On March 15th, 2023, Euler Finance, a decentralised finance (DeFi) protocol built on the Ethereum network, suffered a flash loan attack resulting in the loss of $199 million worth of digital assets. However, on March 21st, 2023, new developments emerged as North Korea’s Lazarus Group, the same group responsible for the $540 million Ronin Bridge attack last year, attempted to steal from the Euler Finance hacker responsible for the recent attack.
The Phishing Attempt
The Lazarus Group sent a message from the Ethereum account used in the Ronin Bridge attack, directing the Euler Finance hacker to decrypt a message using a specific piece of software. The message contained a phishing attempt that aimed to steal the stolen funds from Euler Finance.
Euler Finance’s Response
Euler Finance, aware of the vulnerabilities in the software, stepped in to warn the hacker about the risks involved in using the software. The warning from Euler Finance was an attempt to prevent further theft of the stolen funds.
According to blockchain analytics firm Elliptic’s analysis, the Lazarus Group has been active in the cryptocurrency space since at least 2017, targeting both cryptocurrency exchanges and DeFi bridges. The group is known for its sophisticated hacking techniques and has been linked to several high-profile attacks, including the WannaCry ransomware attack in 2017 and last year’s Ronin and Horizon bridge hacks.
Elliptic also found that the Lazarus Group has been increasingly targeting DeFi protocols, likely due to the large amounts of money locked in these platforms. This highlights the need for increased cybersecurity measures in the DeFi space.
According to the SNYK Vulnerability Dastabase, the repository that the Lazarus group have linked to, has identified vulnerabilities in its elliptic library version 6.4.0, which can lead to the compromise of private keys.
The elliptic library is a popular cryptographic library used to generate and manipulate private keys in blockchain applications. The vulnerability in version 6.4.0 was identified and fixed in subsequent releases, but many DeFi protocols may still be vulnerable if they are using an older version of the library.
The attempted theft of the stolen funds from Euler Finance by the Lazarus Group highlights the need for increased cybersecurity measures in the DeFi space. The vulnerabilities in the elliptic library version 6.4.0 demonstrate the importance of regular security audits and updates in DeFi protocols.
100 ETH Payment
On March 17th, Lookonchain, another blockchain analytics firm, reported that an address controlled by the Euler Finance exploiter responsible for last week’s attack transferred 100 ETH, worth over $170,000, to a wallet associated with the Ronin Bridge exploit conducted by the Lazarus Group. The Ronin Bridge exploiter was previously identified by the US Treasury as belonging to the North Korean state hacking group. The transfer raises questions about whether the two hackers are the same person or if the transfer was intentional.
Days after sending the stolen funds to a North Korean address flagged by authorities, the attacker sent an on-chain message to Euler Finance on March 20th, expressing their willingness to negotiate and “come to an agreement” with Euler.
“We want to make this easy on all those affected. No intention of keeping what is not ours. Setting up secure communication. Let us come to an agreement,”Euler Exploiter
Euler Finance replied with its own on-chain message just hours later, acknowledging the attacker’s message and requesting to continue the conversation “in private.”
The transparency of blockchain technology has allowed for forensic analysis of these attacks and the identification of potential threats. Collaboration between cybersecurity firms and DeFi protocols is essential to prevent and mitigate future attacks. The DeFi space must remain vigilant in its efforts to secure the platform and protect the funds of its users.