Lazarus Group's latest money laundering methods exposed, tracking $147.5 million in funds.


Analysis of Money Laundering Methods by North Korean Hacker Group Lazarus Group

A recent confidential report from the United Nations has drawn widespread attention. The report shows that the hacker group Lazarus Group stole funds from a cryptocurrency exchange last year and laundered $147.5 million through a certain virtual currency platform in March of this year.

The UN Security Council Sanctions Committee's monitors are investigating 97 suspected cyberattacks by North Korean hackers against cryptocurrency companies that occurred between 2017 and 2024, involving amounts as high as $3.6 billion. This includes a $147.5 million theft from a cryptocurrency exchange at the end of last year, the laundering of which was completed in March this year.

It is worth noting that a certain coin-mixing platform was sanctioned in 2022, and the following year, its two co-founders were accused of assisting in the laundering of over $1 billion, including funds related to the Lazarus Group.

According to a survey by cryptocurrency analysts, the Lazarus Group converted $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.

The Lazarus Group has long been regarded as the mastermind behind large-scale cyber attacks and financial crimes worldwide. Their attack targets cover multiple areas, including banking systems, cryptocurrency exchanges, government agencies, and private enterprises.

The most rampant cryptocurrency theft gang in history? A detailed analysis of the money laundering methods of the hacker organization Lazarus Group

Attack Methods of the Lazarus Group

Social engineering and phishing attacks

The Lazarus Group has lured target company employees by posting fake job advertisements on social media platforms. They asked job seekers to download PDF files containing malicious code, thereby carrying out phishing attacks. This method has been used against military and aerospace companies in Europe and the Middle East.

In a six-month-long operation, the Lazarus Group used similar tactics to attack a cryptocurrency payment provider, resulting in a loss of $37 million for the latter. The attackers not only sent fake job offers to engineers but also initiated technical attacks such as distributed denial of service and attempted to brute-force passwords.

Multiple Cryptocurrency Exchange Hacking Incidents

From August to October 2020, multiple cryptocurrency-related platforms were attacked:

  • On August 24, a wallet from a Canadian cryptocurrency exchange was hacked.
  • On September 11, a project lost $400,000 in funds due to a private key leak.
  • On October 6, $750,000 worth of cryptocurrency assets were stolen from a hot wallet of a certain platform.

The stolen funds ultimately pooled into the same address and were laundered through a mixing platform in January 2021. After multiple transfers and exchanges, the funds were eventually sent to a specific withdrawal address.


Targeted High-Value Theft Against Individuals

On December 14, 2020, the personal wallet of the founder of a mutual insurance platform was attacked, resulting in a loss of 370,000 NXM tokens (approximately $8.3 million). The hacker transferred and exchanged the stolen funds through multiple addresses, with some funds even undergoing cross-chain operations. Ultimately, a large amount of funds was transferred to specific withdrawal addresses.

Latest Attack Cases

In August 2023, two different projects were attacked by hackers, resulting in a total of 1524 ETH stolen. The stolen funds also went through the money laundering process of a mixing platform, eventually gathering at the same address, and were subsequently transferred to a commonly used withdrawal address.


Money Laundering Model Summary

By analyzing multiple attack incidents of the Lazarus Group, we can summarize its main money laundering methods:

  1. Cross-chain transfer: Transfer stolen assets between different blockchains, increasing the difficulty of tracking.
  2. Use of mixers: Use mixing platforms extensively to obscure the source of funds.
  3. Fund consolidation: Concentrate the laundered funds at a specific address.
  4. Fixed withdrawal channels: Use a few fixed addresses for the final withdrawal operation.
  5. OTC trading: Convert crypto assets into fiat currency through over-the-counter trading.
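
For investigators tracing stolen funds, the consolidation and fixed-withdrawal patterns in items 3 and 4 can be checked mechanically. The following is an added example, not part of the original article: it walks constructed transfer records and reports addresses reached by funds from two or more separate thefts. All address labels and incident names are made up, and it assumes the sender-to-receiver links have already been established by tracing (mixer hops are not resolved here).

```python
from collections import defaultdict, deque

# Constructed sample data: (sender, receiver) pairs with made-up address labels.
TRANSFERS = [
    ("theft_A", "hop_1"), ("hop_1", "pool_X"),
    ("theft_B", "hop_2"), ("hop_2", "hop_3"), ("hop_3", "pool_X"),
    ("theft_C", "hop_4"), ("hop_4", "pool_X"),
    ("pool_X", "withdraw_1"),
    ("theft_D", "hop_5"), ("hop_5", "withdraw_1"),
    ("theft_E", "hop_6"), ("hop_6", "unrelated_sink"),
]
# Hypothetical mapping of each incident to the address that first held its funds.
INCIDENT_SOURCES = {
    "incident_1": "theft_A", "incident_2": "theft_B", "incident_3": "theft_C",
    "incident_4": "theft_D", "incident_5": "theft_E",
}

def reachable(graph, start):
    """Breadth-first search: every address downstream of `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def convergence_points(transfers, sources, min_incidents=2):
    """Addresses that receive funds traceable to >= min_incidents thefts."""
    graph = defaultdict(set)
    for sender, receiver in transfers:
        graph[sender].add(receiver)
    hits = defaultdict(set)
    for incident, addr in sources.items():
        for node in reachable(graph, addr):
            hits[node].add(incident)
    return {a: sorted(i) for a, i in hits.items() if len(i) >= min_incidents}

def terminal_withdrawals(transfers, points):
    """Convergence points that never send onward: candidate fixed withdrawal addresses."""
    senders = {s for s, _ in transfers}
    return sorted(a for a in points if a not in senders)

if __name__ == "__main__":
    points = convergence_points(TRANSFERS, INCIDENT_SOURCES)
    for addr, incidents in sorted(points.items()):
        print(addr, "<-", ", ".join(incidents))
    print("terminal:", terminal_withdrawals(TRANSFERS, points))
```

An address shared across otherwise unrelated incidents is a candidate for watchlisting and for linking cases to one actor; intermediate hops touched by a single incident are filtered out.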

The persistent attacks by the Lazarus Group pose a serious threat to the Web3 industry. Relevant agencies are closely monitoring the movements of this hacker group in hopes of effectively combating such criminal activities and assisting victims in recovering stolen assets.

CryptoDouble-O-Sevenvip
· 07-27 19:27
Money Laundering has gotten so complicated.
NotFinancialAdviservip
· 07-27 13:49
Something happened again, huh?
PebbleHandervip
· 07-27 13:46
Low cost and high return in fishing
AlwaysAnonvip
· 07-24 20:10
Start showing off operations again.
ProbablyNothingvip
· 07-24 20:09
Stealing a little money and still being so obvious about it.
FlashLoanPrincevip
· 07-24 19:58
Hacker is too fierce, no one can control it.
TokenRationEatervip
· 07-24 19:53
A bit anxious, wallet security is the most important!
ContractExplorervip
· 07-24 19:44
The North Koreans really have a trap for money laundering.