North Korean Hacker Lazarus Group Steals $147.5 Million in Crypto Assets: Method Revealed
North Korean hacker group Lazarus Group's crypto asset attacks and money laundering techniques
A recent confidential report from the United Nations reveals a series of cyber attacks by the North Korean hacker group Lazarus Group. The report shows that after stealing funds from a crypto asset exchange last year, the group laundered $147.5 million through a virtual currency platform in March this year.
Monitors for the United Nations Security Council Sanctions Committee are investigating 97 suspected cyber attacks by North Korean hackers on crypto asset companies between 2017 and 2024, involving amounts as high as $3.6 billion. These attacks include the $147.5 million theft from a crypto asset exchange at the end of last year, with the related funds subsequently laundered in March of this year.
It is worth noting that the U.S. government imposed sanctions on the virtual currency platform in 2022. In 2023, two co-founders of the platform were accused of assisting in the laundering of over $1 billion, including funds linked to the North Korean cybercrime organization Lazarus Group.
According to research by crypto asset investigators, the Lazarus Group successfully converted $200 million worth of crypto assets into fiat currency between August 2020 and October 2023.
The Lazarus Group has long been regarded as one of the most active cyber attack and financial crime groups globally. Their attack targets span multiple sectors, from banking systems to crypto exchanges, from government agencies to private enterprises.
Attack Methods of the Lazarus Group
Social engineering and phishing attacks
The Lazarus Group has targeted military and aerospace companies in Europe and the Middle East. They posted fake job advertisements on social media platforms to lure job seekers into downloading PDF files containing malicious code, thereby executing phishing attacks. This form of social engineering and phishing attack aims to exploit psychological manipulation, causing victims to let their guard down and perform risky actions such as clicking on links or downloading files.
Their malware can exploit vulnerabilities in victims' systems to steal sensitive information. In a six-month operation targeting a certain crypto asset payment provider, the Lazarus Group used a similar approach, resulting in a loss of 37 million dollars for the company.
Multiple hacking incidents at crypto asset exchanges
From August to October 2020, the Lazarus Group attacked multiple crypto asset exchanges and projects, including a Canadian exchange, Unibright, and CoinMetro. These attacks resulted in hundreds of thousands of dollars in stolen crypto assets.
The hackers aggregated the stolen funds at specific addresses and then, through multiple transfers and obfuscation operations, ultimately sent the funds to certain deposit addresses for withdrawal.
Precision attacks against high-value targets
In December 2020, the founder of a mutual insurance protocol suffered a hacker attack, losing NXM coins worth $8.3 million. The attacker converted the stolen funds into fiat currency through a series of complex fund transfers, cross-chain operations, and coin mixing processes.
Money Laundering Methods of the Lazarus Group
Fund obfuscation: Hiding the source of funds through multiple transfers and cross-chain operations.
Use of mixing services: Heavily using a certain mixing platform to further obfuscate the flow of funds.
Cross-chain operations: Transferring funds between different blockchain networks, increasing tracking difficulty.
Fund dispersal and collection: Dispersing the stolen funds to multiple addresses, and then gradually collecting them at a specific address.
Withdrawal through a specific platform: Finally, sending the obfuscated funds to a fixed deposit address for withdrawal.
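For investigators and exchange compliance teams, the dispersal-then-collection step in the list above can be flagged with a forward taint pass over a transfer ledger. The following is an added example, not taken from the UN report or the original article; the addresses, amounts and function names are constructed, and the transfer list is assumed to be in chronological order.

```python
from collections import defaultdict

# Constructed sample data: (sender, receiver, amount), oldest first.
# All addresses and amounts are placeholders, not real indicators.
TRANSFERS = [
    ("b1", "shop", 10),          # predates the theft, so b1 is still clean here
    ("theft", "a1", 40), ("theft", "a2", 35), ("theft", "a3", 25),  # dispersal
    ("a1", "b1", 40), ("a2", "b2", 35), ("a3", "b3", 25),           # extra hops
    ("x9", "deposit", 5),        # unrelated customer deposit
    ("b1", "deposit", 39), ("b2", "deposit", 34), ("b3", "deposit", 24),  # collection
]

def trace(transfers, source):
    """Single chronological pass that follows funds forward from `source`.

    Returns (branches, inflow): branches[addr] is the set of first-hop
    addresses whose funds reached addr; inflow[addr] sums transfers received
    from already-tainted senders (an upper bound, since every outflow of a
    tainted address is counted as tainted).
    """
    branches, inflow = {}, defaultdict(int)
    for sender, receiver, amount in transfers:
        if sender == source:
            tags = {receiver}                 # each first hop opens a new branch
        else:
            tags = set(branches.get(sender, ()))
            if not tags:
                continue                      # sender not tainted at this point
        branches.setdefault(receiver, set()).update(tags)
        inflow[receiver] += amount
    return branches, dict(inflow)

def collection_points(transfers, source, min_branches=2):
    """Addresses where at least `min_branches` dispersal branches reconverge."""
    branches, inflow = trace(transfers, source)
    return {addr: (len(tags), inflow[addr])
            for addr, tags in branches.items() if len(tags) >= min_branches}

if __name__ == "__main__":
    for addr, (n, total) in collection_points(TRANSFERS, "theft").items():
        print(f"{addr}: {n} branches reconverge, tainted inflow <= {total}")
```

Mixers and cross-chain transfers, also listed above, break a single-ledger trace like this one, so it covers only the dispersal and collection step.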
Conclusion
The ongoing large-scale attacks by the Lazarus Group pose a serious security threat to the Web3 industry. As their methods of attack continue to evolve, project parties, regulatory agencies, and law enforcement need to strengthen cooperation to jointly address this challenge, protect user asset security, and maintain healthy industry development.