Also: $7M Saga and $5M Makina Finance Exploits

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, South Korea dismantled a $102 million money laundering ring, Saga paused SagaEVM after a $7 million cross-chain exploit, Makina Finance lost about $5 million in an oracle manipulation attack, a Utah man was sentenced to three years for fraud and illegal cash conversion, and a software flaw let traders win ethereum transaction auctions for free.
South Korea Breaks Up $102M Money Laundering Ring
South Korean customs authorities dismantled an international money laundering network they say moved nearly $102 million through cryptocurrency and the domestic banking system. The Korea Customs Service referred three suspects to prosecutors for violating the Foreign Exchange Transactions Act.
Investigators allege the group operated from September 2021 to June, disguising illicit transfers as legitimate expenses such as cosmetic surgery fees and overseas tuition. To avoid detection, the suspects allegedly bought crypto assets in multiple countries, transferred them to wallets in South Korea, converted them into won and distributed the funds across numerous local bank accounts.
The case comes amid heightened scrutiny of illegal foreign exchange activity. In January, the KCS launched year-round inspections targeting underground money changers. Authorities said discrepancies between bank-handled trade proceeds and customs-reported goods widened to about $290 billion last year, raising concerns over illicit capital flows.
Saga Pauses SagaEVM After $7M Cross-Chain Exploit
Layer 1 blockchain project Saga paused its SagaEVM network after a security exploit drained nearly $7 million in USDC, the team said. An attacker executed unauthorized withdrawals on SagaEVM, bridged the stolen USDC out of the network and converted the funds into ether, the company said.
Saga halted the SagaEVM chain at block height 6,593,800 after detecting suspicious activity and said the network will be paused while the investigation and remediation efforts continue. The team said it is working with partners, including exchanges and bridge operators, to blacklist the attacker’s address and limit further risk.
Preliminary findings indicate the exploit relied on a coordinated sequence of contract deployments, liquidity movements and cross-chain interactions to rapidly extract funds. Saga said that the incident was isolated to SagaEVM and did not impact its SSC mainnet, consensus layer or validators and that it found no evidence of compromised keys or consensus failures.
Makina Finance Hit by $5M Oracle Manipulation Exploit
Decentralized finance protocol Makina Finance suffered a major smart contract exploit that drained about $5 million from one of its stablecoin pools, said blockchain security firm CertiK. The attacker apparently used a 280 million USDC flash loan to manipulate the pricing oracle underpinning the protocol’s DUSD/USDC Curve pool.
CertiK said the exploiter deployed roughly 170 million USDC to distort the MachineShareOracle and then traded the remaining 110 million USDC against a pool holding about $5 million in liquidity, effectively draining its assets. Makina Finance, which launched in February and markets itself as an institutional-grade decentralized finance execution engine, currently reports about $100.5 million in total value locked, based on DefiLlama data.
Other security firms reported differing loss estimates, ranging from $4.13 million to $5.1 million. CertiK also said that an MEV builder captured most of the stolen funds, seizing about $4.14 million. Makina’s team has not formally confirmed the exploit, only saying that it is investigating a potential incident and advising liquidity providers to withdraw funds from affected positions.
Utah Man Gets 3 Years for Fraud, Illegal Cash Conversion
A U.S. federal court sentenced Utah resident Brian Garry Sewell to three years in prison for defrauding investors and running an unlicensed cryptocurrency money-transmitting business, prosecutors said. Sewell, 54, pleaded guilty to wire fraud that caused more than $2.9 million in losses and to illegally converting over $5.4 million in bulk cash into cryptocurrency for third-party clients, including individuals linked to fraud and drug trafficking.
U.S. District Court for the District of Utah Judge Ann Marie McIff Allen ordered Sewell to serve an additional three years of supervised release and to pay $3.82 million in restitution, including payments to defrauded investors, financial institutions and the U.S. Department of Homeland Security.
Prosecutors said Sewell ran the investment scheme from late 2017 to April 2024, misleading at least 17 investors about his credentials and ability to generate high returns. Separately, he operated Rockwell Capital Management in 2020 without required federal anti-money laundering registration or reporting.
How a Software Flaw Let Traders Win Ethereum Auctions for Free
A researcher showed how a software flaw in ethereum’s transaction auction system briefly allowed traders to secure profitable trades without paying the usual fees. On ethereum, new batches of transactions are added to the blockchain every 12 seconds. When traders spot a guaranteed profit opportunity, such as buying a token cheaply on one exchange and selling it at a higher price on another, they must compete to have their transaction included in the next batch.
Instead of winning through speed, traders bid for priority. These auctions often push most of the profit to the network operator that adds the transactions, leaving traders with only a small share.
While reviewing the auction software, the researcher found a timing bug that occurred during bid verification. The system first checked who offered the highest payment, then separately retrieved that bidder’s transaction. In the tiny gap between those two steps, a malicious trader could replace a high-payment transaction with a nearly free one.
As a result, the system would select the trader as the winner but collect no payment, allowing the trader to keep the full profit. The exploit was unreliable but low risk if attempted carefully.
The researcher reported the issue in 2023. The developers fixed it by ensuring the bid check and transaction selection happened in a single, indivisible step. They awarded the researcher a $5,000 bounty for disclosing the flaw.
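The timing bug and its fix, sketched as an added example that is not the auction software's own code: `BidStore`, `select_racy`, `select_atomic` and all bid values are hypothetical, and the `gap` callback stands in for the window between the two steps so the outcome is deterministic.

```python
import threading
from dataclasses import dataclass

@dataclass(frozen=True)
class Bid:
    bidder: str
    payment: int  # amount promised to the operator (constructed units)
    tx: str       # opaque transaction payload (constructed)

class BidStore:  # hypothetical in-memory store: one current bid per bidder
    def __init__(self):
        self._lock = threading.Lock()
        self._bids = {}

    def submit(self, bid):
        with self._lock:
            self._bids[bid.bidder] = bid  # resubmitting replaces the old bid

    def top_bidder(self):
        with self._lock:
            return max(self._bids.values(), key=lambda b: b.payment).bidder

    def current(self, bidder):
        with self._lock:
            return self._bids[bidder]

    def top_bid(self):
        # Ranking and retrieval share one critical section and one snapshot.
        with self._lock:
            return max(self._bids.values(), key=lambda b: b.payment)

def select_racy(store, gap=lambda: None):
    winner = store.top_bidder()   # step 1: check who offered the most
    gap()                         # window between the two steps
    return store.current(winner)  # step 2: fetch that bidder's latest bid

def select_atomic(store, gap=lambda: None):
    bid = store.top_bid()         # check and selection in a single step
    gap()                         # a later replacement cannot alter `bid`
    return bid

def demo():
    out = {}
    for name, select in (("racy", select_racy), ("atomic", select_atomic)):
        store = BidStore()
        store.submit(Bid("alice", 90, "tx-alice"))
        store.submit(Bid("mallory", 100, "tx-high"))
        out[name] = select(store, lambda: store.submit(Bid("mallory", 1, "tx-cheap")))
    return out
```

Each lock-protected method is individually thread-safe, yet `select_racy` still returns the replaced bid, because the check and the retrieval are separate critical sections.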
