Report Interpretation Analysis of North Korean Hackers, Phishing Groups and Money Laundering Tools

Lazarus Group

Updates in 2023

According to public information in 2023, as of June, no major cryptocurrency theft cases have been attributed to the North Korean hacker group Lazarus Group. Based on on-chain activities, Lazarus Group mainly laundered the stolen cryptocurrency funds from 2022, including the approximately $100 million lost in the attack on the Harmony cross-chain bridge on June 23, 2022.

However, subsequent facts have shown that Lazarus Group, besides laundering the stolen cryptocurrency funds from 2022, has been active in the dark, engaging in APT-related attack activities. These activities directly led to the “Dark 101 Days” in the cryptocurrency industry starting from June 3rd.

During the “Dark 101 Days,” a total of 5 platforms were hacked, with a total stolen amount exceeding $300 million, mainly targeting centralized service platforms.

Around September 12th, SlowMist, together with its partners, discovered a large-scale APT attack targeting the cryptocurrency industry by the Lazarus Group hacker group. The attack method is as follows: first, they engage in identity deception by using real-person verification to deceive the verification personnel and become genuine customers. They then make actual deposits. With this customer identity as a cover, they selectively deploy custom Mac or Windows trojans to official personnel and customers (attackers) during communication, gaining permissions to move laterally within the internal network. They lurk for a long time to achieve the goal of stealing funds.

The U.S. FBI is also concerned about major thefts in the cryptocurrency ecosystem and publicly stated in a press release that it was manipulated by North Korean hackers Lazarus Group. The following is a relevant press release from the FBI in 2023 regarding the North Korean hacker Lazarus Group:

• On January 23, the FBI confirmed (https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft) North Korean hackers Lazarus Group should be responsible for the Harmony Hack incident.

• On August 22, the FBI issued a notice (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk) stating that the North Korean hacker organization Hacks involving Atomic Wallet, Alphapo and CoinsPaid stole a total of $197 million in cryptocurrency.

• On September 6, the FBI issued a press release (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk) confirming that North Korean hackers Lazarus Group is responsible for the theft of $41 million from the Stake.com cryptocurrency gambling platform.

Analysis of money laundering methods

According to our analysis, the money laundering methods of North Korean hackers Lazarus Group have also continued to evolve over time. New money laundering methods will appear every once in a while. The timetable for changes in money laundering methods is as follows:

Gang profiling analysis

Based on the strong intelligence-related support of InMist intelligence network partners, the SlowMist AML team followed up and analyzed the data related to these stolen incidents and the hacker group Lazarus Group, and then obtained a partial portrait of the hacker group Lazarus Group:

• Often use European or Turkish identity as a disguise.
• Dozens of IP information, numerous email addresses information and some desensitized identity information have been obtained:
  • 111...49
  • 103...162
  • 103...205
  • 210...9
  • 103...29
  • 103...163
  • 154...10
  • 185...217

Wallet Drainers

Note: This section was written by Scam Sniffer, for which I would like to express my gratitude.

Overview

Wallet Drainers, a type of cryptocurrency-related malware, have achieved notable “success” in the past year. These software programs are deployed on phishing websites to deceive users into signing malicious transactions, thereby stealing assets from their cryptocurrency wallets. These phishing activities continuously target ordinary users in various forms, leading to significant financial losses for many who unwittingly sign these malicious transactions.

Stolen fund statistics

Over the past year, Scam Sniffer has detected Wallet Drainers stealing nearly $295 million from approximately 324,000 victims.

Trends

Notably, on March 11, nearly $7 million was stolen, primarily due to fluctuations in the USDC exchange rate and phishing sites impersonating Circle. There was also a significant spike in thefts around March 24, coinciding with the compromise of Arbitrum’s Discord and subsequent airdrop events.

Each peak in thefts is associated with community-wide events, which could be airdrops or hacking incidents

Noteworthy Wallet Drainers

After ZachXBT exposed Monkey Drainer, they announced their exit after being active for 6 months. Venom then took over most of their clientele. Subsequently, MS, Inferno, Angel, and Pink emerged around March. With Venom ceasing operations around April, most phishing groups shifted to using other services. With a 20% Drainer fee, they made at least $47 million by selling these services.

Wallet Drainers Trends

Analysis of the trend shows that phishing activities have been consistently growing. Moreover, each time a Drainer exits, a new one replaces it, such as Angel emerging as a replacement after Inferno announced its departure.

How do they initiate phishing activities?

