North Korea's Lazarus Group Launders Over $200M in Stolen Cryptocurrency

The infamous North Korean state-backed hacker group, Lazarus Group, laundered over $200 million in stolen crypto assets from over 25 hacks between 2020 and 2023. The group utilized crypto mixing services and peer-to-peer marketplaces to convert the stolen funds into fiat currency.

North Korean Lazarus Group Launders Over $200 Million in Stolen Cryptocurrency

Washington, D.C. - The Lazarus Group, a notorious North Korean state-backed hacking collective, has laundered over $200 million worth of cryptocurrency stolen from various crypto exchanges and platforms between 2020 and 2023, according to a comprehensive analysis published on April 29th by ZachXBT, a renowned pseudonymous on-chain researcher.

Lazarus Group: A History of Cryptocurrency Theft

The Lazarus Group has been operating for over a decade, emerging in 2009 and perpetrating numerous high-profile crypto hacks. Between 2017 and 2023 alone, the group has stolen over $3 billion in digital assets, solidifying its status as one of the most formidable and prolific cybercriminal organizations targeting the cryptocurrency industry.

Modus Operandi: Cryptocurrency Mixing and Peer-to-Peer Marketplaces

To launder the stolen crypto assets, the Lazarus Group employed a combination of cryptocurrency mixing services and peer-to-peer (P2P) marketplaces, a technique commonly used by cybercriminals to obscure the origin and ownership of illicit funds.

ZachXBT's analysis identified specific accounts on Noones and Paxful, two prominent P2P marketplaces, that received funds from the hacks and were subsequently used to convert the stolen cryptocurrency into fiat currency.

Traceable Activity: Paxful and Noones Accounts

The investigation revealed that the Lazarus Group laundered at least $44 million through these two marketplaces, using two specific usernames: "EasyGoatfish351" and "FairJunco470." These accounts exhibited significant deposits and trading volumes, consistent with the stolen funds.

USDT Stablecoin: A Key Intermediate

Analysis further indicates that the stolen funds were initially converted into the USDT (USDT) stablecoin, a popular digital currency pegged to the value of the US dollar. The USDT was then exchanged for cash and withdrawn.

China-Based OTC Traders: Facilitating Crypto-to-Fiat Conversions

Historically, the Lazarus Group has relied on China-based over-the-counter (OTC) traders to facilitate the conversion of cryptocurrencies into fiat currency. These traders operate outside of traditional financial institutions, providing anonymity and flexibility for illicit transactions.

Blacklisting of Stolen Funds

In November 2023, Tether, a leading stablecoin issuer, blacklisted over $374,000 worth of stolen funds. Subsequently, three out of four stablecoin issuers collectively blacklisted an additional $3.4 million held in a cluster of addresses linked to the Lazarus Group.

Lazarus Group's Share of Stolen Crypto in 2023

In 2023, the Lazarus Group accounted for approximately $309 million, or 17%, of the total $1.8 billion worth of cryptocurrency stolen through hacks and exploits, as reported by Immunefi in December 2023.

LinkedIn Attacks: Expanding Tactics

Recent reports from blockchain security analytics firm SlowMist indicate that the Lazarus Group has expanded its tactics to include targeted malware attacks on LinkedIn users with the intent of stealing digital assets.

Ronin Bridge Hack: A Notable Heist

One of the most significant heists orchestrated by the Lazarus Group was the 2022 Ronin Bridge hack, which resulted in the theft of approximately $625 million worth of cryptocurrency. This attack highlighted the group's sophisticated capabilities and willingness to target high-value crypto assets.

Conclusion

The Lazarus Group continues to pose a significant threat to the cryptocurrency industry, demonstrating its ability to adapt to evolving technologies and exploit vulnerabilities in crypto exchanges and platforms. Governments, law enforcement agencies, and the cryptocurrency community must remain vigilant in their efforts to combat the illicit activities of this persistent and highly skilled cybercriminal organization.