Table of contents
1). Introduction
2). CoinBerry, Unibright, & CoinMetro hacks
3). Nexus Mutual founder hack
4). EasyFi hack
5). Bondly hack
6). Unreported hacks
7). MGNR and PolyPlay hacks
8). bZx hack
9). Steadefi and CoinShift hacks
10). Paxful and Noones accounts
11). Investigation results
12). Other Incidents
13). Acknowledgments
Introduction
Bluenoroff, also tracked as APT38 and more commonly referred to as Lazarus Group, is a threat group that has been tied to the North Korean government since as early as 2009. It is primarily financially motivated and uses malware custom built for each target.
Early on, the group gained notoriety for attacks such as the 2014 Sony Pictures hack and the $81M Bangladesh Bank heist in 2016; in more recent years it has shifted its focus to targets in the cryptocurrency industry.
Analytics firms such as TRM and Chainalysis release annual reports summarizing crypto-related incidents linked to the DPRK, and they estimate that between $3B and $4.1B has been stolen since 2017.
The research in this article follows 25 hacks targeting companies and individuals in the cryptocurrency space between August 2020 and October 2023, tracing the movement of funds to multiple accounts identified at P2P marketplaces where Lazarus Group exchanges stolen crypto for fiat.
2020 — CoinBerry, Unibright, & CoinMetro Hacks
CoinBerry Incident Summary
On August 24, 2020 the Canadian crypto exchange CoinBerry stopped processing withdrawals for more than 12 hours after $370K was drained from its Bitcoin and Ethereum hot wallets. The exchange never publicly reported the incident; a lawsuit filed in 2022 later revealed that a software bug had allowed 500 users to withdraw 120 BTC in 2020.
Theft address
0xA06957c9C8871ff248326A1DA552213AB26A11AE
1KcTk7kJMjYaCV3FXo5bzpjaZs2aK18ntz
Unibright Incident Summary
On September 11, 2020 the Unibright team noticed unauthorized transfers of $400K from multiple wallets controlled by the team, the result of a private key compromise. The attacker immediately swapped the assets for ETH on decentralized exchanges.
Theft address
0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43
CoinMetro Incident Summary
On October 6, 2020 the CoinMetro team observed unauthorized transfers of $750K worth of crypto assets from its hot wallets following a security breach. In response, the Parsiq team decided to hard-fork its PRQ token to prevent the attacker from selling the stolen PRQ and to protect user funds.
Theft address
0x044bf69ae74fcd8d1fc11da28adbad82bbb42351
1GVjvbVEYPkjCYCwJkC29t5pBWAQQd1g32
On-chain aspects
Funds from the CoinMetro, CoinBerry and Unibright thefts, and from thefts targeting individuals, were transferred through intermediary wallets before consolidating in 0x0864 in early January 2021.
3000 ETH was deposited to Tornado Cash by 0x0864 on January 11, 2021, beginning at 2:54 am UTC and concluding at 9:14 am UTC.
0x0864b5ef4d8086cd0062306f39adea5da5bd2603
1814.49 ETH was then transferred from 0x0864 to 0x1031, and 0x1031 deposited 17 X 100 ETH to Tornado Cash the same day, January 11, 2021.
0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129
An additional 112.1 ETH was deposited to Tornado Cash by 0x1031 from January 14–16, 2021.
45 X 100 ETH was withdrawn from Tornado Cash to a single address beginning on January 11, 2021 at 2:35 pm UTC and concluding on January 14, 2021 at 11:52 pm UTC.
0x05492cbc8fb228103744ecca0df62473b2858810
All Tornado Cash withdrawals for January 2021 were reviewed and no other withdrawals shared these characteristics (45 X 100 ETH landing at a single address within days of the deposits). Additional confidence in the demix comes from the fact that the withdrawal destination address 0x0549 connects back on-chain to the original theft address.
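The volume-and-timing matching used throughout this article, written out as an added example (this is not code from the original article). It assumes pool deposit and withdrawal events have already been exported into the PoolEvent shape below; the field names, the window length and the sample events are all assumptions constructed for illustration, not real chain data. For one depositor it returns the recipients whose withdrawals reproduce the deposited denomination profile inside a time window, together with the competing recipients that must be ruled out before the match is trusted.

```python
"""Volume-and-timing demix of a fixed-denomination mixer (Tornado Cash style).

Added example, not code from the original article. Events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class PoolEvent(NamedTuple):
    kind: str        # "deposit" or "withdraw"
    denom: int       # pool denomination in ETH: 1, 10 or 100
    address: str     # depositor for deposits, recipient for withdrawals
    ts: datetime     # block timestamp, UTC


def deposit_profile(events: List[PoolEvent], depositor: str):
    """Denomination counts a depositor sent in, plus first and last deposit time."""
    deps = [e for e in events if e.kind == "deposit" and e.address == depositor]
    if not deps:
        return Counter(), None, None
    return (Counter(e.denom for e in deps),
            min(e.ts for e in deps), max(e.ts for e in deps))


def demix(events: List[PoolEvent], depositor: str, window_hours: int = 96,
          near_fraction: float = 0.5) -> Dict[str, object]:
    """Volume-and-timing demix for one depositor.

    Only withdrawals landing between the first deposit and `window_hours`
    after the last deposit are considered. Recipients are bucketed by the
    denominations they pulled out: an "exact" match reproduces the deposit
    profile one-for-one (e.g. 45 X 100 ETH in, 45 X 100 ETH out to one
    address); a "near" match withdrew at least `near_fraction` of the
    deposited volume. Near matches are the competing explanations that must
    be ruled out before an exact match is trusted.
    """
    profile, first, last = deposit_profile(events, depositor)
    if not profile:
        return {"deposited_eth": 0, "exact": [], "near": []}
    deposited = sum(d * n for d, n in profile.items())
    end = last + timedelta(hours=window_hours)
    per_recipient: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.kind == "withdraw" and first <= e.ts <= end:
            per_recipient[e.address][e.denom] += 1
    exact: List[str] = []
    near: List[Tuple[str, int]] = []
    for addr, counts in per_recipient.items():
        withdrawn = sum(d * n for d, n in counts.items())
        if counts == profile:
            exact.append(addr)
        elif withdrawn >= near_fraction * deposited:
            near.append((addr, withdrawn))
    return {"deposited_eth": deposited, "exact": sorted(exact), "near": sorted(near)}


# Constructed sample: 0x0864 drops 5 X 100 ETH and 2 X 10 ETH on January 11;
# 0x0549 pulls the same profile out over the next three days; 0xaaaa is an
# unrelated single withdrawal; 0xbbbb pulls 5 X 100 ETH but 20 days later.
T0 = datetime(2021, 1, 11, 2, 54)
SAMPLE_EVENTS: List[PoolEvent] = (
    [PoolEvent("deposit", 100, "0x0864", T0 + timedelta(minutes=15 * i)) for i in range(5)]
    + [PoolEvent("deposit", 10, "0x0864", T0 + timedelta(hours=6, minutes=i)) for i in range(2)]
    + [PoolEvent("deposit", 100, "0xcafe", T0 + timedelta(hours=1))]
    + [PoolEvent("withdraw", 100, "0x0549", T0 + timedelta(hours=12 + 10 * i)) for i in range(5)]
    + [PoolEvent("withdraw", 10, "0x0549", T0 + timedelta(days=3, hours=i)) for i in range(2)]
    + [PoolEvent("withdraw", 100, "0xaaaa", T0 + timedelta(hours=20))]
    + [PoolEvent("withdraw", 100, "0xbbbb", T0 + timedelta(days=20, hours=i)) for i in range(5)]
)

if __name__ == "__main__":
    print(demix(SAMPLE_EVENTS, "0x0864"))   # unique exact match: 0x0549
    print(demix(SAMPLE_EVENTS, "0xcafe"))   # single 100 ETH note: ambiguous
```

The second run is the caveat: a depositor of a single 100 ETH note "matches" any lone 100 ETH withdrawal in the window, so count matching only carries weight when the profile is distinctive (many notes, several denominations, a quiet pool) and the post-mix address can be tied back to the theft by other means.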
Transfer laundered funds to P2P exchanges
Through a series of transactions, the funds sitting in 0x0549 were transferred through intermediary addresses and consolidated with funds from other Lazarus Group thefts before USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 the group began using Noones, another P2P marketplace, and continued slowly transferring USDT in batches until November 2023.
Paxful deposit address:
0x246569f8b420c8d850c475c53d0d59973b3f08fc
0x593dc5e1ad81667bbfc90739dd2c09c926920e3b
Noones deposit address:
0x2e1155cf5374cba058a04fd03ebd0ba19afe580d
Transfer funds from theft to OTC trader
Additionally, in 2021 multiple transfers were made from the 0x9973 address to Wu Huihui, a China-based OTC trader. In April 2023 an indictment against Wu was unsealed alleging that he facilitated payments for the DPRK, and he was added to the OFAC SDN list.
December 2020 — Nexus Mutual founder (Hugh Karp) hack
Incident summary
On December 14, 2020 Hugh Karp, founder of Nexus Mutual, was tricked into approving a malicious transaction that transferred out 370,000 NXM ($8.3M) after an attacker gained remote access to his computer and modified his MetaMask extension.
On-chain aspects:
The post-mortem blog post by Hugh Karp lists the theft addresses on Bitcoin and Ethereum.
BTC theft address
3DZTKLmxo56JXFEeDoKU8C4Xc37ZpNqEZN
ETH theft address
0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1
0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b
0x09923e35f19687a524bbca7d42b92b6748534f25
0x0784051d5136a5ccb47ddb3a15243890f5268482
0x0adab45946372c2be1b94eead4b385210a8ebf0b
From December 16–17, 2020 the attacker deposited 137.1 BTC into the centralized mixing service ChipMixer in six deposits:
ChipMixer deposits — December 16
Deposit 1: 1 BTC at 9:55 am UTC
906b3436067e48f3355f8cb5266c0055787d8cd378d3fe99e7020eecdde2ca74
Deposit 2: 5 BTC at 10:09 am UTC
5ce61bc9bec2ff7a5291b48903441a39fab6df59934cf75b7cd1abee67ac8017
Deposit 3: 30 BTC at 10:22 am UTC
db0cd0f1cb5bd13b9b3249e6a560aaeddbd0134d0f678220e626b20a424473ce
Deposit 4: 50 BTC at 11:44 am UTC
1586fec6363ba1d6bac3056e4aee0bc0b4fefdf37f6060850b2d9168c39e6683
Deposit 5: 41.99 BTC at 1:51 pm UTC
eb4854fb3ea8a3f5d87331b04bfc4daeac76343ebcbcaeff976551fadb5050cc
ChipMixer deposits — December 17
1aa32442bfcbee3981e038d50a05885d35fd1d4ec33af5a9bd40e5d1dc88a686
Hours after the deposits, a matching amount of 136 BTC was withdrawn from ChipMixer, bridged back to Ethereum via Ren Protocol and consolidated with funds from other thefts.
ChipMixer withdrawals — December 16
Withdrawal 1: 4.61 BTC at 10:14 am UTC
18b9481573afb349c499ed5469ed903db5289b7946daddc1961e945b3d4d3cb7
Withdrawal 2: 5.42 BTC at 12:39 pm UTC
a88a7d86bbd780f42850472feffcb626684b3df7b2f7c062e3b12009224e609d
Withdrawal 3: 15 BTC at 12:56 pm UTC
0b6b1a990b6aab6edaef925c4af2a03f64c1a03ee98d3309f9557029af415f66
Withdrawal 4: 60 BTC at 2:14 pm UTC
9726abb675bff14f512018a583693e815857829dc2459556938a491900638e21
Withdrawal 5: 42 BTC at 11:33 pm UTC
ffeb3dd56d0bde492cd08c0975edad38524f5ef003f55c258e75638044324acf
ChipMixer withdrawals — December 17
Withdrawal 6: 9.1 BTC at 7:17 am UTC
a63eea88c4f9304e7e6c582a586b720c1dd50d671f8f6077143968eea2a3f97b
Ren Protocol ETH destination address: 0x78a9903af04c8e887df5290c91917f71ae028137
On the Ethereum side, 2,571 ETH (25 X 100 ETH, 7 X 10 ETH, 1 X 1 ETH) was deposited into Tornado Cash from December 16–19 by theft address 0x0784.
0x0784051d5136a5ccb47ddb3a15243890f5268482
Beginning just hours after the deposits, the Ren destination address 0x78a9 started receiving withdrawals from Tornado Cash.
0x78a9903af04c8e887df5290c91917f71ae028137
While the withdrawals are not a 1:1 match for the deposits, we can be confident the demix is accurate because Lazarus Group itself linked the post-mix address with the original theft address on December 25, 2020, reducing the effectiveness of the anonymity set, as seen in the TRM graph below:
March 2021 — ChipMixer Activity
In March 2021 Lazarus Group sold additional wNXM for renBTC before bridging 89.5 renBTC in total to Bitcoin via Ren Protocol and depositing it to ChipMixer.
March 10th — 29.98 renBTC was bridged to Bitcoin via Ren Protocol and deposited to ChipMixer in one transaction. Five hours later a matching amount of 29.92 BTC was withdrawn from ChipMixer and bridged via Ren back to Ethereum, where the funds consolidated in 0x0864 with stolen funds from the CoinMetro hack and unreported hacks of individuals.
0x0864b5ef4d8086cd0062306f39adea5da5bd2603
March 20th — 13.13 renBTC was bridged to Bitcoin and immediately bridged back to Ethereum via Ren Protocol, where it consolidated with stolen funds from the CoinMetro hack. 67.63 renBTC was then bridged back to Bitcoin and four deposits were made to ChipMixer. Shortly after the deposits, five withdrawals were made from ChipMixer in matching amounts adjusted for fees.
The withdrawn funds were bridged via Ren from Bitcoin to Ethereum, where they consolidated in 0xb27d with the NXM batch laundered in December 2020.
0xb27d40fb4a7975e6f4e6bd7f9fbf6e8d53bf8298
March 31st — 46.49 renBTC was bridged to Bitcoin via Ren and five deposits were made to ChipMixer. Within minutes of the deposits, six addresses began receiving withdrawals in matching amounts. The funds were bridged back to a single destination address, 0x58e5, on Ethereum.
The accuracy of this demix can be confirmed because the address receiving the 1.56 BTC withdrawal connects to the original NXM theft address through funds bridged via Ren in November 2020. This is highlighted in pink in the TRM graph below.
Transfer laundered funds to P2P exchanges:
In April 2021 19.96 BTC was bridged from Ethereum to Bitcoin via Ren and transferred to Wu Huihui, the OTC trader later sanctioned by OFAC.
$11M from 0xb27d was transferred to a Bixin deposit address from May 24 to July 10, 2021.
In February 2023 the remaining funds in 0xb27d were transferred to 0xcbf0, where they consolidated with funds from other thefts and were deposited to Paxful and Noones.
Bixin deposit address
0x8e7f5d85c3587725b1188d3cc04ca814ab60cdce
Paxful deposit address
0x593dc5e1ad81667bbfc90739dd2c09c926920e3b
Noones deposit address
0x2e1155cf5374cba058a04fd03ebd0ba19afe580d
April 2021 — EasyFi founder (Ankitt Gaur) hack
Incident Summary
On April 19, 2021 the EasyFi team observed large unauthorized transfers of EASY tokens from team wallets controlled by the founder, Ankitt Gaur. His device had been injected with a malicious version of MetaMask, giving the attacker control of the private keys; $81M was stolen.
Further analysis revealed that a few days earlier Ankitt Gaur had received a phishing email at his personal address, sent via SendGrid and made to appear as if it came from Pantera Capital founder Dan.
Notably, this attack closely resembled the one against Hugh Karp (Nexus Mutual founder) in December 2020.
On-chain aspects
$6M of USD/DAI/USDT liquidity was removed from protocol pools, and 2.98M EASY was transferred to 0x4371.
0x437147DA920714feC4822F0666D940945f9c972B
The attacker can be linked on-chain to the Nexus Mutual, CoinMetro, Unibright and CoinBerry hacks and to multiple thefts from individuals, as addresses from each incident transferred ETH to 0x3149 in March–April 2021.
0x31499e03303dd75851a1738e88972cd998337403
April 2021 — Laundering
From April 20–21, 2021 a total of 209.64 BTC from the theft was bridged from Ethereum to Bitcoin and deposited to ChipMixer.
A volume and timing analysis was performed: from April 20–21, 2021 a total of 209.5 BTC was withdrawn from ChipMixer, matching the amount deposited adjusted for fees. There were no other withdrawals during that period which showed similar characteristics.
209.22 BTC from the ChipMixer withdrawals was consolidated to two addresses on April 22, 2021 and then bridged back to Ethereum using Ren Protocol.
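ChipMixer, unlike Tornado Cash, pays out arbitrary amounts, so the "matching the amount deposited adjusted for fees" check above is a subset-sum problem over the withdrawals in the window rather than a count of fixed denominations. The following is an added example of that check, not code from the original article: the BtcTx shape, the window, the fee tolerance and every deposit, withdrawal and txid below are constructed for illustration. Amounts are converted to satoshis so the sums are exact, and leftover withdrawals in the window are reported so the analyst can confirm nothing else "looks similar".

```python
"""Fee-adjusted volume-and-timing match for a variable-amount mixer.

Added example, not code from the original article. All data is constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

SATS = 100_000_000


class BtcTx(NamedTuple):
    txid: str
    amount_btc: float
    ts: datetime


def _best_subset(amounts: List[int], target: int, min_out: int) -> Optional[Tuple[int, ...]]:
    """Subset-sum by dynamic programming over reachable sums; sums above
    `target` are pruned. Returns the index tuple with the largest sum in
    [min_out, target], i.e. the combination implying the smallest fee."""
    reach: Dict[int, Tuple[int, ...]] = {0: ()}
    for i, a in enumerate(amounts):
        for s, idx in list(reach.items()):
            t = s + a
            if t <= target and t not in reach:
                reach[t] = idx + (i,)
    feasible = [s for s in reach if s >= min_out and s > 0]
    return reach[max(feasible)] if feasible else None


def match_mixer_flow(deposits: List[BtcTx], withdrawals: List[BtcTx],
                     window_hours: float = 24.0, max_fee_pct: float = 0.5,
                     max_candidates: int = 18) -> Dict[str, object]:
    """Find withdrawals inside `window_hours` after the last deposit whose
    combined amount equals the deposit total minus at most `max_fee_pct`
    (mixer fee plus miner fees). Withdrawals in the window that are not part
    of the match are returned as `unmatched_in_window`."""
    if not deposits:
        raise ValueError("no deposits")
    total_in = round(sum(d.amount_btc for d in deposits) * SATS)
    start = min(d.ts for d in deposits)
    end = max(d.ts for d in deposits) + timedelta(hours=window_hours)
    cands = [w for w in withdrawals if start <= w.ts <= end]
    if len(cands) > max_candidates:   # reachable sums can grow as 2^n; narrow first
        raise ValueError(f"{len(cands)} candidate withdrawals; narrow the window first")
    amounts = [round(w.amount_btc * SATS) for w in cands]
    min_out = total_in - int(total_in * max_fee_pct / 100)
    chosen = _best_subset(amounts, total_in, min_out)
    if chosen is None:
        return {"matched": [], "unmatched_in_window": [w.txid for w in cands],
                "in_sats": total_in, "out_sats": 0, "fee_pct": None}
    out = sum(amounts[i] for i in chosen)
    matched = {cands[i].txid for i in chosen}
    return {
        "matched": sorted(matched),
        "unmatched_in_window": [w.txid for w in cands if w.txid not in matched],
        "in_sats": total_in,
        "out_sats": out,
        "fee_pct": round((total_in - out) / total_in * 100, 4),
    }


# Constructed sample: four deposits totalling 140.5 BTC, four withdrawals
# totalling 140.4 BTC in the next 12 hours, one unrelated withdrawal in the
# window, and one of the right size five days later (outside the window).
D0 = datetime(2021, 4, 20, 10, 0)
SAMPLE_DEPOSITS = [
    BtcTx("dep-a", 50.0, D0),
    BtcTx("dep-b", 30.0, D0 + timedelta(minutes=30)),
    BtcTx("dep-c", 40.5, D0 + timedelta(hours=1)),
    BtcTx("dep-d", 20.0, D0 + timedelta(hours=4)),
]
SAMPLE_WITHDRAWALS = [
    BtcTx("wd-1", 49.9, D0 + timedelta(hours=6)),
    BtcTx("wd-2", 30.0, D0 + timedelta(hours=7)),
    BtcTx("wd-noise", 12.3, D0 + timedelta(hours=8)),
    BtcTx("wd-3", 20.4, D0 + timedelta(hours=9)),
    BtcTx("wd-4", 40.1, D0 + timedelta(hours=12)),
    BtcTx("wd-late", 140.4, D0 + timedelta(days=5)),
]

if __name__ == "__main__":
    print(match_mixer_flow(SAMPLE_DEPOSITS, SAMPLE_WITHDRAWALS))
```

The fee tolerance is the important knob: too wide and several subsets become feasible, too narrow and a real match is rejected because of miner fees, so calibrate it against withdrawals you have already confirmed for the same mixer.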
Ren bridge source transaction —
Amount: 179.47 BTC
84b7c4a2b79d454bbb1636d6d872ed367bbcf4b664193b7b8baded8675085935
Date: April 22, 2021 at 2:00 AM UTC
35TjCuKRbKcofxnKG2EkC8B66ZNXKqE1aN
Amount: 29.75 BTC
3e3b2950c72f863642db0a1bd248be3009ba65e9fa950d5a3094a7b1d7b14e2e
Date: April 22, 2021 at 2:00 AM UTC
3M8VZjtAqi51LsMuRGGY9mhPvQk5hvubvt
Ren bridge destination transaction —
0xbeb56f2ad2b41339c377cbdb713e88b565af5bba407de24edaabf473a82967fd
0x313d06759af5696d6ee3f5965408e9c5b658fb7e
0x75c6615cdcdd5ce97c1c30357c64762ab3ab8fa0357fe290b8b6e3afd3a85463
0xe0c79066488a15b70361ad8268d713b05944a4fe
Funds received by 0x313d and 0xe0c7 mostly stayed dormant until June 2022, when they were transferred to new EOA addresses and consolidated with stolen funds from other thefts tied to Lazarus Group.
In June 2022 $4.9M from multiple hacks was then transferred to two Binance deposit addresses:
0x27a9d7d17d72a5a67115dbf381b121b51d8b5dd8
0xabef0df725ef5d2f0354c59ea3ccb161abc11515
On April 28, 2021 another batch of 6.31 renBTC was bridged to Bitcoin using Ren Protocol and deposited to ChipMixer at 7:20 am UTC.
0a6f220fdc821ec1743a9a201e16a038d474b1554520e9922734e6c62628e7b2
Minutes later, at 7:29 am UTC, an address received 6.305 BTC from ChipMixer, matching the amount deposited adjusted for fees.
4e35b2214a12f8d49cdd0100d71f7573ee47dd6a575e149eb1529285b7effff9
All funds were bridged back to Ethereum address 0xe0c7 using Ren bridge.
0xe0c79066488a15b70361ad8268d713b05944a4fe
Transfer laundered funds to P2P exchanges
Through a series of transactions, the funds sitting in 0xe0c7 and 0x313d were converted to DAI and wBTC, transferred through intermediary addresses and consolidated with funds from other Lazarus Group thefts, before USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 the group began using Noones, another P2P marketplace, and continued slowly sending USDT in batches until November 2023.
Paxful deposit address
0x246569f8b420c8d850c475c53d0d59973b3f08fc
0x593dc5e1ad81667bbfc90739dd2c09c926920e3b
Noones deposit address
0x2e1155cf5374cba058a04fd03ebd0ba19afe580d
July 2021 — Bondly hack
Incident summary
On July 14, 2021 Brandon Smith, CEO of Bondly Finance, fell victim to an attack in which the malicious actor gained access to an account holding the recovery phrase for his hardware wallet. Soon after, the attacker transferred ownership of the Bondly token contract to themselves and moved $8.5M of assets belonging to the team.
On-chain aspects
The post-mortem blog post by Bondly co-founder Harry Liu highlights the theft addresses on Ethereum, BSC, and Polygon.
Ethereum, BSC, and Polygon theft address
0xc433d50dd0614c81ee314289ec82aa63710d25e8
Laundering July 2021
Tornado Cash deposits — BSC
Through a series of transactions, 48 X 100 BNB was deposited to Tornado Cash by the attacker, beginning on July 15, 2021 at 5:41 am UTC and concluding on July 16, 2021 at 6:33 am UTC.
Tornado Cash deposits — Ethereum
Through a series of transactions, 5 X 100 ETH and 52 X 100,000 DAI were deposited to Tornado Cash by the attacker, beginning on July 15, 2021 at 8:15 am UTC and concluding on July 16, 2021 at 2:17 am UTC. On August 11, 2021 an additional 202 ETH was deposited to Tornado Cash.
Tornado Cash withdrawals — BSC
From July 17–19th 47 X 100 BNB was withdrawn to 0x4197 on BSC. This matches the deposits 1:1, as the remaining 100 BNB deposit was withdrawn back to the depositor 0xc433.
0x419787019b991ac2c765a14467d177c6c0b05c00
Funds were then bridged from BSC to Ethereum via Multichain bridge and consolidated with the Ethereum withdrawals.
Tornado Cash withdrawals — Ethereum
From July 16–20th 35 X 100,000 DAI and 3 X 100 ETH were withdrawn to 0x365d, where they consolidated with the bridged 100 BNB Tornado Cash withdrawals.
0x365d2c5220989a068d8b0e95625875c55166297b
From July 22–29th 14 X 100,000 DAI and 2 X 100 ETH were withdrawn to 0xe0c7, consolidating with funds from the EasyFi hack. From August 12–23rd a further 2 X 100 ETH was withdrawn to 0xe0c7.
0xe0c79066488a15b70361ad8268d713b05944a4fe
On July 24th 2 X 100,000 DAI was withdrawn to 0xdef5, which received $7.4M from 0xe0c7 in a series of transactions.
0xdef57ccb20b1f2eaee0c64aab3280350f84cb0fc
The remaining 1 X 100,000 DAI withdrawal was made to 0x996f.
0xd7589fdf5c035ce5d432e5af64b13b77802b7451315f460ce1bda8a4e7c89240
0x996f5ccbf2856137744603b382de559b78a096fc
The Tornado Cash 100,000 DAI pool sees little activity, and the 52 deposits made by the Bondly attacker increased the pool by 15%, significantly reducing the effectiveness of the anonymity set, since most notes entering and leaving the pool in that window are the attacker's own. The graph below, showing the cumulative balance of the 100,000 DAI pool from July 11–25, 2021, shows a sudden increase in deposits followed by matching withdrawals.
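The two figures that reasoning rests on, the pool's cumulative balance and the share of it one depositor suddenly owns, as an added example (not the article's code or data). It assumes per-note deposit and withdrawal events in the NoteEvent shape below; the baseline and window lengths, the address labels and the sample events are constructed for illustration. Beyond the 15% growth figure, it also compares the withdrawals seen after the burst with what the pool's own baseline turnover would predict, which is what makes "the withdrawals that follow are the attacker's" a quantitative statement rather than an impression.

```python
"""Anonymity-set dilution in a quiet fixed-denomination pool.

Added example, not code from the original article. All events are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class NoteEvent(NamedTuple):
    kind: str       # "deposit" or "withdraw" (one event per note)
    address: str    # depositor, or withdrawal recipient
    ts: datetime


def running_balance(events: List[NoteEvent]) -> List[Tuple[datetime, int]]:
    """Unspent note count after each event, in time order (the cumulative balance curve)."""
    bal, out = 0, []
    for e in sorted(events, key=lambda e: e.ts):
        bal += 1 if e.kind == "deposit" else -1
        out.append((e.ts, bal))
    return out


def burst_stats(events: List[NoteEvent], suspect: str,
                baseline_days: int = 30, window_days: int = 14) -> Dict[str, float]:
    """How much a suspect's deposit burst dilutes the pool's anonymity set.

    balance_before: unspent notes just before the suspect's first deposit.
    growth_pct:     the suspect's notes as a share of balance_before.
    baseline_withdrawals_per_day: pool turnover over the prior baseline_days.
    window_withdrawals vs expected_withdrawals: what actually left the pool
    in the window after the burst versus what baseline turnover predicts;
    a surge_ratio far above 1 means the post-burst withdrawals are, with
    high probability, the suspect's own notes leaving.
    """
    mine = [e.ts for e in events if e.kind == "deposit" and e.address == suspect]
    if not mine:
        raise ValueError("suspect made no deposits")
    t0 = min(mine)
    before = [e for e in events if e.ts < t0]
    balance_before = sum(1 if e.kind == "deposit" else -1 for e in before)
    base_start = t0 - timedelta(days=baseline_days)
    base_wd = sum(1 for e in before if e.kind == "withdraw" and e.ts >= base_start)
    w_end = t0 + timedelta(days=window_days)
    window_wd = sum(1 for e in events if e.kind == "withdraw" and t0 <= e.ts <= w_end)
    per_day = base_wd / baseline_days
    expected = per_day * window_days
    return {
        "balance_before": balance_before,
        "suspect_notes": len(mine),
        "growth_pct": round(100 * len(mine) / balance_before, 2),
        "baseline_withdrawals_per_day": per_day,
        "window_withdrawals": window_wd,
        "expected_withdrawals": expected,
        "surge_ratio": round(window_wd / expected, 2) if expected else float("inf"),
    }


# Constructed sample: a pool of 300 old notes turning over one note every
# other day, then a 45-note burst from 0xc433 followed two days later by
# 45 withdrawals to 0x365d and one unrelated withdrawal.
T_BURST = datetime(2021, 7, 15, 8, 15)
SAMPLE: List[NoteEvent] = [
    NoteEvent("deposit", f"0xseed{i}", datetime(2021, 5, 1) + timedelta(minutes=i))
    for i in range(300)
]
for _i in range(15):
    _day = T_BURST - timedelta(days=30) + timedelta(days=2 * _i)
    SAMPLE.append(NoteEvent("deposit", f"0xuser{_i}", _day.replace(hour=12, minute=0)))
    SAMPLE.append(NoteEvent("withdraw", f"0xrecv{_i}", _day.replace(hour=18, minute=0)))
SAMPLE += [NoteEvent("deposit", "0xc433", T_BURST + timedelta(minutes=20 * i)) for i in range(45)]
SAMPLE += [NoteEvent("withdraw", "0x365d", T_BURST + timedelta(days=2, hours=i)) for i in range(45)]
SAMPLE.append(NoteEvent("withdraw", "0xrecv_x", T_BURST + timedelta(days=5)))

if __name__ == "__main__":
    print(burst_stats(SAMPLE, "0xc433"))
    print(running_balance(SAMPLE)[-1])
```

Baseline turnover is the quantity worth checking for any pool before trusting a demix: in a busy pool the same 45-note burst would be lost among hundreds of unrelated withdrawals, and the surge ratio would stay near 1.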
In June 2022 $4.9M laundered from hacks such as Nexus Mutual, EasyFi, and Bondly was transferred to two Binance deposit addresses:
0x27a9d7d17d72a5a67115dbf381b121b51d8b5dd8
0xabef0df725ef5d2f0354c59ea3ccb161abc11515
Transfer laundered funds to P2P exchanges
Through a series of transactions, the funds sitting in 0xe0c7 and 0x365d were transferred through intermediary addresses and consolidated with funds from other Lazarus Group thefts such as EasyFi and the Nexus Mutual founder, before USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 the group began using Noones, another P2P marketplace, and continued slowly sending USDT in batches until November 2023.
Paxful deposit address
0x246569f8b420c8d850c475c53d0d59973b3f08fc
0x593dc5e1ad81667bbfc90739dd2c09c926920e3b
Noones deposit address
0x2e1155cf5374cba058a04fd03ebd0ba19afe580d
August and September 2021 — Unreported Hacks
In August and September 2021 multiple individuals were hacked for a combined $2M, likely due to private key compromise. Indicators of the thefts include on-chain connections to known hacks such as FinNexus, assets being transferred out of victims' wallets and immediately sold for ETH, and activity in the victims' wallets stopping after the transfers were made.
Theft address
0x5271b379f3e1954e20791142d734596a3de28efd
0xc35a06d02471acc48e552e99d8b860bac73cbe9d
0x40d7b7A55dd51ee94A9a4788311e39CB362Fe1Ea
Funds from the multiple thefts consolidated in 0x5271 before 581 ETH was deposited to Tornado Cash on September 15, 2021 beginning at 10:13 am UTC.
591 ETH was withdrawn from Tornado Cash to a single address on September 20, 2021 beginning at 12:20 am UTC.
0x5b24da735fd5835ec5afb5abf9f3e89270e609c8
The $2M withdrawn from the mixer was transferred to an intermediary address before consolidating with funds from other Lazarus Group thefts and being deposited to exchanges. Confidence that the demix is accurate comes from the Paxful deposit address 0x2465, which links the Tornado Cash withdrawals back to the deposits.
Paxful deposit address
0x246569f8b420c8d850c475c53d0d59973b3f08fc
October 2021 — MGNR and PolyPlay Hack
MGNR hack incident summary
On October 8, 2021 the trading firm mgnr.io had $24M worth of assets drained from its wallets as the result of a private key compromise. In a since-deleted post on X (formerly Twitter) the team shared that they had been targeted in a sophisticated cyberattack after receiving a Pantera Capital phishing email via SendGrid, similar to the one Ankitt Gaur of EasyFi received. The team noted that private keys to hot wallets had been temporarily shared between multiple team members.
MGNR hack on-chain aspects
A blog post by the user CryptoCat in January 2022 revealed addresses from the theft by detailing mgnr.io wallets which sold Maple Finance tokens on October 8, 2021. The author mistakenly attributed those sales to the team rather than to the attacker.
MGNR hack October 2021 laundering
All assets from compromised mgnr.io wallets on EVM chains were bridged and swapped before being consolidated into 0x577, from which the attacker deposited 4900 ETH from the incident to Tornado Cash, beginning on October 8, 2021 at 4:37 am UTC and concluding on October 12, 2021 at 6:16 am UTC. Another address connected to the attacker deposited 210 ETH to Tornado Cash during this period.
A few days later 0xdef5, which had received $4.3M from the EasyFi and Bondly hacks earlier in the year, received 700 ETH from Tornado Cash.
0xdef57ccb20b1f2eaee0c64aab3280350f84cb0fc
Another address, 0x1398, which had previously received $15.2M from the EasyFi and Bondly hacks earlier in the year, received 4500 ETH from Tornado Cash.
0x1398db28ca00d9f943355d6b57ab28a61110bfef
While 1 X 100 ETH withdrawal is missing from the demix of the Tornado Cash 100 ETH pool, there were no other withdrawals during that period which showed similar characteristics.
MGNR hack January 2022 laundering
On January 14, 2022 another 6 X 100 ETH and 5 X 10 ETH from an address connected to the theft was deposited to Tornado Cash. Just 24 hours later 4 X 100 ETH and 5 X 10 ETH was withdrawn to 0x964 and then transferred to 0x1398, which further strengthens the demix: multiple denominations were withdrawn over a sustained period of time to the same destination.
Transfer laundered funds to P2P exchanges
Through a series of transactions, the funds sitting in 0xdef5, 0x964 and 0xefdd were transferred through intermediary addresses and consolidated with funds from other Lazarus Group hacks such as EasyFi, Bondly and the Nexus Mutual founder, before USDT was deposited to the P2P marketplace Paxful beginning in July 2022. In April 2023 the group began using Noones, another P2P marketplace, and continued slowly sending USDT in batches until November 2023.
Paxful deposit address
0x246569f8b420c8d850c475c53d0d59973b3f08fc
0x593dc5e1ad81667bbfc90739dd2c09c926920e3b
Noones deposit address
0x2e1155cf5374cba058a04fd03ebd0ba19afe580d
PolyPlay Incident Summary
On October 28, 2021, in a series of transactions, multiple wallets controlled by the PolyPlay team saw unauthorized transfers of $1.6M, indicating a private key compromise. In a since-deleted post on X (formerly Twitter) the PolyPlay team shared the attacker's wallet address and a Binance-listing phishing email they had received.
On-chain aspects
Theft Address
0x0040c81b7de0953e5b9fc056700479cace1b7500
350 ETH from the incident was then deposited to Tornado Cash on November 8, 2021 and 320 ETH was withdrawn 90 minutes later to an address connected to other Lazarus Group hacks. Funds were later deposited to Paxful and Noones accounts.
Paxful deposit address:
0x246569f8b420c8d850c475c53d0d59973b3f08fc
0x593dc5e1ad81667bbfc90739dd2c09c926920e3b
Noones deposit address:
0x2e1155cf5374cba058a04fd03ebd0ba19afe580d
November 2021 — bZx Hack
Incident Summary
On November 3, 2021 the lending protocol bZx had $55M drained from its BSC and Polygon deployments after a bZx developer fell victim to a phishing attack: running a script on his personal computer gave the malicious actor access to his private keys.
In a post-mortem update the bZx core team shared that they had worked with Kaspersky to analyze the incident and concluded it was likely Lazarus Group, as Kaspersky's security team had analyzed prior attacks carried out by the group and found similarities in the tools used and the phishing email received.
On-chain aspects
A preliminary post-mortem published by the bZx team shared wallet addresses involved with the hack.
Theft addresses:
0x74487eed1e67f4787e8c0570e8d5d168a05254d4
0xafad9352eb6bcd085dd68268d353d0ed2571af89
0x0ACC0e5faA09Cb1976237c3a9aF3D3d4b2f35FA5
0x967bb571f0fc9ee79c892abf9f99233aa1737e31
0x6abcA33faeb7deb1E61220e31054f8d6Edacbc81
0x1ae8840ceaef6eec4da1b1e6e5fcf298800b46e6
Connections between theft addresses
The Bondly attacker is directly connected to the bZx hack of November 2021: the 0xc433 theft address funded one of the addresses used by the bZx attacker on Polygon, and on Ethereum it transferred funds to an intermediary address which also received funds from another address involved in the bZx hack listed in the post-mortem blog post. Notably, both attacks share a similar pattern, in that the hacker first gained access to a password and then manipulated the protocol's smart contracts.
On-chain the incident is also connected to other hacks such as mgnr.io, PolyPlay, Wonderhero and the ANKR founder, as dust left over in the theft addresses was swept to a single address in February 2022.
0x2d7554062664050294640891a122019a68ac5a2b
bZx hack laundering
Tornado Cash deposits:
- 8600 ETH from the theft was deposited to Tornado Cash from November 15–18, 2021 by 0x20d9
- 2360 ETH from the theft was deposited to Tornado Cash on December 13, 2021 by 0x20d9
Tornado Cash withdrawals:
- 4100 ETH likely from the theft was withdrawn to 0xc7c6 from December 3–10, 2021.
0xc7c6d42875fd091faa16ad0225f587158f47fce4
- 940 ETH likely from the theft was withdrawn to 0x683c on December 18, 2021.
0x683c3d42325ca1beb2475f443c916832f0bd10f2
- 1000 ETH likely from the theft was withdrawn to 0x785b on December 23, 2021.
All Tornado Cash withdrawals of 400 ETH or more from November 15 to December 31, 2021 were reviewed, and no other withdrawals during this period shared the laundering patterns seen in other Lazarus Group thefts.
Post-Mix connections to theft addresses
While this is only a partial demix of 6,400 ETH from the hack, confidence comes from the fact that the Paxful deposit addresses 0x2465 and 0x593d are connected on-chain to the CoinBerry, CoinMetro, Nexus Mutual, FinNexus, PolyPlay and bZx hacks, linking the original theft addresses from multiple incidents to the Tornado Cash withdrawals.
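The "connects back on-chain" argument used here and in the earlier demixes is a path search over the transfer graph: does money from the theft address, or from the post-mix address, reach the same exchange deposit address? The following is an added example of that check, not code from the original article. The transfer list is a constructed, simplified graph whose short address labels only echo the article's notation; it assumes transfers have been exported as (from, to) pairs. It also carries the caveat a practitioner needs: high-traffic hubs such as DEX routers, bridges and exchange hot wallets must be excluded from traversal, otherwise every address on the chain "links" to every other.

```python
"""Linking theft and post-mix addresses through a shared exchange deposit address.

Added example, not code from the original article. The graph is constructed.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


def build_graph(transfers: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Directed adjacency list: src -> {dst, ...}, following the flow of funds."""
    g: Dict[str, Set[str]] = {}
    for src, dst in transfers:
        g.setdefault(src, set()).add(dst)
        g.setdefault(dst, set())
    return g


def flow_path(graph: Dict[str, Set[str]], source: str, target: str,
              max_hops: int = 6, stoplist: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Shortest forward path of transfers from source to target, at most
    max_hops edges long. Addresses in `stoplist` (DEX routers, bridges,
    exchange hot wallets) may be the target but are never traversed through:
    everyone's funds pass those, so a path via them proves nothing."""
    if source == target:
        return [source]
    prev: Dict[str, Optional[str]] = {source: None}
    queue = deque([(source, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt in prev:
                continue
            if nxt == target:
                prev[nxt] = node
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            if nxt in stoplist:
                continue
            prev[nxt] = node
            queue.append((nxt, depth + 1))
    return None


def linked_thefts(graph: Dict[str, Set[str]], thefts: Dict[str, str],
                  deposit_addr: str, **kw) -> Dict[str, List[str]]:
    """Which incidents' addresses reach the exchange deposit address, and how."""
    out: Dict[str, List[str]] = {}
    for name, addr in thefts.items():
        path = flow_path(graph, addr, deposit_addr, **kw)
        if path:
            out[name] = path
    return out


# Constructed sample graph. 0xint1/0xint2 are intermediaries, 0x2465 stands
# for a P2P deposit address, 0xrouter for a DEX router that everyone uses.
HUBS = frozenset({"0xrouter", "0xhotwallet"})
SAMPLE_TRANSFERS = [
    ("0xA069", "0xint1"),      # theft address -> intermediary
    ("0xint1", "0x2465"),      # intermediary -> deposit address
    ("0x20d9", "0xint2"),      # mixer depositor -> second intermediary
    ("0xc7c6", "0xint2"),      # post-mix recipient -> same intermediary
    ("0xint2", "0xint1"),
    ("0xother", "0xrouter"),   # unrelated address swaps through a router...
    ("0xrouter", "0xint1"),    # ...which also paid out to the intermediary
    ("0xlone", "0xlone2"),     # address with no route at all
]
THEFTS = {"CoinBerry": "0xA069", "bZx": "0x20d9", "bZx-postmix": "0xc7c6",
          "unrelated": "0xother", "lone": "0xlone"}

if __name__ == "__main__":
    g = build_graph(SAMPLE_TRANSFERS)
    print(linked_thefts(g, THEFTS, "0x2465", stoplist=HUBS))   # three genuine links
    print(linked_thefts(g, THEFTS, "0x2465"))                  # "unrelated" now links too
```

A path found this way is a lead, not proof: it still has to be read transfer by transfer (amounts, timing, whether an intermediary is a personal wallet or a service) before it is used to attribute an incident.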
August 2023 — Steadefi & CoinShift Hacks
Steadefi Incident summary
On August 7, 2023 the Steadefi team made a post on X (formerly Twitter) informing the community that its deployer wallet had been compromised and that an attacker had transferred ownership of all lending and strategy vaults to an address under the attacker's control, allowing them to drain $1.2M of user assets.
A United Nations report on the DPRK published in March 2024 revealed that a Steadefi team member had been in contact on Telegram with someone pretending to work at a fund named "Spirit Blockchain Group". The attacker sent a malicious file disguised as a presentation for the investment fund, which the team member downloaded.
Steadefi On-Chain Aspects
In a post on X (formerly Twitter) the Steadefi team shared the wallet of the attacker.
Theft address
0x9cf71f2ff126b9743319b60d2d873f0e508810dc
Coinshift Incident Summary
While no public statement has been made about the incident, the sudden transfers of assets on August 16, 2023 from multisig wallets tied to the founder, which were sold immediately, make it likely that the founder was the victim of a private key compromise.
Coinshift On-Chain Aspects
Theft address
0x979ec2af1aa190143d294b0bfc7ec35d169d845c
0x68c4a151d436ec1c5448d225a97bd19cce4dfed0
0xbcd5b968a79a04bf2bb942a449f10c20a7121ed8
0x4c7c2b39e3d642d452adfca632939a60b1baacf7
August 2023 Laundering
624.3 ETH was deposited to Tornado Cash by 0xe10d from the Steadefi hack in August 2023.
900 ETH was deposited to Tornado Cash by 0x68c4 from the Coinshift hack in August 2023.
Further evidence that the attacks were carried out by the same entity is the overlap between deposits made to the Tornado Cash 100 ETH pool within minutes of each other by the Steadefi and Coinshift attackers on August 23, 2023.
The table below shows 15 X 100 ETH deposited to the Tornado Cash 100 ETH pool from both incidents.
Within 24 hrs of the deposits to the Tornado Cash 100 ETH pool, matching amounts were withdrawn to three addresses and later consolidated to a single address on October 12, 2023.
0x5d65aeb2bd903bee822b7069c1c52de838f11bf8
Transfer laundered funds to P2P exchange accounts
Through a series of transactions, the funds sitting in 0x5d65 were converted to USDT, transferred through intermediary addresses and deposited to the P2P marketplaces Paxful and Noones in November 2023. The Paxful deposit address 0x2465 has been reused across other Lazarus Group hacks such as EasyFi, Bondly and Nexus Mutual.
Paxful deposit address
0x246569f8b420c8d850c475c53d0d59973b3f08fc
0x0258c2af4fe694df026cca55d17feebd5b361acc
0x3af55ab7edbca175f80f3a7ddeac5dabf611347b
Noones deposit address
0x4272200ef626d409e9bac681aa0efdb653a9ef0b
Paxful and Noones accounts received $44M from Lazarus Group hacks from July 2022 to November 2023
Paxful deposit address
$12.8M deposits from July 2022 — November 2023
0x246569f8b420c8d850c475c53d0d59973b3f08fc
$12.1M total deposits from January 2023 — November 2023
0x593dc5e1ad81667bbfc90739dd2c09c926920e3b
Noones deposit address
$14.3M total deposits from April 2023 — November 2023
0x2e1155cf5374cba058a04fd03ebd0ba19afe580d
On November 25, 2023 Lazarus Group began using new Paxful and Noones deposit addresses. A full list can be found here.
Converting $44M to fiat on P2P marketplaces Paxful and Noones
OSINT analysis was conducted and I identified two users active on Paxful and Noones whose trading volume was consistent with the amounts deposited from the hacks.
EasyGoatfish351
FairJunco470
The timing of activity on these accounts also matches the deposits. Very few other accounts on Paxful and Noones showed similar levels of trading volume. Taken together, it is very likely that these were the accounts being used.
Additionally, the hot wallet outflows of Noones and Paxful were analyzed and no matching crypto withdrawals of similar volume were observed, indicating that the USDT was likely being exchanged for bank transfers or cash after it was deposited to the sites.
Historically Lazarus Group has used Chinese OTC traders to convert crypto to fiat.
Results of the investigation
At the time of writing, 374K USDT had been blacklisted by Tether in November 2023 and an undisclosed amount had been frozen at centralized exchanges in Q4 2023.
3 of 4 stablecoin issuers have blacklisted an additional $3.4M sitting in a group of addresses. This article will be updated after the 4th follows suit.
Other connected incidents
Exchange user hack — January 2021
Arthur0x hack — March 2022
Geracoin & Darshan hack — September & October 2022
Maverick Founder hack — October 2023
A special thanks to
for their contributions and guidance with the investigation.