It was a very active weekend for Lazarus, the infamous North Korean hacker group, as it moved funds stolen in the Harmony Bridge hack. Notably, the group carried out a transfer amounting to $63.5m (~41,000 ETH).
Erasing the stolen funds’ trail
Lazarus Group has, over time, become very efficient at laundering its money through various platforms to avoid detection by authorities. In a Twitter post, the blockchain sleuth “ZachXBT” revealed the details of transactions in which various Ethereum assets passed through Railgun. Railgun is a smart contract privacy platform that obscures transactions using zero-knowledge proofs.
Previously, the Group’s funds were routed through Tornado Cash, an anonymizing service commonly used by bad actors in the crypto industry to launder their dirty money.
The analyst traced the transactions through over 350 addresses and estimated that around 41,000 ETH left Railgun for various addresses before the crypto was deposited on different exchanges. Although he did not name the exchanges, he said that the Lazarus Group usually withdraws the assets from these exchanges quickly.
In a recent Twitter post, Binance’s CEO CZ revealed that his exchange had previously detected the Harmony One hackers’ fund movements when they tried to launder money via Binance. As a result, the exchange froze the accounts. The Binance CEO notes that this time the hackers used Huobi, but Binance was able to step in and help that exchange freeze the involved accounts, recovering 124 BTC in total.
Lazarus Group’s focus on the DeFi industry
Reports named Lazarus Group as the main party behind the Harmony attack of June 2022, in which around $100 million was stolen from the Harmony Bridge. The hackers used Tornado Cash’s mixing capabilities to launder the money.
Previously, the Group has been linked to other hacks amounting to over $2 billion over the years. Since 2022, it has shifted its strategy to focus on the fast-growing DeFi industry. Another hack it was linked to was the Ronin Bridge exploit, which netted it $600 million within the same period. Through October, it was also associated with several phishing emails sent to crypto exchanges in Japan.
A recent report by Kaspersky identifies BlueNoroff, a Lazarus Group subgroup, as having created several fictitious domain names that impersonate venture capital firms and banks. The company detected these attacks as early as January 2022, directed at organizations dealing with smart contracts, DeFi, blockchain, and the FinTech industry.