Report: how Lazarus Group laundered $200 million from 25 attacks on the crypto market

Onchain researcher ZachXBT tracked the movement of $200 million stolen by Lazarus Group hackers as a result of 25 cyberattacks between August 2020 and October 2023.

Lazarus Group hacks in 2020–2023. Data: TRM Labs.

2020: CoinBerry, Unibright and CoinMetro hacks

In August, attackers withdrew $370,000 from the hot Bitcoin and Ethereum wallets of the Canadian crypto exchange CoinBerry. In September — $400,000 from the Unbright platform, in October — $750,000 from CoinMetro.

Lazarus Group moved funds from these three thefts through intermediate wallets before consolidating them into one address in early January 2021.

The funds were then transferred in parts to the hackers' Tornado Cash account, and then withdrawn to an Ethereum address, after which they were combined with assets obtained from other thefts of the group.

Forensic examination schedule. Data: TRM Labs.

That same year, several transfers went to Chinese over-the-counter trader Wu Huihui, who was later designated by OFAC .

From July 2022 to November 2023, USDT was withdrawn in small batches to the P2P platforms Paxful and Noones.

December 2020: Nexus Mutual founder Hugh Karp hacked

On December 14, hackers gained remote access to Karp’s computer and stole 370,000 NXM ($8.3 million) from his MetaMask.

From December 16 to 17, 137.1 BTC of this amount went to the centralized mixing service ChipMixer in six transactions. A few hours later, 136 BTC were transferred back to Ethereum via the Ren Project and consolidated with funds from other thefts.

Forensic examination schedule. Data: TRM Labs.

Having passed through Tornado Cash, the assets ended up in a new Ren wallet.

In March 2021, the stolen cryptocurrency was repeatedly passed between the Bitcoin and Ethereum networks using ChipMixer. In April, a small part of BTC was sold to Wu Huihui. The remaining amounts went to the Bixin exchange, Paxful and Noones platforms.

April 2021: EasyFi founder Ankitta Gaur hacked

Similar to the previous case, $81 million in various tokens was stolen from Gaura through a malicious version of MetaMask.

Next, the assets went to new addresses using cross-chain transfers, then went to ChipMixer and returned to the Ethereum network via the Ren protocol.

In June 2022, funds from two addresses arrived at new EOA addresses, from where they were consolidated with other illegally obtained cryptocurrencies. Then, among other funds, they went to the Binance exchange.

Another batch of funds was withdrawn to new Ethereum wallets in the form of renBTC via ChipMixer, subsequently exchanged for DAI and wBTC.

The final movements again led researchers to Paxful and Noones, where USDT assets arrived in small quantities until November 2023.

Forensic examination schedule. Data: TRM Labs.

July 2021: Bondly hack

The damage from the incident amounted to $8.5 million in Ethereum, BSC and Polygon.

All assets went through the Tornado Cash mixer and through multi-chain bridges arrived at new Ethereum addresses.

In June 2022, combined with other stolen funds, they ended up on Binance. And again, until November 2023, USDT lots went to Paxful and Noones.

August and September 2021: unknown hacks

Several people lost $2 million due to private key compromise. The hackers immediately converted the assets into ETH, transferred them to a single address and sent them to Tornado Cash.

Through an intermediate wallet, the funds were combined with other illegal proceeds and distributed among exchanges.

Forensic examination schedule. Data: TRM Labs.

October 2021: MGNR and PolyPlay hack

MGNR lost $24 million. Assets converted to Ethereum passed through Tornado Cash in two parts and ended up in previously used Lazarus Group wallets. Since the summer of 2022, USDT has gone to Paxful and Noones.

Damage to PolyPlay amounted to $1.6 million. Laundering followed a similar pattern.

November 2021: bZx hack

Phishing attack on the protocol brought hackers $55 million. All cryptocurrency after Tornado Cash was additionally mixed with previously laundered assets from the hacks listed above and went to Paxful.

August 2023: Steadefi and CoinShift hacks

User losses amounted to $1.2 million. In the case of Steadefi, the hackers pretended to be an employee of the investment fund Spirit Blockchain Group.

CoinShift did not publicly announce the incident, but funds from multisig wallets linked to the founder of the platform were immediately withdrawn on August 16.

The stolen Ethereum from both hacks went in parts to Tornado Cash within a few minutes of each other.

Steadefi and CoinShift deposits on Tornado Cash for 100 ETH. Data: ZachXBT.

The assets distributed to three addresses subsequently ended up in a single wallet.. After converting to USDT, they arrived at the hackers’ accounts in Paxful and Noones.

Investigation results

In total, Lazarus Group accounts on P2P platforms Paxful and Noones received $44 million between July 2022 and November 2023. Subsequently, the hackers switched to new deposit addresses.

Forensic examination schedule. Data: TRM Labs.

This entire amount was converted into fiat through bank transfers or cash receipts. Traditionally, for this purpose, Lazarus Group resorts to the services of Chinese over-the-counter traders.

In November 2023, Tether blacklisted $374,000 of funds stolen by hackers.. An undisclosed amount is also frozen on centralized exchanges in the fourth quarter of 2023.

In addition, three of the four stablecoin issuers blocked an additional $3.4 million in addresses belonging to cybercriminals.

ForkLog previously reported that Lazarus Group created a fake investor to attack the DeFi segment.