Skip to content

Latest commit

 

History

History
271 lines (222 loc) · 12.6 KB

File metadata and controls

271 lines (222 loc) · 12.6 KB

SAF-T1915: Cross-Chain Laundering via Bridges/DEXs ("Chain-Hopping")

Overview

Tactic: Exfiltration (ATK-TA0010), Defense Evasion (ATK-TA0005), Impact (ATK-TA0040)
Technique ID: SAF-T1915
Severity: High
First Observed: Not documented in production (technique analysis based on industry reports)
Last Updated: 2025-11-02

Description

Adversaries obscure the provenance of illicit value by moving funds across multiple blockchains (e.g., Ethereum → Avalanche → TRON) using cross-chain bridges, decentralized exchanges (DEXs), swap/aggregator services, and wrapped assets. This "chain-hopping" breaks simple single-chain traces and is often combined with mixers and stablecoin swaps before cash-out at custodial off-ramps.

This technique exploits the technical complexity of tracking assets across multiple blockchain networks with different architectures, consensus mechanisms, and transaction formats. By fragmenting transaction trails across chains, adversaries increase the difficulty and cost of forensic analysis for investigators and compliance teams.

Attack Vectors

  • Primary Vector: Cross-chain bridges for multi-hop asset transfers
  • Secondary Vectors:
    • Decentralized exchanges (DEXs) for intra-chain swaps
    • Wrapped asset protocols for cross-chain value representation
    • Stablecoin pivoting (USDT/USDC/DAI) between chains
    • Custodial off-ramps and OTC services for final cash-out

Technical Details

Prerequisites

  • Ability to control a source wallet/key or an MCP tool that can sign transactions
  • Access to bridge and DEX infrastructure (public smart contracts, RPC endpoints)
  • Liquidity in target assets and available off-ramp

Attack Flow

  1. Placement / Initial Control: Funds controlled on Chain A (often from a compromise, fraud, or skimming event)
  2. Swap & Fragment: Swap into liquid/stable assets; split across fresh addresses
  3. Bridge Hop: Use cross-chain bridge smart contracts to mint/burn wrapped assets and move to Chain B (sometimes repeating to Chain C)
  4. DEX Hops: Use DEX/aggregators for intra-chain swaps; repeat bridging as needed
  5. Mixer (Optional): Where available, route into mixers; adapt to takedowns by switching services
  6. Off-Ramp: Consolidate and cash-out at custodial services/OTCs or continue layering

Example Scenario

{
  "scenario": "Automated chain-hopping via MCP tool",
  "attack_sequence": [
    {
      "step": 1,
      "chain": "Chain A",
      "action": "swap",
      "tool_call": "crypto_wallet.swap",
      "params": {
        "from_token": "NATIVE_TOKEN",
        "to_token": "STABLECOIN",
        "amount_usd": "10000"
      }
    },
    {
      "step": 2,
      "chain": "Chain A -> Chain B",
      "action": "bridge",
      "tool_call": "cross_chain_bridge.transfer",
      "params": {
        "from_chain": "chain_a",
        "to_chain": "chain_b",
        "token": "STABLECOIN",
        "destination_address": "fresh_address_1"
      }
    },
    {
      "step": 3,
      "chain": "Chain B",
      "action": "swap",
      "tool_call": "dex_aggregator.swap",
      "params": {
        "from_token": "STABLECOIN_A",
        "to_token": "STABLECOIN_B"
      }
    },
    {
      "step": 4,
      "chain": "Chain B -> Chain C",
      "action": "bridge",
      "tool_call": "cross_chain_bridge.transfer",
      "params": {
        "from_chain": "chain_b",
        "to_chain": "chain_c",
        "token": "STABLECOIN_B",
        "destination_address": "fresh_address_2"
      }
    },
    {
      "step": 5,
      "chain": "Chain C",
      "action": "off-ramp",
      "tool_call": "exchange_deposit.send",
      "params": {
        "destination": "custodial_service",
        "token": "STABLECOIN_B",
        "memo": "deposit_identifier"
      }
    }
  ],
  "obfuscation_techniques": [
    "Multi-chain hops to break analysis",
    "Fresh addresses at each hop",
    "Stablecoin pivoting between different issuers",
    "DEX and bridge combination",
    "Custodial service deposit for cash-out"
  ]
}

Advanced Attack Techniques

Observed variations of this technique include:

  1. Bi-directional Bridge Exploitation: Attackers use both lock/mint and burn/unlock mechanisms across multiple bridge protocols to create complex transaction graphs

  2. DEX Aggregator Layering: Using multi-hop DEX aggregator protocols between bridge operations to further fragment the trail and exploit different liquidity pools

  3. Wrapped Asset Cycling: Converting between different wrapped versions of the same asset (e.g., wrapped native tokens, wrapped stablecoins) across chains to exploit gaps in labeling and tracking

  4. Off-Ramp Concentration: Targeting known custodial exchanges and OTC services for final cash-out operations

Impact Assessment

  • Confidentiality: Medium - Transaction data is public on-chain but origin/destination relationships are obfuscated
  • Integrity: High - Legitimate transaction mechanisms are abused; trust in cross-chain infrastructure is undermined
  • Availability: Low - Does not directly impact service availability
  • Scope: Network-wide - Can span multiple blockchain networks and jurisdictions

Current Status (2025)

Organizations and regulators are developing mitigations:

  • Cross-chain analytics platforms are emerging to support bi-directional bridge tracing across multiple blockchain networks
  • FATF Targeted Updates (2024-2025) strengthen Travel Rule requirements for Virtual Asset Service Providers (VASPs), including cross-chain operations (FATF, 2024)
  • US Treasury DeFi Risk Assessment (2023) identified chain-hopping vulnerabilities and recommended enhanced monitoring (US Treasury, 2023)

