{"id":13048,"date":"2024-04-29T18:58:35","date_gmt":"2024-04-29T15:58:35","guid":{"rendered":"https:\/\/forklog.com\/en\/lazarus-group-launders-200-million-from-25-crypto-attacks-report-reveals\/"},"modified":"2024-04-29T18:58:35","modified_gmt":"2024-04-29T15:58:35","slug":"lazarus-group-launders-200-million-from-25-crypto-attacks-report-reveals","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/lazarus-group-launders-200-million-from-25-crypto-attacks-report-reveals\/","title":{"rendered":"Lazarus Group Launders $200 Million from 25 Crypto Attacks, Report Reveals"},"content":{"rendered":"<p>On-chain researcher ZachXBT <a href=\"https:\/\/zachxbt.mirror.xyz\/B0-UJtxN41cJhpPtKv0v2LZ8u-0PwZ4ecMPEdX4l8vE\">tracked the movement of $200 million<\/a> stolen by the Lazarus Group hackers in 25 cyberattacks from August 2020 to October 2023.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/IsKOAJBe5EvceFudlBlutAahePlV5-mAKKyweuyB7S_L0lsQxbU7CBjvHDC7DhGxOyGk-vq9HkY2p7h40P7kJU82-zSkmVeExm9Az8Qge7S18Gr3gH96aRkEZVdi5vv1_LgWTuCXBgcuoA2KWtHeR6w\" alt=\"Table 0. Lazarus Group hacks in 2020\u20132023 described in this article\"\/><figcaption class=\"wp-element-caption\">Lazarus Group hacks in 2020\u20132023. Data: TRM Labs.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\"><strong>2020: CoinBerry, Unibright, and CoinMetro Hacks<\/strong><\/h2>\n<p>In August, the perpetrators withdrew $370,000 from the hot Bitcoin and Ethereum wallets of the Canadian crypto exchange CoinBerry. 
In September, they took $400,000 from the Unibright platform, and in October, $750,000 from CoinMetro.<\/p>\n<p>The funds from these three thefts were moved by the Lazarus Group through intermediary wallets before being consolidated <a href=\"https:\/\/etherscan.io\/address\/0x0864b5ef4d8086cd0062306f39adea5da5bd2603\">at one address<\/a> in early January 2021.<\/p>\n<p>The funds were then gradually deposited into Tornado Cash and subsequently withdrawn to an <a href=\"https:\/\/etherscan.io\/address\/0x05492cbc8fb228103744ecca0df62473b2858810\">Ethereum address<\/a>, where they were combined with assets obtained from the group&#8217;s other thefts.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/q48uBm4szrUXkSAKQVk0aNPLijaGtmKgpNDmP9-hxdjroiPOe0kD9Z63OwXfqFC9SZsPmhok63H7iY4QOPIQAcO64OKm6baWqVI07FnMvltk6jSoEdz0JxpEtuoDuGQ1ABd-mHWSGnFAoih3Kz4dvFM\" alt=\"TRM forensic analysis graph\"\/><figcaption class=\"wp-element-caption\">TRM forensic analysis graph. Data: TRM Labs.<\/figcaption><\/figure>\n<p>Also in 2021, several transfers were made to a Chinese OTC trader, Wu Huihui, who was later sanctioned by the <span data-descr=\"Office of Foreign Assets Control of the US Treasury Department\" class=\"old_tooltip\">OFAC<\/span>.<\/p>\n<p>From July 2022 to November 2023, USDT was withdrawn in small batches to the P2P platforms Paxful and Noones.<\/p>\n<h2 class=\"wp-block-heading\"><strong>December 2020: Hack of Nexus Mutual Founder Hugh Karp<\/strong><\/h2>\n<p>On December 14, hackers gained remote access to Karp&#8217;s computer and stole 370,000 NXM ($8.3 million) from his MetaMask wallet.<\/p>\n<p>From December 16 to 17, 137.1 BTC obtained from the stolen NXM were sent in six transactions to the centralized mixing service ChipMixer. 
A few hours later, 136 BTC were bridged back to Ethereum as renBTC via the Ren protocol and consolidated with funds from other thefts.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/pnzbjXFg28_x791UD2b5eWjs-7GDYy6wyZ9NU2unr_-iP79oZjwx-k_iXfuHlkWGPdnLKs5fETHPo8noiaPlFqwcxgsqn48AMoYFh33TdBJShE1v2S4oNSBpcVpwc5ojr3Z91Uq7I54KWdUiR7C0MdU\" alt=\"TRM forensic analysis graph\"\/><figcaption class=\"wp-element-caption\">TRM forensic analysis graph. Data: TRM Labs.<\/figcaption><\/figure>\n<p>After passing through Tornado Cash, the assets ended up in a new Ren wallet.\u00a0<\/p>\n<p>In March 2021, the stolen cryptocurrency was repeatedly cycled between the Bitcoin and Ethereum networks, passing through ChipMixer each time. In April, a small portion of the BTC was sold to Wu Huihui. The remaining amounts were sent to the Bixin exchange and to the Paxful and Noones platforms.<\/p>\n<h2 class=\"wp-block-heading\"><strong>April 2021: Hack of EasyFi Founder Ankitt Gaur<\/strong><\/h2>\n<p>Similar to the previous case, $81 million in various tokens were stolen from Gaur via a malicious version of MetaMask.<\/p>\n<p>The assets were then moved to new addresses using cross-chain transfers, sent to ChipMixer, and returned to the Ethereum network via the Ren protocol.\u00a0<\/p>\n<p>In June 2022, funds from two addresses were sent to new <span data-descr=\"externally owned account\" class=\"old_tooltip\">EOA<\/span> addresses, where they were consolidated with other illegally obtained cryptocurrencies. 
They were then sent to the Binance exchange among other funds.<\/p>\n<p>Another batch of funds was withdrawn to new Ethereum wallets as renBTC via ChipMixer, later exchanged for DAI and wBTC.<\/p>\n<p>The final movements again led researchers to Paxful and Noones, where assets in the form of USDT were sent in small batches until November 2023.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/Xpv0k9tMxWj9VPDlH1LIh7qSgyGSfWRtxdPYsHptnZCXW_DV6dbhkREg9XOBkxEsInyZJIqpCSRMjLbUCS1PO1jnTcOg0V_Scgke0E6YHUtyjcTVjIaR_b4AADBKCopZn0ux-iGAHl21iA65lursOE0\" alt=\"TRM forensic analysis graph\"\/><figcaption class=\"wp-element-caption\">TRM forensic analysis graph. Data: TRM Labs.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\"><strong>July 2021: Bondly Hack<\/strong><\/h2>\n<p>The incident resulted in $8.5 million in losses across Ethereum, BSC, and Polygon.<\/p>\n<p>All assets went through the Tornado Cash mixer and were transferred via multichain bridges to new Ethereum addresses.\u00a0<\/p>\n<p>In June 2022, combined with other stolen funds, they ended up on Binance. Again, until November 2023, batches of USDT were sent to Paxful and Noones.<\/p>\n<h2 class=\"wp-block-heading\"><strong>August and September 2021: Unknown Hacks<\/strong><\/h2>\n<p>Due to the compromise of a private key, several individuals lost $2 million. 
The hackers immediately converted the assets to ETH, withdrew them to a single address, and sent them to Tornado Cash.<\/p>\n<p>Through an intermediary wallet, the funds were combined with other illegal proceeds and distributed across exchanges.\u00a0<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/tYqvZDbY3hjt9_GGO4sKQa3YYiXokD9xxeZIKvf9FKGRURNvifvQYS8TuSWaipVSPX7HS4Dvugh-niVU5-PlT4ETDanGu4moKj8Q3UVLbA3ibSEoQ2HHDBsg62CpQROhVH9bnBMSPAO5za47weNoPo8\" alt=\"TRM forensic analysis graph\"\/><figcaption class=\"wp-element-caption\">TRM forensic analysis graph. Data: TRM Labs.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\"><strong>October 2021: MGNR and PolyPlay Hacks<\/strong><\/h2>\n<p>MGNR lost $24 million. The assets, converted to ETH, were sent in two parts through Tornado Cash and ended up in previously used Lazarus Group wallets. From summer 2022, USDT was sent to Paxful and Noones.<\/p>\n<p>PolyPlay suffered $1.6 million in losses. The laundering followed a similar scheme.\u00a0<\/p>\n<h2 class=\"wp-block-heading\"><strong>November 2021: bZx Hack<\/strong><\/h2>\n<p>A phishing attack against bZx netted the hackers $55 million. After passing through Tornado Cash, all of the cryptocurrency was mixed with previously laundered assets from the hacks above and sent to Paxful.<\/p>\n<h2 class=\"wp-block-heading\"><strong>August 2023: Steadefi and CoinShift Hacks<\/strong><\/h2>\n<p>User losses amounted to $1.2 million. 
In the case of Steadefi, the hackers posed as an employee of the investment fund Spirit Blockchain Group.<\/p>\n<p>CoinShift did not publicly report the incident, but funds from wallets linked to the platform&#8217;s founder were suddenly withdrawn on August 16.<\/p>\n<p>The stolen ETH from both hacks was deposited into Tornado Cash in 100 ETH tranches, minutes apart.\u00a0<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/zachxbt.mirror.xyz\/_next\/image?url=https%3A%2F%2Fimages.mirror-media.xyz%2Fpublication-images%2FVA3pHOUfqUGl19XW1CnXH.png&#038;w=3840&#038;q=75\" alt=\"Table 7: Steadefi &#038; Coinshift Tornado Cash 100 ETH deposits\"\/><figcaption class=\"wp-element-caption\">Steadefi and CoinShift Tornado Cash deposits of 100 ETH. Data: ZachXBT.<\/figcaption><\/figure>\n<p>Assets distributed across three addresses later ended up in a single wallet. After conversion to USDT, they were sent to the hackers&#8217; accounts on Paxful and Noones.\u00a0<\/p>\n<h2 class=\"wp-block-heading\"><strong>Investigation Results<\/strong><\/h2>\n<p>In total, accounts belonging to the Lazarus Group on the P2P platforms <a href=\"https:\/\/etherscan.io\/address\/0x246569f8b420c8d850c475c53d0d59973b3f08fc\">Paxful<\/a> and <a href=\"https:\/\/etherscan.io\/address\/0x2e1155cf5374cba058a04fd03ebd0ba19afe580d\">Noones<\/a> received $44 million from July 2022 to November 2023. The hackers later switched to new deposit addresses.\u00a0<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/zachxbt.mirror.xyz\/_next\/image?url=https%3A%2F%2Fimages.mirror-media.xyz%2Fpublication-images%2FPWPD9ub4GNZaREtX2aex1.png&#038;w=3840&#038;q=75\" alt=\"TRM forensics graph\"\/><figcaption class=\"wp-element-caption\">TRM forensic analysis graph. Data: TRM Labs.<\/figcaption><\/figure>\n<p>The entire amount was converted to fiat via bank transfers or cash withdrawals. 
Traditionally, the Lazarus Group uses Chinese OTC traders for this purpose.<\/p>\n<p>In November 2023, Tether blacklisted $374,000 of the funds stolen by hackers. An undisclosed amount was also frozen on centralized exchanges in the fourth quarter of 2023.<\/p>\n<p>Additionally, three out of four stablecoin issuers blocked an additional $3.4 million on addresses belonging to the cybercriminals.<\/p>\n<p>Previously, ForkLog reported that the Lazarus Group created a fake investor to attack the DeFi segment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On-chain researcher ZachXBT tracked the movement of $200 million stolen by the Lazarus Group hackers in 25 cyberattacks from August 2020 to October 2023. Lazarus Group hacks in 2020\u20132023. Data: TRM Labs. 2020: CoinBerry, Unibright, and CoinMetro Hacks In August, the perpetrators withdrew $370,000 from the hot Bitcoin and Ethereum wallets of the Canadian crypto [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":13047,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1150,1202,1526,167,1314],"class_list":["post-13048","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-news-plus","tag-north-korea-dprk","tag-paxful","tag-research","tag-tornado-cash"],"aioseo_notices":[],"amp_enabled":true,"views":"43","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/13048","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forkl
og.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=13048"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/13048\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/13047"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=13048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=13048"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=13048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
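The recurring pattern in the "Investigation Results" section above is that USDT left the group's wallets in small batches to two fixed P2P deposit addresses (the Paxful and Noones addresses the article links to) over roughly sixteen months. The script below is an added example, not code from ForkLog, ZachXBT or TRM Labs: it screens a list of ERC-20 transfers against a watchlist built from the four Etherscan addresses cited in the article and then applies a simple structuring heuristic (several sub-threshold transfers of the same token to one recipient within a time window). The transfer records are constructed sample data, the sender and "unrelated" addresses are hypothetical, and the 10,000 USDT threshold, four-transfer minimum and 30-day window are illustrative assumptions rather than values taken from the investigation.

```python
"""Screen ERC-20 transfers against addresses cited in the article and flag
small-batch ("structured") stablecoin outflows to a single P2P deposit address.

Added example; the watchlist addresses are the ones linked from the article,
every Transfer below is CONSTRUCTED sample data, and the heuristic thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Addresses cited in the article (Etherscan links), lower-cased for comparison.
WATCHLIST = {
    "0x0864b5ef4d8086cd0062306f39adea5da5bd2603": "consolidation address, Jan 2021",
    "0x05492cbc8fb228103744ecca0df62473b2858810": "post-Tornado Cash consolidation address",
    "0x246569f8b420c8d850c475c53d0d59973b3f08fc": "Paxful deposit address",
    "0x2e1155cf5374cba058a04fd03ebd0ba19afe580d": "Noones deposit address",
}


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    ts: datetime
    token: str
    sender: str
    recipient: str
    amount: float  # token units, already decimal-adjusted


def watchlist_hits(transfers):
    """Return (transfer, label) for every transfer whose recipient is on the watchlist."""
    return [(t, WATCHLIST[t.recipient.lower()])
            for t in transfers if t.recipient.lower() in WATCHLIST]


def structuring_candidates(transfers, token="USDT", max_amount=10_000.0,
                           min_count=4, window=timedelta(days=30)):
    """Flag recipients that receive at least `min_count` transfers of `token`,
    each no larger than `max_amount`, inside some span of length `window`.
    Returns {recipient: [transfers of the first qualifying span]}.
    Thresholds are illustrative assumptions, not values from the investigation."""
    by_recipient = defaultdict(list)
    for t in transfers:
        if t.token == token and t.amount <= max_amount:
            by_recipient[t.recipient.lower()].append(t)

    flagged = {}
    for recipient, batch in by_recipient.items():
        batch.sort(key=lambda t: t.ts)
        lo = 0  # sliding window over the time-ordered batch
        for hi in range(len(batch)):
            while batch[hi].ts - batch[lo].ts > window:
                lo += 1
            if hi - lo + 1 >= min_count:
                flagged[recipient] = batch[lo:hi + 1]
                break
    return flagged


# --- constructed sample data (hypothetical sender and unrelated recipient) ---
PAXFUL = "0x246569f8b420c8d850c475c53d0d59973b3f08fc"
NOONES = "0x2e1155cf5374cba058a04fd03ebd0ba19afe580d"
SRC = "0x1111111111111111111111111111111111111111"        # hypothetical sender
UNRELATED = "0x2222222222222222222222222222222222222222"  # hypothetical, not on watchlist
T0 = datetime(2023, 6, 1)

SAMPLE = [
    Transfer("0x01", T0, "USDT", SRC, PAXFUL, 4_900.0),
    Transfer("0x02", T0 + timedelta(days=3), "USDT", SRC, PAXFUL, 5_000.0),
    Transfer("0x03", T0 + timedelta(days=9), "USDT", SRC, PAXFUL, 4_750.0),
    Transfer("0x04", T0 + timedelta(days=20), "USDT", SRC, PAXFUL, 4_990.0),
    Transfer("0x05", T0 + timedelta(days=1), "USDT", SRC, NOONES, 9_500.0),
    Transfer("0x06", T0 + timedelta(days=45), "USDT", SRC, NOONES, 9_800.0),
    Transfer("0x07", T0 + timedelta(days=2), "USDT", SRC, UNRELATED, 120_000.0),  # one large transfer
    Transfer("0x08", T0 + timedelta(days=2), "DAI", SRC, PAXFUL, 1_000.0),        # wrong token
]

if __name__ == "__main__":
    for t, label in watchlist_hits(SAMPLE):
        print(f"{t.tx_hash}: {t.amount:>10,.2f} {t.token} -> {label}")
    for recipient, batch in structuring_candidates(SAMPLE).items():
        print(f"structuring candidate {recipient}: "
              f"{len(batch)} transfers, {sum(t.amount for t in batch):,.2f} USDT")
```

On the sample data the watchlist pass flags every transfer to the Paxful and Noones addresses, while the structuring pass flags only the Paxful address: four sub-threshold USDT transfers land there within twenty days, the two Noones transfers are too few, and the single large transfer to the unrelated address never enters the sliding window. Against real data the watchlist would be fed from the etherscan links in the article or a sanctions feed, and the thresholds tuned to the venue being monitored.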