Hackers stole billions in crypto to keep North Korea’s regime afloat
wsj.com | 125 points by Bostonian 8 days ago
If cryptocurrencies are self-regulating, aren’t the techniques used by these hackers actually the best and most effective way to play the game by its own rules? Calling this behavior “cheating” smells of sore-loserism.
There is a certain Bitcoin evangelist who will preach the gospel of a self governing currency that via a system of rules will automatically validate transactions between trust-less parties in a decentralized manner over a globe-spanning internet protocol but then complain when that same system does not prevent them from accidentally sending the entire contents of their "wallet" to an address in North Korea.
The system does not represent ownership; the system only tracks the validity of transactions, and if the North Korean government proposes a valid transaction of your BTC or ETH to an address they control and a mining-node includes that transaction in a block which a majority of the network accepts, then those assets are no longer yours; they belong to North Korea.
The properties of the crypto-asset ecosystem which allow it to be ungoverned also make it ungovernable.
I would imagine exchanges these days routinely monitor incoming and outgoing transactions, and if they suspect the funds are stolen, they are frozen. I would imagine North Korea doesn't really have an easy job laundering that BTC they have stolen.
You're right, many crypto exchanges operating on the right side of the law will freeze these funds.
For those interested in this, CT (crypto twitter) makes tracking North Korea's stolen winnings a bit of a sport.
samczsun, an excellent security auditor who's working at Paradigm these days, broke down some of the org in a post the other day.
https://x.com/samczsun/status/1906754853063565720?t=N4aqa6Vy...
Taylor Monahan at MetaMask also makes a habit of tracing funds and shares some pretty interesting finds around NK's laundering efforts.
They are simply having to duplicate all the things Visa provides its customers.
BTC is inherently deflationary in the sense that once new coins cease to be mined the total number of BTC will decrease over time due to loss, theft and death. I know that I lost my wallet with the only BTC I owned 10 years ago. I can name several other people that have done the same. I would think this one property makes it undesirable for use as a currency.
> I know that I lost my wallet with the only BTC I owned 10 years ago. I can name several other people that have done the same. I would think this one property makes it undesirable for use as a currency.
How is this any different from losing your wallet with physical currency?
In many cases if you lose your physical wallet, someone else will find it and the cash will stay in circulation, but even if not, as physical currency is much more inflationary it's no big deal.
The second point is that most people keep a lot less money in a physical wallet, usually no more than say a few hundred dollars. Whereas a bitcoin wallet will often contain thousands or more so is more akin to a bank account.
Most of the lost coins will all be recovered by quantum computers. There is no way to update or fix the wallets they are stored in.
You can imagine things all you want, the rest of us will be over here in the real world.
"The shocking theft at WazirX, India’s largest cryptocurrency exchange..."
Oddly I am not in the least bit shocked. Now if we found out that this was an inside job I would again not be the least bit shocked.
It appears crypto is just speed-running the last few hundred years on their way to modern financial regulation
These are but pricey bug bounties. This will lead to a more efficient and secure cryptocurrency market, as participants will insist on better financial controls, threatening to flee to the regulated fiat markets if their needs are not met. /s
> These are but pricey bug bounties.
This isn't sarcasm to me, but the rest of your comment is.
[flagged]
What does this sentence even mean?
It is a reference to Magic The Gathering. Blue decks are known for wildly changing the rules of the game. Black decks are known for interacting with death and the graveyard which is where cards go after they are used.
A paraphrasing of the GP without using magic terminology is to say that they are playing by the rules in an unexpected way using unexpected combinations and sequences. More briefly "playing by the rules as written".
Tangential recommendation, but anyone interested in North Korean hacking should check out the BBC World Service's Lazarus Heist podcast[0].
0. https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads
This is the only promise that cryptocurrency held. Avoid government barriers. So we should celebrate the fact that it was not a complete scam.
I disagree. There's a tremendous amount of waste in the economy related to reconciling different companies' records of who owes what to whom and then getting that info to the bank and then hearing back from the bank about whether the debt was fully or partially paid and then relating that to whether the service continues to be rendered.
Moving from an accounts-receivable/accounts-payable model to an insert-coin-receive-service model would be a huge advantage.
It just hasn't happened because the vibes are wrong and it appears that they'll stay wrong for a while.
> Moving from an accounts-receivable/accounts-payable model to an insert-coin-receive-service model would be a huge advantage.
