Hackers switching to centralized exchanges to fund crypto attacks

There is growing concern about the number of crypto hackers using centralized exchanges to fund their attacks.

In order to pay the transaction fees necessary to carry out attacks, hackers must first fund their wallets. However, given the transparency of a public ledger, they have to carefully consider how to do this without linking themselves to the crime.

Tornado Cash used to be the industry standard for covering one’s tracks, used by hackers and privacy advocates alike.

Now, it appears that in many cases, hackers simply opt to skirt their way around exchanges’ know-your-customer (KYC) procedures when funding their accounts.

Blockchain monitoring firm Forta Network’s analysis of funding sources for recent attacks shows that the hacker’s favourite Tornado Cash now represents just under half the hacks studied, with funds coming from centralized exchanges (CEXs) in a third of cases.

Other funding methods included novel privacy tool Railgun and ‘middleware operations software’ UnionChain, making up 6.7% apiece, as well as cross-chain swaps via Squid router, which accounts for 3.3%.

Read more: Explainer: What to know about crypto mixer Tornado Cash

The dataset is made up of addresses used in 30 recent flash-loan attacks, including November’s intricate $48 million hack of decentralized exchange KyberSwap, back-to-back attacks on Arbitrum projects Radiant Capital and Gamma Strategies, and a thwarted $1 million governance attack on NFT project Loot last month.

Although Tornado Cash remains the dominant source of funding for on-chain hacks, matters have been complicated for hackers trying to cash out after the US Treasury placed sanctions on the crypto mixing service in August 2022.

After the sanctions, addresses that have touched any ‘tainted’ funds originating from the mixer are generally flagged by exchanges, making it a poor choice when needing to convert any ill-gotten gains to fiat currency.

A recent article from 404 Media claims to have used a $15 AI-generated fake ID from a website named OnlyFake to pass KYC checks on OKX, the funding source of one of the attacks studied by Forta.

With these AI tools, there is no need to purchase stolen credentials, or ‘fullz’ on the darknet, hackers can simply generate an entirely new person, and all their corresponding documentation. 

Such a significant proportion of attacks being exchange-funded shows just how easy bypassing KYC has become, a trend that is likely to continue with more widespread use of similar tools.

Read more: Iranian crypto exchange Bit24 reportedly leaks 230,000 users’ KYC data

Although the hackers run the risk of the CEX blocking their funds, they might feel somewhat safer leaving less of a trail on-chain.

While dodging genuine KYC checks may present a problem to the crypto industry in on-ramping hackers, the problem is bound to affect many other industries. Ironically, the widespread use of cryptographic proofs, the technology underlying cryptocurrencies, may be the solution to these kinds of issues in the future.

However, for now, there are reasonable doubts over how seriously exchanges take their role and how stringent KYC controls really are.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on XInstagramBluesky, and Google News, or subscribe to our YouTube channel.