Highlights:
- The U.S. Justice Department filed legal complaints to seize $2.7 million from Lazarus Group hacks.
- This amount includes Tether stablecoins and Avalanche-bridged Bitcoin, which were frozen during North Korean hackers’ attempts to launder the funds.
- The group is linked to various attacks, including the WazirX exchange hack in July 2024.
On October 4, 2024, the United States government filed two legal complaints to seize over $2.67 million in cryptocurrency stolen in two major hacks by the North Korean Lazarus hacking group.
The forfeiture complaints seek to recover approximately $1.7 million worth of Tether (USDT), traced through the Tornado Cash mixer and linked to the North Korean Lazarus Group’s $28 million hack of the crypto options exchange Deribit in November 2022.
Additionally, United States law enforcement officials filed to recover around 15.5 Avalanche-bridged Bitcoin (BTC.b), currently valued at about $971,000, stolen in the group’s $41 million hack of the online crypto casino Stake.com.
Feds Move to Seize Millions in Crypto from North Korean Lazarus Group
On October 4, 2024, the U.S. government filed two legal actions to seize more than $2.67 million in digital assets stolen by the notorious North Korean Lazarus hacking group. The seizures target $1.7 million… pic.twitter.com/3YO4hSgMIc
— VERITAS PROTOCOL (@veritas_web3) October 6, 2024
Lazarus Group Laundered Funds from Deribit Hack Through Tornado Cash
The first filing focuses on how the Lazarus Group laundered money from the Deribit hack using Tornado Cash. North Korean hackers accessed Deribit’s hot wallet, converted $28 million into Ethereum, and funneled it through Tornado Cash, ultimately turning it into Tether stablecoins on the Tron blockchain.
Law enforcement traced the funds through Tornado Cash by identifying Ethereum wallets that behaved alike: they received transfers within minutes of one another, used the same cross-chain bridges, and drew their transaction fees from the same sources.
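The three linking heuristics named above can be turned into a simple wallet-clustering check. The code below is an added illustration, not part of the article or any court filing; every address, timestamp, bridge name and the 10-minute window are constructed assumptions.

```python
# Added example (not from the article): cluster wallets using the three link
# heuristics the article attributes to investigators. Addresses, timestamps,
# bridge names and the time window below are constructed sample values.
from dataclasses import dataclass
from itertools import combinations

WINDOW_SECONDS = 10 * 60  # "received transfers within minutes": assumed 10-minute window

@dataclass(frozen=True)
class Deposit:
    wallet: str       # receiving address (constructed)
    received_at: int  # unix time of the inbound transfer
    bridge: str       # cross-chain bridge later used to move the funds out
    fee_source: str   # address that funded this wallet's gas (constructed)

def link_score(a: Deposit, b: Deposit) -> int:
    """Count how many of the three heuristics tie two deposits together."""
    score = 0
    if abs(a.received_at - b.received_at) <= WINDOW_SECONDS:
        score += 1
    if a.bridge == b.bridge:
        score += 1
    if a.fee_source == b.fee_source:
        score += 1
    return score

def cluster_wallets(deposits, min_score=2):
    """Union-find over wallets; two wallets join when >= min_score heuristics match."""
    parent = {d.wallet: d.wallet for d in deposits}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b in combinations(deposits, 2):
        if link_score(a, b) >= min_score:
            parent[find(a.wallet)] = find(b.wallet)
    groups = {}
    for d in deposits:
        groups.setdefault(find(d.wallet), set()).add(d.wallet)
    return sorted(sorted(g) for g in groups.values())

# Constructed sample: A-C share timing, bridge and gas funder; D shares only the bridge; E is unrelated.
SAMPLE = [
    Deposit("0xA", 1_700_000_000, "bridge-1", "0xGAS1"),
    Deposit("0xB", 1_700_000_120, "bridge-1", "0xGAS1"),
    Deposit("0xC", 1_700_000_300, "bridge-1", "0xGAS1"),
    Deposit("0xD", 1_700_090_000, "bridge-1", "0xGAS9"),
    Deposit("0xE", 1_700_500_000, "bridge-2", "0xGAS7"),
]

if __name__ == "__main__":
    print(cluster_wallets(SAMPLE))  # [['0xA', '0xB', '0xC'], ['0xD'], ['0xE']]
```

Requiring two of three matches keeps a shared bridge alone (wallet D) from pulling unrelated users into a cluster; lowering `min_score` to 1 shows how quickly the grouping over-reaches.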
The hackers tried to convert Ethereum to USDT in three attempts. The first two were stopped when funds were frozen by law enforcement. In the third attempt, they successfully laundered the rest, leaving about $1.7 million in USDT frozen in five wallets.
Hacker Group Laundered Crypto from Stake.com Hack Through Multiple Stages
The second filing covers the Lazarus Group’s $41 million hack of Stake.com. The group laundered funds in three stages: converting stolen assets into BTC via Avalanche Bridge, moving them through mixers Sinbad and Yonmix, and converting them into stablecoins like USDT.
Law enforcement froze some funds in the first and third stages, though most were successfully transferred to Bitcoin. Despite tracing the funds through the mixers, officials recovered only 0.099 BTC (worth about $6,270) from that stage.
Lazarus Group Likely Behind Multiple Crypto Hacks
Seizing $2.7 million from Lazarus Group’s hacks of Deribit and Stake.com represents only a small portion of the attacks linked to the group. On-chain analysts suspect the Lazarus Group was also behind the July 2024 WazirX exchange hack, which resulted in approximately $235 million in losses.
An alarming report from on-chain investigator ZachXBT on August 15 revealed a network of North Korean developers infiltrating at least 25 crypto projects. These developers used fake identities to get hired by the projects, then compromised code and stole funds. ZachXBT indicated that all identified developers were likely part of a single organization.
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.
Unbeknownst to the team, they had hired multiple DPRK IT workers as devs who were using fake identities.
I then uncovered 25+ crypto projects with… pic.twitter.com/W7SgY97Rd8
— ZachXBT (@zachxbt) August 15, 2024
In September 2024, the United States Federal Bureau of Investigation (FBI) issued warnings about the Lazarus Group. The first warning addressed social engineering scams linked to the hacking group.
One scam involved sending fake job offers to unsuspecting users. The hackers built rapport with their victims and encouraged them to download malware disguised as job documents. This led to theft or loss of sensitive personal data.