This week the FBI issued a release confirming that the theft of approximately $41 million in crypto assets from Stake.com, an online casino and betting platform, was the work of North Korea’s Lazarus Group. Lazarus stole these assets from Stake-controlled addresses on Ethereum, Binance Smart Chain (BSC), and Polygon blockchains and, as of yesterday, had moved them into the 40 crypto addresses identified in the FBI’s press release.
TRM's on-chain analysis of the hack and the post-theft movement of funds confirms DPRK involvement. The ETH and BSC assets have, for the most part, been swapped into unfreezable native assets but remain parked. The Polygon/MATIC were swapped and bridged via Squid Router. Those swaps generally went from MATIC to USDT or USDC and were moved to Avalanche. On Avalanche, they were swapped into wrapped BTC, then bridged to Bitcoin, where they now sit, parked. This type of activity is a hallmark of recent Lazarus Group exploits.
As described in TRM’s recent report on North Korean crypto thefts, the Avalanche Bridge has become North Korean hacker's vehicle of choice to move funds to and from the Bitcoin blockchain.
According to the FBI, and a recent report from TRM, these same DPRK actors are also responsible for several other large scale attacks stealing more than $200 million so far in 2023. According to the FBI, this amount includes, but is not limited to, approximately $60 million of virtual currency from Alphapo and CoinsPaid on or about July 22, 2023, and approximately $100 million of virtual currency from Atomic Wallet on or about June 2, 2023. According to TRM, North Korean cyber actors have stolen over $2 billion in cryptocurrency over the last five years.
The FBI has previously provided information to the public regarding the DPRK’s attacks against Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge and put out a cybersecurity advisory on TraderTraitor. In addition, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Lazarus Group in 2019.
The FBI's recent spate of public announcements, confirming North Korean involvement in a series of hacks, are part of a larger effort by the US government to arm industry with the knowledge necessary to reject, block, and freeze crypto assets under North Korea's control. By publicizing exactly which addresses North Korea is known to control, the FBI is making it vastly easier for compliance professionals to identify and block suspicious deposits by North Korean hackers.
North Korean cybercriminals continue to evolve
Even in the last year, North Korea’s laundering tactics have shifted. In 2022 North Korean actors tended to move stolen funds quickly to Ethereum based mixer Tornado Cash as the majority of hacks occurred on Ethereum or other EVM blockchains. Funds were then bridged to Bitcoin via the Ren Bridge, where they were laundered again via ChipMixer, a then-popular Bitcoin mixing service.
However, Tornado Cash was the target of OFAC sanctions in August 2022 and ChipMixer was taken down by law enforcement earlier this year making it more difficult for Lazarus Group to use those mixers. After the Tornado Cash sanctions, earlier this year we saw funds from the Harmony Bridge hack - dormant since their initial laundering through Tornado Cash in the summer of 2022 - suddenly move through a variety of services and offloaded to apparent OTC brokers. This new laundering model essentially involves the bridging of funds to Bitcoin via the Avalanche Bridge - a much lower cost and still-functional alternative to the Ren Bridge - then laundering through Sinbad, a Bitcoin mixer that has emerged as the go-to mixer for North Korean cybercriminals. From there, North Korea’s hackers typically then move funds back to a chain like Avalanche, as we saw in the Stake.com hack, with possible detours to other, more obscure chains like BTTC, before ultimately ending up on the Tron blockchain via the SWFT Bridge, a Tron bridging service most popular with Chinese-speaking crypto users.
Once on Tron, the stolen funds, which have almost always already been converted to USDT, are then apparently liquidated with high-volume, high-value addresses that appear to be most likely be Over-the-Counter brokers, likely servicing illicit Chinese crypto traders.
The Role of Blockchain Intelligence in Following North Korean Stolen Funds
The Stake.com hack, and the post theft movement of funds, is another example of North Korea’s evolved obfuscation techniques in a multi and cross-chain ecosystem. Blockchain intelligence – blockchain data enriched with open-source and proprietary threat intelligence – as represented by TRM Forensics, enables investigators to follow the money in cryptocurrency to ultimately identify threat actors and seize illicit funds including funds stolen and laundered by North Korea.
In 2019, in response to the growing number of blockchains and the growing use of different chains by cybercriminals, TRM Labs introduced cross-chain analytics in TRM Forensics, our flagship tracing tool. This enables investigators to trace funds from multiple blockchains and multiple assets in a single visualization.
In 2022, TRM identified the growing use of chain-hopping as an obfuscation technique, and introduced TRM Phoenix, the industry’s first solution for automatically tracing the flow of funds across blockchains through bridges and other services.
As North Korea continues to attack the growing crypto ecosystem, the ability to follow stolen funds is more critical than ever, and, as North Korea’s laundering methodologies evolve so must the tools investigators rely on.
Addresses identified in the FBI release:
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.