How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

Table of contents

1). Introduction

2). CoinBerry, Unibright, & CoinMetro hacks

3). Nexus Mutual founder hack

4). EasyFi hack

5). Bondly hack

6). Unreported hacks

7). MGNR and PolyPlay hacks

8). bZx hack

9). Steadefi and CoinShift hacks

10). Paxful and Noones accounts

11). Investigation results

12). Other Incidents

13). Acknowledgments

Introduction

Bluenoroff or APT38, more commonly referred to as Lazarus Group is a threat group which has been tied to the North Korean government since as early as 2009 primarily being financially motivated utilizing malware custom built for each target.

Early on, the threat group gained notoriety for cyberattacks such as Sony Pictures Hack in 2014 and $81M Bangladesh Bank heist in 2016 and in more recent years has shifted focus to targets in the cryptocurrency industry.

Analytics firms such as TRM and Chainalysis release annual reports summarizing crypto related incidents linked to DPRK and since 2017 they estimate between $3B to $4.1B has been stolen.

The research in this article closely follows 25 hacks targeting companies and individuals in the cryptocurrency space spanning from August 2020 to October 2023 by tracing the movements of funds to multiple accounts identified at P2P marketplaces where Lazarus Group exchanges stolen crypto for fiat.

Table 0: Lazarus Group hacks from 2020–2023 covered in this article
Table 0: Lazarus Group hacks from 2020–2023 covered in this article

2020 — CoinBerry, Unibright, & CoinMetro Hacks

CoinBerry Incident Summary

On August 24, 2020 the Canadian crypto exchange CoinBerry stopped processing withdrawals for 12+ hrs after $370K was drained from the Bitcoin and Ethereum hot wallets. While the exchange never publicly reported the incident, a lawsuit filed in 2022 revealed a software bug allowed 500 users to withdraw 120 BTC in 2020.

Theft address

0xA06957c9C8871ff248326A1DA552213AB26A11AE

1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz

Unibright Incident Summary

ON September 11, 2020 the Unbright team noticed unauthorized transfers of $400K from multiple wallets controlled by the team as the result of a private key compromise. The attacker immediately swapped the assets for ETH on decentralized exchanges.

Theft address

0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43

Source: https://twitter.com/Sjaaaakster/status/1304531302255910912
Source: https://twitter.com/Sjaaaakster/status/1304531302255910912
Source: https://t.me/unibright_io/211959
Source: https://t.me/unibright_io/211959

CoinMetro Incident Summary

On October 6, 2020 the CoinMetro team observed unauthorized transfers of $750K worth of crypto assets from its hot wallets due to a security breach. As a result of the incident the Parsiq team made the decision to hard fork its token in an effort to prevent the attacker from further selling PRQ tokens and further protect users funds.

Theft address

0x044bf69ae74fcd8d1fc11da28adbad82bbb42351

1GVjvbVEYPkjCYCwJkC29t5pBWAQQd1g32

Source: https://t.me/coinmetroupdates/601
Source: https://t.me/coinmetroupdates/601

On-chain aspects

Funds from thefts such as CoinMetro, CoinBerry, Unibright, and individuals were transferred through intermediary wallets before consolidating in 0x0864 in early January 2021.

3000 ETH was deposited to Tornado Cash by 0x0864 on January 11, 2021 beginning at 2:54 am UTC and concluding at 9:14 am UTC.

0x0864b5ef4d8086cd0062306f39adea5da5bd2603

After 1814.49 ETH was transferred from 0x0864 to 0x1031 and 17 X 100 ETH was deposited to Tornado Cash on January 11,2021.

0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129

An additional 112.1 ETH was deposited to Tornado cash by 0x1031 from January 14–16, 2021.

45 X 100 ETH was withdrawn from Tornado Cash to a single address beginning on January 11, 2021 at 2:35 pm UTC and concluding on January 14, 2021 at 11:52 pm UTC.

0x05492cbc8fb228103744ecca0df62473b2858810

All Tornado Cash withdrawals for the month of January 2021 were reviewed and no additional withdrawals were found which shared similar characteristics. Additional comfort is gained with the demix as the Tornado withdrawal destination address connects back with the original theft address.

TRM forensics graph
TRM forensics graph

Transfer laundered funds to P2P exchanges

Through a series of transactions, the funds sitting in 0x0549 were transferred through intermediary addresses and consolidated with funds from other Lazarus Group thefts before USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 they began using Noones, another P2P marketplace. They continue slowly transferring USDT in batches until November 2023.