Why would the method of payment affect how you track accounts payable/receivable in your books?
Maybe there were better words I could have used there, sorry.
You can of course track it however you want, but the complexity of what you end up tracking explodes if you're operating on something like a monthly billing cycle. Especially if you have more than one financial institution with an opinion about whether money should/did get moved.
I've been involved with the maintenance of several billing pipelines and having to handle events like maybe the bank was only able to collect half of this person's bill but it took them a few days to let us know that, but we've already sent that money over here so now we have this deficit and do we shut off their service over a deficit of just $5...
It's a nightmare that's totally orthogonal to the business that's being run. Nobody wants to be on the billing team, but it's viewed as a necessary evil. But I'm saying that it's an unnecessary evil. If you can very quickly settle up for practically nothing, then you can just build the app to withhold service for a few milliseconds until payment clears and then there's no debts to keep track of and resolve later. And having it on a public blockchain means that if you're collaborating with other companies over how the pie gets sliced, there's a single source of truth for how big the pie actually is.
> There's a tremendous amount of waste in the economy related to reconciling different companies' records of who owes what to whom and then getting that info to the bank and then hearing back from the bank about whether the debt was fully or partially paid and then relating that to whether the service continues to be rendered.
Is all that really a tremendous waste, in the days of databases and instant communication? How much waste are we talking about here? I'd wager a lot of money it's at least one order of magnitude less than the literal heat waste produced by validating bitcoin transactions. Crypto is much more wasteful.
> Moving from an accounts-receivable/accounts-payable model to an insert-coin-receive-service model
The monetary system isn't what's preventing this. You can't provide a service and also charge for it in the exact same instant. If I hire a contractor to renovate my bathroom, there's a ton of negotiation, possible disagreements about whether the work is "done" or not, payment deadlines, etc., and crypto vs. fiat currency changes none of that.
> You can't provide a service and also charge for it in the exact same instant.
Sometimes you can, and it's those cases that I'm thinking of.
But even when you can't, why not create the transaction up front and include the conditions under which it should or should not proceed at a later date? If you want a third party as a mediator, just in case, why not make that part of the transaction too? Why not ensure now, that the money you'll be paid later, actually exists and can't be spent on something else in the meantime?
So much becomes possible if both parties are on the same page yet neither had to build that page from scratch.
> How much waste are we talking about here?
Well there's all the business that doesn't happen because while I'm a bit curious about your service, I'm not curious enough to give you my credit card and trust your pinky-promise that you'll charge me like you said you would.
And then there's the business that doesn't happen because micropayments are required for the business model (many tiny credit card transactions being prohibitively expensive).
And then there's all the money that gets wasted when resolving disputes in court when mediators could've been bound to the transaction up front--mediators who are more familiar with the parties and the situations and who have access to a single source of truth about the nature of the disagreement rather than having to reconcile both versions of some "handshake agreement".
And then there's maintenance for all that billing pipeline code which is implemented over and over again--slightly differently by each company but rarely meaningfully so--which has to account for two worlds: one which creates debts, another which eliminates them, just to align the conjunction of those worlds to an arbitrary cadence (typically monthly) which has no correspondence with the product's usage. If you offload the accounting to public infra immediately, then you don't have to build and maintain infra which keeps both worlds in sync.
All told, I think it's quite a lot. As for the waste heat from bitcoin--yes, bitcoin is stone-age crypto. What we need for this probably doesn't exist yet.
I just don't see most of what you're talking about as either actual problems, or as caused by fiat currency / solved by crypto.
> why not create the transaction up front and include the conditions under which it should or should not proceed at a later date
Forcing people to commit money to some Ethereum contract before work can begin is not going to grease the wheels of commerce. You hire an engineering firm to design a new regional airport for tens of millions of dollars over three years, and you're supposed to stick all that money in some crypto account where nobody can touch it until an oracle says the work is complete? Where any bugs or security flaws or front-runners might just steal or lock away all the money with no recourse? In the real world, no party ever holds the entire pot of money all at once -- that's a cashflow nightmare! You seem to be lamenting the cashflow problems caused by our current system (which companies would indeed pay a lot to improve), and your solution is to lock up the entire contract value ahead of time?
The current way that people are paying each other is not a problem that needs to be fixed.
