North Korea's Lazarus hacking group allegedly has turned back to an old service in order to launder $23 million stolen during an attack in November.
Investigators at blockchain research company Elliptic said on Friday that in the last day they had seen the funds - part of the $112.5 million stolen from the HTX cryptocurrency exchange in November - laundered through the Tornado Cash mixing service.
The use of Tornado Cash stood out to Elliptic because the service was sanctioned by U.S. authorities in August 2022, prompting Lazarus actors to turn to another mixing service called Sinbad.io.
Elliptic said it has been tracking the $112.5 million stolen from HTX since the exchange attributed the incident to Lazarus.
The funds were held without movement until March 13, when Elliptic saw some go through Tornado Cash.
Other blockchain security companies confirmed they also saw the funds move across the blockchain.
North Korean hackers rely on mixing services like Tornado Cash and Sinbad.io to obscure the origin of stolen funds and cash out the proceeds of the numerous crypto hacks they have launched over the last three years.
The proceeds help the regime dodge international sanctions related to its weapons programs, according to the U.S. government.
According to the Treasury Department, North Korean hackers used Sinbad and its predecessor Blender.io to launder a chunk of the $100 million stolen on June 3 from customers of Atomic Wallet, as well as significant portions of the more than $620 million stolen from Axie Infinity and the $100 million taken from Horizon Bridge - two of the largest crypto thefts on record.
Researchers estimate that North Korean groups stole about $1.7 billion worth of cryptocurrency in 2022 and about $1 billion in 2023.
Lazarus Group has been operating for more than 10 years and, according to U.S. officials, has stolen over $2 billion worth of cryptocurrency to help fund the North Korean government's activities - including its weapons of mass destruction and ballistic missile programs.
The group itself was sanctioned by the U.S. government in 2019.
Jonathan has worked across the globe as a journalist since 2014.
Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.
He previously covered cybersecurity at ZDNet and TechRepublic.
This Cyber News was published on therecord.media. Publication date: Fri, 15 Mar 2024 18:40:04 +0000