Paxful deposit address:

0x246569f8b420c8d850c475c53d0d59973b3f08fc

0x593dc5e1ad81667bbfc90739dd2c09c926920e3b

Noones deposit address:

0x2e1155cf5374cba058a04fd03ebd0ba19afe580d

Transfer funds from theft to OTC trader

Additionally, in 2021 multiple transfers were made from the 0x9973 address to Wu Huihui, a China-based OTC trader. In April 2023, an indictment against Wu was unsealed alleging that he facilitated payments for DPRK and he was added to the OFAC SDN list.

TRM forensics graph
TRM forensics graph
Source: https://ofac.treasury.gov/recent-actions/20230424
Source: https://ofac.treasury.gov/recent-actions/20230424

December 2020 — Nexus Mutual founder (Hugh Karp) hack

Incident summary

On December 14, 2020 Hugh Karp, founder of Nexus Mutual was tricked into approving a malicious transaction that transferred out 370,000 NXM ($8.3M) after an attacker gained remote access to his computer and modified his Metamask extension.

On-chain aspects:

The post-mortem blog post by Hugh Karp lists the theft addresses on Bitcoin and Ethereum.

BTC theft address

3DZTKLmxo56JXFEeDoKU8C4Xc37ZpNqEZN

ETH theft address

0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1 0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b 0x09923e35f19687a524bbca7d42b92b6748534f25 0x0784051d5136a5ccb47ddb3a15243890f5268482 0x0adab45946372c2be1b94eead4b385210a8ebf0b

Source: https://x.com/hughkarp/status/1341063567408328705
Source: https://x.com/hughkarp/status/1341063567408328705

From December 16–17, 2020 the attacker deposited 137.1 BTC into the centralized mixing service ChipMixer in six deposits:

ChipMixer deposits — December 16

Deposit 1: 1 BTC at 9:55 am UTC

906b3436067e48f3355f8cb5266c0055787d8cd378d3fe99e7020eecdde2ca74

Deposit 2: 5 BTC at 10:09 am UTC

5ce61bc9bec2ff7a5291b48903441a39fab6df59934cf75b7cd1abee67ac8017

Deposit 3: 30 BTC deposited at 10:22 am UTC db0cd0f1cb5bd13b9b3249e6a560aaeddbd0134d0f678220e626b20a424473ce

Deposit 4: 50 BTC deposited at 11:44 am UTC 1586fec6363ba1d6bac3056e4aee0bc0b4fefdf37f6060850b2d9168c39e6683

Deposit 5: 41.99 BTC deposited at 13:51 pm UTC eb4854fb3ea8a3f5d87331b04bfc4daeac76343ebcbcaeff976551fadb5050cc

ChipMixer deposits — December 17

1aa32442bfcbee3981e038d50a05885d35fd1d4ec33af5a9bd40e5d1dc88a686

Hours after the deposits, a matching amount of 136 BTC was withdrawn from ChipMixer and bridged back to Ethereum via Ren Project and consolidated with funds from other thefts.

Withdrawals consolidate 1: 4.61 BTC at 10:14 am UTC 18b9481573afb349c499ed5469ed903db5289b7946daddc1961e945b3d4d3cb7 Withdrawals consolidate 2: 5.42 BTC at 12:39 pm UTC a88a7d86bbd780f42850472feffcb626684b3df7b2f7c062e3b12009224e609d Withdrawals consolidate 1 : 15 BTC at 12:56 pm UTC 0b6b1a990b6aab6edaef925c4af2a03f64c1a03ee98d3309f9557029af415f66 Withdrawals consolidate 2 : 60 BTC at 14:14 pm UTC 9726abb675bff14f512018a583693e815857829dc2459556938a491900638e21 Withdrawals consolidate 3 : 42 BTC at 23:33 pm UTC ffeb3dd56d0bde492cd08c0975edad38524f5ef003f55c258e75638044324acf Withdrawals consolidate 4: 9.1 BTC on December 17 at 7:17 am UTC a63eea88c4f9304e7e6c582a586b720c1dd50d671f8f6077143968eea2a3f97b

Ren Protocol ETH destination address: 0x78a9903af04c8e887df5290c91917f71ae028137

TRM forensics graph
TRM forensics graph
TRM forensics graph
TRM forensics graph
Table 1: December 16–17 ChipMixer deposit and withdrawals
Table 1: December 16–17 ChipMixer deposit and withdrawals

On the Ethereum side 2,571 ETH (25 X 100 ETH, 7 X 10 ETH, 1 X 1 ETH) was deposited into Tornado Cash from December 16–19 by theft address 0x0784051d5136a5ccb47ddb3a15243890f5268482

Beginning just hours after deposits the 0x78a Ren destination address started receiving withdrawals from Tornado Cash. 0x78a9903af04c8e887df5290c91917f71ae028137

While not being a 1:1 match we can gain confidence this demix is accurate as Lazarus Group linked the post-mix address with the original theft address on December 25, 2020 reducing the effectiveness of the anonymity set as seen in the TRM graph below:

TRM forensics graph
TRM forensics graph

March 2021 — ChipMixer Activity

In March 2021 Lazarus Group sold additional wNXM for renBTC before bridging 89.5 renBTC in total to Bitcoin via Ren Protocol and then depositing to ChipMixer.