> the business that doesn't happen because micropayments are required for the business model
The world is lousy with microtransactions. I heard about this being a problem a decade ago, but not anymore. Besides, what are the current gas fees on major crypto platforms? Isn't crypto terrible for microtransactions?
> money that gets wasted when resolving disputes in court
If people are still signing contracts with each other, this is still happening. Crypto does not solve this. This will still happen, plus all the money that gets wasted when their bitcoin wallet is stolen or their contract is front-run or there's a bug in the exchange.
> maintenance for all that billing pipeline code which is implemented over and over again--slightly differently by each company but rarely meaningfully so--which has to account for two worlds: one which creates debts, another which eliminates them
There are somewhere around 20,000 cryptocurrencies in existence. Twenty thousand. You're lamenting the fact that different companies have to handle dual-entry accounting, a relatively simple practice that has remained basically the same for hundreds of years, to the complexity of implementing cryptocurrency exchanges and blockchains correctly? Why can't companies just rely on third parties for fiat transactions? You're comparing crypto and fiat on completely different playing fields here. A bug in your fiat accounting code requires a manual correction, maybe an audit, and possibly a court case. A bug in your crypto code can permanently cost you all your money with no possible recourse.
> What we need for this probably doesn't exist yet.
So you're comparing the problems with our current fiat system with some hypothetical perfect future crypto system and saying the crypto system is better. Yes, I could compare anything that is happening now with a hypothetical future perfect alternative that might not be possible, and the latter will always look better. That is utterly meaningless. When you compare our current fiat system with any crypto systems that currently exist, the crypto systems are significantly worse in almost every way, except for buying drugs and scamming people. If you have a thousand "innovation points" that you can spend making a cryptocurrency system that doesn't have these problems (doubtful), why not spend that innovation on specific improvements to specific problems with the fiat system instead?
> So you're comparing the problems with our current fiat system with some hypothetical perfect future crypto system and saying the crypto system is better
Well yes, I was attempting to refute:
> This is the only promise that cryptocurrency held
My claim is that there are other promises. I hear you say
> The current way that people are paying each other is not a problem that needs to be fixed.
...and I couldn't disagree more. Have you ever worked at a payment provider? Your code ends up with other payment providers in all directions and the user is nowhere to be found. It's just a big pile of parasites fighting over the money pipe. Outside of work I'd strike up a conversation with a merchant about how I'm familiar with their POS equipment, and there I'd learn that it's practically a hostage situation.
The liquor store near my house has two entirely separate POS systems pointing at two separate bank accounts and they just direct customers to whichever one happens to be enlisted in the least-objectionable shenanigans at the moment.
The needs of the people are not being served, especially if they're people who can't afford a lawyer.
I'm not proposing that anybody should have to use crypto. I'm saying that when crypto is ready, those who do use it will have a competitive advantage because they won't have to deal with the drag exerted by the existing system. The multiplicity of platforms won't be an issue because those two people--whoever they are--will agree on whichever one fits their use case (though I expect they will be fewer by then).
> why not spend that innovation on specific improvements to specific problems with the fiat system instead?
Because the fiat system was not designed to solve any of the problems we're talking about. It was designed to feed the Roman war machine, and since then its primary purpose has been to ensure that power structures established by varying forms of violence remain in effect without the need to trot out that violence again.
It's not the kind of thing you can incrementally improve on. It has the problems it does because the people who maintain it want it to have those problems.
Take credit card companies for example. There's a lot they could do to prevent fraud--there are many ways to build a system where payments happen without leaving secrets like credit card numbers out in the open. But they don't want to solve that problem because it's a problem that puts them in a privileged position--they get to be the money-censors, which is a powerful position that they frequently abuse.
Or consider health insurance claims. They could absolutely provide a price to the patient within a minute or two--fast enough for the patient to factor it into whether or not they get the procedure. But having the bill come six months later and full of surprises is a feature for them, not a bug.
We have a lot of harmful middlemen. Improving the fiat system would just improve their capacity to do harm.
It may be in a pretty embarrassing state right now, which I hope it snaps out of, but crypto is at least compatible with the idea that we could put control over the system in the hands of its users. Fiat is not.
