Onchain researcher ZachXBT tracked the movement of $200 million stolen by Lazarus Group hackers as a result of 25 cyber attacks between August 2020 and October 2023.
Lazarus Group hacks in 2020-2023. Data: TRM Labs.
2020: hacks of CoinBerry, Unibright and CoinMetro
In August, attackers withdrew $370,000 from the hot bitcoin and Ethereum wallets of the Canadian crypto exchange CoinBerry. In September they took $400,000 from the Unibright platform, and in October $750,000 from CoinMetro.
Lazarus Group moved the funds from these three thefts through intermediate wallets before consolidating them at one address in early January 2021.
The funds were then deposited in parts into Tornado Cash, withdrawn to an Ethereum address, and combined there with assets obtained from the group's other thefts.
Forensic analysis diagram. Data: TRM Labs.
In the same year, several transfers were received by a Chinese over-the-counter trader, Wu Huihui, who was later added to the OFAC sanctions list.
From July 2022 to November 2023, USDT was withdrawn in small batches to the Paxful and Noones P2P platforms.
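The flow described above, hop-through-intermediate-wallets, consolidation of several thefts at one address, fixed-size mixer deposits and later drip-feeding of USDT to P2P deposit addresses, is what a forensic tracing tool has to surface from raw transfer data. The following is an added illustration, not code from ZachXBT, TRM Labs or the original article: it runs a forward trace over a small constructed ledger (all addresses, amounts and transaction ids are made up), reports addresses that receive funds from two or more victims, treats a mixer as the point where on-chain linkage ends, and flags sender/receiver pairs that repeatedly move sub-threshold USDT amounts into P2P deposit addresses. The mixer label, the `paxful_dep`/`noones_dep` prefixes and the 5,000 USDT structuring threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data): (tx_id, sender, receiver, asset, amount).
# Every address label below is made up for this example.
TRANSFERS = [
    # Three thefts, each hopping through its own intermediate wallets...
    ("t01", "victim_coinberry", "hop_a1", "ETH", 100.0),
    ("t02", "hop_a1", "hop_a2", "ETH", 100.0),
    ("t03", "hop_a2", "consolidation_1", "ETH", 99.9),
    ("t04", "victim_unibright", "hop_b1", "ETH", 120.0),
    ("t05", "hop_b1", "consolidation_1", "ETH", 119.9),
    ("t06", "victim_coinmetro", "hop_c1", "ETH", 200.0),
    ("t07", "hop_c1", "consolidation_1", "ETH", 199.9),
    # ...before the pooled balance is pushed into a mixer in fixed-size deposits.
    ("t08", "consolidation_1", "mixer_pool_100", "ETH", 100.0),
    ("t09", "consolidation_1", "mixer_pool_100", "ETH", 100.0),
    ("t10", "consolidation_1", "mixer_pool_100", "ETH", 100.0),
    # An unrelated user must not be flagged by either check.
    ("t11", "legit_user", "exchange_hot_wallet", "ETH", 5.0),
    # A post-mixer cash-out wallet drip-feeding USDT to one P2P deposit address.
    ("t12", "cashout_1", "paxful_dep_7", "USDT", 4800.0),
    ("t13", "cashout_1", "paxful_dep_7", "USDT", 4950.0),
    ("t14", "cashout_1", "paxful_dep_7", "USDT", 4700.0),
    ("t15", "cashout_1", "paxful_dep_7", "USDT", 4900.0),
    # A single large, ordinary deposit to a P2P platform is not structuring.
    ("t16", "trader_9", "noones_dep_2", "USDT", 25000.0),
]

# Assumed mixer label: tracing stops at a mixer because deposits and withdrawals
# cannot be linked on-chain by following transfers alone.
MIXERS = {"mixer_pool_100"}


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, asset, amount, tx_id), ...]."""
    graph = defaultdict(list)
    for tx_id, sender, receiver, asset, amount in transfers:
        graph[sender].append((receiver, asset, amount, tx_id))
    return graph


def trace_forward(graph, source, mixers, max_hops=8):
    """Breadth-first set of addresses reachable from `source` via outgoing transfers.
    A mixer address is recorded but never expanded further."""
    seen = {source}
    queue = deque([(source, 0)])
    while queue:
        addr, depth = queue.popleft()
        if addr in mixers or depth >= max_hops:
            continue
        for receiver, _asset, _amount, _tx in graph.get(addr, []):
            if receiver not in seen:
                seen.add(receiver)
                queue.append((receiver, depth + 1))
    return seen


def find_consolidation_points(graph, victims, mixers):
    """Non-mixer addresses that receive funds traced from two or more distinct victims."""
    reached_by = defaultdict(set)
    for victim in victims:
        for addr in trace_forward(graph, victim, mixers):
            if addr != victim and addr not in mixers:
                reached_by[addr].add(victim)
    return {addr: sorted(v) for addr, v in reached_by.items() if len(v) >= 2}


def find_structured_deposits(transfers, platform_prefixes, asset="USDT",
                             max_amount=5000.0, min_count=3):
    """Sender/receiver pairs that repeatedly move sub-threshold amounts of `asset`
    to addresses whose label starts with one of `platform_prefixes`."""
    batches = defaultdict(list)
    for _tx, sender, receiver, a, amount in transfers:
        if a == asset and amount < max_amount and receiver.startswith(tuple(platform_prefixes)):
            batches[(sender, receiver)].append(amount)
    return {pair: amounts for pair, amounts in batches.items() if len(amounts) >= min_count}


if __name__ == "__main__":
    g = build_graph(TRANSFERS)
    victims = ["victim_coinberry", "victim_unibright", "victim_coinmetro"]
    for addr, vs in find_consolidation_points(g, victims, MIXERS).items():
        print(f"consolidation point {addr}: funds from {', '.join(vs)}")
    for (s, r), amts in find_structured_deposits(TRANSFERS, ["paxful_dep", "noones_dep"]).items():
        print(f"structured deposits {s} -> {r}: {len(amts)} transfers totalling {sum(amts):.0f} USDT")
```

On the constructed ledger the trace from each victim ends at the mixer, so `cashout_1` is not attributed to any theft by the graph alone; that gap is exactly why investigators lean on timing, amount patterns and platform cooperation for the post-mixer leg, as the article's later sections describe.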
December 2020: Hacking of Nexus Mutual Founder Hugh Karp
On December 14, hackers gained remote access to Karp's computer and stole 370,000 NXM ($8.3 million) from his MetaMask.
From December 16 to December 17, 137.1 BTC of this amount was transferred to the centralized mixing service ChipMixer in six transactions. A few hours later, 136 BTC were withdrawn back to Ethereum through the Ren Project and consolidated with funds from other thefts.
Forensic analysis diagram. Data: TRM Labs.
After passing through Tornado Cash, the assets ended up in a new Ren wallet.
In March 2021, the stolen cryptocurrency was repeatedly moved between the bitcoin and Ethereum networks via ChipMixer. In April, a small portion of the BTC was sold to Wu Huihui. The remaining amounts were transferred to the Bixin exchange and to the Paxful and Noones platforms.
April 2021: Hacking of EasyFi founder Ankitt Gaur
As in the previous case, $81 million in various tokens was stolen from Gaur through a malicious version of MetaMask.
The assets then went to new addresses via cross-chain transfers, passed through ChipMixer and returned to the Ethereum network via the Ren protocol.
In June 2022, funds from two addresses were transferred to new EOA addresses, from where they were consolidated with other illegally obtained cryptocurrency. Then, together with other funds, they went to the Binance exchange.
Another batch of funds was withdrawn to new Ethereum wallets as renBTC via ChipMixer and subsequently exchanged for DAI and wBTC.
The final movements again led the researchers to Paxful and Noones, where assets in the form of USDT were received in small batches until November 2023.
Forensic analysis diagram. Data: TRM Labs.
July 2021: Hacking of Bondly
The damage from the incident amounted to $8.5 million on Ethereum, BSC and Polygon.
All assets passed through the Tornado Cash mixer and were transferred to new Ethereum addresses via multi-chain bridges.
In June 2022, combined with other stolen funds, they ended up on Binance. Again, USDT batches went to Paxful and Noones until November 2023.
August and September 2021: Unknown hacks
Several individuals lost $2 million after a private key was compromised. The hackers immediately converted the assets into ETH, transferred them to a single address and sent them to Tornado Cash.
Through an intermediate wallet, the funds were combined with other illegal income and distributed to exchanges.
Forensic analysis diagram. Data: TRM Labs.
October 2021: Hacking of MGNR and PolyPlay
MGNR lost $24 million. The assets, converted to Ethereum, passed through Tornado Cash in two parts and ended up on wallets previously used by Lazarus Group. Since summer 2022, USDT has been flowing to Paxful and Noones.
PolyPlay's losses amounted to $1.6 million. The laundering followed a similar scheme.
November 2021: Hacking of bZx
A phishing attack on the protocol netted the hackers $55 million. After Tornado Cash, all of the cryptocurrency was further mixed with previously laundered assets from the hacks listed above and received by Paxful.
August 2023: Steadefi and CoinShift hacks
User losses amounted to $1.2 million. In the Steadefi case, the hackers posed as an employee of the investment fund Spirit Blockchain Group.
CoinShift has not publicly announced the incident, but funds from multisig wallets linked to the founder of the platform were simultaneously withdrawn on August 16.
The stolen Ethereum from both hacks went to Tornado Cash in parts, minutes apart.
Steadefi and CoinShift deposits of 100 ETH into Tornado Cash. Data: ZachXBT.
The assets, distributed to three addresses, were subsequently transferred to a single wallet. After conversion to USDT, they were credited to the hackers' accounts on Paxful and Noones.
The results of the investigation
In total, the accounts belonging to Lazarus Group on the Paxful and Noones P2P platforms received $44 million between July 2022 and November 2023. Later, the hackers switched to new deposit addresses.
Forensic analysis diagram. Data: TRM Labs.
The entire amount was converted into fiat via bank transfers or cash withdrawals. Lazarus Group traditionally uses Chinese over-the-counter traders for this purpose.
In November 2023, Tether blacklisted $374,000 of the funds stolen by the hackers. An undisclosed amount was also frozen on centralized exchanges in the fourth quarter of 2023.
In addition, three of the four issuers of stablecoins blocked an additional $3.4 million on addresses belonging to cybercriminals.
Earlier, ForkLog reported that Lazarus Group created a fake investor to attack the DeFi segment.