March 10th–29.98 renBTC was bridged to Bitcoin via Ren Protocol and deposited to ChipMixer in one transaction. Five hours later a matching amount of 29.92 BTC was withdrawn from ChipMixer and bridged via Ren back to Ethereum where the funds consolidate with other stolen funds in 0x0864b from the CoinMetro hack and unreported individual hacks.

0x0864b5ef4d8086cd0062306f39adea5da5bd2603

TRM forensics graph
TRM forensics graph
Table 2: NXM ChipMixer deposits & withdrawals
Table 2: NXM ChipMixer deposits & withdrawals

March 20th — 13.13 renBTC was bridged to Bitcoin and immediately bridged back to Ethereum via Ren Protocol and consolidates with stolen funds from the CoinMetro hack before 67.63 renBTC was bridged back to Bitcoin and four deposits were made to ChipMixer. Shortly after the deposits five withdrawals were made from ChipMixer in matching amounts adjusted for fees.

Funds were bridged via Ren from Bitcoin to Ethereum where they consolidate with the NXM batch laundered in December 2020 in 0xb27.

0xb27d40fb4a7975e6f4e6bd7f9fbf6e8d53bf8298

TRM forensics graph
TRM forensics graph
Table 3: NXM hack ChipMixer deposits and withdrawals
Table 3: NXM hack ChipMixer deposits and withdrawals

March 31st — 46.49 renBTC was bridged to Bitcoin via Ren and five deposits were made ChipMixer. Within minutes of the deposits six addresses begin receiving withdrawals in matching amounts. Funds were bridged back to the same destination address 0x58e5 on Ethereum.

Table 4: NXM hack ChipMixer deposits and withdrawals
Table 4: NXM hack ChipMixer deposits and withdrawals

The accuracy of this demix can be confirmed since the withdrawal address of 1.56 BTC connects to the original NXM theft address from funds bridged via Ren in November 2020. This is highlighted in pink in the TRM graph below.

TRM forensics
TRM forensics

Transfer laundered funds to P2P exchanges:

In April 2021 19.96 BTC was bridged from Ethereum to Bitcoin via Ren where it was transferred to Wu Huihui, an OFAC sanctioned OTC trader.

$11M from 0xb27 was transferred to a Bixin deposit address from May 24-July 10, 2021 .

February 2023 the remaining funds in 0xb27 were transferred to 0xcbf0 where they consolidated with funds from other thefts and were deposited to Paxful and Noones.

Bixin deposit address

0x8e7f5d85c3587725b1188d3cc04ca814ab60cdce

Paxful deposit address

0x593dc5e1ad81667bbfc90739dd2c09c926920e3b

Noones deposit address

0x2e1155cf5374cba058a04fd03ebd0ba19afe580d

TRM forensics graph
TRM forensics graph

April 2021 — EasyFi founder (Ankitt Gaur) hack

Incident Summary

April 19, 2021 EasyFi team observed large unauthorized transfers of EASY tokens from team wallets controlled by the founder Ankitt Gaur after his device had been injected with a malicious version of Metamask allowing the attacker to gain control of the private keys resulting in $81M stolen.

Source: https://x.com/ankittgaur/status/1384253351492087819
Source: https://x.com/ankittgaur/status/1384253351492087819

Further analysis revealed that a few days prior Ankitt Gaur had received a phishing email to his personal email address via sendgrid which appeared as if it had been sent from the Pantera Capital founder Dan.

Phishing email
Phishing email

Notably this type of attack resembled what happened to Hugh Karp (Nexus Mutual Founder) in December 2020.

On-chain aspects

$6M of USD/DAI/USDT of liquidity was removed from protocol pools and 2.98M EASY was transferred to 0x4371

0x437147DA920714feC4822F0666D940945f9c972B

The attacker can be linked to Nexus Mutual, CoinMetro, Unibright, Coinberry, and multiple individual thefts on-chain as addresses from each incident transfer ETH to 0x3149 in March-April 2021.

0x31499e03303dd75851a1738e88972cd998337403

TRM forensics graph
TRM forensics graph

April 2021 — Laundering

From April 20–21, 2021 a total of 209.64 BTC from the theft address was bridged from Ethereum and deposited to ChipMixer from the hack.

