North Korean hacker group Lazarus Group launders 200 million USD in crypto assets; multiple exchanges become targets
Analysis of Activities and Money Laundering Techniques of North Korean Hacker Group Lazarus Group
A confidential United Nations report reveals that a cryptocurrency exchange was attacked by the Lazarus Group last year, resulting in approximately $147.5 million in funds being stolen. In March of this year, these funds went through a money laundering process via a certain virtual currency platform.
The United Nations Security Council sanctions committee's observer is investigating 97 suspected cyberattacks by North Korean hackers against cryptocurrency companies that occurred between 2017 and 2024, involving amounts as high as $3.6 billion. This includes a $147.5 million theft from a cryptocurrency exchange at the end of last year, with the money laundering process completed in March this year.
In 2022, the United States imposed sanctions on a certain virtual currency platform. The following year, two co-founders of the platform were accused of assisting in the money laundering of over $1 billion, involving the North Korea-related cybercrime organization Lazarus Group.
A survey by a cryptocurrency analyst shows that the Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.
The Lazarus Group has long been accused of conducting large-scale cyber attacks and financial crimes. Their targets are diverse, including banking systems, cryptocurrency exchanges, government agencies, and private enterprises.
Social Engineering and Phishing Attacks of the Lazarus Group
European media report that Lazarus targeted military and aerospace companies in Europe and the Middle East, deceiving employees through fake job advertisements posted on social platforms. Job seekers were asked to download PDFs containing executable files, which carried out the phishing attack.
These social engineering and phishing attacks rely on psychological manipulation, luring victims into lowering their guard and engaging in risky behaviors such as clicking links or downloading files. The group's malware is capable of targeting vulnerabilities in the victim's system to steal sensitive information.
Lazarus also used similar methods to conduct a six-month attack on a certain cryptocurrency payment provider, resulting in a loss of $37 million for the company. Throughout the attack, they sent fake job opportunities to engineers, launched distributed denial-of-service attacks, and attempted to brute-force passwords.
Multiple Cryptocurrency Exchange Attack Incidents
From August to October 2020, multiple cryptocurrency exchanges and projects were attacked:
These stolen funds were transferred and obfuscated multiple times, ultimately converging at several specific addresses. The attackers sent the funds to certain deposit addresses through multiple transfers and exchanges.
The founder of a mutual insurance platform was attacked by hackers
On December 14, 2020, the founder of a mutual insurance platform suffered a hacker attack, losing 370,000 platform tokens worth approximately $8.3 million.
The stolen funds were transferred between multiple addresses and exchanged for other assets. The Lazarus Group performed fund obfuscation, dispersion, and aggregation through these addresses. Some funds were bridged cross-chain to the Bitcoin network, then bridged back to the Ethereum network, and then obfuscated through mixing platforms before being sent to withdrawal platforms.
From December 16 to 20, 2020, a hacker address sent over 2500 ETH to a mixing platform. A few hours later, another associated address began withdrawal operations.
From May to July 2021, the attacker transferred 11 million USDT to the deposit address of a certain trading platform.
From February to June 2023, attackers sent over 11 million USDT to different deposit addresses through multiple addresses.
Recent Attack Incidents
In August 2023, the stolen ETH from two attack incidents (624 coins and 900 coins respectively) was transferred to a certain mixing platform. Subsequently, these funds were withdrawn to several specific addresses.
On October 12, 2023, the funds from these addresses were consolidated into a new address. By November, that address began transferring funds, ultimately sending the money to certain deposit addresses through intermediaries and exchanges.
Summary
The Lazarus Group mainly obfuscates the source of funds after stealing cryptocurrency assets by using cross-chain operations and mixers. After obfuscation, they withdraw the stolen assets to the target address and send them to a fixed group of addresses for cashing out. The stolen cryptocurrency assets are usually deposited into specific deposit addresses and then exchanged for fiat currency through over-the-counter trading services.
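The dispersion, aggregation and deposit stages described above can be followed with a simple forward trace over a transfer ledger. The sketch below is an added example, not code from the report or its authors; the ledger, address names and labels are constructed placeholders, and it covers only directly linked transfers, not the mixer hop, which breaks the on-chain link.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount in ETH). All names are placeholders.
TRANSFERS = [
    ("theft_wallet", "hop_a", 400), ("theft_wallet", "hop_b", 350),
    ("theft_wallet", "hop_c", 250), ("hop_a", "agg_1", 400),
    ("hop_b", "agg_1", 350), ("hop_c", "hop_d", 250),
    ("hop_d", "agg_1", 250), ("agg_1", "deposit_x", 600),
    ("agg_1", "deposit_y", 400), ("unrelated", "deposit_x", 50),
]
# Hypothetical analyst labels for known service addresses.
LABELS = {"deposit_x": "exchange deposit", "deposit_y": "exchange deposit"}

def trace_forward(transfers, source, labels, max_hops=6):
    """Breadth-first trace from the theft address; returns {address: hop count}."""
    outgoing = defaultdict(list)
    for sender, receiver, _ in transfers:
        outgoing[sender].append(receiver)
    dist, queue = {source: 0}, deque([source])
    while queue:
        addr = queue.popleft()
        # Stop at labelled services (funds commingle there) and at the hop limit.
        if addr in labels or dist[addr] >= max_hops:
            continue
        for nxt in outgoing[addr]:
            if nxt not in dist:
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist

def aggregation_points(transfers, tainted, min_inputs=2):
    """Traced addresses funded by at least min_inputs distinct traced senders."""
    feeders = defaultdict(set)
    for sender, receiver, _ in transfers:
        if sender in tainted and receiver in tainted:
            feeders[receiver].add(sender)
    return {a: sorted(s) for a, s in feeders.items() if len(s) >= min_inputs}

def cash_out_endpoints(transfers, tainted, labels):
    """Total traced value arriving at each labelled deposit address."""
    totals = defaultdict(float)
    for sender, receiver, amount in transfers:
        if sender in tainted and receiver in labels:
            totals[receiver] += amount
    return dict(totals)

if __name__ == "__main__":
    tainted = trace_forward(TRANSFERS, "theft_wallet", LABELS)
    print(aggregation_points(TRANSFERS, tainted))
    print(cash_out_endpoints(TRANSFERS, tainted, LABELS))
```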
In the face of the ongoing and large-scale attacks by the Lazarus Group, the Web3 industry is facing severe security challenges. Relevant agencies are continuously monitoring this hacker group and will further track its activities and money laundering methods to assist project parties and regulatory and law enforcement agencies in combating such crimes and recovering stolen assets.