North Korean hacker group Lazarus Group steals 3.6 billion dollars, money laundering methods revealed.
Analysis of the Cryptocurrency Attacks and Money Laundering Techniques of the North Korean Hacker Group Lazarus Group
A confidential United Nations report reveals that the North Korean hacker group Lazarus Group stole funds from a crypto asset exchange last year and laundered $147.5 million through a certain virtual currency platform in March this year.
The United Nations Security Council sanctions committee's inspector is investigating 97 suspected cyber attacks by North Korean hackers against crypto asset companies between 2017 and 2024, involving approximately $3.6 billion. This includes the $147.5 million theft from a certain crypto asset exchange at the end of last year, for which the money laundering process was completed in March this year.
In 2022, the United States imposed sanctions on the virtual currency platform. The following year, two co-founders of the platform were charged with assisting in the laundering of over $1 billion, including funds tied to the Lazarus Group, a cybercrime organization linked to North Korea.
A study by a crypto asset investigation expert shows that the Lazarus Group converted $200 million worth of crypto assets into fiat currency between August 2020 and October 2023.
The Lazarus Group has long been accused of conducting large-scale cyber attacks and financial crimes. Its targets are diverse, including banking systems, crypto asset exchanges, government agencies, and private enterprises. The following sections analyze several typical attack cases and show how the Lazarus Group carries out these attacks through complex strategies and technical means.
Social Engineering and Phishing Attacks by the Lazarus Group
According to European media reports, Lazarus has targeted military and aerospace companies in Europe and the Middle East. They posted fake job advertisements on social media platforms to lure employees into downloading PDFs containing malicious executable files, thereby conducting phishing attacks.
This type of attack attempts to exploit psychological manipulation to lure victims into lowering their guard and performing dangerous actions such as clicking links or downloading files. Their malware can target vulnerabilities in the victim's system and steal sensitive information.
In a six-month attack against a certain crypto asset payment provider, Lazarus employed similar methods, resulting in the theft of 37 million dollars from the company. Throughout the process, they sent fake job opportunities to engineers, launched distributed denial-of-service attacks, and attempted brute-force cracking by trying many possible passwords.
Multiple Hacker Attacks on Crypto Asset Exchanges
From August to October 2020, multiple crypto asset exchanges and projects were attacked:
The funds from these attack incidents converged at the same address in early 2021. Subsequently, the attackers deposited large amounts of ETH through a mixing service and withdrew them successively over a few days. By 2023, these funds had undergone multiple transfers and exchanges, ultimately converging at the withdrawal address for funds collected from other security incidents.
The Founder of a Certain Insurance Project Was Attacked by a Hacker
On December 14, 2020, the founder of an insurance project was attacked by a hacker, resulting in a loss of 370,000 NXM (approximately $8.3 million). The attacker transferred and exchanged the stolen funds through multiple addresses, performing operations such as money laundering, dispersing, and aggregating funds. Some of the funds were transferred cross-chain to the Bitcoin network, then moved back to the Ethereum network, subsequently obfuscated through a mixing platform, and finally sent to a withdrawal platform.
From December 16 to 20, 2020, a hacker address sent over 2500 ETH to a certain mixing service. A few hours later, another related address began withdrawal operations.
From May to July 2021, the attacker transferred 11 million USDT to the deposit address of a certain trading platform. From February to June 2023, the attacker again sent over 11 million USDT to the deposit addresses of two different trading platforms through different addresses.
Recent Attack Events
In August 2023, two new attacks occurred, involving the theft of 624 ETH and 900 ETH. The stolen funds were transferred to a mixing service. Subsequently, the funds were withdrawn to several new addresses and consolidated into a single address on October 12, 2023.
In November 2023, this unified address began transferring funds, ultimately sending the funds to the deposit addresses of two major trading platforms through intermediaries and exchanges.
Summary
The money laundering model of the Lazarus Group shows certain patterns: after stealing crypto assets, they mainly obfuscate the source of funds through repeated cross-chain transfers and mixing services. After obfuscation, they withdraw the assets to a target address and send them to a fixed group of addresses for withdrawal operations. The stolen crypto assets are usually deposited into specific exchange deposit addresses and then exchanged for fiat currency through over-the-counter trading services.
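The convergence pattern described above (funds from separate incidents meeting at one address before a mixer or exchange deposit) can be checked with a forward trace over a transfer list. The following is an added example, not code from the original article or from any investigator it cites; every address, label and amount is constructed, and the function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample data: every address, label and amount below is invented.
TRANSFERS = [  # (sender, receiver, amount in ETH)
    ("theft_A", "hop_1", 400), ("hop_1", "collector", 400),
    ("theft_B", "hop_2", 250), ("hop_2", "collector", 250),
    ("theft_C", "hop_3", 90), ("hop_3", "exchange_deposit_1", 90),
    ("collector", "mixer", 650),
    ("mixer", "fresh_1", 100), ("fresh_1", "exchange_deposit_2", 100),
]
SEEDS = {"incident_A": "theft_A", "incident_B": "theft_B", "incident_C": "theft_C"}
# Labelled shared services: record that funds arrived, but never trace through them.
SERVICES = {"mixer": "mixer", "exchange_deposit_1": "exchange",
            "exchange_deposit_2": "exchange"}

def trace(seed, transfers, services):
    """Breadth-first forward trace; returns (private addresses, services reached)."""
    graph = defaultdict(list)
    for src, dst, _ in transfers:
        graph[src].append(dst)
    seen, hit, queue = {seed}, set(), deque([seed])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt in services:
                hit.add(nxt)  # stop here: pooled funds cannot be attributed
            elif nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {seed}, hit

def convergence(seeds, transfers, services):
    """Map each address reached from two or more incidents to those incidents."""
    reached_by = defaultdict(set)
    for incident, seed in seeds.items():
        for addr in trace(seed, transfers, services)[0]:
            reached_by[addr].add(incident)
    return {a: sorted(i) for a, i in reached_by.items() if len(i) > 1}

def service_exposure(seeds, transfers, services):
    """Which labelled services each incident's funds reached directly."""
    return {inc: sorted(trace(seed, transfers, services)[1])
            for inc, seed in seeds.items()}

if __name__ == "__main__":
    print(convergence(SEEDS, TRANSFERS, SERVICES))
    print(service_exposure(SEEDS, TRANSFERS, SERVICES))
```

Stopping at labelled services keeps unrelated mixer or exchange users from being linked to an incident; tying a mixer withdrawal back to a deposit needs separate timing and amount evidence.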
The continuous, large-scale attacks by the Lazarus Group pose severe security challenges for the Web3 industry. Relevant agencies are continuously monitoring this hacker group and tracking its money laundering methods to assist project teams, regulators, and law enforcement in combating such crimes and recovering stolen assets.