Analysis of the Lazarus Group's attack methods on cryptocurrency platforms and the laundering of $3.6 billion in funds.
Analysis of the Attack Methods and Money Laundering Techniques of the North Korean Hacker Group Lazarus Group
A recent confidential report from the United Nations revealed that a hacker group stole funds from a cryptocurrency exchange last year and laundered $147.5 million through a certain virtual currency platform in March of this year.
It is reported that inspectors are investigating 97 suspected cyber attacks targeting cryptocurrency companies that occurred between 2017 and 2024, involving an amount of approximately $3.6 billion. This includes an incident at the end of last year where $147.5 million was stolen from a cryptocurrency exchange, and the funds were subsequently laundered in March of this year.
In 2022, the United States imposed sanctions on a mixing platform. The following year, two co-founders of the platform were accused of assisting in money laundering exceeding $1 billion, involving a cybercrime organization linked to North Korea.
An investigation by a cryptocurrency analyst shows that this hacker group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.
This hacker organization has long been accused of conducting large-scale cyber attacks and financial crimes. Its targets span the globe, from banking systems to cryptocurrency exchanges, from government agencies to private enterprises. The sections below analyze several typical attack cases to show how the organization carries out these attacks through complex strategies and technical means.
Social Engineering and Phishing Attacks
According to European media reports, the organization targeted military and aerospace companies in Europe and the Middle East. They posted job advertisements on social platforms to deceive employees, asking applicants to download PDFs containing executable files, thus carrying out phishing attacks.
This type of attack relies on psychological manipulation: it tricks victims into lowering their guard and performing actions such as clicking links or downloading files, thereby endangering system security. The hackers then use malware to target vulnerabilities in the victim's system and steal sensitive information.
In a six-month operation targeting a certain cryptocurrency payment provider, the organization used similar methods, resulting in the theft of 37 million dollars from the company. They sent fake job offers to engineers, launched distributed denial-of-service attacks, and attempted to brute-force passwords.
Multiple Cryptocurrency Exchange Attack Incidents
From August to October 2020, multiple cryptocurrency exchanges and projects were attacked:
The stolen funds were pooled to the same address in early 2021, and then transferred and obfuscated multiple times through mixing platforms. By 2023, the attackers sent the funds to certain specific withdrawal addresses.
Founder of a Mutual Insurance Platform Attacked by Hacker
On December 14, 2020, the personal account of the founder of a mutual insurance platform was hacked, and 370,000 platform tokens were stolen, worth approximately $8.3 million.
The hacker transferred and exchanged the stolen funds through multiple addresses. Some funds were moved cross-chain to the Bitcoin network, then back to the Ethereum network, then obfuscated through a mixing platform, and ultimately sent to the withdrawal platform.
From May to July 2021, the attacker transferred 11 million USDT to a certain trading platform. From February to June 2023, they sent over 11 million USDT in batches to two different withdrawal addresses.
Recent DeFi Project Attack Incidents
In August 2023, two DeFi projects were attacked, resulting in approximately 1500 ETH being stolen. The hacker transferred these ETH to a mixing platform and then withdrew them to several intermediary addresses.
On October 12, 2023, these funds were consolidated into a new address. By November, the address began to transfer funds, ultimately sending the funds to a specific withdrawal address through intermediaries and exchanges.
Summary
After stealing cryptocurrency assets, the hacker organization primarily obfuscates the funds through cross-chain operations and the use of mixers. After obfuscation, they withdraw the stolen assets to the target address and send them to a fixed group of addresses for withdrawal operations. The stolen cryptocurrency assets are usually deposited into specific withdrawal addresses and then exchanged for fiat currency through over-the-counter trading services.
Faced with such ongoing and large-scale attacks, the Web3 industry faces severe security challenges. Relevant agencies are continuously monitoring the dynamics and money laundering methods of this hacker group to assist project teams, regulators and law enforcement agencies in combating such crimes and recovering stolen assets.
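The convergence described in the summary, where funds from separate thefts end up at a fixed group of withdrawal addresses, is the pattern fund tracing looks for. The following is an added example, not part of the original report: it traces a constructed ledger forward from each theft address and lists terminal addresses reached by more than one incident. All addresses, amounts and days are invented, and mixer and cross-chain hops are assumed to have been linked by an analyst beforehand, so they appear as ordinary transfers.

```python
from collections import defaultdict

# Constructed ledger, not real data: (sender, receiver, amount, day).
# Assumption: mixer and cross-chain legs were already linked by an analyst,
# so they appear here as ordinary transfers.
TRANSFERS = [
    ("theft_A", "hop_A1", 100, 1),
    ("hop_A1", "bridge_out", 100, 2),
    ("bridge_out", "hop_A2", 100, 3),
    ("hop_A2", "consolidation", 60, 5),
    ("hop_A2", "withdraw_1", 40, 6),
    ("theft_B", "hop_B1", 50, 2),
    ("hop_B1", "clean_payee", 10, 1),   # sent before hop_B1 held stolen funds
    ("hop_B1", "consolidation", 50, 4),
    ("consolidation", "withdraw_1", 70, 8),
    ("consolidation", "withdraw_2", 40, 9),
    ("theft_C", "hop_C1", 30, 3),
    ("hop_C1", "withdraw_2", 30, 7),
    ("unrelated", "withdraw_3", 500, 4),
]
INCIDENTS = ["theft_A", "theft_B", "theft_C"]

def trace(source, transfers):
    """Return {address: earliest day funds from `source` could have arrived}."""
    reached = {source: 0}
    changed = True
    while changed:  # repeat until no transfer extends the traced set
        changed = False
        for sender, receiver, _amount, day in transfers:
            # A transfer carries traced funds only if it happens on or after
            # the day its sender first received them.
            if sender in reached and reached[sender] <= day < reached.get(receiver, float("inf")):
                reached[receiver] = day
                changed = True
    return reached

def shared_withdrawal_addresses(incidents, transfers, min_incidents=2):
    """Terminal addresses (no outgoing transfers) reached from several thefts."""
    senders = {t[0] for t in transfers}
    hits = defaultdict(set)
    for incident in incidents:
        for address in trace(incident, transfers):
            if address not in senders:
                hits[address].add(incident)
    return {a: sorted(s) for a, s in hits.items() if len(s) >= min_incidents}

if __name__ == "__main__":
    for address, sources in sorted(shared_withdrawal_addresses(INCIDENTS, TRANSFERS).items()):
        print(address, "<-", ", ".join(sources))
```

The time check is what keeps `clean_payee` out of the result: it was paid before `hop_B1` received anything from the theft, so it is not counted as a downstream recipient.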