North Korean Lazarus Hackers Employing Decentralized Networks for Money Laundering
State-backed North Korean cybercrime group Lazarus has reportedly engaged in several significant blockchain exploits in recent years. Now, emerging evidence suggests that hackers are consolidating their ill-gotten gains from various exploits and resorting to decentralized networks for money laundering.
Blockchain analysts zachXBT and Tayvano have identified a direct link between crypto funds stolen from the Harmony bridge, Atomic Wallet, CoinsPaid, and Alphapo hacks. The total value of the stolen funds is estimated to be around $290 million.
Lazarus Group Allegedly Consolidates and Launders Stolen Crypto via Decentralized Networks
The methods employed in these attacks and the subsequent movement of stolen assets into specific wallets have led experts in blockchain security to strongly suspect the involvement of the Lazarus group.
Tracing the flow of funds on-chain, the researchers discovered that the hackers transferred $8.5 million worth of stolen crypto across 300 addresses on three different blockchains. The entire laundering process spanned five hours and involved the division of 4,600 ETH into 125 new Ethereum addresses. Subsequently, these funds were transferred to Avalanche and then converted to Bitcoin. According to Tayvano, approximately 290 BTC now resides in 125 Bitcoin addresses, each holding between one and three BTC.
What is particularly striking is that during this operation a total of 514 transactions moved stolen funds from Ethereum to Avalanche or from Avalanche to Bitcoin, using the same laundering services throughout. Of these, 500 involved assets stolen from Alphapo, CoinsPaid, and Atomic Wallet.
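One defensive heuristic for the fan-out pattern described above (a single wallet spraying its balance into many never-before-seen addresses within a short window) follows as an added example in Python; it is not code from the article or from the analysts it cites. The transfer records, addresses and thresholds are constructed; a real deployment would feed it transfers pulled from a chain indexer.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers for illustration only (not real on-chain data).
# Each record: (timestamp, chain, sender, recipient, amount in native units).
T0 = datetime(2023, 8, 2, 22, 0)
SAMPLE_TRANSFERS = [
    # benign: an exchange paying two customers, one of whom later sends funds back
    (T0, "ethereum", "0xexchange", "0xcust1", 2.0),
    (T0 + timedelta(minutes=5), "ethereum", "0xexchange", "0xcust2", 1.5),
    (T0 + timedelta(minutes=9), "ethereum", "0xcust1", "0xexchange", 2.0),
] + [
    # suspicious: one wallet splits its balance across six never-before-seen
    # addresses in 25 minutes, the fan-out shape described in the article
    (T0 + timedelta(minutes=10 + 5 * i), "ethereum", "0xsrc", f"0xfresh{i}", 20.0)
    for i in range(6)
]

def find_fan_outs(transfers, min_outputs=5, window=timedelta(hours=5)):
    """Flag senders that move funds to at least `min_outputs` previously unseen
    addresses within `window`. A recipient is 'fresh' if it has not appeared in
    any earlier record (as sender or recipient). Returns one finding per sender."""
    seen = set()
    fresh_sends = defaultdict(list)  # (chain, sender) -> [(ts, recipient, amount)]
    for ts, chain, sender, recipient, amount in sorted(transfers, key=lambda r: r[0]):
        if recipient not in seen:
            fresh_sends[(chain, sender)].append((ts, recipient, amount))
        seen.update((sender, recipient))

    findings = []
    for (chain, sender), sends in fresh_sends.items():
        # sends are time-ordered; find the densest cluster that fits in the window
        best = []
        for i, (start, _, _) in enumerate(sends):
            cluster = [s for s in sends[i:] if s[0] - start <= window]
            if len(cluster) > len(best):
                best = cluster
        if len(best) >= min_outputs:
            findings.append({
                "chain": chain,
                "sender": sender,
                "fresh_recipients": len(best),
                "total": round(sum(s[2] for s in best), 6),
                "span_minutes": int((best[-1][0] - best[0][0]).total_seconds() // 60),
            })
    return findings
```

Running `find_fan_outs(SAMPLE_TRANSFERS)` on the constructed data reports only `0xsrc`; the exchange's two payments to new customers stay below the threshold, which is the knob an analyst tunes against a chain's normal traffic.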
Remarkably, this is the fifth time in recent weeks that the Lazarus group has reportedly laundered millions of dollars through similar tactics.
A few nights back, @zachxbt and I stumbled on a crazy direct link btwn funds stolen from Coinspaid/Alphapo <> Atomic Wallet <> Harmony.
Last night, ~$8.5m of the funds from Coinspaid/Alphapo (w/ some leftovers from Atomic Wallet) went flying across 300+ addies on 3 chains.
— Tay 💖 (@tayvano_) August 3, 2023
The trail of these laundered funds ultimately leads to over-the-counter (OTC) traders operating on the Tron network, according to zachXBT.
Where do you think all this money goes? Is it linked to some warmonger, or is it just funding criminals' lavish mortgage payments?
— Pixel Buddy Jam™ ⭕ (@PixelBuddyJam) August 1, 2023
Earlier this year, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on three individuals in China for their involvement in Lazarus’ money laundering activities. Among them, two were OTC crypto traders based in China and Hong Kong who converted millions of stolen cryptocurrencies into fiat currency on behalf of Lazarus. The third individual facilitated coordination with the OTC traders to support weapons production and purchase goods on behalf of the North Korean government through the OFAC-sanctioned entity Korea Kwangson Banking Corp (KKBC).
As the Lazarus group continues to demonstrate its ability to exploit blockchain vulnerabilities, authorities and security experts remain vigilant in their efforts to mitigate cyber threats and safeguard the integrity of the digital asset space. The ongoing pursuit of these malicious actors and their accomplices reflects the importance of international cooperation in combatting cybercrime and ensuring a secure environment for the global crypto community.