Cryptocurrencies worth over $2.67 billion have been stolen by North Korean hackers, reportedly tied to the infamous Lazarus Group. This criminal organization has been on the U.S. government’s radar for years due to their involvement in large-scale thefts. The Lazarus Group's cybercrime activities have included some high-profile hacks, such as the theft of $1.7 million from the unregulated trading platform Deribit in 2022 and $970,000 from gambling chain Stake.com in 2023. They have used money-laundering software like Tornado Cash to obscure their tracks. According to analysis firms like Chainalysis and TRM Labs, since 2017, the group has stolen between $3 and $4.1 billion, primarily from cryptocurrency exchanges.

Despite efforts to remain undetected by using cryptocurrency mixers and multiple wallets, law enforcement agencies have stayed hot on their trail. The U.S. government has now filed two lawsuits against the North Korean hackers in an effort to seize at least $1.7 million of the stolen digital assets. To combat these thefts, various measures have already been implemented. In November 2023, Tether blacklisted $374,000 linked to Lazarus, and several cryptocurrency exchanges froze an undisclosed amount of the stolen funds. Furthermore, three out of four stablecoin issuers blacklisted $3.4 million in the last quarter of 2023. However, Lazarus remains an ongoing threat in the cryptocurrency world.

The “Lazarus Lore”: A Long History of Cybercrime

The Lazarus Group, also known by names such as APT38 or Bluenoroff, has been active since at least 2009. The group's cybercriminal activities date back even further, and its early high-profile attacks include the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist, in which $81 million was stolen. While the group initially focused on high-profile data theft and bank robberies, it has since shifted its focus to cryptocurrencies. Lazarus members are highly skilled and well-equipped, using sophisticated techniques to carry out their attacks. Their tactics are often described as expert social engineering.

A particularly troubling attack involved a member of Lazarus gaining access to Steadefi by tricking a team member into downloading a malicious file from a supposed fund manager on Telegram. Another case involved the treasury management and infrastructure platform Coinshift, where the group stole over $900,000 in Ethereum. Lazarus is known for acting swiftly; it can launder stolen funds within minutes of an attack. Once the assets are converted to stablecoins, the group uses peer-to-peer (P2P) exchanges to convert the funds into cash, making its activity difficult to track. Despite these challenges, U.S. authorities are now determined to recover the stolen funds. Whether they will succeed remains to be seen.