Thank you, everyone, for joining this talk. I'm Julia Hardy, I'm here with Adam Hart, and we're here from Chainalysis to talk to you about the $10 billion problem. So we're looking at coordinated adversaries that are working within Ethereum and the Web3 space. First, you might be wondering, who is Chainalysis? Why do we care about this issue? Chainalysis is a blockchain analytics company. So what we do is we take the raw blockchain data, as well as inputs that we have from research and from services, and we enhance that data. So we cluster, so we put different addresses that we know are controlled by the same entity together. We also provide attribution, and we put all of that together into the different products that we have, and the one that we use as investigators mainly is Reactor, which is our blockchain visualization tool. And so what we're doing in our day-to-day is we're looking at the different exploits that have happened and mapping out that activity on-chain. And when we're looking back at the past year, it can feel like there's been an exploit every week, if not every day in some cases. Some of these have been the larger bridge exploits that have been discussed today. There was even the BNB Chain bridge just last week. There are things like the Discords and the Twitters that have been compromised and end up having phishing links posted on them. There are things like the oracle exploits that come out. And what we do is we trace what has happened with those funds and we look for patterns of activity. And ultimately we're asking ourselves the question: do we think that these are all separate events that have occurred in the past year, or do we see any coordinated attacks happening? Do we see that there are the same adversaries that are working and having multiple exploits in the space? And as you might imagine from our title, we do see some coordination here. So first we're gonna talk about the nation-state adversary and about North Korea.
And in the past, you've probably heard that North Korea has been attributed to the Ronin Bridge hack, but you might not know the extent of their activity. Chainalysis has identified 42 different DPRK hacks since 2016. And this is a total of $2.7 billion worth of stolen funds. So this is a pretty crazy number, a pretty large part of the DeFi exploits that have occurred. And when we look at what kind of exploits they are conducting, we see that they're really following the money. So originally most of the money was concentrated in Bitcoin. And then as Ethereum has taken off, as there's been DeFi summer and yield farming and NFT trading, we see that DPRK has shifted and they're focusing a lot more on stealing Ether and ERC-20 tokens. So this is a map of the flow of funds for the Ronin Bridge hack. And this is really a high-level view, but you can imagine if you're zooming in, each of these dots here is a separate address or a separate group of addresses. And the lines between them are flows of funds. So you can see just how well coordinated this adversary is. They're able to move funds 24/7 across blockchains through mixers, and they are just very well-resourced and have a very good understanding of how to launder in this space. So we can also use those patterns that we see from Ronin and from other hacks to be able to identify how DPRK works. So from there, we can look at past hacks that have happened and say, well, do we think this was actually DPRK? Are they following these same laundering strategies? But we just didn't know before. And we can also look forward, and if a future exploit occurs, we can take a look and say, do we see these same patterns happening there? Do we think that this is another DPRK activity? And then hopefully ultimately help to prevent the flow of funds to cash-out points.