TRM forensics graph
TRM forensics graph
Table 5: EasyFi hack ChipMixer deposits April 20–21, 2021
Table 5: EasyFi hack ChipMixer deposits April 20–21, 2021

A volume and timing analysis was performed and from April 20–21, 2021 a total of 209.5 BTC was withdrawn from ChipMixer matching the amount deposited adjusted for fees. There were no other withdrawals during that period which showed similar characteristics.

Table 6: EasyFi hack Chipmixer withdrawals
Table 6: EasyFi hack Chipmixer withdrawals

209.22 BTC from the Chipmixer withdrawals were consolidated to two addresses on April 22, 2021 and then bridged back to Ethereum using Ren protocol.

Ren bridge source transaction —

Amount: 179.47 BTC

84b7c4a2b79d454bbb1636d6d872ed367bbcf4b664193b7b8baded8675085935

Date: April 22, 2021 at 2:00 AM UTC

35TjCuKRbKcofxnKG2EkC8B66ZNXKqE1aN

Amount: 29.75 BTC

3e3b2950c72f863642db0a1bd248be3009ba65e9fa950d5a3094a7b1d7b14e2e

Date: April 22, 2021 at 2:00 AM UTC

3M8VZjtAqi51LsMuRGGY9mhPvQk5hvubvt

Ren bridge destination transaction —

0xbeb56f2ad2b41339c377cbdb713e88b565af5bba407de24edaabf473a82967fd

0x313d06759af5696d6ee3f5965408e9c5b658fb7e

0x75c6615cdcdd5ce97c1c30357c64762ab3ab8fa0357fe290b8b6e3afd3a85463

0xe0c79066488a15b70361ad8268d713b05944a4fe

Funds received to 0x313 and 0xe0c7 mostly stays dormant until June 2022 when funds were transferred to new EOA addresses and consolidate with stolen funds from other thefts tied to Lazarus group.

In June 2022 $4.9M from multiple hacks was then transferred to two Binance deposit addresses:

0x27a9d7d17d72a5a67115dbf381b121b51d8b5dd8

0xabef0df725ef5d2f0354c59ea3ccb161abc11515

TRM forensics graph
TRM forensics graph

April 28, 2021 another batch of 6.31 renBTC was bridged to Bitcoin using Ren Protocol and then deposited to ChipMixer at 7:20 am UTC.

0a6f220fdc821ec1743a9a201e16a038d474b1554520e9922734e6c62628e7b2

Minutes later at 7:29 am UTC an address received 6.305 BTC from ChipMixer matching the amount deposited adjusted for fees.

4e35b2214a12f8d49cdd0100d71f7573ee47dd6a575e149eb1529285b7effff9

All funds were bridged back to Ethereum address 0xe0c7 using Ren bridge.

0xe0c79066488a15b70361ad8268d713b05944a4fe

TRM forensics graph
TRM forensics graph

Transfer laundered funds to P2P exchanges

Through a series of transactions, the funds sitting in 0xe0c7 and 0x313d were converted to DAI and wBTC, transferred through intermediary addresses, consolidate with funds from other Lazarus Group thefts , and USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 they began using Noones, another P2P marketplace. They continued slowly sending USDT in batches until November 2023.

Paxful deposit address

0x246569f8b420c8d850c475c53d0d59973b3f08fc

0x593dc5e1ad81667bbfc90739dd2c09c926920e3b

Noones deposit address

0x2e1155cf5374cba058a04fd03ebd0ba19afe580d

TRM forensics graph
TRM forensics graph

July 2021 — Bondly hack

Incident summary

On July 14, 2021 Brandon Smith, CEO of Bondly Finance fell victim to an attack where the malicious actor gained access to a password account containing the recovery phrase for his hardware wallet. Soon after the attacker transferred ownership of the Bondly token contract to themselves and $8.5M of assets belonging to the team.

Source: https://x.com/forjofficial/status/1415543486141636612
Source: https://x.com/forjofficial/status/1415543486141636612

On-chain aspects

The post-mortem blog post by Bondly co-founder Harry Liu highlights the theft addresses on Ethereum, BSC, and Polygon.

Ethereum, BSC, and Polygon theft address

0xc433d50dd0614c81ee314289ec82aa63710d25e8

Laundering July 2021

Tornado Cash deposits — BSC

Through a series of transactions, 48 X 100 BNB was deposited to Tornado Cash by the attacker beginning on July 15, 2021 at 5:41 am UTC and concluded on July 16, 2021 at 6:33 am UTC.

Tornado Cash deposits — Ethereum

Through a series of transactions, 5X 100 ETH and 52 X 100,000 DAI was deposited to Tornado Cash by the attacker beginning on July 15, 2021 at 8:15 am UTC and concluding on July 16, 2021 at 2:17 am UTC. On August 11, 2021 an additional 202 ETH was deposited to Tornado Cash.

