Summary: The US government is filing lawsuits to recover over $2.67 million stolen by North Korea’s Lazarus Group, linked to two significant cryptocurrency heists involving Deribit and Stake.com. The lawsuits highlight the group’s sophisticated money laundering techniques using virtual currency mixers and exchanges to obscure the trail of stolen funds.
Threat Actor: Lazarus Group | Lazarus Group
Victim: Deribit and Stake.com | Deribit, Stake.com
Key Point :
- The Lazarus Group is accused of stealing approximately $28 million from Deribit in 2022 and $41 million from Stake.com a year later.
- The stolen funds were laundered through various virtual currency exchanges and mixers, including Tornado Cash and Sinbad.
- Law enforcement has successfully frozen some assets and recovered portions of the stolen funds, totaling about $1.7 million in Tether and .099 BTC.
- The FBI is investigating multiple virtual currency heists linked to North Korean military hacking groups, including the Lazarus Group and APT38.
- The Lazarus Group is also believed to be responsible for the $234.9 million hack of the WazirX exchange.
The US government is attempting to claw back more than $2.67 million stolen by North Korea’s Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin.
The first lawsuit stems from the 2022 Deribit hack, during which the North Korean criminals drained about $28 million from the crypto exchange’s hot wallet. The crooks then laundered the funds through virtual currency exchanges, the Tornado Cash mixer and virtual currency bridges in an attempt to cover their tracks.
“Although mixing services are used to obfuscate the trail of funds, law enforcement can sometimes trace the funds in and out – as they did here,” according to the court documents [PDF].
The feds ultimately recovered about $1.7 million worth of Tether in five frozen wallets.
About a year after the Lazarus Group allegedly Deribit, they supposedly stole another $41 million from Stake.com – an online casino and gambling site. That heist is the subject of the second lawsuit.
After breaking into Stake.com’s computer systems and stealing roughly tens of millions in virtual currency, “the North Koreans and their money laundering co-conspirators transferred the stolen funds through virtual currency bridges, several BTC addresses, and virtual currency mixers before consolidating funds and depositing the virtual currency at different virtual currency exchanges,” the forfeiture action notes [PDF] explain.
In this case, the Lazarus Group moved the stolen BTC through Bitcoin mixers Sinbad and Yonmix. Sinbad has since been sanctioned by the US government for laundering millions for the North Korean heists.
While law enforcement was able to freeze assets from seven transactions, “the North Koreans were able to transfer the majority of the stolen funds to the BTC blockchain,” according to the court documents.
The FBI was able to recover an additional .099 BTC, or about $6,270, from an eighth transaction. Then, on February 9 the Department of Justice served a federal seizure warrant for those funds, which were transferred to the government.
These, according to the lawsuits, are just a couple of the digital intrusions that the feds have linked to Kim Jong Un’s crew. As explained in the court documents:
The FBI is investigating several recent virtual currency heists perpetrated by North Korean military hacking groups, known within the cyber security community as both the Lazarus Group and APT38. Since at least late 2014, North Korean cyber actors have engaged in cyber attacks, intrusions, and attempted intrusions into computers and networks of, among others, US and foreign entertainment companies, US and foreign banks, US cleared defense contractors and energy companies, virtual currency exchanges, information security researchers, and pharmaceutical companies.
This same group of notorious crypto crooks is believed to be responsible for the $234.9 million WazirX exchange hack. ®
Source: https://www.theregister.com/2024/10/08/us_lazarus_group_crypto_seizure