I know this is hard for techies to hear, but the way you fight existing power structures is by organizing, petitioning, protesting, voting. Political, in other words. No technology is going to come and save us from powerful people exploiting the poor if we keep voting for the biggest assholes on the planet. Ironically, most of the people advocating for crypto to save us from powerful people are exactly the same people voting for the absolute worst people whose campaign promises are to fuck over the poor and exact revenge on their political enemies. So it's hard to take the argument "I'm pro-crypto because it rages against the machine" in good faith when 99.8% of people making that argument are fighting tooth and nail to make it illegal to oppose the machine. But I'll assume you're in the 0.2% for sake of argument. The point stands: these are political problems, not technological ones.
> Because the fiat system was not designed to solve any of the problems we're talking about. It was designed to feed the Roman war machine
This is exactly why I'm saying you're comparing fiat vs. crypto completely unequally. If fiat was designed to feed the Roman war machine, then crypto was designed to buy drugs online. You're being reductionist and pessimistic when describing fiat and blindly optimistic when describing crypto.
> its primary purpose has been to ensure that power structures established by varying forms of violence remain in effect without the need to trot out that violence again.
The primary purpose of the fiat system is to allow more control and regulation over the system, mostly to avoid huge boom-bust cycles in the economy and more Great Depressions. That's genuinely it. Yes, much of the purpose of government is to enable the transfer of power without violence. If we're redesigning government, can we please keep that part? Right now, if I break into your home and hit you with a wrench until you tell me the private keys of your bitcoin wallet, I can steal all your money assuming I get away. If I break into your home and hit you with a wrench until you give me your credit card, there's very little I can actually do with that. The violence you're talking about is the violence of anarchy -- the exact same anarchy that you're touting as a benefit of crypto.
> Take credit card companies for example. There's a lot they could do to prevent fraud
Credit card companies do an enormous amount to prevent fraud, and they're incredibly good at it. And are you seriously claiming that crypto will have less fraud? Most of the ways that credit card companies deal with fraud is by immediately detecting and canceling fraudulent transactions -- something that is inherently impossible with crypto.
> --there are many ways to build a system where payments happen without leaving secrets like credit card numbers out in the open
Yes, including in a fiat system! Here you are again comparing the current, flawed fiat system with some imagined future crypto system, but you can also imagine a better fiat system! And people are working on it, e.g. with chipped cards (yes it's annoying it's only for in-person purchases).
> Or consider health insurance claims. They could absolutely provide a price to the patient within a minute or two ... [previously] I'm not proposing that anybody should have to use crypto.
But if health insurance companies don't have to use crypto, and they benefit from the current system, then they just won't use crypto. So your problem is not solved. It's a political one, not a technological one.
Look, humanity has been getting incrementally better at this "government" thing over thousands of years. Yes, it's slow, and we backslide a lot. I'm pissed at entrenched power structures too. But these are political problems, and crypto just is not inherently a fix for these problems. The people "in power" could be megacorporations and aging narcissistic asshole rapist felons, or they could be scientists, human rights lawyers, passionate nerds, doctors, and even everyday people. It's largely up to us whether it's the former or the latter, and most crypto advocates today fight tooth and nail in favor of keeping power in the hands of narcissistic assholes.
If we're imagining a better world, why are we imagining one where existing shitty power structures just get torn down, and nobody has the power to stop scams, money laundering, illegal activity (we're not talking about buying fun drugs here either, we're talking about the bad shit), billions of dollars being funneled to North Korea (thanks, crypto!), small bugs in contract logic causing billions of dollars in losses, etc.? A world where a multi-billion-dollar project to build a new children's hospital requires some party to ever actually hold multiple billions of dollars in one pot, lock it up in some crypto contract for 5 years where it can't benefit the economy, and then have absolutely no possible recourse when it gets stolen and funneled to North Korea? Why is that the world we're imagining, and not one where power is just distributed better? Fuck crypto, vote better.
> these are political problems, not technological ones
That's a false dichotomy. Social media platforms are a technology, and it's a political problem that the biggest assholes on the planet tend to use them to get elected. The solution is a technological one, which is to build and use social media which do not give special privileges to an owner.
It's all bound up together.
> You're being reductionist and pessimistic when describing fiat and blindly optimistic when describing crypto.
My purpose in this thread is not to convince anybody that crypto is better than fiat, it's that crypto's potential is greater than fiat's potential. I'm being reductionist and pessimistic about fiat not to point out problems that it has not solved, but to point out problems that it is incapable of solving.
It's a bit like The Architect's speech in whichever Matrix movie: it's fundamental to the system that it creates these anomalies. It's not "the one" but it's definitely "the few".