Great. And so Julia just walked us through a very brief overview of some of the North Korean activity.
And there have definitely been talks in this room earlier today about exactly how some of those attacks are actually executed. But what we really wanted to dive into in this session are some of the coordinated adversaries that maybe receive a little bit less media attention, but are equally, if not more, damaging to the ecosystem. So DPRK is definitely a major threat, one that deserves all of the attention that it gets. It's just that on-chain, we certainly see other activity as well. So, and Julia, which one goes forward? There we go. Perfect. So a common problem that we come across, as Julia mentioned earlier, is the sheer volume of hacks, exploits, other events, scams that occur. And the question that we're always trying to ask is, are these different entities that are all just copying each other? Or is this one coordinated adversary? Because if it's a coordinated entity, then they're probably more sophisticated, more organized, probably doing more damage. And the attack vectors can vary. So it can be something like compromised Web2 infrastructure. We just had a really great talk in this room about how those sorts of exploits occur. But one of our questions is, is this the same entity that's maybe going after DNS registrations, or is it different entities? And the same goes for any sort of compromise of, say, a Discord server or a popular Twitter profile, a trusted method of communication that again tricks users into doing something that they probably shouldn't be doing on the blockchain. And the way we sort of approach this problem of identifying coordinated entities in the first place is a combination of traditional cybersecurity analysis, so looking at things like what infrastructure is used in the attack, what systems are compromised, what's the specific attack vector, but then, as was just shown in the case of looking at North Korean activity, and what we can also apply to these other coordinated actors, is looking at what occurs on the blockchain.
So this is where the transparency of something like Ethereum is really, really useful to us as security analysts trying to understand these bad actors, because we can look at things like how is the victim actually losing funds? And that might be something really sophisticated like a reentrancy exploit in a popular smart contract, or it can be something as simple as phishing for token approvals. The simple attacks sometimes are the most damaging, but the precise sort of payload can be very illustrative and help us understand these groups. And then also, we can track the funds after the attack occurs. Now, unfortunately, this is reactive. This is after victims are losing money. But again, it can help us understand our adversaries, the bad actors on the blockchain, better and start to map out the true scale of the challenge that we're up against here. So to delve into that a little bit, we actually wanted to spend a little time here walking through a case study of how we approach this problem and also hopefully drive home the point that North Korea is definitely not the only coordinated adversary out there. So the particular example here is something that we refer to as a Tether (USDT) approval mining scam. So to the folks in this room, those words might not really make sense together, right? You don't mine anything with Tether, what's going on here? But essentially the attack here is not targeting folks who are attending DevCon. This is targeting newer crypto users, primarily targeting mobile crypto users, folks who are maybe getting into the ecosystem for the first time, the next billion users. But instead of engaging with a normal dapp or something interesting, instead the users are maybe social engineered into going to a website. Maybe they have some Tether in their wallet and they hear from a trusted friend that they met on the internet that there's this really great opportunity to make some money.
And they don't even have to send their Tether anywhere, because red flags go up if you send your tokens somewhere. But they just go onto this site, they buy a little voucher to participate in this node mining, and from there they can start earning some pretty great rewards. And everyone knows you can make some money off of crypto, that's always nice. However, as was very well reported by the MetaMask security team, it turns out that naturally this was not the true application. What was really happening here is when the users were going onto this website, what they were seeing was some screen that said, hey, you're earning great rewards. All you have to do is buy a little voucher to claim those rewards. But when they bought that voucher, what they really did was approve another address to move the Tether sitting in their wallet. And again, this is a really common attack vector, certainly not a new one. It's been around forever. But it still tricks a lot of users. Users don't understand what this approval is that they're signing, and naturally, once the bad actor gets the user, the victim, to approve their address to move their funds, they can now clean out all the Tether that's sitting in that address. And what we can see, thanks to the great work of MetaMask, is MetaMask, as a very popular wallet provider, received lots of tickets from users who had been scammed, and they noticed a trend on the off-chain side. They noticed a similarity in how these users were being tricked. They noticed similarities in some of the domains being used to trick these users. And from that, they published an awesome Dune dashboard showing 60 addresses that were scamming users, i.e. 60 addresses that were being granted approvals from victims, and those 60 addresses had managed to scam somewhere in the range of $83 million over the course of a year. Now that's already in the range of some of the major bridge hacks. However, we can go beyond this, right?
Because MetaMask, as a wallet provider, they're the first point of contact, they're getting the reports from users. But what we do as a blockchain analytics company is we try and build out patterns. So here, with 60 addresses, we can look in a variety of directions. So the reported scam addresses are shown here. And one of the first things that we might do in an investigation is say, okay, how were these different addresses funded? How did they get the Ether that they needed to execute transactions on the blockchain? Again, this is one of many avenues that we pursue. But from there, we might be able to identify related addresses. And from there, maybe we can start identifying some patterns. Maybe we notice there are some addresses that appear to be testing these phishing scripts, right? They're testing the approval function, they're funded from the same entities, clearly related to what's going on here. And with that pattern recognition, by looking at the funding, by looking at these testing patterns and others, we can start to identify additional addresses that are receiving approvals from victims, that are following this exact same pattern of getting that approval from the victim and then transferring the Tether out. Everything looks alike. And so now we're starting to expand our understanding of the adversary here. Where things really get interesting, though, is when adversaries are coordinated and organized, as is the case here. This is a persistent scam that's lasted over a year; there is some point of consolidation, some pattern we can identify. And we identified a consolidation point here: funds were being gathered in a very specific manner. And from that consolidation point, we can really start to understand the true scale of this scam.
And it turns out that when we really mapped out this scam, and certainly the mapping is not complete here, we were able to go from the 60 addresses that MetaMask reported from their victims to 91 additional addresses that we identified doing the exact same thing, where we are very confident that they're all controlled by the same entity. So these 91 addresses, plus the original 60 addresses, they take victim funds and they spread them out to all sorts of addresses. They spread them out to 879 other addresses. So already we're again seeing a very clear laundering pattern, as Julia will get into in just a moment. But we can start to map out where those funds go. And additionally, we can identify how many victims are actually being hurt by this scam. So MetaMask in their original Dune dashboard, which again, they did a fantastic job publicizing this, and we wouldn't be able to get started without their work. But here, we were able to identify more than 11,000 additional victims. And this is where these sorts of persistent scams, although less technically sophisticated than something like an exploit, really damage the community. Because now, we've got over 20,000 likely victims. And these likely victims are probably first-time users. And they're gonna go tell all their friends that their only experience in crypto is getting scammed. So this is a real problem, and certainly the scale is pretty shocking as well. But to truly understand the scale of these sorts of scams, we not only have to map out the infrastructure being used to scam victims, but also where the funds go after the attack. And for that, I'll pass it back over to Julia.

