FBI Unravels North Korea's Lazarus Group and $200 Million Crypto Heist

Investigative researcher ZachXBT unveils the operations of the notorious North Korean hacking group Lazarus Group, revealing their $200 million money laundering trail involving 25 crypto hacks. The report tracks the movement of stolen funds through exchanges, privacy mixers like Tornado Cash, and P2P marketplaces. ZachXBT's detailed analysis uncovers the group's methods of consolidating and converting digital assets into fiat, highlighting the role of Chinese OTC traders in facilitating the laundering process.

North Korea's Lazarus Group: Unraveling the $200 Million Crypto Laundering Scheme

Introduction

The infamous North Korean hacking group, Lazarus Group, has come under intense scrutiny following a comprehensive report by renowned on-chain sleuth ZachXBT. The report meticulously chronicles 25 separate hacks perpetrated by the group, resulting in the illicit acquisition of over $200 million worth of cryptocurrency.

The Lazarus Group's Crypto Heist: Modus Operandi

Over the past several years, Lazarus Group has orchestrated a series of high-profile cryptocurrency heists, targeting both individuals and companies. In 2020 alone, the group successfully breached the hot wallets of several crypto exchanges, including Coinberry and CoinMetro, stealing a combined sum of over $1.1 million in Bitcoin (BTC) and Ether (ETH).

Laundering the Proceeds: A Winding Path

Lazarus Group employed a sophisticated laundering scheme to conceal the illicit funds obtained through these hacks. The stolen cryptocurrency was initially consolidated into a single address before being gradually moved through Tornado Cash, an Ethereum-based privacy mixer. Despite Tornado Cash's reputation for obfuscating transaction trails, ZachXBT managed to trace the movement of these funds, leveraging their unique characteristics upon withdrawal.

Over the subsequent two years, the laundered cryptocurrency was commingled with funds from other Lazarus Group thefts and transferred to peer-to-peer (P2P) crypto marketplaces, such as Paxful and Noones, in the form of Tether (USDT).

Freezing the Assets: International Collaboration

In a significant development, a portion of the stolen funds was frozen in November 2023, with an undisclosed amount subsequently frozen by centralized exchanges in the fourth quarter of 2023. Additionally, three of four stablecoin issuers seized approximately $3.4 million held in a group of addresses associated with Lazarus Group.

Chinese OTC Desks: A Historic Nexus

The report also sheds light on Lazarus Group's use of Chinese over-the-counter (OTC) desks, including Wu Huihui, to facilitate the conversion of cryptocurrency into fiat (local currency). In April 2023, the US Department of Justice (DOJ) unsealed an indictment against Wu, alleging his involvement in financial transactions with the Democratic People's Republic of Korea (DPRK).

Lazarus Group's Impact: A Far-Reaching Threat

The report underscores the pervasive impact of Lazarus Group attacks on the crypto ecosystem. Thousands of individuals and organizations have been directly or indirectly affected by their malicious activities, and this number is anticipated to grow.

Additional Analysis: Quantifying the Damage

Elliptic, a leading blockchain analytics firm, revealed that Lazarus Group was responsible for crypto heists amounting to over $300 million in 2022 alone. As of September 2023, the group reportedly held approximately $47 million worth of cryptocurrency in its wallets.

Conclusion

ZachXBT's report provides a comprehensive and detailed account of Lazarus Group's cryptocurrency laundering activities. The findings underscore the group's sophisticated tactics, extensive network, and reliance on privacy-enhancing technologies to evade detection. This report serves as a timely reminder of the ongoing threat posed by North Korea's cybercrime operations in the digital asset realm.