North Korea’s Lazarus Group moves funds through Tornado Cash

TRM InsightsInsights
North Korea’s Lazarus Group moves funds through Tornado Cash

April 28, 2022

Through a low-key sanctions designation on April 14, the U.S. Treasury Department announced that North Korea, officially known as the Democratic People’s Republic of Korea (”DPRK”), was behind last month's Ronin bridge hack, the largest crypto hack to date. Specifically, the Office of Foreign Assets Control released a list of entities associated with North Korean state-sponsored hacking group Lazarus, including this crypto Ethereum address:

0x098B716B8Aaf21512996dC57EB0615e2383E2f96

The FBI announced later the same day that it was, “able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29.”

On April 22, OFAC added three additional Ethereum addresses associated with the hack to its specially designated (SDN) list. The addresses designated by OFAC had interacted with the originally sanctioned address and at one point held roughly 50,000 of the stolen ETH.

The funds were moved through Tornado Cash, the most popular mixer on the Ethereum blockchain, which recently announced efforts to use sanctions screening tools.

Despite this, the Ronin hackers/Lazarus group have continued to deposit tens of thousands of ETH since April 4th. The amounts involved are so large, however, that they have tested the capacity of Tornado Cash; the almost continuous flow of funds has enabled everyone from amateur blockchain sleuths to professional analytics companies to search the flows out of the mixer for clues on the funds' destinations. Some of these efforts have been successful.

TRM Graph (click to expand)

North Korea has long engaged in cyberattacks on cryptocurrency businesses to raise funds to fund its weapons programs, nuclear proliferation and other destabilizing activities. To accomplish its goals, North Korea has built several professional teams — known collectively to outside observers as the Lazarus Group — to conduct the cyber attacks and to launder the stolen funds.

In February of 2020, the US Department of Justice unsealed an indictment against North Korean hackers that, line by line, described North Korea’s highly targeted, sophisticated effort to use social engineering, ICO scams, and other methods to breach cyber security systems, infiltrate cryptocurrency businesses and steal funds at unprecedented speed and scale. The economic incentives for North Korea are powerful; hundreds of millions of dollars in pure profit represent an enormous share of overall North Korean hard currency earnings, especially in its post-COVID period of heightened trade isolation.  Insights on the Lazarus Group's attacks on crypto businesses can be found here and here.

As demonstrated by the Ronin hack, Lazarus Group now commonly uses multiple mixing services and other sophisticated obfuscation techniques. Given that North Korea is ultimately not concerned with being caught, Lazarus often to moves funds quickly to an off ramp rather than engage in lengthy and expensive obfuscation techniques. For further details on North Korea’ cyberattacks on cryptocurrency businesses, please see this February report by the Center for New American Security, in conjunction with TRM, and check out this series of TRM Talks with North Korea experts on Lazarus group and the continued attacks on cryptocurrency businesses.

About TRM Labs

TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.

Want more content like this?

This is some text inside of a div block.

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe to our latest insights
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
You can unsuscribe at any time. Read our Privacy Policy.