Comprehensive Report on North Korean Hackers, Phishing Groups, and Money Laundering in 2023

SlowMist
9 min readJan 10, 2024

The preceding article offered an in-depth analysis of the blockchain security landscape in 2023. This article shifts the focus to the developments of the North Korean hacking collective Lazarus Group, significant phishing syndicates, and certain money laundering instruments throughout 2023.

Lazarus Group in 2023

Based on publicly available information from 2023, as of June, there have been no significant cryptocurrency thefts attributed to the North Korean hacker group, Lazarus Group. Analysis of blockchain activity suggests that the Lazarus Group has primarily been engaged in laundering cryptocurrency funds stolen in 2022. This includes approximately $100 million lost in the June 23, 2022 attack on the Harmony cross-chain bridge.

However, subsequent developments revealed that the Lazarus Group was not only laundering stolen cryptocurrency funds. They were also actively involved in Advanced Persistent Threat (APT) attacks during their operational downtime. These covert activities precipitated the ‘Dark 101 Days’ in the cryptocurrency industry, starting from June 3.

During this ‘Dark 101 Days’ period, a total of five platforms were breached, with the stolen amount exceeding $300 million. The targets were predominantly centralized service platforms.

Around September 12, SlowMist and its partners detected a large-scale Advanced Persistent Threat (APT) attack by the hacker group Lazarus Group targeted at the cryptocurrency industry. The attack methodology was as follows: The hackers first impersonated identities, deceiving auditors through real-person verification to become legitimate customers, and then made actual deposits. Under the guise of these customer identities, the attackers strategically deployed custom Trojans for Mac or Windows to official personnel during communications with multiple officials and customers (attackers). After gaining access, they moved laterally within the network, remaining undetected for an extended period, ultimately to steal funds.

The U.S. FBI is also closely monitoring significant thefts within the cryptocurrency ecosystem and has publicly disclosed incidents orchestrated by the North Korean hacker group Lazarus Group in its press releases. Below are the FBI press releases from 2023 regarding the Lazarus Group’s activities:

On January 23, the FBI confirmed that the Lazarus Group was responsible for the Harmony Hack incident.

On August 22, the Federal Bureau of Investigation (FBI) issued a notice stating that the North Korean hacker organization was involved in the hacking attacks on Atomic Wallet, Alphapo, and CoinsPaid, stealing a total of $197 million in cryptocurrency.

On September 6, the Federal Bureau of Investigation (FBI) confirmed that the Lazarus Group was responsible for the theft of $41 million from the Stake.com cryptocurrency gambling platform.

Money Laundering Methods

According to our analysis, the money laundering methods of the Lazarus Group have been evolving over time. New laundering techniques emerge periodically, and the timeline of these changes in laundering methods is outlined in the following table:

Profile of Lazarus

With the substantial intelligence support from our InMist’s intelligence network and partners, we conducted follow-up analysis on data related to the theft incidents and the hacker group Lazarus Group, leading to the development of a partial profile of the group:

They commonly use European and Turkish identities as disguises.

Dozens of IP addresses, several email addresses, and some anonymized identity information have been obtained:

111…49

103…162

103…205

210…9

103…29

103…163

154…10

185…217

Wallet Drainers

Note: The information this section was by ScamSniffer, to whom we are extend our thanks.

Overview

Wallet Drainers, a type of malicious software related to cryptocurrencies, have achieved significant ‘success’ over the past year. These programs are deployed on phishing sites to deceive users into signing malicious transactions, subsequently stealing assets from their cryptocurrency wallets. These phishing activities, in various forms, continuously prey on ordinary users, leading to significant financial losses for many who unwittingly sign these malicious transactions.

Theft Statistics

Over the past year, Scam Sniffer has monitored Wallet Drainers and found that they have stolen nearly $295 million in assets from approximately 320,000 victims.

Theft Trends

It’s worth mentioning that on March 11th, nearly $7 million was stolen. The majority was due to fluctuations in the USDC exchange rate and phishing websites impersonating Circle. There was also a significant amount of theft around March 24th, coinciding with the hacking of Arbitrum’s Discord and subsequent airdrops.

Each peak in theft is associated with a group-related events, which could be airdrops or hacking incidents.

Noteworthy Wallet Drainers

After ZachXBT exposed Monkey Drainer, they soon announced their exit after being active for six months, and then Venom took over most of their clients. Subsequently, MS, Inferno, Angel, Pink also emerged around March. With Venom ceasing services around April, most phishing gangs shifted to using other services. Based on a 20% Drainer fee, they made at least $47 million in profits by selling their services.