> The primary purpose of the fiat system is to allow more control and regulation over the system
...and it does so by giving hopefully-trustworthy people the privilege to rewrite transaction history despite the transacting parties not having explicitly consented to that person having that power over that transaction.
The argument that crypto holds no promise besides grift rests on the wobbly assumption that the benefits of regulatory control cannot be achieved without creating those privileged positions--positions which end up being occupied by grifters.
It was once a necessary evil. We have a financial system based around scarcity because it was the only readily available implementation. The laws of physics ensure that certain things are scarce, so there was no need to build anything in order to enforce that scarcity. But there was also no hope of rewriting the rules of the system towards the elimination of its systemic problems. That has changed.
> most crypto advocates today fight tooth and nail in favor of keeping power in the hands of narcissistic assholes
That's true. It's horrible. Most crypto projects today are just a reimplementation of the scarcity-based system that the laws of physics handed our ancestors re: gold and such. We moved away from the gold standard for a variety of good reasons. The idea of returning to a gold-like system appeals to grifters because they don't like being limited by the fiat system. But there's no reason we can't build something that limits the grifters even more than fiat already does--and when we do that, should we really avoid using crypto for the job just because the grifters tend to use it also?
Crypto is not about artificial scarcity and passing tokens around. That's merely a rule-set that it supports. Its promise lies in the idea that we can implement other rule-sets as well--ones which are more sensitive to the needs of their users than either the physics-imposed system re: gold, or the bureaucracy-imposed system re: fiat.
I share your objections:
> detecting and canceling fraudulent transactions -- something that is inherently impossible with crypto
> and then have absolutely no possible recourse when it gets stolen and funneled to North Korea
...but these problems are the same as they were when we were moving chests full of gold coins around. It's a shame that people have used crypto to reinvent a scarcity-only system that the rest of us largely abandoned in the 1970's. But nothing about that precludes somebody using the same primitives to implement something better. It's like you're attacking angry birds and I'm defending mobile phones. The platform has merit, despite the existence of shitty apps. Let's stop using those apps.
We also want similar things. This sounds great:
> The people in power ... could be scientists, human rights lawyers, passionate nerds, doctors, and even everyday people
The structural problem with the fiat system is that those privileged positions--the ones that I claimed end up populated by grifters--when they end up populated by an altruistic person, they end up placing too heavy of a load on that person. The only way to do some of these jobs is to be at least partially negligent. I know several people who fit the description that you've given and they're doing good work. The last thing I want to do is encourage them to stop doing what they're doing and instead go be a politician--they're needed where they are.
The bureaucratic computer which implements fiat's rules is not sensitive to which users trust which other users. Sure, in some cases you need a bureaucrat whose full time job is to be the authority over some domain. But most of the time you don't. Most of the time you can get away with explicitly indicating an authority and giving them narrowly scoped power. Some scientist, some doctor, some passionate nerd... One who knows both parties to a contract/transaction, somebody who has a track record of keeping their promises. By all means let's vote for these people if they want a permanent political role, but we shouldn't have to wait for an election to do that. With crypto it can be much more granular.
We can come up with a set of rules that lets us unambiguously grant those individuals the kind of control that the fiat system gives us, but over such a limited scope that they don't have to stop doing whatever they were doing that makes them awesome to go be a politician instead, and which doesn't give them so much power that they become a magnet for the corrupting factors that plague the fiat system.
Sometimes you need a judge and a court and a lengthy trial, but other times you just need another professional to look at the work and say "yeah, that's good work, you should be paid for it". Crypto is a more flexible medium through which both parties' trust of an individual can be made explicit and through which their assessment can be made binding.
> Fuck crypto, vote better.
We can vote better while also building better things. But if those things are operated by a single corruptible party, then they'll never be as good as equivalents that aren't (that means using crypto). Fuck artificial scarcity, let's build a world without it, because it's where the biggest assholes on the planet get their power.
Thank you for the good discussion. I think we share a lot of the same vision. I'm more pessimistic than you about inherent limitations in crypto (and more optimistic that there's still room for improvement in fiat), but I hope you're right that the limitations of current crypto can be overcome. Your vision sounds a lot like an idea I've had for a more "open-source government" where laws are drafted as series of commits by experts in that topic, and debate happens over individual merge requests, etc. I don't know how crypto is supposed to help with that but maybe there are things I'm just not seeing. I hope there's a way to get the best of both systems.