), amounting to approximately 8.41 million USD.

(2) Asset Conversion and Transfer

The stolen stETH and rETH were converted into ETH. Starting from the early morning of September 7, 2023, fraudster's address 2 (0x693b72) conducted multiple exchange transactions on UniswapV2, UniswapV3, and Curve platforms, converting all 9,579 stETH and 4,850 rETH into ETH, totaling 14,783.9413 ETH.

Figure: stETH conversion transactions

Figure: rETH conversion transactions

Some ETH was exchanged for DAI. Fraudster's address 2 (0x693b72) exchanged 1,000 ETH for 1,635,047.761675421713685327 DAI on the UniswapV3 platform. Through decentralized fund transfer methods, the fraudulently obtained funds were transferred to multiple intermediate wallet addresses, totaling 1,635,139 DAI and 13,785 ETH. Of these, 1,785 ETH was transferred to the intermediate address (0x4F2F02), 2,000 ETH to the intermediate address (0x2ABdC2), and 10,000 ETH to the intermediate address (0x702350). Additionally, the intermediate address (0x4F2F02) received 1,635,139 DAI the following day.

Intermediate wallet address (0x4F2F02) fund transfer:

After one layer of fund transfer, this address held 1,785 ETH and 1,635,139 DAI. The DAI was transferred out in dispersed batches, and a small amount was exchanged for ETH.

Firstly, on September 7, the fraudster made 10 transactions transferring 529,000 DAI out of the intermediate address: the first 7, totaling 452,000 DAI, went to 0x4E5B2e (FixedFloat), the 8th went to 0x6cC5F6 (OKX), and the last 2, totaling 77,000 DAI, went to 0xf1dA17 (eXch).

Secondly, on September 10, 28,052 DAI was exchanged for 17.3 ETH through UniswapV2.

From September 8th to September 11th, a total of 18 transactions were conducted to transfer all 1,800 ETH to Tornado.Cash.

After the transfer, the address still had 1,078,087 DAI of stolen funds remaining.

Intermediate address (0x2ABdC2) fund transfer:

After one layer of fund transfer, this address holds 2,000 ETH. Firstly, on September 11th, this address transferred 2,000 ETH to the intermediate address (0x71C848).

Subsequently, the intermediate address (0x71C848) conducted a total of 20 transactions through two fund transfers on September 11th and October 1st, each transferring 100 ETH, totaling 2,000 ETH to Tornado.Cash.

Intermediate address (0x702350) fund transfer:

After one layer of fund transfer, this address holds 10,000 ETH. As of October 8, 2023, the 10,000 ETH remains in this address and has not been transferred.

Address tracing: Analysis of the historical transactions of fraudster address 1 (0x4c10a4) and fraudster address 2 (0x693b72) revealed that an EOA address (0x846317) transferred 1.353 ETH to fraudster address 2 (0x693b72), and the source of funds for this EOA address is related to the hot wallet addresses of centralized exchanges KuCoin and Binance.

III. Rugpull and Fraud

The frequency of Rugpull fraud events in 2023 showed a significant upward trend, reaching 73 incidents in Q4, with a total loss of 19 million USD. The average loss per incident was approximately 26,000 USD. The quarter with the highest proportion of Rugpull fraud losses in 2023 was Q2, followed by Q3, with loss proportions exceeding 30% in both quarters.

In the second half of 2023, there were a total of 139 Rugpull events and 12 fraud events, resulting in losses of 71.55 million USD and 340 million USD, respectively.

In the second half of 2023, Rugpull events mainly occurred on BNBChain, reaching 91 incidents, accounting for over 65%, with losses totaling 29.57 million USD and accounting for 41%. Ethereum (44 incidents) followed, with losses of 7.39 million USD. In addition to Ethereum and BNBChain, a BALD Rugpull event occurred on the Base chain in August, resulting in significant losses of 25.60 million USD.

Figure: Web 3 2023 Quarterly Number of Rugpull and Scam Events and Losses (in million USD)

Figure: Web 3 2023H2 Monthly Number of Rugpull and Scam Events and Losses

Figure: Web 3 2023H2 Number of Rugpull Events and Losses by Different Chains

Analysis of Rugpull Fraud Factory Behavior

A Rug fraud factory model is prevalent on BNBChain, used to mass-produce Rugpull tokens and conduct fraud. Let's take a look at the fraudulent behavior patterns of fake SEI, X, TIP, and Blue tokens in the Rugpull factory.

(1) SEI

First, the owner of the fake SEI token, 0x0a8310eca430beb13a8d1b42a03b3521326e4a58, exchanged 249 fake SEI tokens at a price of 1U.

Then, 0x6f9963448071b88FB23Fd9971d24A87e5244451A conducted batch buy and sell operations. Under these operations, the token's liquidity significantly increased, and the price also rose.

Through promotion via phishing and other methods, a large number of users were enticed to buy. As liquidity increased, the token price doubled.

When the token price reached a certain value, the token owner conducted a sell operation to perform Rugpull. It can be seen from the following image that the timing and price of the sell operation varied.

(2) Fake X, Fake TIP, Fake Blue

The owner of the X, TIP, and Blue tokens, 0x44A028Dae3680697795A8d50960c8C155cBc0D74, exchanged the corresponding tokens at a price of 1U. Then, as with the fake SEI token, 0x6f9963448071b88FB23Fd9971d24A87e5244451A conducted batch buy and sell operations. Under these operations, liquidity significantly increased, and the price rose.

Then, through promotion via phishing and other methods, a large number of users were enticed to buy. As liquidity increased, the token price also doubled.

Similar to fake SEI, when the token price reached a certain value, the token owner conducted a sell operation to perform Rugpull. It can be seen from the following image that the timing and price of the sell operation varied.

Figure: Price fluctuation charts of the fake SEI, fake X, fake TIP, and fake Blue tokens

From fund tracing and behavior patterns, we can infer:

In the fund tracing content, the funds of the token factory creator and token creator come from multiple EOA accounts. There are also fund transfers between different accounts, some of which are transferred through phishing addresses, some obtained through previous token Rugpull behaviors, and some obtained through mixing platforms like Tornado Cash. The use of multiple methods for fund transfers aims to build a complex and intricate fund network. Different addresses have also created multiple token factory contracts and mass-produced tokens.

When analyzing token Rugpull behavior, we found that address 0x6f9963448071b88FB23Fd9971d24A87e5244451A is one of the sources of funds. When manipulating token prices, batch methods were also used. Address 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3 also acted as a fund provider, supplying funds to multiple token holders.

Analysis reveals that behind this series of behaviors is a well-organized Web3 scam group, forming a black industrial chain mainly involving hot topic collection, automatic token issuance, automatic trading, false advertising, phishing attacks, and Rugpull harvesting, mostly occurring on BNBChain. The Rugpull fake tokens issued are closely related to industry hot events, with strong misleading and provocative characteristics. Users need to remain vigilant at all times, stay rational, and avoid unnecessary losses.

IV. Ransomware

Ransomware attacks continued to pose a constant threat to organizations and enterprises in 2023. Ransomware attacks are becoming increasingly complex, with attackers using various techniques to exploit vulnerabilities in organizational systems and networks. The ongoing spread of ransomware attacks continues to pose a significant threat to global enterprises, individuals, and critical infrastructure. Attackers are constantly adjusting and refining their attack strategies, maximizing their illegal gains using leaked source code, intelligent attack schemes, and emerging programming languages.

LockBit, ALPHV/BlackCat, and BlackBasta are currently the most active ransomware extortion organizations.

Figure: Number of victims of ransomware organizations

Currently, an increasing number of ransomware use cryptocurrency payments. Taking Lockbit as an example, the companies recently attacked by LockBit include TSMC at the end of June, Boeing in October, and the U.S. subsidiary of ICBC in November. Most of them use Bitcoin for ransom payments, and after receiving the ransom, LockBit conducts cryptocurrency laundering. Below, we analyze the ransomware money laundering model using Lockbit as an example.

According to ChainAegis analysis, LockBit ransomware mostly uses BTC for ransom payments, with different receiving addresses. Some addresses and receiving amounts are summarized below. The amount extorted in a single ransom ranges from 0.07 to 5.8 BTC, equivalent to approximately 2,551 USD to 211,311 USD.

Figure: Some receiving addresses and amounts for LockBit

We will conduct on-chain address tracing and anti-money laundering analysis on the two addresses with the highest amounts involved:

Ransom receiving address 1: 1PtfhwkUSGVTG6Mh6hYXx1c2sJXw2ZhpeM;

Ransom receiving address 2: 1HPz7rny3KbjEUURHKHivwDrNWAAsGVvPH.

(1) Ransom receiving address 1: 1PtfhwkUSGVTG6Mh6hYXx1c2sJXw2ZhpeM

According to the analysis below, address 1 (1Ptfhw) received a total of 17 on-chain transactions from March 25, 2021, to May 15, 2021. After receiving the funds, the assets were quickly transferred to 13 core intermediate addresses. These intermediate addresses transferred funds through multiple layers to 6 secondary intermediate addresses, namely: 3FVzPX…cUvH, 1GVKmU…Bbs1, bc1qdse…ylky, 1GUcCi…vSGb, bc1qan…0ac4, and 13CPvF…Lpdp.

Intermediate address 3FVzPX…cUvH, through on-chain analysis, was found to ultimately flow to the dark web address 361AkMKNNWYwZRsCE8pPNmoh5aQf4V7g4p.

Intermediate address 13CPvF…Lpdp made 500 similar small transfers of 0.00022 BTC each to CoinPayments, totaling 0.21 BTC collected at the CoinPayments address bc1q3y…7y88, used for money laundering.

Other intermediate addresses ultimately flowed into centralized exchanges Binance and Bitfinex.

Figure: Address 1 (1Ptfhw…hpeM) details of fund sources and outflows

Figure: Address 1 (1Ptfhw…hpeM) fund flow tracing

Figure: Address 1 (1Ptfhw…hpeM) details of intermediate addresses and fund flows

Figure: Address 1 (1Ptfhw…hpeM) transaction graph

(2) Ransom receiving address 2: 1HPz7rny3KbjEUURHKHivwDrNWAAsGVvPH

Between May 24, 2021, and May 28, 2021, the victim made 11 transactions to pay 4.16 BTC to the ransom operator LockBit. Subsequently, address 2 (1HPz7rn…VvPH) quickly transferred 1.89 BTC of ransom funds to intermediate address 1: bc1qan…0ac4, 1.84 BTC to intermediate address 2: 112QJQj…Sdha, and 0.34 BTC to intermediate address 3: 19Uxbt…9RdF.

Ultimately, intermediate address 2: 112QJQj…Sdha and intermediate address 3: 19Uxbt…9RdF both transferred funds to intermediate address 1: bc1qan…0ac4. Subsequently, intermediate address 1 bc1qan…0ac4 continued fund transfers, with a small portion of funds directly entering the Binance exchange, while the rest of the funds were transferred through multiple layers to ultimately be laundered on Binance and other platforms. The specific transaction details and address labels are as follows.

Figure: Address 2 (1HPz7rn…VvPH) details of fund sources and outflows

Figure: Address 2 (1HPz7rn…VvPH) fund flow tracing

Figure: Address 2 (1HPz7rn…VvPH) details of intermediate addresses and fund flows

LockBit conducts cryptocurrency laundering after receiving the ransom. This money laundering model is different from traditional methods and typically occurs on the blockchain, characterized by long cycles, dispersed funds, high automation, and complexity. To regulate cryptocurrency and track funds, it is necessary to build both on-chain and off-chain analysis and evidence collection capabilities, as well as deploy APT-level security attack and defense capabilities at the network security level.

V. Money Laundering

Money laundering is the process of making illegally obtained proceeds appear legal, mainly by disguising and concealing the source and nature of the illegal proceeds and their generated profits, making them appear legitimate in form. This behavior includes but is not limited to providing financial accounts, assisting in converting the form of property, and facilitating the transfer of funds or remittances abroad. Cryptocurrencies—especially stablecoins—have been utilized for money laundering activities due to their low transfer costs, decentralized nature, and certain resistance to scrutiny, which is one of the main reasons why cryptocurrencies have been criticized.

Traditional money laundering activities often utilize over-the-counter cryptocurrency trading markets for exchanging between fiat and cryptocurrencies, or vice versa. The laundering scenarios vary, but the essence of these activities is to obstruct law enforcement investigations into the financial chain, including traditional financial institution accounts or cryptocurrency institution accounts.

Unlike traditional money laundering activities, the new type of cryptocurrency money laundering activities target the cryptocurrencies themselves, including the cryptocurrency industry infrastructure such as wallets, cross-chain bridges, and decentralized trading platforms, which are exploited for illegal purposes.

Figure: Money laundering amounts in recent years

From 2016 to 2023, the total amount of cryptocurrency money laundering reached as much as 147.7 billion USD. The amount of money laundering has been increasing at a rate of 67% per year since 2020, reaching 23.8 billion USD in 2022 and a staggering 80 billion USD in 2023. The scale of money laundering is astonishing, and anti-money laundering actions for cryptocurrencies are imperative.

According to statistics from the ChainAegis platform, the funds in the on-chain mixing platform Tornado Cash have been growing rapidly since January 2020, with nearly 3.62 million ETH deposited in the pool, totaling 7.8 billion USD. Tornado Cash has become the largest money laundering center for Ethereum. However, after the U.S. law enforcement agencies sanctioned Tornado Cash in August 2022, the weekly deposits and withdrawals at Tornado Cash plummeted. Due to the decentralized nature of Tornado Cash, it was impossible to stop the influx of funds into the system, and money laundering activities continued.

Money Laundering Analysis of Lazarus Group (North Korean APT Organization)

National-level APT (Advanced Persistent Threat) organizations are top-tier hacker groups supported by national backgrounds, specializing in long-term persistent network attacks against specific targets. The North Korean APT organization Lazarus Group is a very active APT group, primarily targeting financial theft and is considered the biggest threat to global financial institutions. In recent years, they have been responsible for multiple attacks and fund theft cases in the cryptocurrency field.

Figure: Confirmed security incidents and losses in the cryptocurrency field attributed to Lazarus attacks

Lazarus has stolen over 3 billion USD through network attacks. It is reported that the Lazarus hacker group serves North Korean strategic interests, providing funds for North Korea's nuclear and ballistic missile programs. In response, the United States announced a 5 million USD reward targeting the Lazarus hacker group. The U.S. Treasury Department has also added related addresses to the OFAC Specially Designated Nationals (SDN) list, prohibiting U.S. individuals, entities, and related addresses from transacting with them, so that the state-sponsored group cannot access these funds. Ethereum developer Virgil Griffith was sentenced to five years and three months in prison for helping North Korea use virtual currency to evade sanctions. In 2023, OFAC also sanctioned three individuals associated with the Lazarus Group: Cheng Hung Man and Wu Huihui, who facilitated over-the-counter (OTC) cryptocurrency trading for Lazarus, and Sim Hyon Sop, who provided other financial support.

Nevertheless, Lazarus has completed the transfer and laundering of over 1 billion USD in assets. Their money laundering model is analyzed as follows. Taking the Atomic Wallet incident as an example, after removing the technical interference set by the hackers (a large number of fake token transfer transactions + multiple address splitting), the fund transfer pattern of the hackers can be obtained:

Figure: Victim 1 fund transfer view in the Atomic Wallet incident

Victim 1 address 0xb02d…c6072 transferred 304.36 ETH to the hacker address 0x3916…6340, which was split 8 times through the intermediate address 0x0159…7b70 and then aggregated to address 0x69ca…5324. The aggregated funds were then transferred to address 0x514c…58f67, and the funds are currently still in that address, with an ETH balance of 692.74 ETH (worth 1.27 million USD).

Figure: Victim 2 fund transfer view in the Atomic Wallet incident

Victim 2 address 0x0b45…d662 transferred 1.266 million USDT to the hacker address 0xf0f7…79b3, which was split into three transactions. Two transactions were transferred to Uniswap, totaling 1.266 million USDT, and the other was transferred to address 0x49ce…80fb, with a transfer amount of 672.71 ETH. Victim 2 transferred 22,000 USDT to the hacker address 0x0d5a…08c2, and the hacker used multiple intermediate addresses, including 0xec13…02d6, to aggregate the funds directly or indirectly to address 0x3c2e…94a8.

This money laundering model is highly consistent with the money laundering patterns in the previous Ronin Network and Harmony attack incidents, all of which involve three steps:

(1) Sorting and exchanging stolen funds: After launching the attack, the original stolen tokens are sorted, and the various tokens are swapped for ETH through DEXs and other means. This is a common way to avoid having the funds frozen.

(2) Aggregation of stolen funds: The sorted ETH is aggregated into several one-time wallet addresses. In the Ronin incident, the hackers used a total of 9 such addresses, Harmony used 14, and the Atomic Wallet incident used nearly 30 addresses.

(3) Transfer of stolen funds: The aggregated addresses are used to wash the money through Tornado.Cash. This completes the entire fund transfer process.

In addition to having the same money laundering steps, there is also a high degree of consistency in the details of the money laundering:

(1) The attackers are very patient, using a week-long period for money laundering operations, and starting subsequent money laundering actions a few days after the incident.

(2) The money laundering process uses automated transactions, with a large number of transactions for fund aggregation and a uniform pattern.

Based on the analysis, we believe that the money laundering model of Lazarus is typically as follows:

(1) Multiple account splitting and small, frequent asset transfers to increase tracking difficulty.

(2) Initiating a large number of fake token transactions to increase tracking difficulty. Taking the Atomic Wallet incident as an example, out of 27 intermediate addresses, 23 accounts were used for fake token transfers. Similar techniques were also found in the analysis of the Stake.com incident, but the previous Ronin Network and Harmony incidents did not involve this interference technique, indicating an upgrade in Lazarus's money laundering technology.

(3) Increased use of on-chain methods (such as Tornado Cash) for coin mixing. In earlier incidents, Lazarus often used centralized exchanges to obtain startup funds or conduct subsequent over-the-counter (OTC) transactions, but recently, there has been a decreasing reliance on centralized exchanges, and it can even be considered an attempt to avoid using centralized exchanges as much as possible. This is likely related to recent sanction events.
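As an added example (not from the report or ChainAegis), the following Python sketch runs the two-step triage the analysis above describes over a constructed transfer list: drop the fake-token transfers, then look for an address whose senders were all funded by one common upstream address (split, then re-aggregate) and report what it forwards to a labelled mixer. All addresses, asset names and the mixer label are placeholders.

```python
"""Fund-flow triage for the split -> aggregate -> mixer pattern.

Added example; not SharkTeam's or ChainAegis's code. All addresses, asset
names and labels below are constructed placeholders, not real indicators.
"""
from collections import defaultdict

Transfer = tuple[str, str, str, float]  # (sender, receiver, asset, amount)

ETH = "ETH"
GENUINE_ASSETS = {ETH, "USDT"}           # assumed allow-list of real assets
MIXER_LABELS = {"0xMIXER_PLACEHOLDER"}   # assumed label set for mixer deposits

# Constructed sample modelled on the flow described above: victim -> hacker,
# split into four intermediates, fake-token noise, then re-aggregation into
# one one-time address that forwards to a mixer.
SAMPLE: list[Transfer] = [
    ("0xVICTIM", "0xHACK", ETH, 304.36),
    ("0xHACK", "0xI1", ETH, 76.09), ("0xHACK", "0xI2", ETH, 76.09),
    ("0xHACK", "0xI3", ETH, 76.09), ("0xHACK", "0xI4", ETH, 76.09),
    ("0xNOISE_A", "0xI1", "FAKE", 9999.0),   # fake token sent into an intermediate
    ("0xI2", "0xNOISE_B", "FAKE", 9999.0),   # fake token sent out of an intermediate
    ("0xI1", "0xAGG", ETH, 76.0), ("0xI2", "0xAGG", ETH, 76.0),
    ("0xI3", "0xAGG", ETH, 76.0), ("0xI4", "0xAGG", ETH, 76.0),
    ("0xAGG", "0xMIXER_PLACEHOLDER", ETH, 300.0),
]


def strip_fake_tokens(transfers: list[Transfer]) -> list[Transfer]:
    """Remove transfers of assets not on the allow-list (the 'technical interference')."""
    return [t for t in transfers if t[2] in GENUINE_ASSETS]


def find_aggregators(transfers: list[Transfer], min_fan_in: int = 3) -> dict[str, str]:
    """Map each aggregation address to the single origin that funded all its senders.

    An aggregator receives from at least min_fan_in distinct senders, and every
    one of those senders was itself funded by one and the same upstream address.
    """
    received_from: dict[str, set[str]] = defaultdict(set)
    for sender, receiver, _, _ in transfers:
        received_from[receiver].add(sender)

    found: dict[str, str] = {}
    for agg, senders in received_from.items():
        if len(senders) < min_fan_in:
            continue
        origins: set[str] = set()
        for s in senders:
            origins |= received_from.get(s, set())
        if len(origins) == 1:
            found[agg] = next(iter(origins))
    return found


def mixer_exits(transfers: list[Transfer], addresses) -> dict[str, float]:
    """Total amount each given address forwarded to a labelled mixer."""
    totals: dict[str, float] = defaultdict(float)
    for sender, receiver, _, amount in transfers:
        if sender in addresses and receiver in MIXER_LABELS:
            totals[sender] += amount
    return dict(totals)


def triage(transfers: list[Transfer]) -> dict[str, float]:
    """Full pipeline: strip noise, find aggregators, report their mixer exits."""
    clean = strip_fake_tokens(transfers)
    return mixer_exits(clean, find_aggregators(clean))


if __name__ == "__main__":
    # Without stripping, the fake token into 0xI1 adds a second "origin" and
    # hides the aggregator; after stripping, 0xAGG is attributed to 0xHACK.
    print("with noise:    ", find_aggregators(SAMPLE))
    print("noise stripped:", find_aggregators(strip_fake_tokens(SAMPLE)))
    print("mixer exits:   ", triage(SAMPLE))
```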

VI. Sanctions and Regulation

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and similar agencies in other countries impose sanctions on countries, regimes, individuals, and entities deemed to pose a threat to national security and foreign policy. Traditionally, the enforcement of sanctions relies on the cooperation of mainstream financial institutions, but some bad actors have turned to cryptocurrencies to circumvent these third-party intermediaries, presenting new challenges to policymakers and sanctioning authorities. However, the inherent transparency of cryptocurrencies and the willingness of compliant cryptocurrency services, especially many centralized exchanges that serve as a bridge between cryptocurrencies and fiat currencies, have proven that implementing sanctions in the cryptocurrency world is possible.

Figure: Individuals and entities with cryptocurrency connections sanctioned in the United States in 2023, with the reasons for OFAC sanctions

Tether, the company behind the world's largest stablecoin, announced on December 9, 2023, that it would "freeze" the tokens in the wallets of individuals sanctioned by the Office of Foreign Assets Control (OFAC). Tether described this action as a voluntary step to "proactively prevent any potential Tether token abuse and enhance security measures."

This also indicates that the investigation and sanctioning of cryptocurrency crimes have entered a substantive stage, and the cooperation between core enterprises and law enforcement agencies can form effective sanctioning measures to regulate and punish cryptocurrency crimes.

In terms of Web3 regulation in 2023, Hong Kong has made significant progress and is sounding the call for "compliant development" of Web3 and the crypto market. While the Monetary Authority of Singapore restricted retail customers from using leverage or credit for cryptocurrency trading starting in 2022, the Hong Kong SAR government issued the "Policy Declaration on the Development of Virtual Assets in Hong Kong." Some Web3 talents and companies are moving to this promising new destination.

On June 1, 2023, Hong Kong implemented the "Guidelines for Virtual Asset Trading Platform Operators," officially launching the virtual asset trading platform licensing system, and has issued Class 1 (securities trading) and Class 7 (providing automated trading services) licenses.

Currently, institutions such as OKX, BGE, HKbitEX, HKVAX, VDX, Meex, PantherTrade, VAEX, Accumulus, and DFX Labs are actively applying for Virtual Asset Service Provider (VASP) licenses.

Chief Executive Carrie Lam, Financial Secretary Paul Chan, and other representatives of the Hong Kong government have frequently voiced their support for the landing of Web3 in Hong Kong, attracting cryptocurrency enterprises and talents from around the world to contribute to the development. In terms of policy support, Hong Kong has introduced a licensing system for virtual asset service providers, allowing retail investors to trade cryptocurrencies, launched a Web3 Hub ecosystem fund worth tens of millions of dollars, and plans to invest over 700 million Hong Kong dollars to accelerate the development of the digital economy and promote the development of the virtual asset industry. A dedicated working group for Web3.0 development has also been established.

However, as progress continues, risk events have also emerged. The unlicensed cryptocurrency exchange JPEX is implicated in a case involving over 1 billion Hong Kong dollars, the HOUNAX fraud case involves amounts exceeding tens of millions of dollars, and HongKongDAO and BitCuped are suspected of virtual asset fraud. These malicious events have attracted close attention from the Securities and Futures Commission and the police in Hong Kong. The Securities and Futures Commission stated that it will work with the police to develop risk assessment guidelines for virtual asset cases and exchange information on a weekly basis.

It is believed that in the near future, a more comprehensive regulatory and security system will help Hong Kong, as a crucial financial hub in both the East and the West, embrace Web3.
