South Korean exchanges to step up monitoring as global fraud, exploits surge

South Korea will try to stamp out ‘crypto’ fraud on domestic digital asset exchanges, as the pace and scale of blockchain-based scams, hacks and exploits reaches epic proportions.

Last week, South Korea’s Financial Supervisory Service (FSS) announced that its Virtual Asset Unfair Trade Monitoring System will be fully operational on July 19. The system is part of the country’s Virtual Asset User Protection Act, an effort to stamp out corruption that threatens consumers participating in the country’s digital asset ecosystem.

Local exchanges previously relied on a hodgepodge of data monitoring tools that were deemed incapable of adequately ensuring operations were on the up and up. The FSS now says a “unified trading data form standard has been established to detect and extract abnormal transactions, and each exchange has established a computer system accordingly.”

The FSS claims the new unified system will monitor nearly all local exchange transactions for price and volume metrics outside the normal range (suggesting market manipulation or other illegal activity). The country’s registered exchanges will be required to report such activity immediately.

Exchanges are also facing new restrictions regarding which tokens they choose to list, as well as a review to determine whether assets currently on offer should be delisted. A group representing 20 domestic exchanges recently issued a Virtual Asset Trading Support Best Practices document that offers guidelines for reviewing token listings, with leeway given to tokens that have traded for over two years in markets with “sufficient regulation.”

South Korea’s Act imposes severe punishments for exchange operators who color outside the lines. The Act requires exchanges to keep 80% of customer deposits in cold storage and maintain insurance funds to compensate users in case hackers breach an exchange’s firewalls.

That threat of hacks is increasing, and not just because South Korea lives next door to the regime responsible for the world’s most aggressive and prolific ‘crypto’ hacking group. But a flurry of new reports show the threat of hackers, scammers and fraudsters is a truly global phenomenon, one that shows little signs of letting up anytime soon.

Thug life

The ‘whitehat’ hacker group Immunefi recently issued its report on ‘crypto’ losses in the second quarter of 2024. A total of $572.7 million was lost in the three months ending June 30, up 112% from the same period last year.

Of the total lost, $564.2 million (+155%) was attributed to 53 specific hacks and just $8.5 million (-81%) from 19 instances of fraud, scams and rug-pulls. Just $26.7 million of the sum lost in Q2 was ultimately recovered, a mere 5% of Q2’s total losses (although that’s an improvement on the 3.9% recovered in Q2 2023).

Centralized exchanges saw their Q2 loss figure soar by 984% year-on-year to $401.4 million. There was a 25% reduction in decentralized finance (DeFi) losses ($171.3 million) compared to the same period last year. Ethereum was the most targeted blockchain with 34 incidents in Q2, while Binance’s BNB Chain ranked second with 18 incidents and Arbitrum placed third with four incidents.

In the first half of 2024, overall ‘crypto’ losses hit nearly $921 million, up 24% year-on-year. Of this sum, $358.5 million was lost in May, driven by the $305 million hack of Japan’s DMM Bitcoin exchange (Turkey’s BTC Turk exchange lost $55 million in June). March saw the largest losses due to fraud, at $6.5 million.

Opinions are varied as to what constitutes hacks and exploits (eye of the ‘behodler’?). For instance, a different report by TRM Labs puts 2024’s dollar value lost to hacks through June 24 at $1.38 billion, twice the sum lost at this time last year. The five largest hacks/exploits accounted for 70% of the total lost, while the median hack value was 150% larger than in the first half of 2023.

On a plus note, the 2024 total is one-third smaller than the record sum lost in H1 2022. TRM observed that the volume of hacks/exploits tends to surge during periods in which token values are inflated, which is why the ‘crypto winter’ of 2023 appears to have robbed hackers of much of their motivation.

DefiLlama offered a different total of $644 million lost to phishing attacks, compromised private keys and other security shortcomings so far this year. That’s up by more than one-half from the total losses DefiLlama reported at this point in 2023. This dire scenario is expected to worsen due to the proliferation of open-source hacking software—including infostealer malware—across dark-web forums.

AI deepfakes making things worse

Access to high-end malicious toolkits is being made even worse through the new phenomenon of deepfakes powered by artificial intelligence (AI). A new report by the Bitget digital asset derivatives exchange claims deepfake crypto crime losses hit nearly $6.3 billion in the first quarter of 2024, putting the full-year sum on pace to more than double 2023’s total losses.

