The most rampant cryptocurrency theft gang in history? A detailed analysis of the money laundering methods used by the hacker organization Lazarus Group

Beosin
2024-06-11 14:34:23
This article will focus on analyzing several typical attack cases, revealing how the Lazarus Group successfully carried out these astonishing attacks through its complex strategies and technical means.

Author: Beosin

Previously, a confidential United Nations report obtained by Reuters revealed that the North Korean hacker group Lazarus Group laundered $147.5 million through the virtual currency platform Tornado Cash in March this year after stealing funds from a cryptocurrency exchange last year.

In a document submitted earlier, the monitors informed the UN Security Council Sanctions Committee that they had been investigating 97 suspected cyberattacks by North Korean hackers targeting cryptocurrency companies between 2017 and 2024, with a total value of approximately $3.6 billion. This includes an attack at the end of last year, where $147.5 million was stolen from the HTX cryptocurrency exchange and subsequently laundered in March this year.

The United States imposed sanctions on Tornado Cash in 2022, and in 2023, two of its co-founders were charged with assisting in the laundering of over $1 billion, including funds related to the North Korean cybercrime organization Lazarus Group.

According to an investigation by cryptocurrency detective ZachXBT, Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency from August 2020 to October 2023.

In the field of cybersecurity, Lazarus Group has long been accused of conducting large-scale cyberattacks and financial crimes. Their targets are not limited to specific industries or regions but span globally, from banking systems to cryptocurrency exchanges, from government agencies to private enterprises. Next, we will focus on analyzing several typical attack cases, revealing how Lazarus Group successfully executed these astonishing attacks through its complex strategies and technical means.


Lazarus Group's Use of Social Engineering and Phishing Attacks

This case comes from reports by European media: Lazarus previously targeted military and aerospace companies in Europe and the Middle East, posting job advertisements on platforms such as LinkedIn to deceive employees, asking job seekers to download a PDF containing an executable file, and then carrying out phishing attacks.

Both social engineering and phishing attacks attempt to exploit psychological manipulation to lure victims into lowering their guard and performing actions such as clicking links or downloading files, thereby jeopardizing their security.

Their malware enables the operators to exploit vulnerabilities in the victim's system and steal sensitive information.

Lazarus used similar methods in a six-month operation against the cryptocurrency payment provider CoinsPaid, resulting in a theft of $37 million from CoinsPaid.

Throughout the operation, the group sent fake job offers to engineers, launched distributed denial-of-service attacks, and attempted brute-force logins by submitting large numbers of candidate passwords.
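As an added defensive illustration of the lure described above (this is not part of the original article and not Beosin's tooling), the following Python heuristic triages a PDF for the features that usually accompany an embedded executable: file specifications whose declared name has an executable extension, /EmbeddedFile streams, /Launch and /OpenAction entries, and JavaScript. The two PDF byte strings are constructed for the example; real lures typically compress their object streams, so a production scanner would inflate /FlateDecode streams before applying these patterns.

```python
"""Heuristic PDF lure triage (added example; constructed samples, not a
real Lazarus document). Scans raw PDF bytes for name objects that commonly
accompany an embedded executable or auto-run behaviour."""
import re
from dataclasses import dataclass

# Name objects of interest. Patterns run over the raw bytes; object streams
# compressed with /FlateDecode would have to be inflated first.
INDICATORS = {
    "embedded_file": re.compile(rb"/Type\s*/EmbeddedFile"),
    "launch_action": re.compile(rb"/S\s*/Launch"),
    "javascript": re.compile(rb"/(?:JS|JavaScript)\b"),
    "open_action": re.compile(rb"/OpenAction\b"),
}
# /F (name) or /UF (name) inside a file specification dictionary.
FILESPEC_NAME = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".hta", ".lnk", ".msi")


@dataclass
class TriageResult:
    indicators: dict            # indicator name -> number of matches
    attachment_names: list      # declared names of embedded files
    executable_attachments: list
    score: int                  # crude priority score for analyst queueing


def triage_pdf(data: bytes) -> TriageResult:
    hits = {name: len(rx.findall(data)) for name, rx in INDICATORS.items()}
    # dict.fromkeys de-duplicates /F and /UF entries naming the same file
    names = list(dict.fromkeys(m.decode("latin-1")
                               for m in FILESPEC_NAME.findall(data)))
    execs = [n for n in names if n.lower().endswith(EXEC_EXTENSIONS)]
    score = sum(1 for count in hits.values() if count) + 2 * len(execs)
    return TriageResult(hits, names, execs, score)


# Constructed lure: a "job description" PDF that embeds a .exe and launches
# it when the document is opened. The embedded payload is a two-byte stub.
SAMPLE_LURE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (Job_Description.pdf.exe) "
    b"/UF (Job_Description.pdf.exe) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nMZ\nendstream endobj\n"
    b"5 0 obj << /S /Launch /F 3 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign document with no attachments or actions.
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_pdf(sample))
```

The score is only a queueing aid: an /OpenAction alone is common in legitimate documents, whereas a file specification ending in .exe combined with a /Launch action is the combination worth pulling for manual analysis.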

Attacks on CoinBerry, Unibright, and Others

On August 24, 2020, the wallet of the Canadian cryptocurrency exchange CoinBerry was hacked.

Hacker address:

0xA06957c9C8871ff248326A1DA552213AB26A11AE

On September 11, 2020, Unibright experienced unauthorized transfers of $400,000 from multiple wallets controlled by the team due to private key leakage.

Hacker address:

0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43

On October 6, 2020, $750,000 worth of crypto assets were transferred without authorization from CoinMetro's hot wallet as a result of a security vulnerability.

Hacker address:

0x044bf69ae74fcd8d1fc11da28adbad82bbb42351

Beosin KYT: Flowchart of Stolen Funds

At the beginning of 2021, the funds from various attack incidents were consolidated into the following address:

0x0864b5ef4d8086cd0062306f39adea5da5bd2603

On January 11, 2021, the 0x0864b5 address deposited 3000 ETH into Tornado Cash, and then again deposited over 1800 ETH into Tornado Cash through the address 0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129.

Subsequently, from January 11 to January 15, nearly 4500 ETH were withdrawn from Tornado Cash to the address 0x05492cbc8fb228103744ecca0df62473b2858810.

By 2023, after multiple transfers and exchanges, the attackers ultimately consolidated the funds into cash-out addresses that were also linked to earlier security incidents. According to the fund-tracking chart, the attackers gradually sent the stolen funds to the Noones deposit address and the Paxful deposit address.

Nexus Mutual Founder (Hugh Karp) Hacked

On December 14, 2020, Nexus Mutual founder Hugh Karp was hacked for 370,000 NXM (approximately $8.3 million).


Beosin KYT: Flowchart of Stolen Funds

The stolen funds were transferred between the following addresses and exchanged for other currencies.

0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1

0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b

0x09923e35f19687a524bbca7d42b92b6748534f25

0x0784051d5136a5ccb47ddb3a15243890f5268482

0x0adab45946372c2be1b94eead4b385210a8ebf0b

Lazarus Group used these addresses to obfuscate, split, and consolidate funds. For example, some funds were bridged to the Bitcoin chain, transferred back to the Ethereum chain through a series of transfers, passed through a mixing platform, and then sent to a cash-out platform.

From December 16 to December 20, 2020, one of the hacker addresses, 0x078405, sent over 2500 ETH to Tornado Cash. A few hours later, the address 0x78a9903af04c8e887df5290c91917f71ae028137 began withdrawing from Tornado Cash; it was linked to the deposits through correlation of transaction characteristics.

The hacker transferred some funds to the cash-out addresses involved in the previous incident through transfers and exchanges.

Subsequently, from May to July 2021, the attackers transferred 11 million USDT to the Bixin deposit address.

From February to March 2023, the attackers sent 2.77 million USDT to the Paxful deposit address through the address 0xcbf04b011eebc684d380db5f8e661685150e3a9e.

From April to June 2023, the attackers sent 8.4 million USDT to the Noones deposit address through the address 0xcbf04b011eebc684d380db5f8e661685150e3a9e.

Steadefi and CoinShift Hacker Attacks

Beosin KYT: Flowchart of Stolen Funds

Steadefi incident attack address:

0x9cf71f2ff126b9743319b60d2d873f0e508810dc

Coinshift incident attack address:

0x979ec2af1aa190143d294b0bfc7ec35d169d845c

In August 2023, 624 stolen ETH from the Steadefi incident were transferred to Tornado Cash, and in the same month, 900 stolen ETH from the Coinshift incident were transferred to Tornado Cash.

After transferring ETH to Tornado Cash, the funds were immediately withdrawn to the following addresses:

0x9f8941cd7229aa3047f05a7ee25c7ce13cbb8c41

0x4e75c46c299ddc74bac808a34a778c863bb59a4e

0xc884cf2fb3420420ed1f3578eaecbde53468f32e

On October 12, 2023, the funds withdrawn from Tornado Cash by the above three addresses were all sent to the address 0x5d65aeb2bd903bee822b7069c1c52de838f11bf8.

In November 2023, the 0x5d65ae address began transferring funds, ultimately sending the funds to the Paxful deposit address and the Noones deposit address through intermediaries and exchanges.

Incident Summary

The above describes the activity of the North Korean hacker group Lazarus Group over the past few years and summarizes its money laundering methods. After stealing crypto assets, Lazarus Group first obfuscates the funds through repeated cross-chain transfers and then deposits them into mixers such as Tornado Cash. After obfuscation, it withdraws the assets to target addresses and forwards them to a fixed set of cash-out addresses. Most of the previously stolen crypto assets were deposited into the Paxful deposit address and the Noones deposit address and then exchanged for fiat currency through OTC services.
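As an added example (not Beosin's KYT tooling, and using constructed addresses, labels, timestamps and amounts rather than the real ones cited in the three incident walkthroughs above), the Python below implements the tracing steps the summary describes: follow outflows from the theft addresses to a consolidation address, stop at the mixer contract where on-chain linkage ends, correlate mixer withdrawals with the linked deposits by timing and total amount, and then follow the candidate withdrawal addresses forward until the funds land on a labelled exchange deposit address. It generalizes the three walkthroughs into one reusable pipeline.

```python
"""Fund-flow tracing over constructed transfer records (added example,
not Beosin KYT). Reproduces the pattern described in the article:
consolidation -> mixer deposit -> time-correlated withdrawal -> cash-out
at a labelled exchange deposit address."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    amount: float  # constructed ETH amounts


# Placeholder labels; a real tracer would pull these from an attribution database.
MIXER = "0xMIXER_CONTRACT"
LABELS = {
    "0xEXCHANGE_A_DEPOSIT": "exchange-A deposit",
    "0xEXCHANGE_B_DEPOSIT": "exchange-B deposit",
}


def t(hours: int) -> datetime:
    """Constructed timeline: hours after an arbitrary epoch."""
    return datetime(2024, 1, 1) + timedelta(hours=hours)


# Constructed ledger. Three theft addresses consolidate, the consolidation
# address deposits into the mixer, and 100-unit withdrawals follow.
TRANSFERS = [
    Transfer(t(0), "0xHACK1", "0xCONSOL", 1200.0),
    Transfer(t(1), "0xHACK2", "0xCONSOL", 800.0),
    Transfer(t(2), "0xHACK3", "0xCONSOL", 1000.0),
    Transfer(t(3), "0xCONSOL", MIXER, 3000.0),
    Transfer(t(10), MIXER, "0xBYSTANDER", 100.0),  # unrelated user in the same window
    Transfer(t(34), MIXER, "0xOTHER", 100.0),      # would exceed the linked deposit total
    Transfer(t(400), MIXER, "0xLATE", 100.0),      # outside the correlation window
    Transfer(t(48), "0xWITHDRAW", "0xHOP", 2900.0),
    Transfer(t(72), "0xHOP", "0xEXCHANGE_A_DEPOSIT", 2000.0),
    Transfer(t(73), "0xHOP", "0xEXCHANGE_B_DEPOSIT", 900.0),
    Transfer(t(80), "0xBYSTANDER", "0xSHOP", 100.0),
] + [Transfer(t(5 + i), MIXER, "0xWITHDRAW", 100.0) for i in range(29)]


def forward_closure(seeds, transfers, terminals):
    """Follow outgoing transfers from the seed addresses. Returns the set of
    reached addresses and the transfers that landed on a terminal address
    (e.g. the mixer contract, where on-chain linkage stops)."""
    seen, queue, hits = set(seeds), deque(seeds), []
    while queue:
        addr = queue.popleft()
        for tr in transfers:
            if tr.src != addr:
                continue
            if tr.dst in terminals:
                hits.append(tr)
            elif tr.dst not in seen:
                seen.add(tr.dst)
                queue.append(tr.dst)
    return seen, hits


def correlate_withdrawals(deposits, transfers, mixer, window):
    """Timing heuristic: mixer withdrawals inside `window` after the linked
    deposits, accepted in time order until their sum reaches the deposited
    total. Produces candidates only; an unrelated user withdrawing in the
    same window is a false positive that later steps must clear."""
    if not deposits:
        return {}
    start = min(d.ts for d in deposits)
    end = max(d.ts for d in deposits) + window
    budget = sum(d.amount for d in deposits)
    spent, out = 0.0, defaultdict(float)
    for tr in sorted(transfers, key=lambda x: x.ts):
        if tr.src == mixer and start <= tr.ts <= end and spent + tr.amount <= budget:
            spent += tr.amount
            out[tr.dst] += tr.amount
    return dict(out)


def trace_to_cashout(candidates, transfers, labels):
    """Follow candidate withdrawal addresses until funds reach a labelled
    exchange deposit address; returns label -> amount delivered."""
    _, hits = forward_closure(candidates, transfers, terminals=set(labels))
    totals = defaultdict(float)
    for tr in hits:
        totals[labels[tr.dst]] += tr.amount
    return dict(totals)


def trace(seeds, transfers=TRANSFERS, window=timedelta(hours=48)):
    """Run the full pipeline from theft addresses to labelled cash-out points."""
    linked, deposits = forward_closure(seeds, transfers, terminals={MIXER})
    candidates = correlate_withdrawals(deposits, transfers, MIXER, window)
    cashout = trace_to_cashout(list(candidates), transfers, LABELS)
    return {
        "linked": linked,
        "mixer_deposits": sum(d.amount for d in deposits),
        "candidates": candidates,
        "cashout": cashout,
    }


if __name__ == "__main__":
    for key, value in trace(["0xHACK1", "0xHACK2", "0xHACK3"]).items():
        print(f"{key}: {value}")
```

On the constructed ledger the bystander address is picked up by the timing heuristic but never reaches a labelled deposit address, while the 2900 units correlated to the real withdrawal address arrive at the two exchange deposit labels. In practice the correlation step is combined with other transaction characteristics, and the exchange labels and any recovery action depend on the platform's own records.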

Under the continuous and large-scale attacks by Lazarus Group, the Web3 industry faces significant security challenges. Beosin continues to monitor this hacker group and will further track their dynamics and money laundering methods to assist project parties, regulatory and law enforcement agencies in combating such crimes and recovering stolen assets.