Yeah, so looking back at where the funds go once they have been stolen and gone to those recipient addresses, we see a really clear pattern of activity. And what we're gonna show here is just one example, but you can just imagine it across hundreds of addresses.
So first, we see that the funds are received from the different victims and then spread across a few different addresses. They might be doing that to provide liquidity within the other addresses that they have within this network. They might be doing that to obfuscate the flow of funds. We can't really be certain. But what we do see is, after that initial spreading out, we see a consolidation point. And this is just one address, or one line here from one address, but imagine that there are tens of different addresses, hundreds of different addresses, that are all consolidating to this one address right here and consolidating all those different victim funds. Then we see the funds move to new addresses in preparation to start to interact with exchanges. And once we get to the exchanges at the bottom, the numbers are pretty staggering. We see $10 million going to a single deposit address at an exchange on one line there, $31 million at another. And when we tally up all of those different values that we see from this flow of funds, we end up finding $143 million worth of additional stolen value. So in combination with what MetaMask initially provided, we have a $227 million scam. This is by this point in the top five DeFi exploits category. And this is just from all the different victims, all the different users, that in aggregate end up being just as big of an activity. Now this is the known value. When we look at that entire network and look at what funds are actually going to exchanges, we see $1.2 billion. So we can't know without further investigation that all of those funds are coming from this one Tether scam, but it shows what the upper bound of this scam's value could really be. The other thing is that we do see that on-chain coordination. We see that the same recipient addresses are being used across different transfers from scammer addresses. So we see the consolidation points.
We know that there is definitely some coordinated activity here and that there is one actor behind at least the majority of this exploit. And we can take this a step further. So we can do probabilistic analytics on other addresses and say, do we see other addresses that are showing the same pattern of activity as the ones that we've manually identified? And with that we see another 375 potential addresses. So this is just one example of us working with MetaMask to find the scam and find its full extent, but really we want this to be a starting point, and we really want all of us as a community within the security space to try to work a lot more closely together. And we can raise the cost for bad actors by trying to use some of these different points. This is something that is not just unique to us. We know that those that are working in the ransomware space have done a good job with trying to work a lot more collaboratively, and we think we can do a lot of the same things here. So trying to have more data sharing between the victims and the incident response firms, trying to use blockchain analytics more and focus on that combination of off-chain and on-chain together. Trying to have more public-private collaboration and trying to identify trends and share that research with each other. So we're all kind of working right now a little bit more in our own silos, but maybe we can start a conversation about how we can start to communicate more and try to use all of these assets that we have to our advantage to prevent next year having quite as many exploits as this year. So with that, we thank you very much. We would really like to talk with each and every one of you after this if you have any ideas about how we can collaborate or where we should take this from this point here. Definitely feel free to follow us and reach out to us. I think we have a couple of minutes if anyone has any questions offhand. Yeah.
Oh yeah, so the question was: in the traditional cybersecurity space, we talk about APTs, advanced persistent threats, whereas we use the term coordinated adversaries. We didn't want to confuse the cybersecurity side of things, because maybe some of these coordinated adversaries aren't really an advanced, super tech-sophisticated threat, but mostly it's just terminology of choice. Yeah.

So in the case study we saw here, we represented something that was supposedly not looking like it came from the Lazarus Group or the DPRK, but why? Why does this not look like it comes from the DPRK or the Lazarus Group?

I mean, exactly for the reasons that we were talking about. So using that off-chain and on-chain pattern, and from what we have historically known about how Lazarus tends to do spear phishing or use certain methods off-chain, how they tend to launder on-chain, it just isn't following that pattern.

Thank you for the talk today. Briefly you mentioned that you used checking how wallets were funded as a means to investigate. What were the other tactics? I heard you say you use other tactics. What are the other tactics that you use?

Yeah, I'll take that one. So my day job is actually to run training courses on that. Unfortunately, it's gonna take like eight hours to really delve into that one. But there's a lot of different directions to look in. Generally we look both forward and backward to see where the funds are going, where they came from. And then a lot of times with a persistent group like this, there's some sort of testing effort as well. Mapping out the testing effort can often be very illustrative. But we can definitely chat more on the side. Yeah, I think we can do one more, probably.

So the question was, with respect to ZK rollups and other ZK chains, how does that potentially interfere with blockchain analytics? It definitely depends. I'll give you the non-answer there. Different chains come with different considerations there.
But as our co-founder stated, these groups, especially Lazarus, are moving something like $600 million in a shock. Like that's kind of tougher to hide. So if you're operating at that volume, it's hard to hide that amount. Well, thank you, everyone. Definitely feel free to find us later.