Wallet Drainers Trend

Analyzing the trend reveals that phishing activities have been consistently growing. Furthermore, whenever a Drainer exits, a new one emerges to take its place. For instance, recently when Inferno announced its withdrawal, Angel seemed to become the new substitute.

So how do they initiate phishing activities?”

The methods for phishing websites to acquire traffic can be broadly categorized as follows:

  1. Hacking Attacks
  • Hacking of official project Discord and Twitter accounts
  • Attacks on the frontend of official projects or the libraries they use

2. Organic Traffic

  • Airdrops of NFTs or Tokens
  • Exploitation of expired Discord links
  • Spam reminders and comments on Twitter

3. Paid Ads

  • Google search ads
  • Twitter ads

Although hacking attacks have a wide impact, they are often quickly responded to, with the entire community taking action usually within 10–50 minutes. Airdrops, organic traffic, paid advertisements, and the exploitation of expired Discord links are less likely to be noticed. In addition to these methods, there are also more targeted personal direct message phishing attacks.

Common phishing signatures

For different types of assets, there are various methods to initiate malicious phishing signatures. The above are some common phishing signature methods for different asset classes. Drainers decide what type of malicious phishing signature to launch based on the type of assets in the victim’s wallet.

From the case of using GMX’s signalTransfer to steal Reward LP tokens, we can see that their phishing methods for specific assets have become highly sophisticated.

Increasing Use of Smart Contracts

  1. Multicall

Starting with Inferno, they also began to invest more resources in using contract technology. For example, in the case of Split fees, two transactions are required, which could potentially be cancelled by the victim before the second transfer if not executed quickly enough. Therefore, to increase efficiency, they utilize multilcall for more effective asset transfers.

2. CREATE2 & CREATE

To bypass certain wallet security verifications, they have also started to experiment with using create2 or create to dynamically generate temporary addresses. This makes the blacklists used by wallets ineffective and increases the difficulty of phishing. Without signing, you don’t know to which address the assets will be transferred, and temporary addresses are not meaningful for analysis. This represents a significant change compared to last year.

Phishing Websites

An analysis of the number of phishing websites clearly shows that phishing activities are steadily increasing every month. This is largely related to the stable services provided by wallet drainers.

Above are the main domain registrars used by these phishing websites. By analyzing the server addresses, it’s evident that most of them use Cloudflare to hide their real server addresses.

Money Laundering Tools

Sinbad

Sinbad is a bitcoin mixer established on October 5, 2022, that obscures transaction details to hide the flow of funds on the blockchain.

The U.S. Treasury Department describes Sinbad as a ‘virtual currency mixer and a primary money laundering tool for the North Korean hacker organization Lazarus Group sanctioned by OFAC. Sinbad processed funds from the Horizon Bridge and Axie Infinity hacks, as well as funds related to sanctions, drug trafficking, child pornography, and other illegal sales on the dark web.

The transaction below is an example of The Lazarus Group using Sinbad in the laundering process.

https://oxt.me/transaction/2929e9d0055a431e1879b996d0d6f70aa607bb123d12bfad42e1f507d1d200a5

Tornado Cash

https://dune.com/misttrack/mixer-2023

Tornado Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between source and destination addresses. To protect privacy, Tornado Cash uses a smart contract that accepts deposits of ETH and other tokens from one address and allows withdrawals to different addresses, thus sending ETH and other tokens to any address while hiding the sending address.

In 2023, users deposited a total of 342,042 ETH (about $614 million) into Tornado Cash and withdrew 314,740 ETH (about $567 million).

eXch

https://dune.com/misttrack/mixer-2023

In 2023, users deposited a total of 47,235 ETH (about $90.14 million) into eXch and 25,508,148 ERC20 stablecoins (about $25.5 million).

Railgun

Railgun uses zk-SNARKs cryptographic technology to make transactions completely invisible. Railgun ‘shields’ users’ tokens within its privacy system, making every transaction appear on the blockchain as sent from the Railgun contract address.

In early 2023, the FBI stated that the North Korean hacker group Lazarus Group used Railgun to launder over $60 million stolen from Harmony’s Horizon Bridge.

Conclusion

This article introduces the dynamics of the North Korean hacker group Lazarus Group in 2023. The SlowMist security team continues to monitor this hacker group and has summarized and analyzed its dynamics and money laundering methods, creating a profile of the group. Phishing groups have been rampant in 2023, causing huge financial losses to the blockchain industry. These groups display a ‘relay’ characteristic in their actions, posing significant challenges to industry security. We thank the Web3 anti-fraud platform Scam Sniffer for disclosing information about the phishing group Wallet Drainers, as we believe this content is important for understanding their operating methods and profit situation. Finally, we introduced the money laundering tools commonly used by hackers.

Download the full report:

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.