US Files Complaints to Recover Stolen Funds from Lazarus Group

As an analyst with years of experience in the digital forensics field, I’ve seen my fair share of cybercrimes, but the tactics employed by North Korea’s Lazarus Group are truly remarkable – and not in a good way. The recent seizure attempts by the U.S. government underscore the complexity and sophistication of these attacks.


In a move aimed at recovering funds, the American authorities have lodged two lawsuits aiming to confiscate approximately 2.67 million dollars’ worth of cryptocurrency that was illegally obtained by the notorious Lazarus Group from North Korea.

Court records filed on October 4 in the U.S. District Court for the District of Columbia show that the first complaint seeks around $1.7 million in Tether (USDT) stolen from Deribit, a Panama-based crypto exchange, in November 2022. That hack drained about $28 million from the exchange's hot wallet.

The second complaint targets roughly $972,000 in Avalanche Bridged Bitcoin (BTC.b) taken from the Stake.com online gambling platform in September 2023, a breach that cost the platform over $42 million in total.

In both cases, the stolen funds were traced through Tornado Cash, a cryptocurrency mixer widely used by cybercriminals to launder proceeds and obscure their on-chain trail.

So far, authorities have seized five cryptocurrency wallets holding USDT tied to the Deribit theft, accounting for the roughly $1.7 million sought in that complaint. Locating the rest of the stolen assets has proven difficult because of the layering used to hide their trail.

In September 2024, the FBI issued an alert describing some of the Lazarus Group's social-engineering tactics. One involves posing as recruiters and sending bogus job offers, particularly to people working in the tech or crypto sectors. The offer looks genuine and typically comes with a downloadable application document.

Those files are not ordinary documents but malware in disguise. Once the target downloads and opens the file, the malicious software installs silently on the device, giving the attackers access to the victim's accounts and personal information.

The attacks appear to be part of a campaign to fund the North Korean government. According to a U.N. report from March 2024, most of the proceeds are believed to go to the regime's weapons development programs.

In August 2024, on-chain investigator ZachXBT published evidence that around 25 cryptocurrency projects had been infiltrated by North Korean developers who used fake identities to get hired and then made off with project funds.


2024-10-09 19:00