Detection Methods

Indicators of Compromise (IoCs)

  • Rapid sequence of bridge lock/mint/burn transactions across multiple chains
  • Fresh addresses appearing immediately after bridge operations
  • Repeated stablecoin swaps (USDT/USDC/DAI) surrounding bridge operations
  • High-frequency use of multiple bridge protocols within short time windows
  • Deposits to known high-risk custodial off-ramps following multi-hop sequences
  • Transaction patterns matching known DPRK or ransomware operator TTPs

Detection Rules

Important: The following rule is written in Sigma format and contains example patterns only. Attackers continuously develop new chain-hopping techniques and bridge exploitation methods. Organizations should:

  • Use AI-based anomaly detection to identify novel cross-chain patterns
  • Regularly update detection rules based on threat intelligence
  • Implement multiple layers of detection beyond pattern matching
  • Consider graph analysis of cross-chain transaction flows
title: Cross-Chain Laundering via Bridge Hopping
id: a7f8c9d2-1e4b-4a5c-9f3d-8b6e2c5a1d9f
status: experimental
description: Detects suspicious cross-chain bridge usage patterns indicative of laundering via chain-hopping
author: SAF-MCP Contributors
date: 2025-11-02
references:
  - https://github.com/SAF-MCP/saf-mcp/techniques/SAF-T1915
  - https://www.chainalysis.com/blog/2024-crypto-money-laundering/
  - https://www.elliptic.co/hubfs/The%20state%20of%20cross-chain%20crime%202025/The%20state%20of%20cross-chain%20crime%202025%20-%20FINAL.pdf
logsource:
  product: mcp
  service: blockchain_tools
detection:
  bridge_sequence:
    tool_name:
      - 'cross_chain_bridge.*'
      - 'bridge.transfer'
      - 'multichain.*'
    action: 'transfer'
  timeframe: 1h
  condition: bridge_sequence | count(distinct_chains) >= 3
falsepositives:
  - Legitimate cross-chain arbitrage trading
  - Market maker operations across multiple chains
  - Multi-chain treasury management for DeFi protocols
level: high
tags:
  - attack.exfiltration
  - attack.defense_evasion
  - attack.ta0010
  - attack.ta0005
  - safe.t1915

Behavioral Indicators

  • Unusual bridge protocol diversity (using 3+ different bridges in short succession)
  • Fresh wallet addresses created immediately after each bridge operation
  • Stablecoin-only operations (avoiding native chain tokens)
  • Off-ramp deposits that match the timing and amount of prior bridge sequences
  • Geographic clustering of off-ramp services in jurisdictions with weak AML enforcement
  • Repeated patterns matching known threat actor methodologies (e.g., Lazarus Group TTPs)

Mitigation Strategies

Preventive Controls

  1. SAF-M-1: Input Validation: Validate all blockchain transaction parameters and enforce allowlists for approved bridge protocols and destination chains
  2. SAF-M-8: Rate Limiting: Implement velocity limits on cross-chain bridge operations per session/user
  3. SAF-M-19: Least Privilege: Restrict MCP tool capabilities for blockchain operations; require explicit user consent for cross-chain transfers
  4. SAF-M-46: Bridge Risk Management: Maintain an updated list of high-risk bridge protocols and off-ramp services; block or require enhanced review for suspicious routes

Detective Controls

  1. SAF-M-2: Comprehensive Logging: Log all bridge transactions with full cross-chain context including source chain, destination chain, bridge protocol, amounts, and addresses
  2. SAF-M-10: Anomaly Detection: Deploy AI-based anomaly detection for unusual multi-chain patterns and rapid bridge sequences
  3. SAF-M-47: Cross-Chain Transaction Graph Analysis: Implement bi-directional cross-chain tracing to link lock/mint/burn events across blockchain networks
  4. SAF-M-48: Custodial Off-Ramp Monitoring: Prioritize monitoring of known custodial services that historically receive concentrated illicit inflows

Response Procedures

  1. Immediate Actions:

    • Freeze suspicious wallet operations pending investigation
    • Notify compliance team for SAR preparation
    • Document full cross-chain transaction trail
    • Check against sanctions lists (OFAC SDN, UN, EU)
  2. Investigation Steps:

    • Reconstruct complete chain-hopping sequence across all blockchains
    • Identify all intermediate addresses and bridge protocols used
    • Correlate with known threat actor TTPs (e.g., DPRK Lazarus Group patterns)
    • Analyze off-ramp destinations and beneficiary services
    • Cross-reference with industry threat intelligence feeds
  3. Remediation:

    • File Suspicious Activity Report (SAR) following FinCEN guidance
    • Update bridge protocol and off-ramp risk scoring
    • Enhance detection rules based on observed TTPs
    • Coordinate with law enforcement if sanctions violations identified
    • Implement additional controls for high-risk chains/bridges

Related Techniques

  • SAF-T1910: Covert Channel Exfiltration - Chain-hopping extends covert exfiltration to blockchain value transfers
  • SAF-T1911: Parameter Exfiltration - Bridge parameters can be used to encode additional data
  • SAF-T1913: HTTP POST Exfil - Off-ramp deposits often use HTTP APIs
  • SAF-T1914: Tool-to-Tool Exfil - Chain-hopping inherently chains multiple blockchain tools
  • SAF-T2104: Fraudulent Transactions - Chain-hopping is often used to launder proceeds from fraudulent on-chain transactions

References

MITRE ATT&CK Mapping

Version History

Version Date Changes Author
1.0 2025-11-02 Initial documentation Laxmi Pant