North Korean hacker organization Lazarus Group launders $200 million in crypto assets; methods exposed

Analysis of the Cyber Attacks and Money Laundering Methods of the North Korean Hacker Organization Lazarus Group

A confidential United Nations report reveals that a cryptocurrency exchange was attacked by the Lazarus Group last year, resulting in the theft of $147.5 million. In March of this year, the funds were laundered through a certain virtual currency platform.

The United Nations Security Council Sanctions Committee's monitors are investigating 97 suspected cyber attacks by North Korean hackers against cryptocurrency companies that occurred between 2017 and 2024, involving approximately $3.6 billion. This includes a theft of $147.5 million that occurred at a cryptocurrency exchange late last year, with the money laundering process completed in March of this year.

In 2022, a certain country imposed sanctions on the virtual currency platform. The following year, two co-founders of the platform were accused of assisting in the money laundering of over $1 billion, including funds related to the North Korean cybercrime organization Lazarus Group.

According to a survey by cryptocurrency experts, the Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.

The Lazarus Group has long been accused of conducting large-scale cyberattacks and financial crimes, targeting a wide range of areas globally, including banking systems, cryptocurrency exchanges, government agencies, and private enterprises.

The most rampant cryptocurrency theft gang in history? Detailed analysis of the Lazarus Group's money laundering methods

Attack Methods of the Lazarus Group

Social Engineering and Phishing Attacks

The Lazarus Group has targeted military and aerospace companies in Europe and the Middle East. They posted fake job advertisements on social platforms to lure job seekers into downloading PDFs with malicious executable files, thereby conducting phishing attacks. This method has also been used in attacks against cryptocurrency payment providers, resulting in losses of $37 million.

Multiple cryptocurrency exchange attack incidents

From August to October 2020, multiple cryptocurrency exchanges and projects were attacked:

  1. On August 24, a wallet from a Canadian cryptocurrency exchange was hacked.
  2. On September 11, a project suffered an unauthorized transfer of $400,000 due to a private key leak.
  3. On October 6, $750,000 worth of cryptocurrency assets were illegally transferred from the hot wallet of a certain trading platform.

The stolen funds were transferred and obfuscated multiple times before being withdrawn through certain specific addresses.

High-value attacks targeting individuals

On December 14, 2020, the founder of a mutual insurance platform was hacked, resulting in a loss of 370,000 NXM tokens, worth approximately $8.3 million. The attacker executed a series of complex operations, including cross-chain transfers, coin mixing, and multiple transfers, ultimately directing the funds to a specific withdrawal address.

Latest Attack Cases

In August 2023, two major attack incidents occurred:

  1. A certain DeFi project was attacked, and 624 ETH were stolen.
  2. Another cryptocurrency project was attacked, and 900 ETH were stolen.

The stolen funds were obfuscated and transferred, ultimately funneling into similar withdrawal addresses.

Money Laundering Methods of the Lazarus Group

The money laundering process of the Lazarus Group typically follows the pattern below:

  1. Fund Obfuscation: Conceal the source of funds through cross-chain operations and mixing services.
  2. Fund Diversification and Aggregation: Disperse funds to multiple addresses, then aggregate them again.
  3. Use of Specific Platforms: Frequently use certain specific cryptocurrency mixing services.
  4. Final Withdrawal: Transfer the obfuscated funds to a fixed group of addresses for withdrawal operations.

This complex money laundering process makes it extremely difficult to trace and recover stolen assets.
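
The dispersal, aggregation and fixed-withdrawal-address steps above leave a shape that tracing tools look for. The following Python sketch is an added example, not part of the original report: it follows funds forward from two theft addresses, reports where the dispersed funds are re-aggregated, and flags withdrawal addresses shared by both incidents. All addresses and amounts are constructed, and it assumes direct transfers only (mixers and cross-chain hops are not modelled).

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount); labels are
# hypothetical and this is not real chain data.
TRANSFERS = [
    ("theft_A", "a1", 300), ("theft_A", "a2", 324),      # dispersal
    ("a1", "agg_A", 300), ("a2", "agg_A", 324),          # aggregation
    ("agg_A", "cashout_1", 624),                         # withdrawal
    ("theft_B", "b1", 450), ("theft_B", "b2", 450),
    ("b1", "agg_B", 450), ("b2", "agg_B", 450),
    ("agg_B", "cashout_1", 500), ("agg_B", "cashout_2", 400),
    ("user_x", "cashout_3", 10),                         # unrelated activity
]

def build_graph(transfers):
    """Map each sender to the set of addresses it paid."""
    graph = defaultdict(set)
    for sender, receiver, _amount in transfers:
        graph[sender].add(receiver)
    return dict(graph)

def downstream(graph, source, max_hops=10):
    """Breadth-first search: addresses reachable from source within max_hops."""
    seen, queue = {source}, deque([(source, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops < max_hops:
            for nxt in graph.get(addr, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1))
    return seen - {source}

def aggregation_points(transfers, source, min_senders=2):
    """Traced addresses funded by at least min_senders distinct traced senders."""
    traced = downstream(build_graph(transfers), source) | {source}
    senders = defaultdict(set)
    for sender, receiver, _amount in transfers:
        if sender in traced and receiver in traced:
            senders[receiver].add(sender)
    return sorted(a for a, s in senders.items() if len(s) >= min_senders)

def shared_endpoints(transfers, sources):
    """Terminal addresses (no outgoing transfers) reached from several incidents."""
    graph = build_graph(transfers)
    hits = defaultdict(set)
    for src in sources:
        for addr in downstream(graph, src):
            if addr not in graph:
                hits[addr].add(src)
    return {a: sorted(s) for a, s in hits.items() if len(s) > 1}
```

On the sample data, `shared_endpoints(TRANSFERS, ["theft_A", "theft_B"])` links the two incidents through `cashout_1`, while `cashout_2` and the unrelated `cashout_3` are not flagged.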

Conclusion

The ongoing activities of the Lazarus Group pose a serious security threat to the Web3 industry. In the face of such complex cybercrime, a joint effort from project parties, regulatory bodies, and law enforcement is needed to combat such criminal activities and protect user asset security. At the same time, continuously monitoring and analyzing the dynamics and money laundering methods of such hacker organizations is crucial for improving the overall security level of the industry.

ServantOfSatoshivip
· 20h ago
Harm the industry's development
SatoshiLegendvip
· 08-01 06:06
Hacker attacks are everywhere.
degenonymousvip
· 07-30 10:55
Hackers also find it hard to steal from a secure DEX.
LadderToolGuyvip
· 07-30 10:43
Hackers all want money ah