North Korean Lazarus Group Linked To DMM Bitcoin Hack

As an experienced cybersecurity analyst, I’ve seen my fair share of hacks and cyber exploits in the crypto space. The recent DMM Bitcoin hack, which resulted in a massive loss of $305 million, is particularly concerning due to its connection to the North Korean Lazarus Group.

Based on recent findings by crypto sleuth ZachXBT, I believe it is plausible that the North Korean cybercrime syndicate Lazarus Group was behind the DMM Bitcoin hack earlier this year. The evidence includes a trail of fund transfers from wallets linked to Lazarus, as well as striking similarities in money laundering techniques and off-chain indicators.

The DMM Bitcoin Stolen Funds In Motion

Stealing from a cryptocurrency exchange or protocol is a challenge in itself, but laundering the proceeds without detection is another formidable task. The DMM Bitcoin heist, for instance, resulted in over $305 million in losses, as reported by ZachXBT.

Monitoring of funds moving in and out of the platform shows that a total of $35 million has been transferred to the Huione Guarantee exchange this month. According to ZachXBT’s investigation, a wallet linked to the Lazarus Group, holding approximately $29.6 million on the Tron blockchain, has been blacklisted by the stablecoin issuer.

A wallet labelled “TNVaK….s4Ug8” is estimated to have received around fourteen million dollars in cryptocurrency within the three days following the DMM Bitcoin hack. ZachXBT laid out the sequence of events for the benefit of the crypto community.

ZachXBT described the money laundering trail for funds transferred from the DMM Bitcoin hack to Huione as follows, noting that approximately three-quarters of the illicit bitcoin proceeds were routed through this particular entity:

1. Transfer Bitcoins from the hack to the mixing service

— ZachXBT (@zachxbt) July 14, 2024

The stolen funds from DMM Bitcoin were first transferred to a mixing service. Those funds were then withdrawn from the mixer and converted into Ethereum or Avalanche through THORChain, Threshold, or the Avalanche bridge. Finally, the hackers exchanged the BTC for USDT on the Tron network using SWFT.

By the final step, the true source and intended destination of the stolen funds are assumed to have been effectively obscured.
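The kind of claim made above (a given share of the stolen proceeds ended up at one entity after passing through a mixer, a cross-chain swap and a USDT on-ramp) rests on taint tracing over the transaction graph. The following is an added illustration, not code from the article or from ZachXBT: a pro-rata taint tracer run over a constructed, USD-equivalent ledger whose addresses (hack_wallet, mixer_pool, thor_vault, swft_deposit, huione_dep and so on) and amounts are hypothetical. It shows how an unrelated deposit into a shared mixer pool dilutes but does not erase the taint, and how an investigator arrives at a figure such as "three-quarters reached exchange X".

```python
from collections import defaultdict

# Constructed ledger of USD-equivalent transfers in chronological order.
# Addresses are hypothetical labels, not real on-chain addresses; amounts are
# in millions of USD, chosen so the arithmetic works out cleanly.
# Cross-chain swaps (BTC -> ETH via THORChain, ETH -> USDT via SWFT) are
# modelled as plain transfers between the services' deposit addresses.
LEDGER = [
    ("hack_wallet",  "mixer_pool",   "BTC",  100.0),  # stolen BTC enters the mixer
    ("clean_user",   "mixer_pool",   "BTC",  100.0),  # unrelated deposit dilutes the pool
    ("mixer_pool",   "mixer_out_1",  "BTC",  120.0),
    ("mixer_pool",   "mixer_out_2",  "BTC",   80.0),
    ("mixer_out_1",  "thor_vault",   "BTC",  120.0),  # swapped to ETH via THORChain
    ("thor_vault",   "swft_deposit", "ETH",  120.0),  # swapped to USDT (Tron) via SWFT
    ("swft_deposit", "huione_dep",   "USDT", 120.0),  # lands at the flagged exchange
    ("mixer_out_2",  "huione_dep",   "BTC",   30.0),  # second path straight from the mixer
]

# Which hypothetical addresses belong to which service (constructed labels).
LABELS = {
    "mixer_pool": "mixer", "mixer_out_1": "mixer", "mixer_out_2": "mixer",
    "thor_vault": "thorchain", "swft_deposit": "swft", "huione_dep": "huione",
}


def trace_taint(ledger, source, stolen, labels):
    """Pro-rata taint propagation.

    Every outgoing transfer carries the sender's current tainted fraction, so
    clean money mixed into a shared pool dilutes the taint without removing it.
    Returns (tainted value held per address at the end of the ledger,
             services the tainted value touched, in order of first contact).
    """
    balance = {source: stolen}
    tainted = defaultdict(float, {source: stolen})
    route = []
    for sender, receiver, _asset, amount in ledger:
        if amount <= 0:
            continue
        if sender not in balance:
            # First sighting of an address we never funded: external, untainted
            # money entering the picture (e.g. another mixer customer).
            balance[receiver] = balance.get(receiver, 0.0) + amount
            continue
        # Cap at the available balance so a malformed ledger cannot create value.
        amount = min(amount, balance[sender])
        fraction = tainted[sender] / balance[sender] if balance[sender] > 0 else 0.0
        moved = amount * fraction
        balance[sender] -= amount
        tainted[sender] -= moved
        balance[receiver] = balance.get(receiver, 0.0) + amount
        tainted[receiver] += moved
        service = labels.get(receiver)
        if moved > 0 and service and service not in route:
            route.append(service)
    return dict(tainted), route


def share_at(tainted, labels, service, stolen):
    """Fraction of the stolen value now sitting at addresses of `service`."""
    held = sum(v for addr, v in tainted.items() if labels.get(addr) == service)
    return held / stolen


if __name__ == "__main__":
    tainted, route = trace_taint(LEDGER, "hack_wallet", 100.0, LABELS)
    print("route:", " -> ".join(route))
    print("share reaching huione: %.0f%%" % (100 * share_at(tainted, LABELS, "huione", 100.0)))
```

Pro-rata (proportional) attribution is only one of several taint rules investigators use; FIFO or "poison" (any contact taints everything) rules give different numbers for the same ledger, so a published share like "three-quarters" is meaningful only together with the rule and the address labels behind it.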

A Different Hacking Trend

In the modern Web3 landscape, hacks and cyber attacks are regrettably common. Coingape recently reported one such instance: a security breach at Squarespace, an IT services provider whose services power Compound Finance and Celer Network. The result was website outages for these protocols, but fortunately no funds were stolen in the attack.

In most cases, exploits result in permanent financial losses. Occasionally, projects succeed in negotiating terms that allow funds to be returned, but no such refunds have been reported in connection with the Lazarus Group’s exploits. It remains to be seen whether ZachXBT’s recent disclosure will bring any resolution. The DMM Bitcoin hack continues to stand out as one of the most significant industry breaches this year.

2024-07-14 19:34