Tornado Cash withdrawals — BSC

From July 17–19th 47 X 100 BNB was withdrawn to 0x4197 on BSC. This matches the deposits 1:1 as one of the Tornado deposits was withdrawn to the depositor 0xc433.

0x419787019b991ac2c765a14467d177c6c0b05c00

Funds were then bridged from BSC to Ethereum via Multichain bridge and consolidated with the Ethereum withdrawals.

Tornado Cash withdrawals — Ethereum

From July 16–20th 35 X 100,000 DAI and 3 X 100 ETH was withdrawn to 0x365 consolidating with the 100 BNB Tornado Cash withdrawals.

0x365d2c5220989a068d8b0e95625875c55166297b

From July 22–29th 14 X 100,000 DAI and 2 X 100 ETH was withdrawn to 0xe0c7 consolidating with funds from the EasyFi hack. From August 12–23th 2 X 100 ETH was withdrawn to 0xe0c7.

0xe0c79066488a15b70361ad8268d713b05944a4fe

On July 24th 2 X 100,000 DAI was withdrawn to 0xdef5 which received $7.4M from 0xe0c7 in a series of transactions.

0xdef57ccb20b1f2eaee0c64aab3280350f84cb0fc

The remaining 1 X 100,000 DAI withdrawal was made to 0x996f.

0xd7589fdf5c035ce5d432e5af64b13b77802b7451315f460ce1bda8a4e7c89240

0x996f5ccbf2856137744603b382de559b78a096fc

TRM forensics graph
TRM forensics graph

The Tornado Cash 100,000 DAI pool sees little activity and the 52 deposits made by the Bondly attacker increased the pool by 15% significantly reducing the effectiveness of the anonymity set. The graph below shows the cumulative balance of the 100,000 DAI pool from July 11–25, 2021 shows a sudden increase in deposits before matching withdrawals.

Tornado Cash 100,000 DAI pool balance from Jul-11–2021 to Jul-25–2021
Tornado Cash 100,000 DAI pool balance from Jul-11–2021 to Jul-25–2021

In June 2022 $4.9M laundered from hacks such as Nexus Mutual, EasyFi, and Bondly was transferred to two Binance deposit addresses:

0x27a9d7d17d72a5a67115dbf381b121b51d8b5dd8

0xabef0df725ef5d2f0354c59ea3ccb161abc11515

Transfer laundered funds to P2P exchanges

Through a series of transactions, the funds sitting in 0xe0c7 and 0x365d were transferred through intermediary addresses and consolidate with funds from other Lazarus Group thefts such as EasyFi and the Nexus Mutual founder before USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 they began using Noones, another P2P marketplace. They continue slowly sending USDT in batches until November 2023.

Paxful deposit address

0x246569f8b420c8d850c475c53d0d59973b3f08fc

0x593dc5e1ad81667bbfc90739dd2c09c926920e3b

Noones deposit address

0x2e1155cf5374cba058a04fd03ebd0ba19afe580d

TRM forensics
TRM forensics

August and September 2021 — Unreported Hacks

August and September 2021 saw multiple individuals hacked for $2M likely due to private key compromise. Indicators of the thefts include on-chain connections to known hacks such as FinNexus, assets transferred out from victims wallets and immediately sold for ETH, and activity in victims wallets stopped after transfers were made.

Theft address

0x5271b379f3e1954e20791142d734596a3de28efd

0xc35a06d02471acc48e552e99d8b860bac73cbe9d

0x40d7b7A55dd51ee94A9a4788311e39CB362Fe1Ea

Funds from the multiple thefts consolidated in 0x5271 before 581 ETH was deposited to Tornado Cash on September 15, 2021 beginning at 10:13 am UTC.

591 ETH was withdrawn from Tornado Cash to a single address on September 20, 2021 beginning at 12:20 am UTC.

0x5b24da735fd5835ec5afb5abf9f3e89270e609c8

TRM forensics graph
TRM forensics graph

The $2M withdrawn from the mixer was transferred to an intermediary address before consolidating with funds from other Lazarus Group thefts and deposited to exchanges. Comfort is gained the demix is accurate as the Paxful deposit address 0x246 links the Tornado Cash withdrawals to the deposits.

Paxful deposit address

0x246569f8b420c8d850c475c53d0d59973b3f08fc

TRM forensics graph
TRM forensics graph

October 2021 —  MGNR and PolyPlay Hack

MGNR hack incident summary

On October 8, 2021 the trading firm mgnr.io had $24M worth of assets drained from their wallets as the result of a private key compromise. In a deleted post on X (formerly Twitter) the team shared they had been targeted in a sophisticated cyber attack after receiving a Pantera Capital phishing email via SendGrid similarly to Ankitt Gaur from EasyFi. The team noted that private keys to hot wallets had been temporarily shared between multiple team members.