These phishing websites mainly acquire traffic through several methods:

• Hacker Attacks:
  • Official project Discord and Twitter accounts being hacked
  • Attacks on the front end of official projects or the libraries they use
• Organic Traffic
  • Airdropping NFTs or Tokens
  • Exploiting expired Discord links
  • Spam reminders and comments on Twitter
• Paid Traffic
  • Google ad search
  • Twitter Ads

Although hacker attacks have a wide impact, the community often reacts promptly, typically within 10-50 minutes. In contrast, airdrops, organic traffic, paid advertising, and exploiting expired Discord links are less noticeable.

Common Phishing Signatures

Different types of assets have different ways of initiating malicious phishing signatures. The above are some common phishing signature methods for different types of assets. Drainers will decide what kind of malicious phishing signature to initiate based on the types of assets the victim’s wallet holds.

For instance, from the case of exploiting GMX’s signalTransfer to steal Reward LP tokens, it’s evident that the phishing techniques have become highly sophisticated and tailored for specific assets.

Increase Use of Smart Contracts

1）Multicall

Starting with Inferno, there has been an increased focus on using contract technology. For instance, in cases where splitting transaction fees requires two separate transactions, the process might not be fast enough. This could allow the victim to revoke authorization before the second transfer. To enhance efficiency, they began using multicall for more effective asset transfers.

2）CREATE2 & CREATE

To bypass some wallet security checks, they also started experimenting with create2 or create to dynamically generate temporary addresses. This approach renders wallet-based blacklists ineffective and complicates research into phishing activities. Since you can’t know where the assets will be transferred without signing, and temporary addresses don’t offer much analytical value, this poses a significant challenge. This marks a substantial change compared to last year.

Phishing Website

Analyzing the number of phishing websites reveals a steady monthly increase in phishing activities, closely tied to the availability of stable wallet drainer services.

The domains used by these phishing websites are mainly registered with specific domain registrars. Analysis of server addresses shows that most use Cloudflare to hide their real server locations.

Money Laundering Tools

Sinbad

Sinbad is a Bitcoin mixer established on October 5, 2022. It obscures transaction details to hide the flow of funds on the blockchain.

The U.S. Department of the Treasury describes Sinbad as a “virtual currency mixer, a primary money laundering tool for the North Korean hacking group Lazarus, designated by OFAC.” Sinbad has handled funds from the Horizon Bridge and Axie Infinity hacking incidents and has also transferred funds related to activities such as “evading sanctions, drug trafficking, purchasing materials related to child sexual exploitation, and engaging in other illegal sales on the dark web market.”

The Alphapo hackers (Lazarus Group) used Sinbad in their money laundering process, as seen in transactions like:

(https://oxt.me/transaction/2929e9d0055a431e1879b996d0d6f70aa607bb123d12bfad42e1f507d1d200a5)

Tornado Cash

(https://dune.com/misttrack/mixer-2023)

Tornado Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between source and destination addresses. To protect privacy, Tornado Cash uses a smart contract that accepts ETH and other token deposits from one address and allows them to withdraw to a different address, i.e. sending ETH and other tokens to any address in a way that hides the sending address. .

In 2023, users deposited a total of 342,042 ETH (approximately $614 million) into Tornado Cash, and withdrew a total of 314,740 ETH (approximately $567 million) from Tornado Cash.

eXch

(https://dune.com/misttrack/mixer-2023)

In 2023, users deposited a total of 47,235 ETH (approximately $90.14 million) to eXch, and a total of 25,508,148 ERC20 stablecoins (approximately $25.5 million) were deposited to eXch.

Railgun

Railgun uses zk-SNARKs cryptographic technology to make transactions completely invisible. Railgun “shields” the user’s tokens within its privacy system, so that each transaction appears to be sent from the Railgun contract address on the blockchain.

In early 2023, the FBI stated that the North Korean hacker group Lazarus Group used Railgun to launder over $60 million in funds stolen from Harmony’s Horizon Bridge.

Conclusion

This article introduces the activities of the North Korean hacker group, Lazarus Group, in the year 2023. The SlowMist security team has been continuously monitoring this hacker group and has summarized and analyzed their dynamics and money laundering methods to create a profile of the group. In 2023, fishing gangs have become rampant, causing massive financial losses to the blockchain industry. These gangs operate in a coordinated manner, presenting a “relay” pattern of attacks. Their continuous and large-scale attacks pose significant challenges to the industry’s security. We would like to express our gratitude to the Web3 anti-fraud platform, Scam Sniffer, for their disclosure of the phishing gang, Wallet Drainers. We believe that this information is of great significance for understanding their working methods and profit situation. Lastly, we also provide an introduction to the money laundering tools commonly used by hackers.

Download the full report:

https://www.slowmist.com/report/2023-Blockchain-Security-and-AML-Annual-Report(EN).pdf

Disclaimer：

1. This article is reprinted from [SlowMist Technology]. All copyrights belong to the original author [slow fogsecurity team]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.