State-backed North Korean cybercrime group Lazarus has been linked to numerous large-scale blockchain exploits over the last few years. Now the hackers have started consolidating the stolen funds from different exploits in order to launder them across several blockchains.
Blockchain sleuths zachXBT and tayvano found a direct on-chain link between the crypto drained in the Harmony bridge, Atomic Wallet, CoinsPaid and Alphapo hacks, whose cumulative losses are estimated at around $290 million.
The way these attacks were carried out, coupled with the subsequent movement of the stolen funds into particular wallets, gave blockchain security experts strong reason to believe that the Lazarus group was behind them.
Tracing the funds on-chain, the two researchers found that the hackers moved $8.5 million worth of these funds across more than 300 addresses on three different blockchains.
A few nights back, @zachxbt and I stumbled on a crazy direct link btwn funds stolen from Coinspaid/Alphapo <> Atomic Wallet <> Harmony.
Last night, ~$8.5m of the funds from Coinspaid/Alphapo (w/ some leftovers from Atomic Wallet) went flying across 300+ addies on 3 chains.
😳 https://t.co/onn6v75JxW pic.twitter.com/10DNH11F6L
— Tay 💖 (@tayvano_) August 3, 2023
Over the course of five hours, the hackers split 4,600 ETH across 125 new Ethereum addresses, then bridged the funds to Avalanche and finally to Bitcoin. According to tayvano, 290 BTC now sits in 125 Bitcoin addresses, each holding between one and three BTC.
“Most amazingly, during this entire laundry sesh, there were a total of 514 txns that moved from either ETH->AVAX or AVAX->BTC via the same services being used to launder (“launder”) these stolen funds. 500 txns were moving stolen funds from Alphapo/Coinspaid/Atomic Wallet,” tayvano said on Twitter.
The on-chain researcher also noted that this is the fifth time in the past few weeks that the Lazarus group has laundered millions of dollars in this way.
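The pattern described above (one wallet slicing a large balance into dozens of freshly generated addresses within a few hours, then repeating the spray on the next chain with near-uniform slice sizes) is exactly the kind of signal on-chain investigators look for. The following is an added example, not code from the article or from the researchers it quotes: a minimal fan-out heuristic that flags a source address sending to many never-before-seen addresses inside a sliding time window, and notes when the slice sizes are near-uniform. All addresses, timestamps and amounts are constructed sample data, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not the article's or the researchers' code). Addresses, times
# and amounts are constructed; the thresholds are illustrative assumptions.


@dataclass(frozen=True)
class Transfer:
    chain: str          # e.g. "ethereum", "avalanche", "bitcoin"
    ts: datetime        # block timestamp (UTC)
    src: str
    dst: str
    amount: float       # in the chain's native unit


def fanout_clusters(transfers, min_fresh=10, window=timedelta(hours=6)):
    """Return one finding per (chain, source) that pays at least `min_fresh`
    never-before-seen addresses inside a sliding time window.

    'Fresh' means the destination had not appeared in any earlier transfer on the
    same chain. Laundering sprays use newly generated addresses, whereas a
    legitimate payout service mostly pays addresses it has paid before, so the
    benign high-volume sender is not flagged.
    """
    seen = set()                      # (chain, address) already observed
    outs = defaultdict(list)          # (chain, src) -> [(ts, dst, amount, fresh)]
    for t in sorted(transfers, key=lambda t: t.ts):
        fresh = (t.chain, t.dst) not in seen
        outs[(t.chain, t.src)].append((t.ts, t.dst, t.amount, fresh))
        seen.add((t.chain, t.src))
        seen.add((t.chain, t.dst))

    findings = []
    for (chain, src), events in outs.items():
        fresh_events = [e for e in events if e[3]]   # already time-ordered
        # Densest window: two-pointer sweep over the fresh outputs only.
        best_lo, best_hi, lo = 0, -1, 0
        for hi in range(len(fresh_events)):
            while fresh_events[hi][0] - fresh_events[lo][0] > window:
                lo += 1
            if hi - lo > best_hi - best_lo:
                best_lo, best_hi = lo, hi
        burst = fresh_events[best_lo:best_hi + 1]
        if len(burst) < min_fresh:
            continue
        amounts = [e[2] for e in burst]
        findings.append({
            "chain": chain,
            "src": src,
            "fresh_outputs": len(burst),
            "distinct_dsts": len({e[1] for e in burst}),
            "span_hours": round((burst[-1][0] - burst[0][0]).total_seconds() / 3600, 2),
            "total": round(sum(amounts), 6),
            "min_amount": min(amounts),
            "max_amount": max(amounts),
            # Near-uniform slices (every address holding 1-3 BTC) are a second tell.
            "uniform_slices": max(amounts) <= 3 * min(amounts),
        })
    return findings


T0 = datetime(2023, 8, 2, 22, 0)


def sample_transfers():
    """Constructed sample data, not real on-chain records."""
    txs = []
    # Laundering spray: one wallet slices ~4,600 ETH into 12 fresh addresses over ~4.6 h.
    for i in range(12):
        txs.append(Transfer("ethereum", T0 + timedelta(minutes=25 * i),
                            "0xSPRAY", f"0xFRESH{i:02d}", 380.0 + i))
    # Benign payout service: pays the same three customer addresses every hour.
    for h in range(12):
        for c in range(3):
            txs.append(Transfer("ethereum", T0 + timedelta(hours=h, minutes=5),
                                "0xPAYOUT", f"0xCUST{c}", 2.5))
    # Bitcoin leg after the bridge hops: 12 fresh addresses, 1-3 BTC each.
    for i in range(12):
        txs.append(Transfer("bitcoin", T0 + timedelta(hours=6, minutes=10 * i),
                            "bc1qhop", f"bc1qfresh{i:02d}", 1.0 + (i % 5) * 0.5))
    return txs


if __name__ == "__main__":
    for finding in fanout_clusters(sample_transfers()):
        print(finding)
```

The payout service sends more transactions than the spray wallet but is not flagged, because after its first hour every destination is an address it has already paid; the spray wallet and the Bitcoin hop are flagged on fresh-address count alone, and the uniform-slice flag then corroborates them. In practice the heuristic is a triage filter, not proof: tune `min_fresh` and `window` per chain, and combine it with the bridge-hop linkage the researchers describe before attributing anything.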
Where do these funds ultimately end up? According to zachXBT, these funds go to over-the-counter (OTC) traders on the Tron network.
Usually nowadays it ends up going to OTCs on Tron
— ZachXBT (@zachxbt) August 1, 2023
Earlier this year, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned three individuals based in China and Hong Kong for facilitating Lazarus' money laundering. Two of them were OTC crypto traders who converted millions of dollars of stolen crypto into fiat currency on Lazarus' behalf. The third coordinated with those OTC traders, through the OFAC-sanctioned Korea Kwangson Banking Corp (KKBC), to fund weapons production and purchase goods for the North Korean government.