Notorious Hackers of 2020, Lazarus Group Looks for New Money Laundering Opportunities

More than half of the cryptocurrency stolen in 2020 was attributed to the KuCoin exchange hack, which we can now publicly connect to the Lazarus Group, the infamous North Korea-linked APT responsible for hacking numerous cryptocurrency exchanges over the past few years.

10 June 2021

According to The 2021 Crypto Crime Report hackers managed to steal $ 275 million worth of cryptocurrency from KuCoin, making it the largest cryptocurrency theft of the year and the third largest ever. KuCoin claims to have returned most of the funds. Later in this section, we’ll take a closer look at this hack and share the details of how the Lazarus Group’s money laundering strategy changed in 2020.

Who is The Lazarus Group?

The Lazarus Group is a cybercriminal syndicate working on behalf of the North Korean government. Lazarus has been responsible for numerous cryptocurrency exchange attacks, such as the 2019 UpBit hack, which resulted in the loss of more than  $ 49 million in cryptocurrency. Overall, the group is believed to have stolen around $ 1.75 billion worth of cryptocurrency during the time it was active. Experts believe that the proceeds from the Lazarus Group hacks are channeled into North Korea’s nuclear weapons program, therefore countering their activities is of a paramount importance to international security and stability. 

In 2020 the US government took action against the notorious hackers. Officials sanctioned two Chinese citizens who assisted Lazarus in  their crypto funds laundering scheme and a confiscation complaint has been filed against 280 cryptocurrency addresses linked to the Lazarus Group hacks.However, that doesn’t change the fact thatLazarus Group still managed to carry out the largest cryptocurrency theft in a year, stealing approximately $ 275 million of cryptocurrency from the KuCoin exchange, which represents more than half of all cryptocurrency stolen in 2020. According to the CEO of KuCoin, the hack happened after cybercriminals gained access to the exchange’s private keys and hot wallets. Shortly thereafter, he announced that the exchange had returned $ 204 million in stolen funds.

We were able to attribute these hack to the Lazarus Group in part because the KuCoin hackers applied a particular money laundering strategy that Lazarus has often used in the past. The strategy involves sending the stolen funds to the mixers as structured payments of the same size – usually slightly less than a round number in bitcoins – the exact number varies depending on the size of the total amount of funds that need to be laundered. Lazarus usually waits for each payment to be withdrawn, which must be confirmed by the mixer, before sending a new one, thus minimizing losses in the event of a mixer failure. Once funds are mixed, the Lazarus Group usually sends funds to OTC brokers. The KuCoin hackers used this exacts strategy for some of the stolen funds.   Additionally, the two deposit addresses to which the Lazarus Group sent their stolen cryptocurrency also received funds associated with the Harvest Finance hack, leading to the speculation that the Lazarus Group may have been involved in this attack as well. However, this has not yet been confirmed.

New tricks in the book

One of the new aspects of the KuCoin hack was how the Lazarus Group used DeFi platforms to launder some of the stolen funds. DeFi platforms allow users to exchange one type of cryptocurrency for another without a centralized platform ever holding users’ funds. The lack of storage means that many DeFi platforms believe they do not need to receive KYC information from their customers, making it easier for cybercriminals to transfer funds with greater anonymity.

First, the cybercriminals moved the stolen cryptocurrency from their wallet to an intermediary, and from there they sent it to Uniswap toexchange for ETH. As a DeFi platform, Uniswap allows users to switch between ETH and multiple types of ERC-20 tokens without having to store funds on Uniswap, meaning users do not need to provide KYC information. Users simply send funds to Uniswap from one address and receive the equivalent amount back (minus minimum fees) to the same address in the selected token. In this case the Kucoin crackers sent 12,552.96 ETH to Uniswap from the address “0xC194 …” and received 360.60 ETH back to the same address. If investigators did not already know that the hackers were in control of the wallet that sent and received these funds, it would be difficult to track the movement of funds and determine the swap.

The use of DeFi platforms at the Lazarus Group nearly doubled in 2020, with the group’s use of major exchanges declining. While exchanges received the main part of the funds stolen by the Lazarus Group in 2019, much of that volume went to mixers in 2020. The switch may be  caused by increase of exchanges security following a civil complaint from the DOJ in August, showing how Lazarus Group hackers often move stolen funds across exchanges, and from OTC brokers using listed addresses on exchanges.

However, even if the Lazarus Group does not send such a high percentage of funds for services, they are using more and more unique deposit addresses in money laundering services. This trend intensified in September 2019 and has continued since then. The Lazarus Group generally favors deposit addresses in a group of 20 different exchanges.In December 2019, the Lazarus group had 470 separate cryptocurrency addresses in the top 20 exchanges that received at least $ 1,000 worth of stolen cryptocurrency. By the end of December 2020, this number had grown to 2078. This suggests that the Lazarus Group is distributing its funds around more people to reduce the risk of any address being identified and frozen. It also follows the pattern of adaptability on the part of the Lazarus Group – each year their money laundering strategy changes as crypto exchange services improve their security.