North Korea's Lazarus Group laundered $200 million; UN reveals a $3.6 billion crypto asset theft case


Analysis of the Crypto Asset Theft and Money Laundering Activities of the North Korean Hacker Group Lazarus Group

A confidential report from the United Nations reveals that the North Korean hacker group Lazarus Group stole funds from a crypto asset exchange last year and laundered $147.5 million through a virtual currency platform in March of this year.

Inspectors for the United Nations Security Council Sanctions Committee are investigating 97 suspected cyber attacks by North Korean hackers against crypto asset companies between 2017 and 2024, involving approximately $3.6 billion. These attacks include the incident at a crypto asset exchange at the end of last year, in which $147.5 million was stolen; the funds were subsequently laundered in March of this year.

In 2022, the United States imposed sanctions on the virtual currency platform. The following year, its two co-founders were accused of assisting in the money laundering of over $1 billion, including funds related to the North Korean cybercrime organization Lazarus Group.

An investigation by a crypto asset detective shows that the Lazarus Group laundered $200 million worth of crypto assets into fiat currency between August 2020 and October 2023.

The Lazarus Group has long been accused of conducting large-scale cyber attacks and financial crimes. Their targets span the globe, involving various sectors such as banking systems, crypto asset exchanges, government agencies, and private enterprises.

The most audacious crypto asset theft gang in history? Detailed analysis of the hacker organization Lazarus Group's money laundering methods

The Attack Methods of Lazarus Group

Social Engineering and Phishing Attacks

The Lazarus Group has targeted military and aerospace companies in Europe and the Middle East, deceiving employees with fake job postings on social platforms. Job seekers were asked to download a PDF containing executable files, which is how the phishing attack was carried out.

These social engineering and phishing attacks use psychological manipulation to trick victims into lowering their guard and performing actions that jeopardize security, such as clicking links or downloading files. Their malware can target vulnerabilities in the victim's system and steal sensitive information.

The Lazarus Group also launched a six-month attack against a crypto asset payment provider, resulting in the theft of $37 million from the company. Throughout the process, they sent fake job offers to engineers, initiated distributed denial-of-service attacks, and attempted password brute-forcing.

Multiple Hacker Attacks on Crypto Asset Exchanges

The Lazarus Group has been involved in multiple attacks on cryptocurrency exchanges and related platforms, including:

  1. On August 24, 2020, a wallet of a Canadian crypto asset exchange was hacked.
  2. On September 11, 2020, a platform experienced an unauthorized transfer of $400,000 due to a private key leak.
  3. On October 6, 2020, $750,000 worth of crypto assets was stolen from a hot wallet on a platform.

The funds from these incidents ultimately converged on a specific address and were laundered through a mixing platform. The attacker transferred and exchanged the funds multiple times before finally sending them to a specific deposit address.


Targeted High-Value Attacks on Individuals

On December 14, 2020, the founder of a mutual insurance platform was attacked by a hacker, resulting in the theft of 370,000 NXM (worth $8.3 million). The attacker transferred and exchanged the funds through a series of addresses, with some funds obfuscated through cross-chain operations. Ultimately, these funds were also sent to specific deposit addresses.

Latest Attack Incident

In 2023, the Lazarus Group launched attacks against a DeFi platform and a crypto asset management tool. The stolen funds were also laundered through mixing platforms, eventually converging on a specific address and then being transferred to a fixed deposit address.


Money Laundering Patterns Summary

The money laundering methods of the Lazarus Group mainly include the following steps:

  1. After stealing crypto assets, obfuscate funds through cross-chain operations and mixing platforms.
  2. Withdraw the obfuscated funds to the target address.
  3. Send funds to a fixed group of addresses for withdrawal operations.
  4. Convert crypto assets into fiat currency through OTC services.

This ongoing, large-scale attack poses a serious security threat to the Web3 industry. Relevant institutions are continuously monitoring the dynamics of this hacker group and working to trace their money laundering methods to assist project teams, regulatory bodies, and law enforcement in combating such crimes and recovering stolen assets.
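
The convergence described in the steps above (funds from separate thefts ending up at the same collection and deposit addresses) is something a tracer can check mechanically. The following is an added example, not code from the original article or from any investigator it mentions: it forward-traces constructed transfer records from each theft wallet and reports the addresses fed by more than one incident. All addresses, amounts, and function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed transfer records (sender, receiver, amount); every address is a made-up label.
# Edges out of "mixer_out_*" assume an analyst has already attributed that mixer
# withdrawal to an incident; the chain itself does not prove that link.
TRANSFERS = [
    ("theft_A", "hop_A1", 500), ("hop_A1", "mixer_out_A", 500),
    ("mixer_out_A", "collector", 490), ("theft_B", "hop_B1", 900),
    ("hop_B1", "bridge_B", 900), ("bridge_B", "mixer_out_B", 890),
    ("mixer_out_B", "collector", 890), ("collector", "deposit_1", 700),
    ("collector", "deposit_2", 680), ("theft_C", "hop_C1", 100),
    ("hop_C1", "unrelated_sink", 100),
]
INCIDENT_SOURCES = {"incident_A": "theft_A", "incident_B": "theft_B", "incident_C": "theft_C"}

def build_graph(transfers):
    graph = defaultdict(set)
    for sender, receiver, _amount in transfers:
        graph[sender].add(receiver)
    return graph

def reachable(graph, start):
    """Breadth-first forward trace: every address that funds from `start` can reach."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:  # the seen set also stops loops in the transfer graph
                seen.add(nxt)
                queue.append(nxt)
    return seen

def convergence_points(transfers, sources, min_incidents=2):
    """Map each address fed by at least `min_incidents` incidents to those incidents."""
    graph = build_graph(transfers)
    hits = defaultdict(set)
    for incident, start in sources.items():
        for addr in reachable(graph, start):
            hits[addr].add(incident)
    return {a: sorted(i) for a, i in hits.items() if len(i) >= min_incidents}

def deposit_candidates(transfers, sources):
    """Shared addresses with no outgoing transfer: candidate off-ramp deposit addresses."""
    graph = build_graph(transfers)
    return sorted(a for a in convergence_points(transfers, sources) if not graph.get(a))
```

On the constructed data, incidents A and B share the collector and both deposit addresses, while incident C never joins them.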

ExpectationFarmervip
· 08-10 23:38
Wow! This technology is really advanced.
OnchainDetectiveBingvip
· 08-10 23:36
Traditional hackers are all younger brothers; they are the true hardcore.
MetaMiseryvip
· 08-10 23:34
Oh my, it's the Dapeng Golden-winged Sparrow again.
SilentObservervip
· 08-10 23:26
These people are really professional, no doubt about it.
GasGuzzlervip
· 08-10 23:22
Do you understand the technology? You can't even clean the money.
LiquidatedAgainvip
· 08-10 23:22
Three years of Rekt experience, liquidated every week! Following me to buy the dip is guaranteed to lose money, no talk of wealth codes, only discussing losing money cases.
RugpullAlertOfficervip
· 08-10 23:13
Wow, they are trying to scam again. I'm outta here.