Source: https://web.archive.org/web/20211014032211/https://twitter.com/mgnr_io/status/1448489258029703168/
Source: https://web.archive.org/web/20211014032211/https://twitter.com/mgnr_io/status/1448489258029703168/
Phishing email
Phishing email

MGNR hack on-chain aspects

A blog post by the user CryptoCat in January 2022 revealed addresses from the theft by detailing mgnr.io wallets which sold Maple Finance tokens on October 8, 2021. The author mistakenly attributes the actions to the team instead of the hack.

MGNR hack October 2021 laundering

All assets from compromised mgnr.io wallets on EVM chains were bridged and swapped before being consolidated into 0x577 where the attacker deposited 4900 ETH from the incident to Tornado Cash beginning on October 8, 2021 at 4:37 am UTC and concluding on October 12, 2021 at 6:16 am UTC. Another address connected to the attacker deposited 210 ETH to Tornado Cash during this period.

A few days after 0xdef5 which received $4.3M from the EasyFi and Bondly hacks earlier in the year received 700 ETH from Tornado Cash.

0xdef57ccb20b1f2eaee0c64aab3280350f84cb0fc

Another address 0x1398 received 4500 ETH from Tornado Cash which previously had received $15.2M from the EasyFi and Bondly hacks earlier in the year.

0x1398db28ca00d9f943355d6b57ab28a61110bfef

TRM forensics graph
TRM forensics graph

While 1 X 100 ETH withdrawal is missing from the Tornado Cash demix for the 100 ETH pool there were no other withdrawals during that period which showed similar characteristics.

MGNR hack January 2022 laundering

On January 14, 2022 another 6 X 100 ETH and 5 X 10 ETH from an address connected to the theft was deposited to Tornado Cash. Just 24 hours later 4 X 100 ETH and 5 X 10 ETH was withdrawn to 0x964 before being transferred to 0x1398 further strengthening the demix due to the multiple denominations withdrawn over a sustained period of time.

TRM forensics graph
TRM forensics graph

Transfer laundered funds to P2P exchanges

Through a series of transactions, the funds sitting in 0xdef, 0x964, and 0xefdd were transferred through intermediary addresses and consolidate with funds from other Lazarus Group hacks such as EasyFi, Bondly, and the Nexus Mutual founder before USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 they began using Noones, another P2P marketplace. They continue slowly sending USDT in batches until November 2023.

Paxful deposit address

0x246569f8b420c8d850c475c53d0d59973b3f08fc

0x593dc5e1ad81667bbfc90739dd2c09c926920e3b

Noones deposit address

0x2e1155cf5374cba058a04fd03ebd0ba19afe580d

TRM forensics graph
TRM forensics graph

PolyPlay Incident Summary

October 28, 2021 in a series of transactions, multiple wallets controlled by the PolyPlay team saw unauthorized transfers of $1.6M indicating a private key compromise. In a deleted post on X (formerly Twitter) the PolyPlay team shared the wallet address of the attacker and a Binance listing phishing email they received.

https://web.archive.org/web/20211028211901/https://twitter.com/PolyPlayCoin/status/1453833668196249605
https://web.archive.org/web/20211028211901/https://twitter.com/PolyPlayCoin/status/1453833668196249605
Source: https://web.archive.org/web/20211028211901/https://twitter.com/PolyPlayCoin/status/1453833668196249605
Source: https://web.archive.org/web/20211028211901/https://twitter.com/PolyPlayCoin/status/1453833668196249605

On-chain aspects

Theft Address

0x0040c81b7de0953e5b9fc056700479cace1b7500

350 ETH from the incident was then deposited to Tornado Cash on November 8, 2021 and 320 ETH was withdrawn 90 minutes later to an address connected to other Lazarus Group hacks. Funds were later deposited to Paxful and Noones accounts.

Paxful deposit address:

0x246569f8b420c8d850c475c53d0d59973b3f08fc

0x593dc5e1ad81667bbfc90739dd2c09c926920e3b

Noones deposit address:

0x2e1155cf5374cba058a04fd03ebd0ba19afe580d

TRM forensics graph
TRM forensics graph

November 2021 — bZx Hack

Incident Summary

On November 3, 2021 the lending protocol bZx had $55M drained on the BSC and Polygon deployments after a bZx developer fell victim to a phishing attack after running a script on his personal computer granting the malicious actor access to their private keys.

In a post mortem update the bZx core team shared that they worked with Kaspersky to analyze the incident and reached the conclusion it was likely Lazarus Group as their security team had analyzed prior attacks carried out by the group finding similarities in the tools and phishing email received.

