The United States is coming after North Korean hackers who stole over $2.67 million in crypto. On October 4, the government filed two complaints to seize this stolen crypto.
The target? The infamous Lazarus Group, a hacking crew linked to the North Korean government. The funds in question were swiped in two big crypto heists: $1.7 million in USDT from the 2022 Deribit hack and $970,000 worth of Avalanche-bridged Bitcoin (BTC.b) from Stake.com in 2023.
The Lazarus lore
The Lazarus Group has been hacking companies and stealing millions since at least 2009.
It started with high-profile attacks like the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist. Now, its focus is on crypto.
Analysts estimate that since 2017, the group has taken between $3 billion and $4.1 billion from crypto companies.
The Deribit hack was classic Lazarus Group. It breached a hot wallet and siphoned off $28 million in crypto. After grabbing the funds, it used Tornado Cash to hide its tracks.
The Lazarus Group then moved the crypto through several Ethereum addresses to make things even harder to track.
Even though the group used mixers and multiple addresses, law enforcement stayed on its tail. Now, the government wants to recover at least $1.7 million of the stolen USDT.
Track record in crypto theft
Lazarus Group, also known as APT38 or Bluenoroff, is notorious for its cyberattacks and crypto heists. The group is highly skilled, with tailor-made tools for each target.
What’s shocking is the sheer scale of the group’s operations. Reports from analytics firms like Chainalysis and TRM Labs show just how much damage the hackers have done.
They estimate Lazarus has stolen between $3 billion and $4.1 billion since 2017, mostly from exchanges. In August 2023, the group took control of Steadefi’s deployer wallet and drained $1.2 million in crypto.
This attack was social engineering at its finest. A Steadefi team member downloaded a malicious file from someone posing as a fund manager on Telegram.
In another attack, the Coinshift platform lost over $900,000 in Ethereum (ETH), and just like with Deribit, Steadefi and the rest, the hackers laundered the stolen crypto through Tornado Cash.
What’s even more interesting is how fast they operate. On August 23, the attackers from both the Steadefi and Coinshift hacks made deposits into the Tornado Cash 100 ETH pool within mere minutes of each other.
Once they convert the funds into stablecoins, the Lazarus hackers use peer-to-peer (P2P) exchanges to turn the stolen crypto into cash.
Paxful and Noones, two popular P2P platforms, were key parts of their process. According to the U.S. complaints, Lazarus Group’s Paxful deposit address (0x2465) has been involved in multiple hacks, including those targeting EasyFi, Bondly, and Nexus Mutual.
In response to these hacks, several actions have been taken to lock down the stolen funds. In November 2023, Tether blacklisted $374,000 in USDT connected to Lazarus.
At the same time, other centralized exchanges froze an undisclosed amount of crypto. By Q4 2023, three out of four major stablecoin issuers had blacklisted a total of $3.4 million linked to Lazarus.
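The tracing work the article alludes to (following funds across several hop addresses, noticing mixer deposits that land within minutes of each other, and screening an exchange's own deposit addresses against tainted senders) can be sketched in a few functions. The code below is an added illustration, not part of the article and not any analytics firm's or law-enforcement tool; the transfer graph, address labels (thief_A, hop_B, MIXER_POOL, p2p_deposit and so on) and timestamps are all constructed sample data, and the reachability-based taint model is a deliberate simplification of what blockchain analytics actually do.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample transfers: (tx_id, sender, receiver, amount, ISO timestamp).
# Labels are placeholders, not real chain addresses.
TRANSFERS = [
    ("t1", "hotwallet_exchange", "thief_A", 1_700_000, "2022-11-02T10:00:00"),
    ("t2", "thief_A", "hop_B", 900_000, "2022-11-02T10:05:00"),
    ("t3", "thief_A", "hop_C", 800_000, "2022-11-02T10:06:00"),
    ("t4", "hop_B", "MIXER_POOL", 100_000, "2022-11-02T10:20:00"),
    ("t5", "hop_C", "MIXER_POOL", 100_000, "2022-11-02T10:23:00"),
    ("t6", "hop_B", "p2p_deposit", 800_000, "2022-11-03T08:00:00"),
    ("t7", "unrelated_user", "MIXER_POOL", 100_000, "2022-11-02T15:00:00"),
]


def trace_taint(transfers, origin, stop_at=frozenset()):
    """Forward-trace funds from `origin`: every address that receives, directly
    or through intermediate hops, from a tainted address is marked tainted.
    Addresses in `stop_at` (e.g. a mixer contract) are recorded but not expanded,
    because funds leaving a mixer cannot be linked to a deposit by this method.
    Plain reachability; real analyses weight by amount and timing."""
    by_sender = {}
    for _, sender, receiver, _, _ in transfers:
        by_sender.setdefault(sender, []).append(receiver)
    tainted = {origin}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        for receiver in by_sender.get(addr, []):
            if receiver not in tainted:
                tainted.add(receiver)
                if receiver not in stop_at:
                    queue.append(receiver)
    return tainted


def correlated_mixer_deposits(transfers, tainted, mixer, window):
    """Return pairs of tx_ids for deposits into `mixer` from tainted senders that
    land within `window` of each other: the time-clustering pattern that linked
    the Steadefi and Coinshift deposits in the article."""
    deposits = sorted(
        (datetime.fromisoformat(ts), tx_id)
        for tx_id, sender, receiver, _, ts in transfers
        if receiver == mixer and sender in tainted
    )
    pairs = []
    for i, (t_i, id_i) in enumerate(deposits):
        for t_j, id_j in deposits[i + 1:]:
            if t_j - t_i <= window:
                pairs.append((id_i, id_j))
    return pairs


def screen_deposits(transfers, tainted, watched):
    """Compliance-style check for an exchange or stablecoin issuer: flag any
    transfer into one of its own `watched` deposit addresses from a tainted sender."""
    return [tx_id for tx_id, sender, receiver, _, _ in transfers
            if receiver in watched and sender in tainted]


def analyse(transfers, origin, mixer, watched, window_minutes=10):
    """Run the three checks together and return their results in one dict."""
    tainted = trace_taint(transfers, origin, stop_at={mixer})
    return {
        "tainted": tainted,
        "correlated": correlated_mixer_deposits(
            transfers, tainted, mixer, timedelta(minutes=window_minutes)),
        "flagged": screen_deposits(transfers, tainted, watched),
    }


if __name__ == "__main__":
    result = analyse(TRANSFERS, "thief_A", "MIXER_POOL", {"p2p_deposit"})
    print("tainted addresses:", sorted(result["tainted"]))
    print("mixer deposits within 10 min of each other:", result["correlated"])
    print("deposits to watched addresses from tainted senders:", result["flagged"])
```

On the sample graph the trace reaches both hop addresses, the mixer and the P2P deposit address; the two mixer deposits t4 and t5 are paired because they are three minutes apart, while the unrelated deposit t7 is ignored; and t6 is the one transfer a screening exchange would hold for review. Stopping expansion at the mixer is the important design choice: once funds enter a pool, any link to a later withdrawal has to come from other evidence, such as the timing correlation.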
However, despite these efforts, Lazarus continues to evolve and adapt, making it a persistent threat in the industry.