Source: Beosin
Previously, a confidential UN report obtained by Reuters showed that the North Korean hacker group Lazarus Group laundered $147.5 million through the virtual currency platform Tornado Cash in March this year after stealing funds from a cryptocurrency exchange last year.
In a previous submission, the monitor told the UN Security Council Sanctions Committee that they have been investigating 97 suspected North Korean hackers' cyber attacks on cryptocurrency companies between 2017 and 2024, worth about $3.6 billion. This includes an attack at the end of last year, in which $147.5 million was stolen from the HTX cryptocurrency exchange, and then the money was laundered in March this year.
The United States imposed sanctions on Tornado Cash in 2022, and in 2023, its two co-founders were accused of assisting in the laundering of more than $1 billion, including the Lazarus Group, a cybercrime organization linked to North Korea.
According to the investigation of cryptocurrency detective ZachXBT, the Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.
In the field of cybersecurity, the Lazarus Group has long been accused of large-scale cyberattacks and financial crimes. Their targets are not limited to specific industries or regions, but are spread all over the world, from banking systems to cryptocurrency exchanges, from government agencies to private enterprises. Next, we will focus on analyzing several typical attack cases to reveal how the Lazarus Group successfully carried out these amazing attacks through its complex strategies and technical means.
This case comes from European media reports that Lazarus has previously targeted military and aerospace companies in Europe and the Middle East, posting recruitment ads on platforms such as LinkedIn to deceive employees, requiring job seekers to download PDFs that deploy executable files, and then implement phishing attacks.
Both social engineering and phishing attacks attempt to use psychological manipulation to trick victims into letting down their guard and performing actions such as clicking on links or downloading files, thereby compromising their security.
Their malware enables agents to target vulnerabilities in victims' systems and steal sensitive information.
Lazarus used similar methods in a six-month operation against cryptocurrency payment provider CoinsPaid, which resulted in the theft of $37 million from CoinsPaid.
Throughout the campaign, it sent fake job offers to engineers, launched technical attacks such as distributed denial of service, and submitted many possible passwords for brute force cracking.
On August 24, 2020, the wallet of Canadian cryptocurrency exchange CoinBerry was stolen.
Hacker address:
0xA06957c9C8871ff248326A1DA552213AB26A11AE
On September 11, 2020, due to the leakage of private keys, Unbright made unauthorized transfers of $400,000 in multiple wallets controlled by the team.
Hacker address:
0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43
On October 6, 2020, due to a security vulnerability, crypto assets worth $750,000 were transferred from the CoinMetro hot wallet without authorization.
Hacker address:
0x044bf69ae74fcd8d1fc11da28adbad82bbb42351
Beosin KYT: Stolen funds flow chart
In early 2021, funds from various attacks were gathered at the following addresses:
0x0864b5ef4d8086cd0062306f39adea5da5bd2603.
On January 11, 2021, the 0x0864b5 address deposited 3,000 ETH in Tornado Cash, and then deposited more than 1,800 ETH into Tornado Cash through the 0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129 address.
Then from January 11 to January 15, nearly 4,500 ETH were withdrawn from Tornado Cash to the 0x05492cbc8fb228103744ecca0df62473b2858810 address.
By 2023, after multiple transfers and exchanges, the attackers finally gathered the funds from other security incidents to the withdrawal address. According to the fund tracking diagram, the attackers sent the stolen funds to the Noones deposit address and the Paxful deposit address.
On December 14, 2020, Nexus Mutual founder Hugh Karp had 370,000 NXM (8.3 million U.S. dollars) stolen.
Beosin KYT: Stolen funds flow chart
The stolen funds were transferred between the following addresses and exchanged for other funds.
0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1
0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b
0x09923e35f19687a524bbca7d42b92b6748534f25
0x0784051d5136a5ccb47ddb3a15243890f5268482
Lazarus Group used these addresses to confuse, disperse, and aggregate funds. For example, part of the funds were transferred to the Bitcoin chain through a cross-chain, and then transferred back to the Ethereum chain through a series of transfers. After that, they were mixed through a mixing platform, and then the funds were sent to the withdrawal platform.
