DPRK
Image: Planet Volumes via Unsplash

North Korea’s Lazarus hackers behind recent crypto heists: FBI

The FBI has attributed three recent cyberattacks on cryptocurrency platforms to the North Korean government’s APT38 hacking group — known by many researchers as Lazarus or TraderTraitor.

June saw three headline-grabbing incidents involving cryptocurrency companies: a $100 million hack of Atomic Wallet on June 2, as well as two June 22 attacks in which cybercriminals stole $60 million from Alphapo and $37 million from CoinsPaid.

Representatives of all three companies intimated at the time that North Korean hackers were behind the incidents, but the FBI officially attributed the attacks to Lazarus hackers on Tuesday and warned that Pyongyang is likely to attempt to cash out the stolen proceeds.

“The FBI is warning cryptocurrency companies of recent blockchain activity connected to the theft of hundreds of millions of dollars in cryptocurrency. Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People's Republic of Korea (DPRK) TraderTraitor-affiliated actors,” the agency said.

“The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40 million dollars. The FBI investigation found the TraderTraitor-affiliated actors moved approximately 1,580 bitcoin from several cryptocurrency heists.”

In the advisory, they provided bitcoin addresses and said companies should “be vigilant in guarding against transactions directly with, or derived from [them].”

A banner year

For years, the Lazarus Group has carried out some of the most brazen cryptocurrency heists the industry has seen.

The FBI previously attributed the $100 million hack of Harmony’s Horizon bridge and the $600 million hack of Sky Mavis’ Ronin Bridge to the same North Korean hackers.

Blockchain research firm Chainalysis found that 2022 was a banner year for hackers targeting cryptocurrency firms, with about $3.8 billion in total stolen from companies in the industry, up from $3.3 billion in 2021.

Chainalysis noted that much of the hacking activity was led by groups associated with the North Korean military, which has prioritized cryptocurrency hacks in an effort to fund its nuclear weapons program.

Hackers with North Korea’s Lazarus Group and others were responsible for $1.7 billion worth of cryptocurrency theft in 2022, shattering their own records. Chainalysis noted that in 2020, the country’s total exports were just $142 million, making the crypto hacks a “sizable chunk of the nation’s economy.”

North Korean groups led the way in their targeting of DeFi platforms specifically, making $1.1 billion off of attacks. The U.S. Treasury has openly accused North Korea of being involved in the theft of about $7.8 million from a cryptocurrency platform called Nomad.

Hackers from the country used the cryptocurrency mixing service Tornado Cash through much of last year to launder funds, but in August the U.S. Treasury Department sanctioned the company.

The government reissued sanctions on the company in November, accusing the platform of helping North Korean government hackers launder more than $455 million stolen in March 2022.

Several cryptocurrency companies, including Coinbase, lost a lawsuit last week to remove the sanctions after a judge threw out claims that there was no single sanctionable entity behind the service.

Following the sanctions, Chainalysis found that North Korean actors began to diversify their use of mixing services. While some funds are still laundered through Tornado Cash, the country’s hackers also use services like Sinbad, a relatively new Bitcoin mixer.

“As we’ve seen in many North Korea-directed hacks, the hackers bridge the stolen funds from the Ethereum blockchain — including a portion of the funds stolen in the Axie Infinity hack — to Bitcoin, then send that Bitcoin to Sinbad,” Chainalysis researchers said.

In December and January, North Korea-linked hackers sent $24.2 million worth of Bitcoin to Sinbad.

The FBI said on Tuesday that it will “continue to expose and combat the DPRK’s use of illicit activities — including cybercrime and virtual currency theft — to generate revenue for the regime.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.