  • K Kim and S Pettigrove

Follow the crypto: On-chain sleuths trace North Korean hackers



The Lazarus Group (also known as APT38, BlueNorOff and various other names) is a hacker group believed to be affiliated with the North Korean government. Since at least 2009, it has been actively involved in large-scale cyber-attacks, leveraging sophisticated techniques to target both private and public entities for monetary gain. In recent times, the Group has targeted blockchain protocols, including the high-profile Ronin Bridge hack in early 2022 and the Harmony Bridge exploit in 2023.


A 15-month investigation led by ZachXBT, a blockchain researcher noted for tracing and revealing on-chain hacks and exploits, found that the Group laundered nearly USD$200M worth of cryptocurrency into fiat across 2020 to 2023. Industry leaders from MetaMask, Binance Security Team, TRM Labs and Five I’s combined their expertise to assist in the on-chain analysis of over 25 hacks across different blockchains.


The report details various techniques used by the North Korean group, ranging from security breaches, software bugs enabling unauthorised withdrawals, remote access to computers and compromise of private keys to phishing emails. Once the group acquired illicit funds, it passed them through multiple channels including crypto mixers, peer-to-peer (P2P) marketplaces and exchange services.


According to ZachXBT’s findings, the Group employed the sanctioned mixer Tornado Cash and ChipMixer, which was subject to a coordinated international takedown in 2023. To further complicate tracing, the Group leveraged P2P exchanges including Noones and Paxful, making deposits in batches, totalling USD$44M over July 2022 to November 2023.


ZachXBT reflected on the grim findings in a tweet:



Despite this worrying trend, ZachXBT's investigations highlight the power of on-chain analytics tools in tracing the movement of illicit funds, including identifying the channels used for laundering funds and off-ramping. While combating cybercrimes, in particular those involving cryptocurrency, remains a persistent challenge, blockchain’s very transparency holds the keys to tracing wrongdoers, better intelligence sharing and coordinated action to prevent future attacks.


Written by Kelly Kim and Steven Pettigrove