Source: https://web.archive.org/web/20211105125919/https://twitter.com/bZxHQ/status/1456603269355094021
Source: https://web.archive.org/web/20211105125919/https://twitter.com/bZxHQ/status/1456603269355094021
Phishing email
Phishing email

On-chain aspects

A preliminary post-mortem published by the bZx team shared wallet addresses involved with the hack.

Theft addresses:

0x74487eed1e67f4787e8c0570e8d5d168a05254d4

0xafad9352eb6bcd085dd68268d353d0ed2571af89

0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5

0x967bb571f0fc9ee79c892abf9f99233aa1737e31

0x6abcA33faeb7deb1E61220e31054f8d6Edacbc81

0x1ae8840ceaef6eec4da1b1e6e5fcf298800b46e6

Connections between theft addresses

The Bondly attacker was directly connected to the bZx hack from November 2021 as the 0xc43 theft address funded one of the addresses used by the bZx attacker on Polygon as well transferred funds on Ethereum to an intermediary address which received funds from another address involved in the bZx hack listed in the post-mortem blog post. Notably both attacks also share similar characteristics in the sense as the hacker gained access to a password and manipulated the protocols smart contracts after.

On-chain the incident is also connected to other hacks such as mgnr.io, Polyplay, Wonderhero and ANKR founder as dust leftover in theft addresses was swept to a single address in February 2022.

0x2d7554062664050294640891a122019a68ac5a2b

TRM forensics graph
TRM forensics graph

bZx hack laundering

Tornado Cash deposits:

  • 8600 ETH from the theft was deposited to Tornado Cash from November 15–18, 2021 by 0x20d9

  • 2360 ETH from the theft was deposited to Tornado Cash on December 13, 2021 by 0x20d9

Tornado Cash withdrawals:

  • 4100 ETH likely from the theft was withdrawn to 0x7c6 from December 3–10, 2021.

    0xc7c6d42875fd091faa16ad0225f587158f47fce4

  • 940 ETH likely from the theft was withdrawn to 0x683 on December 18, 2021

    0x683c3d42325ca1beb2475f443c916832f0bd10f2

  • 1000 ETH likely from the theft was withdrawn to 0x785b on December 23, 2021.

Reviewed all Tornado withdrawals 400 ETH or more from November 15 — December 31, 2021 and no other withdrawals during this period shared similar characteristics of laundering patterns from other Lazarus Group thefts.

TRM forensics graph
TRM forensics graph

Post-Mix connections to theft addresses

While only a partial demix of 6,400 ETH from the hack comfort is gained as on-chain the Paxful deposit addresses 0x2465 and 0x593d are connected to Coinberry, CoinMetro, Nexus Mutual, FinNexus, PolyPlay, bZx hacks linking the original theft addresses from multiple incidents to the Tornado withdrawals.

TRM forensics graph
TRM forensics graph

August 2023 — Steadefi & CoinShift Hacks

Steadefi Incident summary

On August 7, 2023 the Steadedefi team made a post on X (formerly Twitter) informing the community its deployer wallet had been compromised and an attacker had transferred ownership of all lending and strategy vaults to an address the attacker controlled, allowing them to drain $1.2M of users assets.

A recent DPRK report published by the United Nations from March 2024 revealed a Steadefi team member had been in contact with someone on Telegram pretending to work at a fund named “Spirit Blockchain Group” where the attacker sent a malicious file disguised as a presentation for their investment fund which the Steadefi team member downloaded.

Source: https://x.com/steadefi/status/1688619454178144264
Source: https://x.com/steadefi/status/1688619454178144264
Source:https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports S/2024/215 7 March 2024
Source:https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports S/2024/215 7 March 2024

Steadefi On-Chain Aspects

In a post on X (formerly Twitter) the Steadefi team shared the wallet of the attacker.

Theft address

0x9cf71f2ff126b9743319b60d2d873f0e508810dc

Coinshift Incident Summary

While no public statements have been made about the incident, due to the sudden transfers of assets from multisig wallets tied to the founder on which were sold immediately August 16, 2023 it is likely the founder was a victim of a private key compromise.

Coinshift On-Chain Aspects

Theft address

0x979ec2af1aa190143d294b0bfc7ec35d169d845c

0x68c4a151d436ec1c5448d225a97bd19cce4dfed0

0xbcd5b968a79a04bf2bb942a449f10c20a7121ed8

0x4c7c2b39e3d642d452adfca632939a60b1baacf7

August 2023 Laundering

624.3 ETH was deposited to Tornado Cash by 0xe10d from the Steadefi hack in August 2023.

900 ETH was deposited to Tornado Cash by 0x68c4 from the Coinshift hack in August 2023.

Further evidence that the attacks were done by the entity is shown through the overlap between deposits made to the Tornado Cash 100 ETH pool within minutes of each other by the Steadefi and Coinshift attacker on August 23, 2023.

