Avalanche Bridge mixes in $300M of North Korean and other tainted crypto
Ava Labs' centralized bridge has mixed the assets of bonafide users with stolen assets deposited by rogue states

Whistleblower appeal: With these disclosures, we aim to show people who are not crypto insiders what goes on behind the scenes. Do you want to be part of this movement? If you have any further information on this case and the different parties involved, become a whistleblower for Crypto Leaks and join our movement bringing honesty and integrity back to the crypto community.

CASE #6  May 20, 2023

Corruption of Retail Assets

Ava Labs is the for-profit company that develops, promotes and operates the Avalanche blockchain. The company also operates the "Avalanche Bridge." This service allows users to deposit assets they hold on other blockchains, and receive wrapped versions of the assets on Avalanche, where they can be used in DeFi systems installed there, such as borrowing and lending services. At a later date, users can redeem the wrapped assets for the underlying assets, which Ava Labs maintains in a pool. The assets desposited by users include bitcoin, and assets on Ethereum, including ether, Daicoin and Tether.

The Avalanche Bridge has retail users firmly in mind and has been widely promoted by Ava Labs. However, for reasons we shall explore, bad actors including North Korean hackers and Russian spies, have deposited almost $300M in tainted and stolen assets into the Avalanche Bridge. Oftentimes the assets have been transferred from dark net markets, mixers, or accounts that are banned by OFAC (Office of Foreign Assets Control). These assets have become co-mingled with bonafide user assets in the pool of assets that Ava Labs maintains.

Retail users could now be subjected to financial loss:

  1. Desposited assets swapped for tainted. When a retail user redeems their wrapped assets, instead of receiving the bonafide assets they originally deposited into the pool, they may receive tainted or stolen assets, which cannot be sold on centralized exchanges, or should be returned to their rightful owner;

  2. Acquired assets tainted. A retail user who legally acquired wrapped assets using the DeFi systems on Avalanche, may have the same problem on redemption, and;

  3. Risk of seizure. Authorities may now seize the entire pool of assets that Ava Labs maintains for the Avalanche Bridge, now that the nature of its contents have been exposed.

North Korea and Rogue Nuclear Weapons

Illegal nuclear weapons being funded.

The largest portion of the tainted assets come from sources linked to Lazarus, a hacker group that collects funding for the North Korean regime, which will aim to swap them for "clean" retail assets. North Korea is a rogue state, and stolen funds laundered by Lazarus directly finance its illegal nuclear weapons program, which could cause death and suffering on an apocalyptic scale.

Blue Marble. Red Marble.

Using the Bitcoin network, it is possible to trace individual batches of coins, such that a batch can be determined to be stolen, originate from an account sanctioned by OFAC, a dark net market, or has been passed through a mixer. Other cryptocurrencies, such as ether, can be collected into a single balance at an address and indistinguishably mingled. However, if an address is controlled by a centralized entity such as Ava Labs, an authority may still determine some portion are stolen, or belong to nefarious entities, and lay claim to them.

The pool of assets that Ava Labs maintains for the Avalanche Bridge, which back the wrapped assets, can therefore be thought of like a bag of marbles, where bonafide balances of assets are blue marbles, and tainted or stolen assets are red marbles. To avoid loss, a retail user must redeem their wrapped assets for blue marbles, and do so while the bridge remains free to operate.

If a wrapped asset balance is redeemed for a red marble, such as a stolen balance of bitcoin, in principle the red marble can be re-deposited into the Avalanche Bridge, and then redeemed again, for another chance at getting a blue marble from the bag. This process can be repeated until a blue marble is obtained. However, over time, the use of such tactics will increase the concentration of red marbles in the bag, making it harder and harder for users to obtain blue marbles. In the end, only red marbles will remain.

How Did This Happen?

Ava Labs built the Avalanche Bridge in a centralized way, and neglected to add systems that properly checked the source of assets being deposited. (Ava Labs is a corporation we have covered before in Case #3 and Case #5.)

To capitalize on the crypto bull run, the corporation had quickly adapted the open source software that powers the Ethereum network, to create Avalanche, a completely new Proof-of-Stake network, which now primarily runs on cloud services such as Amazon Web Services. Their next step was to import clones of the DeFi systems running on Ethereum by promising to pay $180M to its developers. However, for these cloned DeFi systems to be useful, they also needed access to the assets stored on Ethereum. To solve this problem, Ava Labs built and operated the Avalanche Bridge.

As explained and exposed by spy video in Case #5, the Avalanche Bridge depends on centralized trust in Ava Labs. Rather than developing a provably secure public network protocol, Ava Labs chose to take a shortcut, and build using SGX "security hardware." This runs secret code developed by Ava Labs, which creates the Avalanche Bridge. However, because it runs inside a private "enclave" to obscure its workings, hackers likely calculated that this would also obscure asset movements, making it the perfect crypto mixer/tumbler for use in their money laundering efforts.

Blockchain Tracing Data

The scale and nature of the problem can be understood using advanced blockchain tracing. Here we trace the movement of stolen and tainted assets into the Avalanche Bridge. The document allows you to click on transactions to open them inside a blockchain explorer.

Our research tracks crypto assets being deposited into the Avalanche Bridge from seven types of sources: mixers, OFAC sanctioned addresses, dark net markets, high risk exchanges, illicit actors, scammers, and stolen funds.

Download the blockchain analysis: c6-avalanche-bridge-disaster.pdf

Cannot display PDF. Please download.

Proposed Solution

By promoting the sale of AVAX tokens to retail investors, Ava Labs corporation, and its founders and investors, have accumulated huge wealth — while those same retail investors have often found themselves holding bags of tokens heavily in loss. It is time for Ava Labs both to backstop their community and prevent further funds being laundered for Lazarus and others. They should immediately freeze the pool of assets backing the Avalanche Bridge, and provide them to the relevant authorities. Then, they should create a new "compensation service," which allows those holding wrapped assets to redeem them for assets that are not stolen or tainted, which Ava Labs can purchase from exchanges such as Coinbase or Binance.

Taking these steps will protect their users from loss, and also prevent stolen and tainted assets from being withdrawn and re-distributed throughout the crypto ecosystem. If such actions are not taken quickly, experienced crypto users may extract all untainted crypto assets from the Avalance Bridge, ensuring that the retail investors whom Ava Labs induced to deposit clean assets, may have to withdraw tainted tokens (as explained in "Blue Marble. Red Marble"). Will Ava Labs do the right thing to protect those it induced to use the Avalanche Bridge, and prevent further money laundering via its centralized systems?

Read other case investigations...