Source: Beosin
According to a confidential United Nations report obtained by Reuters, North Korean hacker group Lazarus Group laundered $1.475 billion through the virtual currency platform Tornado Cash in March this year after stealing funds from a cryptocurrency exchange last year.
Inspectors informed the United Nations Security Council sanctions committee in a previous submission that they have been investigating 97 suspected North Korean hacker attacks on cryptocurrency companies worth approximately $3.6 billion between 2017 and 2024. This includes an attack at the end of last year where $1.475 billion from the HTX cryptocurrency exchange was stolen and then laundered in March this year.
The United States sanctioned Tornado Cash in 2022, and in 2023 its two co-founders were charged with helping to launder over $1 billion, including funds tied to the North Korean cybercrime organization Lazarus Group.
Cryptocurrency detective ZachXBT’s investigation revealed that Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.
In the field of cybersecurity, Lazarus Group has long been accused of carrying out large-scale cyber attacks and financial crimes. Their targets are not limited to specific industries or regions but span globally from banking systems to cryptocurrency exchanges, and from government agencies to private enterprises. Next, we will analyze several typical attack cases to reveal how Lazarus Group successfully executed these astonishing attacks through their complex strategies and technical means.
Lazarus Group Uses Social Engineering and Phishing Attacks
This case comes from reports in European media. Lazarus Group previously targeted military and aerospace companies in Europe and the Middle East by posting job advertisements on platforms such as LinkedIn to deceive employees into downloading PDF files that concealed executables, which served as the entry point for the attack.
Both social engineering and phishing attacks aim to deceive victims into lowering their guard through psychological manipulation and carrying out actions like clicking links or downloading files, jeopardizing their security.
The malware delivered this way let the operators exploit vulnerabilities in the victims' systems and steal sensitive information.
In a six-month operation targeting cryptocurrency payment provider CoinsPaid, Lazarus used similar methods, resulting in the theft of $37 million from CoinsPaid.
Throughout the operation, they sent fake job offers to engineers, launched distributed denial-of-service attacks, and brute-forced passwords.
CoinBerry, Unibright, and Other Attack Events
On August 24, 2020, the Canadian cryptocurrency exchange CoinBerry’s wallet was hacked.
Hacker address:
0xA06957c9C8871ff248326A1DA552213AB26A11AE
On September 11, 2020, Unibright suffered unauthorized transfers totaling $400,000 due to a private key leak.
Hacker address:
0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43
On October 6, 2020, $750,000 worth of crypto assets were transferred without authorization from CoinMetro's hot wallet due to a security vulnerability.
Hacker address:
0x044bf69ae74fcd8d1fc11da28adbad82bbb42351
Beosin KYT: Stolen Funds Flow Chart
In early 2021, funds from various attack events were collected at the following address:
0x0864b5ef4d8086cd0062306f39adea5da5bd2603.
On January 11, 2021, the 0x0864b5 address deposited 3000 ETH into Tornado Cash and then deposited a further 1800+ ETH into Tornado Cash through the address 0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129.
Subsequently, between January 11 and January 15, nearly 4500 ETH was withdrawn from Tornado Cash to the 0x05492cbc8fb228103744ecca0df62473b2858810 address.
By 2023, after multiple transfers and swaps, the attackers had consolidated the funds into other addresses for cash-out; as the fund tracking chart shows, they repeatedly sent the stolen funds to the Noones and Paxful deposit addresses.
Nexus Mutual Founder (Hugh Karp) Targeted in Hacker Attack
On December 14, 2020, Nexus Mutual founder Hugh Karp was targeted in a hacker attack and lost 370,000 NXM ($8.3 million).
Beosin KYT: Stolen Funds Flow Chart
The stolen funds were transferred between several addresses and swapped for other assets.
Lazarus Group mixed, dispersed, and re-collected the funds through these addresses. For example, some funds were bridged to the Bitcoin chain and then back to the Ethereum chain through a series of transfers before being mixed on a mixing platform and sent to a cash-out platform.
From December 16 to December 20, 2020, one hacker address, 0x078405, sent over 2500 ETH to Tornado Cash. A few hours later, based on behavioural correlation, the address 0x78a9903af04c8e887df5290c91917f71ae028137 was observed to begin withdrawing.
Through further transfers and swaps, the hacker moved part of the funds to the addresses used for fund collection in the previous event, for cash-out.
Subsequently, between May and July 2021, the attacker transferred $11 million USDT to the Bixin deposit address.
Between February and March 2023, the attacker sent $2.77 million USDT to the Paxful deposit address through the address 0xcbf04b011eebc684d380db5f8e661685150e3a9e.
Between April and June 2023, the attacker sent $8.4 million USDT to the Noones deposit address through the address 0xcbf04b011eebc684d380db5f8e661685150e3a9e.
Steadefi and CoinShift Hacker Attacks
Beosin KYT: Stolen Funds Flow Chart
Steadefi Attack Address
0x9cf71f2ff126b9743319b60d2d873f0e508810dc
CoinShift Attack Address
0x979ec2af1aa190143d294b0bfc7ec35d169d845c
In August 2023, the 624 ETH stolen in the Steadefi event was transferred to Tornado Cash. In the same month, 900 ETH from the CoinShift event was transferred to Tornado Cash.
After transferring ETH to Tornado Cash, the funds were immediately withdrawn to the following addresses:
0x9f8941cd7229aa3047f05a7ee25c7ce13cbb8c41
0x4e75c46c299ddc74bac808a34a778c863bb59a4e
0xc884cf2fb3420420ed1f3578eaecbde53468f32e
On October 12, 2023, the funds withdrawn from Tornado Cash by the above three addresses were sent to the address 0x5d65aeb2bd903bee822b7069c1c52de838f11bf8.
In November 2023, the address 0x5d65ae began transferring funds, eventually sending them to the Paxful deposit address and Noones deposit address through intermediaries and exchanges.
Event Summary
The above details the activities of the North Korean hacker group Lazarus Group in recent years and summarizes its money laundering methods: after stealing cryptocurrency assets, Lazarus Group typically obfuscates the funds through cross-chain transfers and then deposits them into mixers such as Tornado Cash. After mixing, it withdraws the assets to target addresses and forwards them to a fixed group of addresses for cash-out. Previously stolen assets were mainly sent to Paxful and Noones deposit addresses and then converted to fiat currency through OTC services.
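The timing correlation that the tracing above relies on (deposits into Tornado Cash followed within hours or days by withdrawals of comparable total size to fresh addresses, which are then consolidated and forwarded to exchange deposit addresses) can be expressed as a simple heuristic. The following Python is an added example and is not Beosin's KYT tooling; the ledger is constructed with placeholder address labels, and the 7-day window and 20% threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIXER = "tornado_cash"                          # stands in for the mixer contract
OFFRAMP = {"paxful_deposit", "noones_deposit"}  # known exchange deposit addresses

# Constructed ledger (not real chain data): (timestamp, from, to, amount in ETH).
TRANSFERS = [
    ("2021-01-11 08:00", "hacker_collect", MIXER, 3000),
    ("2021-01-11 09:30", "hacker_side", MIXER, 1800),
    ("2021-01-12 01:00", MIXER, "fresh_a", 1500),
    ("2021-01-13 02:00", MIXER, "fresh_a", 1500),
    ("2021-01-15 03:00", MIXER, "fresh_a", 1500),
    ("2021-01-15 04:00", MIXER, "unrelated", 10),   # noise: ordinary small user
    ("2021-01-20 00:00", "fresh_a", "hop_b", 4500),
    ("2021-02-01 00:00", "hop_b", "paxful_deposit", 4500),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def mixer_withdrawal_candidates(transfers, seed_addrs, window_days=7, min_ratio=0.2):
    """Addresses whose mixer withdrawals within window_days of the seeds' first
    deposit add up to at least min_ratio of the total the seeds deposited."""
    deposits = [(parse(t), amt) for t, src, dst, amt in transfers
                if src in seed_addrs and dst == MIXER]
    if not deposits:
        return {}
    start = min(when for when, _ in deposits)
    end = start + timedelta(days=window_days)
    total_in = sum(amt for _, amt in deposits)
    withdrawn = defaultdict(float)
    for t, src, dst, amt in transfers:
        if src == MIXER and start <= parse(t) <= end:
            withdrawn[dst] += amt
    return {a: v for a, v in withdrawn.items() if v >= min_ratio * total_in}

def trace_to_offramp(transfers, start_addr, max_hops=6):
    """Follow the largest outgoing transfer hop by hop until a known off-ramp
    deposit address is reached; return the path, or None if there is none."""
    path, cur = [start_addr], start_addr
    for _ in range(max_hops):
        outs = [(amt, dst) for _, src, dst, amt in transfers if src == cur and dst != MIXER]
        if not outs:
            return None
        _, cur = max(outs)
        path.append(cur)
        if cur in OFFRAMP:
            return path
    return None
```

Running `mixer_withdrawal_candidates(TRANSFERS, {"hacker_collect", "hacker_side"})` flags only `fresh_a`, and `trace_to_offramp(TRANSFERS, "fresh_a")` walks it to the exchange deposit label; the small unrelated withdrawal stays below the threshold.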
Under the continuous and large-scale attacks by Lazarus Group, the Web3 industry faces significant security challenges.