- Lazarus nabbed at least $293 million from victims across six heists.
- The cybercriminal group has been linked to North Korea’s nuclear weapons programme.
- The group’s most recent hack took place on December 31, setting the stage for a perilous 2024.
Lazarus ravaged the crypto world in 2023, with at least $293 million in stolen funds attributed to the North Korean cybercrime cabal.
That was a fraction of what it nabbed in 2022 — a staggering $1.7 billion.
But the thefts show Lazarus Group and North Korea-linked hackers “continue to evolve in sophistication” in both tactics and money-laundering channels, Erin Plante, vice president of investigations at Chainalysis, told DL News.
The threat of Lazarus will rise with crypto prices as many expect a new bull market.
With more capital flowing into the industry, criminals will be tempted to launch more attacks, increasing the pressure on organisational security, as highlighted by smart contract auditing firm CertiK in a January report.
Analysts suggested an $82 million hack of Orbit Bridge on New Year's Eve may be the most recent attack by Lazarus. If true, it would bookend a year that saw five other hacks across exchanges, wallet providers, and payment processors.
DL News reported in April that the rogue nation is using crypto loot to fund its nuclear weapons programme.
If the group is to maintain its stream of illicit income, it will have to develop new ways around and through an increasingly tight security landscape.
Plante pointed to the use of Russia-based exchanges to launder funds in 2023, on the back of a much-publicised meeting between North Korean dictator Kim Jong-Un and Russia’s Vladimir Putin — a well-known strategy for criminals to abscond with stolen crypto.
Authorities in the West are fighting back. In September, the US Federal Bureau of Investigation identified Lazarus as responsible for numerous hacks, and rolled out sanctions against associated wallets.
Plante added: “Law enforcement capabilities are also evolving to keep pace with these hackers, making Lazarus Group’s efforts harder and less fruitful over the years.”
Crypto must learn from past mistakes, according to CertiK.
With that in mind, let’s look at the hacks attributed to Lazarus in 2023:
Atomic Wallet: $100 million
Lazarus’s biggest heist of the year was the Atomic Wallet hack, which netted $100 million of customer funds drained directly from their wallets.
Analytics firm Elliptic identified Lazarus as the culprit just days after the hack, though the initial estimate of losses was only $35 million.
Angered users and investors subsequently sued Atomic via the Colorado District Court, alleging that “many users lost their entire portfolios.”
Alphapo: $60 million
In July, Lazarus gained access to the private keys of payment processor Alphapo’s hot wallets and drained about $60 million in funds.
Hack update: An additional $37M stolen on TRON & BTC from this hack has been located.
This now brings the total amount stolen to $60M.
This hack appears to likely have been done by Lazarus as they create a very distinct fingerprint on-chain. pic.twitter.com/ACGSXiDwW3
— ZachXBT (@zachxbt) July 25, 2023
Alphapo serves as a payment processor for a number of online gambling services, including HypeDrop, Bovada, and Ignition.
The FBI confirmed Lazarus as the culprit in September.
Coinex: $55 million
A September hack of global cryptocurrency exchange Coinex saw $55 million taken from compromised hot wallets.
The Hong Kong-based exchange halted withdrawals and deposits for 10 days following the attack.
Elliptic identified Lazarus as responsible a few days later.
#CoinExResponseUpdate - We have identified and isolated the suspicious wallet addresses linked to the hack:
$ETH:
*0xce013682eddefaca8c94fe56a43a04212ebe4673
*0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE
*0xCC1AE485b617c59a7c577C02cd07078a2bcCE454…
— CoinEx Global (@coinexcom) September 12, 2023
Stake.com: $41 million
Stake.com, an Australian-Curaçaoan online casino known for recruiting celebrity endorsers, was hit for $41 million.
Lazarus was able to make unauthorised transactions from several Stake hot wallets. Stake co-founder Edward Craven told DL News the platform’s private keys were not compromised, despite claims by blockchain experts to the contrary.
Lazarus was identified as responsible by the FBI in its September wave of sanctions.
Three hours ago, unauthorised tx's were made from Stake's ETH/BSC hot wallets.
We are investigating and will get the wallets up as soon as they're completely re-secured.
User funds are safe.
BTC, LTC, XRP, EOS, TRX + all other wallets remain fully operational.
— Stake.com (@Stake) September 4, 2023
Coinspaid: $37 million
Estonia-based Coinspaid, an ecosystem for crypto payments, suffered a $37 million hack in July.
Lazarus carried out the attack using social engineering, in which attackers use methods such as identity fraud and impersonation to win the trust of victims, with the end goal of obtaining sensitive information such as passwords or private keys.
Following the attack, Coinspaid conducted an internal investigation with the help of blockchain intelligence firm Match Systems, which determined Lazarus to be the attacker.
Coinspaid was attacked again on January 6 for $7.5 million, according to web3 security firm Cyvers, though it is unclear who was responsible.
🚨UPDATE🚨 After more investigation, our system has detected more unauthorized transactions on #BNB too involving @coinspaid
Hacker has got another $1M worth of digital assets: 924K BSC-USD and 268.5 $BNB.
Altogether, total loss is $7.5M
Hacker's address:… https://t.co/877vBm0Uah pic.twitter.com/xD6tg9QznK
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) January 6, 2024
Orbit Bridge: $82 million
On the last day of the year, Orbit Bridge was the victim of a signature exploit that saw $82 million in funds stolen.
Observers including MetaMask developer Taylor Monahan and blockchain intelligence firm Match Systems attributed the hack to Lazarus, while Orbit requested the crypto community refrain from disseminating rumours about the hack.
Orbit Chain team is fully committed to retrieving the lost assets of Orbit Bridge.
Given our primary focus on recovering 'user' assets among all assets stolen from Orbit Bridge, all assets owned by the Orbit Bridge team will remain stationary until full restoration is achieved,…
— Orbit Chain (@Orbit_Chain) January 8, 2024
If the Orbit hack was indeed carried out by Lazarus, it was the second-biggest hack of the year for the group — a disturbing finale for 2023.
Tyler Pearson is a Markets Correspondent at DL News. If you’ve got a hot crypto tip, please reach out at ty@dlnews.com.