Lazarus Group turns to Garantex to launder stolen assets
The Lazarus Group, known for its cybercriminal activities, has shifted its focus to Garantex, an OFAC-sanctioned exchange, to trade stolen assets for bitcoin (BTC).
This move comes despite significant efforts from various stakeholders, including on-chain monitor Elliptic, exchange partners, and the wider community, to freeze the stolen funds held in Atomic Wallet.
The Lazarus Group, a state-sponsored hacking group with alleged links to North Korea, has a long history of conducting high-profile cyber attacks targeting cryptocurrency exchanges, financial institutions, and other lucrative targets.
In this instance, their attention has turned to Garantex, an exchange subject to sanctions by the U.S. Office of Foreign Assets Control (OFAC).
Earlier this month, the Sinbad.io mixer, a service regularly utilized by the Lazarus Group, was being used to launder the stolen funds.
Elliptic noted that the hackers’ stolen money from Garantex was still being mixed via the Sinbad.io exchange.
The Treasury Department blacklisted Blender.io (the previous version of Sinbad.io) in May 2022 because of North Korea’s use of the site to “support its malicious cyber activities and money-laundering of stolen virtual currency.”
Up to $35 million in digital assets were stolen from user accounts on the cryptocurrency wallet service Atomic Wallet on June 3. Atomic announced the hiring of blockchain security and analysis firm Chainalysis five days after the event occurred.
The Harmony Bridge attack and the Ronin Bridge hack occurred within the last year, and both have been tied to the Lazarus Group, the renowned North Korean cyber group.