From December 16 to December 20, 2020, one of the hacker addresses 0x078405 sent more than 2,500 ETH to Tornado Cash. A few hours later, based on feature association, it was found that the 0x78a9903af04c8e887df5290c91917f71ae028137 address began to withdraw funds.
Through transfer and exchange, the hacker transferred part of the funds to the address for fund collection and withdrawal involved in the previous incident.
Afterwards, from May to July 2021, the attacker transferred 11 million USDT to the Bixin deposit address.
From February to March 2023, the attacker sent 2.77 million USDT to the Paxful deposit address through the 0xcbf04b011eebc684d380db5f8e661685150e3a9e address.
From April to June 2023, the attacker sent 8.4 million USDT to the Noones deposit address through the 0xcbf04b011eebc684d380db5f8e661685150e3a9e address.
Beosin KYT: Stolen funds flow chart
Steadefi incident attack address
0x9cf71f2ff126b9743319b60d2d873f0e508810dc
Coinshift incident attack address
After transferring ETH to Tornado Cash, immediately withdraw the funds to the following addresses:
0x9f8941cd7229aa3047f05a7ee25c7ce13cbb8c41
0x4e75c46c299ddc74bac808a34a778c863bb59a4e
0xc884cf2fb3420420ed1f3578eaecbde53468f32e
On October 12, 2023, the above three addresses will be withdrawn from Tornado Cash. The funds withdrawn by Cash were sent to the address 0x5d65aeb2bd903bee822b7069c1c52de838f11bf8.
In November 2023, the 0x5d65ae address began to transfer funds, and eventually sent the funds to the Paxful deposit address and Noones deposit address through transfer and exchange.
The above introduces the dynamics of the North Korean hacker Lazarus Group in the past few years, and analyzes and summarizes its money laundering methods: After stealing encrypted assets, the Lazarus Group basically confused the funds by cross-chain back and forth and then transferred to Tornado Cash and other mixers. After confusion, the Lazarus Group extracted the stolen assets to the target address and sent them to a fixed group of addresses for withdrawal operations. Previously, the stolen crypto assets were basically deposited into Paxful deposit addresses and Noones deposit addresses, and then the crypto assets were exchanged for legal currency through OTC services.
Under the continuous and large-scale attacks of the Lazarus Group, the Web3 industry faces greater security challenges.
The Lazarus Group, a North Korean hacking syndicate, has elevated its crypto phishing tactics by exploiting LinkedIn's trust. They impersonate industry figures to lure unsuspecting victims, highlighting the need for enhanced cybersecurity measures in the crypto community.
JoyLazarus Group, notorious for $3 billion crypto exploits, withdrew $1.2 million Bitcoin from a coin mixer. Blockchain analysis by Arkham reveals their $79 million wallet. Recent attacks align with Lazarus's known patterns, raising concerns.
BerniceLazarus Group's sophisticated hacking operations continue to plague the crypto world, accounting for a significant portion of 2023's crypto thefts. Their actions not only reflect the ongoing threats in the digital finance realm but also the need for concerted global efforts to counter such cybercrimes.
Huang BoThe Lazarus Group, a North Korean hacking entity, has raised global cybersecurity concerns by amassing a substantial $3 billion through sophisticated cryptocurrency heists.
Hui XinThe user will then unknowingly play a crucial role in running this program, participating in seemingly routine actions that were, in fact, essential to the attack's success.
DavinLazarus Group's typical approach involves luring victims with enticing employment offers at reputable companies, tricking them into downloading malicious payloads disguised as documents.
DavinThe seizure was coordinated between Binance, Huobi, and Elliptic.
cryptopotatoThe notorious North Korean hacker collective known as Lazarus has had a busy weekend moving millions of dollars in Ethereum.
cryptopotatoLazarus Group has been targeting Japanese firms with phishing links via email and social media.
CoindeskTreasury Department updates SDN list to ostensibly tie infamous hacker group to last month’s mega-heist.
Cointelegraph