North Korean hackers try offloading crypto and partly succeed

이준혁 2023. 1. 18. 18:21

A North Korean hacker group tried to launder cryptocurrency worth $63 million that it stole last year, but its attempts were partially blocked by crypto exchanges, according to blockchain experts.
A chart uploaded by blockchain sleuth ZachXBT to Twitter details attempts by the Pyongyang-backed Lazarus Group to launder funds stolen during last year's Horizon Bridge heist from Jan. 13 to 14. [SCREEN CAPTURE]

A blockchain sleuth who goes by the Twitter handle ZachXBT said Monday that the hacker organization, known to intelligence officials and cybersecurity experts as the Lazarus Group, moved approximately 41,000 ETH ($63.5 million) from Jan. 13 to 14 onto cryptocurrency exchanges Binance, OKX and Huobi.

The cryptocurrency stash moved by Lazarus to the three exchanges was stolen last June from Horizon Bridge, a U.S. crypto start-up that allows users to transfer their crypto assets from one blockchain to another.

The hack, which was one of the biggest cryptocurrency heists last year, involved the theft of different types of cryptocurrencies including ETH, BNB, USDT, USDC and Dai, according to blockchain analytics firm Elliptic.

Elliptic said the Lazarus hackers used different types of decentralized exchanges to convert the stolen assets to ETH — including Tornado Cash, a cryptocurrency “tumbler” or service that mixes suspicious cryptocurrency funds with others to obscure their origin.

The Office of Foreign Assets Control of the U.S. Department of the Treasury blacklisted Tornado Cash in August, accusing it of laundering more than $7 billion in virtual currencies, including the entire $455 million believed to have been stolen last year by the Lazarus Group.

ZachXBT said Lazarus used Railgun, a tool that anonymizes crypto transactions, to try to mask the origin of the Ethereum-denominated funds as it tried to move them over the weekend.

He also shared over 350 IP addresses associated with the hacker group.

Binance CEO Changpeng Zhao tweeted that the exchange had detected previous laundering attempts by the hacker group and frozen its accounts, adding that it assisted Huobi in freezing the accounts used by Lazarus during its weekend fund movements.

Zhao said the two exchanges succeeded in recovering 124 bitcoin ($2.6 million), leaving open the possibility that Lazarus succeeded in exchanging most of its stolen Ethereum for bitcoin.

Huobi was able to detect and prevent the hacker from attempting to launder funds, according to crypto entrepreneur Justin Sun, whose investment company About Capital owns Huobi.

Cryptocurrency theft has emerged as an increasingly important tool in Pyongyang’s arsenal to evade sanctions after successive United Nations Security Council resolutions targeted Pyongyang’s usual ways of raising foreign currency.

In the past, North Korea focused on narcotics manufacturing and trading, arms sales to anti-Western and non-aligned countries, and counterfeiting U.S. dollars to illicitly raise money for its weapons programs.

Mandatory remittances from North Korean workers dispatched abroad by the regime also helped Pyongyang amass foreign currency, as did exports of monumental bronze statues made by the state-owned Mansudae Art Studio to authoritarian rulers in Benin, Congo, Zimbabwe and Angola.

The broadening of international sanctions in August and December 2017 to cover labor and art exports by the North has led the regime to ratchet up its illicit operations in cryptocurrencies.

Over the past five years, Pyongyang is estimated to have raised approximately $1.6 billion through cryptocurrency heists and trading, according to various investigators and experts.

BY MICHAEL LEE [lee.junhyuk@joongang.co.kr]

Copyright © Korea JoongAng Daily. Unauthorized reproduction and redistribution prohibited.