The table below shows 15 X 100 ETH deposited to the Tornado Cash 100 ETH pool from both incidents.

Table 7: Steadefi & Coinshift Tornado Cash 100 ETH deposits
Table 7: Steadefi & Coinshift Tornado Cash 100 ETH deposits

Within 24 hrs of the deposits to the Tornado Cash 100 ETH pool, matching amounts were withdrawn to three addresses and later consolidated to a single address on October 12, 2023.

0x5d65aeb2bd903bee822b7069c1c52de838f11bf8

Table 8: Steadefi and Coinshift Tornado Cash 100 ETH withdrawals
Table 8: Steadefi and Coinshift Tornado Cash 100 ETH withdrawals
TRM forensics graph
TRM forensics graph

Transfer laundered funds to P2P exchange accounts

Through a series of transactions, the funds sitting in 0x5d were converted to USDT, transferred through intermediary addresses and deposited to P2P marketplaces Paxful and Noones in November 2023. The Paxful deposit address 0x2465 has been reused for other Lazarus Group hacks such as EasyFi, Bondly, and Nexus Mutual.

Paxful deposit address

0x246569f8b420c8d850c475c53d0d59973b3f08fc

0x0258c2af4fe694df026cca55d17feebd5b361acc

0x3af55ab7edbca175f80f3a7ddeac5dabf611347b

Noones deposit address

0x4272200ef626d409e9bac681aa0efdb653a9ef0b

TRM forensics graph
TRM forensics graph

Paxful and Noones accounts receive $44M from Lazarus Group hacks through July 2022– November 2023

Paxful deposit address

$12.8M deposits from July 2022 — November 2023

0x246569f8b420c8d850c475c53d0d59973b3f08fc

$12.1M total deposits from January 2023 — November 2023

0x593dc5e1ad81667bbfc90739dd2c09c926920e3b

Noones deposit address

$14.3M total deposits from April 2023 — November 2023

0x2e1155cf5374cba058a04fd03ebd0ba19afe580d

November 25, 2023 Lazarus group began using new Paxful and Noones deposit addresses. Full list can be found here.

TRM forensics graph
TRM forensics graph

Converting $44M to fiat on P2P marketplaces Paxful and Noones

OSINT analysis was conducted and I identified two users which were active on Paxos and Noones and displayed trading volume consistent with the amount deposited from the hacks.

EasyGoatfish351

FairJunco470

The timing of activity on these accounts further matches the deposit. Very few other accounts on Paxful and Noones showed similar levels of trading volume. Taken together, it is very likely that these were the accounts being used.

Screenshot from Paxful
Screenshot from Paxful
Screenshot from Paxful
Screenshot from Paxful
Screenshot from Noones
Screenshot from Noones

Additionally, the hot wallet outflows for Noones and Paxful were analyzed and no matching crypto withdrawals of similar volumes were observed, indicating USDT was likely being exchanged for bank transfers or cash after deposits were made to the site.

Historically Lazarus Group has used Chinese OTC traders to convert crypto to fiat.

Results of the investigation

At the time of this article 374K USDT was blacklisted by Tether in November 2023 and an undisclosed amount was frozen at centralized exchanges in Q4 2023.

3 of 4 stablecoin issuers have blacklisted an additional $3.4M sitting in a group of addresses. This article will be updated after the 4th follows suit.

Other connected incidents

Exchange user hack — January 2021

Source address: 1HmXdQx3TCVibvjPAp3BrR7awbe6Gtbz6A
Source address: 1HmXdQx3TCVibvjPAp3BrR7awbe6Gtbz6A

Arthur0x hack — March 2022

Source: https://twitter.com/Arthur_0x/status/1506167899437686784
Source: https://twitter.com/Arthur_0x/status/1506167899437686784
Source address:0xb09e66b66b7daa35699496ff560e1034990e5e3a
Source address:0xb09e66b66b7daa35699496ff560e1034990e5e3a

Geracoin & Darshan hack — September & October 2022

Source: https://twitter.com/GeraCoin/status/1567538962410995713
Source: https://twitter.com/GeraCoin/status/1567538962410995713
Source address: 0xb25caeb548c40c564d2067a69a913cae14750dc0
Source address: 0xb25caeb548c40c564d2067a69a913cae14750dc0

Maverick Founder hack — October 2023

Phishing email
Phishing email
Source address: 0x6f79657e33ff6816349c81e2e9852d76b39370c2
Source address: 0x6f79657e33ff6816349c81e2e9852d76b39370c2

A special thanks to

for their contributions and guidance with the investigation.

Subscribe to Investigations By ZachXBT
Receive the latest updates directly to your inbox.
Verification
This entry has been permanently stored onchain and signed by its creator.