Lazarus hacker group steals $147.5 million, attacks crypto exchanges multiple times.

Recently, a confidential report revealed the large-scale cyber attack operations of North Korean hacker organization Lazarus Group. After stealing funds from a crypto assets exchange last year, the organization laundered $147.5 million through a certain virtual money platform in March of this year.

Investigators reported to the United Nations Security Council Sanctions Committee that they are investigating 97 suspected cyber attacks by North Korean hackers targeting crypto assets companies from 2017 to 2024, involving approximately $3.6 billion. This includes an attack on a certain crypto exchange at the end of last year, which resulted in the theft of $147.5 million and the completion of money laundering in March this year.

In 2022, the United States imposed sanctions on the virtual money platform. The following year, its two co-founders were accused of assisting in money laundering over $1 billion, including involvement with the North Korean cybercrime organization Lazarus Group.

According to an investigation by a crypto assets analysis expert, the Lazarus Group laundered $200 million worth of crypto assets into fiat currency between August 2020 and October 2023.

The Lazarus Group has long been accused of conducting large-scale cyber attacks and financial crimes. Their targets span the globe, from banking systems to crypto assets exchanges, and from government agencies to private enterprises. The following analyzes several typical attack cases, revealing how the Lazarus Group carries out these attacks through complex strategies and technical means.

Lazarus Group's social engineering and phishing attacks

According to reports, Lazarus has targeted military and aerospace companies in Europe and the Middle East by posting fake job advertisements on social platforms to deceive employees. They asked job seekers to download PDFs containing executable files to carry out phishing attacks.

These social engineering and phishing attacks rely on psychological manipulation to make victims lower their guard and perform dangerous actions, such as clicking on links or downloading files, thereby compromising system security. Once run, the malware can exploit vulnerabilities in the victim's system to steal sensitive information.

Lazarus also used similar methods in a six-month campaign against a certain crypto assets payment provider, which resulted in the company being robbed of $37 million. Over the course of the campaign, they sent fake job offers to engineers, launched distributed denial-of-service attacks, and attempted to brute-force passwords.

The most brazen Crypto Assets theft gang in history? Detailed analysis of the Hacker organization Lazarus Group's Money Laundering methods

Multiple incidents of attacks on crypto assets exchanges

On August 24, 2020, a wallet from a Canadian crypto assets exchange was hacked.

On September 11, 2020, a blockchain project experienced unauthorized transfers of $400,000 from multiple wallets controlled by the team due to a private key leak.

On October 6, 2020, the hot wallet of a certain crypto assets exchange was hacked due to a security vulnerability, and crypto assets worth $750,000 were transferred.

At the beginning of 2021, the funds from these attacks were pooled into the same address. Subsequently, the attackers sent the stolen funds to certain specific addresses through multiple transfers and exchanges.


The founder of a mutual insurance platform was attacked by a hacker

On December 14, 2020, the founder of a mutual insurance platform suffered a hacker attack, resulting in a loss of 370,000 NXM (worth approximately 8.3 million USD).

The stolen funds were transferred between multiple addresses and exchanged for other assets. The Lazarus Group used these addresses for laundering, dispersal, and aggregation of the funds. Some of the funds were bridged cross-chain to the Bitcoin network, then back to the Ethereum network, obfuscated through a mixing platform, and finally sent to a withdrawal platform.

From December 16 to 20, 2020, a hacker address sent over 2,500 ETH to a certain mixing platform. A few hours later, another related address began withdrawal operations.

Through further transfers and exchanges, the hacker also moved some of the funds to the withdrawal address that had previously been involved in the incident.

From May to July 2021, the attacker transferred 11 million USDT to a deposit address on a certain exchange.

From February to March 2023, attackers sent 2.77 million USDT to a certain P2P exchange deposit address through a specific address.

From April to June 2023, the attacker sent 8.4 million USDT to another deposit address using the same address.

Recent Attack Incident Analysis

In August 2023, a total of 1,524 ETH stolen in two different hacking incidents was transferred to a certain mixing platform.

After transferring ETH to the mixing platform, the funds were immediately withdrawn to multiple new addresses. On October 12, 2023, the funds from these addresses were consolidated into a new address.

In November 2023, this address began transferring funds, ultimately sending the funds to two specific deposit addresses through intermediaries and exchanges.


Summary

After stealing crypto assets, the Lazarus Group primarily obfuscates the funds through cross-chain transfers and mixers. Once obfuscated, the stolen assets are withdrawn to target addresses and routed to a fixed cluster of addresses for cash-out. The stolen crypto assets are usually deposited into specific deposit addresses and then exchanged for fiat currency through over-the-counter trading services.
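The laundering pattern summarized above (stolen funds into a mixer, withdrawal to several fresh addresses, consolidation into one address, then transfer to an exchange deposit address) can be approximated on a transaction graph. The following is an added illustration, not code from the original article or from any tracing vendor: it follows taint forward from hypothetical hack addresses over a constructed transfer list and flags the fan-in consolidation step. All address labels and amounts are constructed.

```python
from collections import defaultdict

# Constructed sample transfers (from, to, amount_eth, day) modelled on the pattern
# in the article: two thefts -> mixer -> three fresh addresses -> one consolidation
# address -> an exchange deposit address. Every label here is hypothetical.
TRANSFERS = [
    ("hack_a", "mixer", 1000, 1), ("hack_b", "mixer", 524, 1),
    ("mixer", "fresh1", 500, 1), ("mixer", "fresh2", 500, 1), ("mixer", "fresh3", 500, 1),
    ("fresh1", "consol", 499, 40), ("fresh2", "consol", 499, 40), ("fresh3", "consol", 499, 41),
    ("consol", "hop1", 1400, 70), ("hop1", "exch_deposit", 1399, 71),
    ("alice", "bob", 5, 3),  # unrelated benign transfer, must stay untainted
]

def trace_taint(transfers, seeds):
    """Propagate taint forward in time; returns {addr: set of seed addrs it received from}.
    Note: passing taint straight through the mixer is a simplification; real tracing
    needs timing/amount heuristics to link mixer deposits to withdrawals."""
    taint = defaultdict(set)
    for s in seeds:
        taint[s].add(s)
    for src, dst, _amt, _day in sorted(transfers, key=lambda t: t[3]):
        if taint[src]:
            taint[dst] |= taint[src]
    return taint

def find_consolidations(transfers, taint, min_inputs=3, window_days=7):
    """Flag addresses receiving tainted funds from >= min_inputs distinct sources
    within window_days: the fan-in that precedes the final withdrawal."""
    inputs = defaultdict(list)
    for src, dst, _amt, day in transfers:
        if taint[src] and src != dst:
            inputs[dst].append((day, src))
    hits = {}
    for dst, lst in inputs.items():
        lst.sort()
        for i in range(len(lst)):
            srcs = {s for d, s in lst[i:] if d - lst[i][0] <= window_days}
            if len(srcs) >= min_inputs:
                hits[dst] = sorted(srcs)
                break
    return hits

def exchange_deposits(transfers, taint, known_deposit_addrs):
    """Tainted transfers landing on known exchange deposit addresses (cash-out points)."""
    return sorted({dst for src, dst, _a, _d in transfers if taint[src] and dst in known_deposit_addrs})
```

Running `find_consolidations` on the sample data flags only the consolidation address, not the mixer (two inputs) or the benign transfer.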

These ongoing large-scale attacks pose a serious security threat to the Web3 industry. Relevant agencies are closely monitoring the activities of this hacker group and are working to trace their money laundering methods to assist project parties, regulatory and law enforcement agencies in combating such crimes and recovering stolen assets.

MemeCurator · 07-28 19:21
Are North Koreans also starting to eat crypto world suckers?

DefiPlaybook · 07-26 20:03
3.6 billion USD. This Clip Coupons is really impressive!

ChainComedian · 07-26 19:58
Sigh, it's really not safe to keep staring at the chain every day.

CommunityLurker · 07-26 19:54
Again pulling a Rug Pull.

BoredRiceBall · 07-26 19:53
Is it really that easy to steal?