The United States has initiated legal actions to seize over $2.67 million in cryptocurrency stolen by North Korean hackers. On October 4, the government filed two complaints targeting the Lazarus Group, a notorious hacking organization associated with the North Korean regime.
The stolen funds originate from two significant cyber heists: $1.7 million in USDT taken during the 2022 Deribit hack and approximately $970,000 worth of Avalanche-bridged Bitcoin (BTC.b) pilfered from Stake.com in 2023.
The Lazarus Group’s criminal activities
The Lazarus Group has been active in cybercrime since at least 2009. This group gained notoriety through high-profile incidents such as the 2014 Sony Pictures breach and the 2016 Bangladesh Bank theft. More recently, its activities have shifted towards targeting cryptocurrency platforms. Analysts estimate that since 2017, the group has stolen between $3 billion and $4.1 billion from various crypto companies.
The Deribit hack exemplifies the Lazarus Group’s tactics. The attackers compromised one of the exchange’s hot wallets and drained $28 million in crypto. To obscure the trail, they routed funds through Tornado Cash, a mixing service that pools deposits from many users so that a withdrawal cannot be linked on-chain to the deposit that funded it. They further complicated tracing by moving the stolen assets through a chain of intermediary Ethereum addresses, so that no single address held the loot for long.
Even so, investigators were able to follow part of the flow. The U.S. government is now seeking to recover at least $1.7 million in USDT connected to this theft.
Tactics and techniques used by Lazarus
The Lazarus Group, whose financially motivated operations are also tracked under the names APT38 and BlueNoroff, is known for sophisticated intrusions and crypto heists. Its operations rely on tooling tailored to each target rather than off-the-shelf malware. Reports from blockchain analytics firms such as Chainalysis and TRM Labs document the scale of the losses the group has caused over the years.
Recent attacks underscore their effectiveness. In August 2023, the group compromised Steadefi’s deployer wallet, the key that controls the protocol’s contracts, and stole $1.2 million in crypto. The intrusion began with social engineering: a Steadefi employee downloaded a malicious file sent by a threat actor posing as a fund manager on Telegram. Another incident hit the Coinshift platform, which lost over $900,000 in Ethereum. In both cases, as with Deribit, the stolen assets were laundered through Tornado Cash.
The speed of these operations is also noteworthy. On August 23, the attackers executed both the Steadefi and Coinshift hacks and swiftly deposited funds into Tornado Cash’s 100 ETH pool within minutes of one another.
Challenges in tracking and recovery efforts
Despite ongoing efforts to freeze the stolen assets, the Lazarus Group continues to adapt and evade recovery. In November 2023, Tether blacklisted $374,000 in USDT linked to the group, a freeze the issuer can impose at the token contract level because USDT, unlike ETH, is centrally controlled. At the same time, several centralized exchanges froze an undisclosed amount of cryptocurrency connected to its activity. By the fourth quarter of 2023, three of the four major stablecoin issuers had blacklisted a combined $3.4 million associated with the group.
To cash out, the Lazarus Group uses peer-to-peer exchanges such as Paxful and Noones, where stolen cryptocurrency is traded for fiat with individual counterparties rather than through a custodial exchange that could freeze the funds. This combination of mixing, address hopping and peer-to-peer off-ramps has kept the group a persistent threat to the cryptocurrency industry despite the concerted efforts of law enforcement and the crypto community to thwart its activities.