Source: Beosin
In a confidential report seen by Reuters, United Nations sanctions monitors stated that the North Korean hacker group Lazarus Group laundered $147.5 million through the virtual currency mixer Tornado Cash in March this year (2024), after stealing the funds from a cryptocurrency exchange last year.
The monitors had told the UN Security Council sanctions committee in an earlier submission that they were investigating 97 suspected North Korean cyberattacks on cryptocurrency companies between 2017 and 2024, valued at around $3.6 billion in total. These include an attack at the end of last year in which $147.5 million was stolen from the HTX cryptocurrency exchange and then laundered in March this year.
The United States sanctioned Tornado Cash in 2022, and in 2023 its two co-founders were charged with helping to launder more than $1 billion, including funds for the North Korean cybercrime organization Lazarus Group.
According to the investigation by cryptocurrency detective ZachXBT, Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.
In the field of cybersecurity, Lazarus Group has long been accused of conducting large-scale cyber attacks and financial crimes. Their targets are not limited to specific industries or regions but span globally, from banking systems to cryptocurrency exchanges, from government agencies to private enterprises. Next, we will focus on analyzing several typical attack cases, revealing how Lazarus Group successfully carried out these astonishing attacks through their complex strategies and technical means.
Lazarus Group's Social Engineering and Phishing Attacks
This case comes from reports by European media. Lazarus Group targeted military and aerospace companies in Europe and the Middle East, posting fake job advertisements on platforms such as LinkedIn to lure employees into downloading PDF files bundled with executables, the first stage of the phishing attack.
Social engineering and phishing both work by manipulating the victim psychologically into lowering their guard and performing an action, such as clicking a link or opening an attachment, that compromises their security.
The malware delivered this way gives the operators a foothold on the victim's system, from which they exploit further weaknesses and steal sensitive information.
Lazarus used similar methods in a six-month campaign against CoinsPaid, a cryptocurrency payment provider, which ended in the theft of $37 million.
Over the course of that campaign they sent fake job offers to engineers, launched distributed denial-of-service attacks, and attempted various password brute-force attacks.
CoinBerry, Unibright, and CoinMetro Attack Events
On August 24, 2020, a wallet belonging to CoinBerry, a Canadian cryptocurrency exchange, was hacked.
Hacker address:
0xA06957c9C8871ff248326A1DA552213AB26A11AE
On September 11, 2020, Unibright suffered unauthorized transfers of $400,000 following a private key leak.
Hacker address:
0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43
On October 6, 2020, $750,000 worth of crypto assets were transferred without authorization from CoinMetro's hot wallet after a security vulnerability was exploited.
Hacker address:
0x044bf69ae74fcd8d1fc11da28adbad82bbb42351
Beosin Know Your Transaction (KYT): Stolen funds flow chart
In early 2021, the funds from these three attacks converged at the following address:
0x0864b5ef4d8086cd0062306f39adea5da5bd2603.
On January 11, 2021, address 0x0864b5 deposited 3,000 ETH into Tornado Cash and then routed a further 1,800+ ETH into Tornado Cash through the address 0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129.
Between January 11 and January 15, nearly 4,500 ETH was withdrawn from Tornado Cash to the address 0x05492cbc8fb228103744ecca0df62473b2858810.
By 2023, after multiple transfers and swaps, the attackers had gathered the stolen funds into other addresses for cashing out. The fund-tracking chart shows the attackers repeatedly sending the stolen funds to a Noones deposit address and a Paxful deposit address.
Nexus Mutual Founder (Hugh Karp) Hacked
On December 14, 2020, Nexus Mutual founder Hugh Karp had 370,000 NXM (about $8.3 million at the time) stolen.
Beosin KYT: Stolen funds flow chart
The stolen funds were moved between the following addresses and swapped for other assets.
0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1
0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b
0x09923e35f19687a524bbca7d42b92b6748534f25
0x0784051d5136a5ccb47ddb3a15243890f5268482
0x0adab45946372c2be1b94eead4b385210a8ebf0b
Through these addresses, Lazarus Group obfuscated, dispersed and re-aggregated the funds. For example, part of the funds was bridged to the Bitcoin chain, moved through a series of transfers, bridged back to Ethereum, passed through a mixer, and finally sent to a cash-out platform.
Between December 16 and December 20, 2020, one of the hacker addresses, 0x078405, sent more than 2,500 ETH to Tornado Cash. A few hours later, the address 0x78a9903af04c8e887df5290c91917f71ae028137 began withdrawing from Tornado Cash; correlation of transaction characteristics links these withdrawals to the deposits.
Through further transfers and swaps, the hackers moved part of the funds to the same cash-out addresses used in the previous case.
Between May and July 2021, the attackers transferred $11 million in USDT to a Bixin deposit address.
From February to March 2023, the attackers sent $2.77 million in USDT to the Paxful deposit address through the address 0xcbf04b011eebc684d380db5f8e661685150e3a9e.
From April to June 2023, the attackers sent $8.4 million in USDT to the Noones deposit address through the same address, 0xcbf04b011eebc684d380db5f8e661685150e3a9e.
Steadefi and CoinShift Hacker Attacks
Beosin KYT: Stolen funds flow chart
Steadefi Event Attack Address
0x9cf71f2ff126b9743319b60d2d873f0e508810dc
CoinShift Event Attack Address
0x979ec2af1aa190143d294b0bfc7ec35d169d845c
In August 2023, the 624 ETH stolen in the Steadefi incident was deposited into Tornado Cash, and in the same month the 900 ETH stolen in the CoinShift incident was deposited into Tornado Cash as well.
Shortly after these deposits, funds were withdrawn from Tornado Cash to the following addresses:
0x9f8941cd7229aa3047f05a7ee25c7ce13cbb8c41
0x4e75c46c299ddc74bac808a34a778c863bb59a4e
0xc884cf2fb3420420ed1f3578eaecbde53468f32e
On October 12, 2023, the funds that the three addresses above had withdrawn from Tornado Cash were sent on to the address 0x5d65aeb2bd903bee822b7069c1c52de838f11bf8.
In November 2023, address 0x5d65ae began moving the funds and, through a series of transfers and swaps, ultimately delivered them to the Paxful deposit address and the Noones deposit address.
Event Summary
The cases above document the activity of the North Korean hacker group Lazarus Group over the past few years and show a consistent laundering method: after stealing crypto assets, Lazarus Group obfuscates the funds by bridging them across chains and depositing them into mixers such as Tornado Cash. After mixing, the assets are withdrawn to fresh addresses and then routed to a fixed set of cash-out addresses. In the cases analyzed here the stolen assets were mostly deposited into a Paxful deposit address and a Noones deposit address, where they were converted to fiat currency through OTC services.
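The laundering pattern summarized above (attack addresses converging on one aggregator, fixed-denomination deposits into Tornado Cash followed by withdrawals of the same note count to a fresh address, then a chain of hops into labelled exchange deposit addresses) reduces to a few tracing heuristics. The Python tracer below is an added example written for this article, not Beosin KYT code. It runs over a hand-constructed transaction list; the pool address, the exchange deposit labels and every wallet address are placeholders. The deposit/withdrawal link uses only note count and timing, one of several signals a production engine would combine, and it ignores relayer fees.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    ts: datetime   # block timestamp
    src: str       # sender
    dst: str       # recipient
    eth: float     # value transferred


# Assumed labels; a real tracer loads these from a KYT label set (placeholders, not real contracts).
TORNADO_POOL = "0xpool_100eth"    # fixed-denomination mixer pool
NOTE = 100.0                      # every deposit or withdrawal in the pool is one note
EXCHANGE_DEPOSITS = {"0xpaxful_dep": "Paxful", "0xnoones_dep": "Noones"}
ATTACKERS = {"0xattacker_a", "0xattacker_b", "0xattacker_c"}  # known attack addresses


def find_aggregators(txs, attack_addrs, min_sources=2):
    """Addresses funded directly by >= min_sources distinct attack addresses
    (the convergence step that precedes the mixer deposits)."""
    sources = defaultdict(set)
    for tx in txs:
        if tx.src in attack_addrs:
            sources[tx.dst].add(tx.src)
    return {addr: srcs for addr, srcs in sources.items() if len(srcs) >= min_sources}


def correlate_mixer(txs, pool=TORNADO_POOL, note=NOTE, window=timedelta(days=5)):
    """Pair each depositor with withdrawers that pull out exactly the same number of
    notes after the depositor's first deposit and within `window` of its last one.
    Returns (depositor, withdrawer, eth, gap after last deposit)."""
    deposits, withdrawals = defaultdict(list), defaultdict(list)
    for tx in txs:
        if tx.dst == pool and tx.eth == note:
            deposits[tx.src].append(tx.ts)
        elif tx.src == pool and tx.eth == note:
            withdrawals[tx.dst].append(tx.ts)
    matches = []
    for dep_addr, dts in deposits.items():
        first_dep, last_dep = min(dts), max(dts)
        for wd_addr, wts in withdrawals.items():
            in_window = [t for t in wts if first_dep < t <= last_dep + window]
            if in_window and len(in_window) == len(dts):
                matches.append((dep_addr, wd_addr, len(dts) * note, max(in_window) - last_dep))
    return matches


def trace_to_exchanges(txs, start, labels=EXCHANGE_DEPOSITS, max_hops=6):
    """Breadth-first forward trace from `start`, following only transfers made after the
    funds arrived at each hop, summing what lands on labelled exchange deposit addresses."""
    out = defaultdict(list)
    for tx in txs:
        out[tx.src].append(tx)
    reached = defaultdict(float)
    seen = {start}
    queue = deque([(start, datetime.min, 0)])
    while queue:
        addr, arrived, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for tx in out[addr]:
            if tx.ts < arrived:          # funds cannot leave before they arrived
                continue
            if tx.dst in labels:
                reached[labels[tx.dst]] += tx.eth
            elif tx.dst not in seen:
                seen.add(tx.dst)
                queue.append((tx.dst, tx.ts, hops + 1))
    return dict(reached)


def sample_txs():
    """Constructed data mirroring the 2020/2021 flow: three attack addresses feed one
    aggregator, which deposits 30 notes; a fresh address withdraws 30 notes and later
    cashes out via two exchange deposit addresses."""
    t0 = datetime(2021, 1, 11)

    def at(days, hours=0):
        return t0 + timedelta(days=days, hours=hours)

    txs = [
        Tx(at(-30), "0xattacker_a", "0xagg", 1200.0),
        Tx(at(-20), "0xattacker_b", "0xagg", 900.0),
        Tx(at(-10), "0xattacker_c", "0xagg", 1000.0),
        Tx(at(2), "0xbystander", TORNADO_POOL, NOTE),    # unrelated single deposit, must not match
        Tx(at(-5), "0xcash1", "0xpaxful_dep", 50.0),      # pre-dates the stolen funds, must not count
        Tx(at(10), "0xfresh", "0xcash1", 1500.0),
        Tx(at(11), "0xfresh", "0xcash2", 1490.0),
        Tx(at(40), "0xcash1", "0xpaxful_dep", 1500.0),
        Tx(at(60), "0xcash2", "0xnoones_dep", 1000.0),
        Tx(at(61), "0xcash2", "0xcash3", 490.0),
        Tx(at(62), "0xcash3", "0xnoones_dep", 490.0),
    ]
    txs += [Tx(at(0, h), "0xagg", TORNADO_POOL, NOTE) for h in range(30)]             # 30 deposits over 30 h
    txs += [Tx(at(0, 12 + 3 * i), TORNADO_POOL, "0xfresh", NOTE) for i in range(30)]  # 30 withdrawals, 12 h to 99 h
    return txs


def summarize(txs):
    links = correlate_mixer(txs)
    return {
        "aggregators": find_aggregators(txs, ATTACKERS),
        "mixer_links": links,
        "cash_out": {wd: trace_to_exchanges(txs, wd) for _, wd, _, _ in links},
    }


if __name__ == "__main__":
    for key, value in summarize(sample_txs()).items():
        print(key, value)
```

On the constructed data the tracer reports `0xagg` as the aggregator of the three attack addresses, links its 30 deposits (3,000 ETH) to the 30 withdrawals received by `0xfresh` 70 hours after the last deposit, and attributes 1,500 ETH to Paxful and 1,490 ETH to Noones from that withdrawer. The bystander's single deposit and the pre-existing 50 ETH transfer from `0xcash1` are correctly left out, which is the kind of false positive an amount-and-timing heuristic must guard against.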
Under the continuous and large-scale attacks by Lazarus Group, the Web3 industry faces significant security challenges.