Bitget claims the Q1 deepfake share of fraud activity topped 47%, second only to the 49.3% observed in Q2 2023. (Both quarters scored high on the ‘greed’ side of the dreaded ‘Fear and Greed Index’ that details ‘crypto’ investor sentiment.) But the Q1 2024 dollar figure of deepfake losses hit an all-time high of over $6 billion and the increasing sophistication of these scams suggests the worst is yet to come.

Bitget flagged a wide variety of deepfake crypto crimes, including (but not limited to) deepfake-generated fake IDs for bot networks, ransom and extortion, social engineering attacks, credential stuffing, cryptojacking and more.

Bitget lumped all these efforts into four generalized categories: ‘scams, fraud and deception’ (including ‘fake news’ reports) accounted for 53.3% of all deepfake-related crypto crimes, followed by ‘market manipulation and exploitation’ (28%), ‘identity and impersonation fraud’ (14.2%) and ‘cyber extortion and regulatory violations’ (5.5%).

Bitget says efforts to mitigate deepfake-related crimes will depend on regulators working with both AI developers and digital asset operators within their respective borders while also strengthening international cooperation. Without the latter, “we risk witnessing a geographical shift in victimization, as illegal operations may simply move from one country to another.”

Who watches the watchmen?

Cooperation between digital asset platforms and ‘whitehat’ security outfits should also be a priority, but one recent episode involving the U.S.-based Kraken exchange and blockchain security firm CertiK has shown that these relationships aren’t always symbiotic.

The public version of this tale began on June 19, when Kraken’s chief security officer, Nick Percoco, tweeted about receiving a Bug Bounty program alert on June 9. The alert came from an unspecified security researcher regarding an “extremely critical” bug that allowed the researcher “to artificially inflate their balance on our platform.”

Percoco said Kraken confirmed the bug was real, and the hole was patched in “47 minutes.” The bug “allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”

Percoco said Kraken’s investigation showed three accounts had “leveraged this flaw” and that one of these accounts “was KYC’d [know your customer] to an individual who claimed to be a security researcher.”

This account used the bug to credit their account with $4, but instead of immediately alerting Kraken and collecting the bug bounty, Percoco claimed they flagged the bug to “two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts.”

Percoco added that Kraken asked the researcher for specifics on how the bug was discovered and also asked for the return of the funds. There are “common practice” steps in traditional bug bounty programs, but the researchers “refused.”

The researchers allegedly replied that they wouldn’t return the funds until Kraken provided “a speculated $ amount that this bug could have caused if they had not disclosed it.” Percoco likened this request to “extortion.”

While Percoco didn’t name names, CertiK outed itself a few hours later, describing its bug-hunting process. But CertiK also wondered why “for several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK. The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts was a part of our testing.”

Moreover, Percoco’s claim that “no client’s assets were ever at risk” and that the withdrawn sums came from “Kraken’s treasuries, not other client assets” bears further scrutiny. If the withdrawals were made through wallets that only deal with customer withdrawals/deposits, that $3 million was customer cash, not Kraken’s. Unless, of course, there’s some undisclosed FTX-style commingling of operating capital and customer deposits going on.

Off-white hat

While CertiK ultimately returned the $3 million, a CertiK-linked digital wallet was found to have sent some funds to Tornado Cash, the controversial coin mixing service that’s been the subject of criminal prosecutions on multiple continents. Tornado Cash is under sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), meaning anyone using it to ‘clean’ improperly obtained funds can face seven-figure fines.

North Korea’s premier hacking group Lazarus Group is known to be big fans of Tornado Cash to launder their ill-gotten tokens. North Korea is also known to be sending tech-savvy citizens abroad to join fintech projects and subvert them from within, leading some to speculate that CertiK may have been compromised in this fashion.

Another sleuth flagged that some of the USDT (Tether) stablecoins withdrawn from Kraken had been swapped for ETH and sent to ChangeNOW, a non-KYC exchange. Why exactly a ‘security’ researcher would see any of the above obfuscation moves as necessary steps in the bug-hunting process is unclear.

It got worse, as other sleuths claimed that a Certik-linked wallet had begun probing the Kraken vulnerability on May 27, well before the June 5 date that CertiK publicly claimed to have “found the initial issue.”

In a bid to lower the temperature, CertiK issued a “Q&A” on the brouhaha defending its actions but, if public comments are any indication, failed to resolve much of the controversy surrounding this episode.

It says a lot about ‘crypto’ that even those who purport to be the good guys guarding the flock from predatory wolves can occasionally appear to be wolves in sheep’s clothing. Can’t wait for the horror movie adaptation when we learn the call is coming from inside the blockchain.

Watch: Why Proof of Work is the most secure model of consensus