FBI says North Korean hackers preparing to cash out after high-profile crypto hacks

FBI says North Korean hackers preparing to cash out after high-profile crypto hacks 1

The U.S. government said it believes North Korean hackers are preparing to cash out millions of dollars stolen during a spate of high-profile crypto hacks.

On Tuesday, the FBI warned cryptocurrency companies about recent blockchain activity connected to the theft of hundreds of millions of dollars in cryptocurrency by malicious actors affiliated with the North Korea-backed Lazarus Group, also known as APT38 and “TraderTraitor.”

The FBI said that over the past 24 hours, it had tracked approximately 1,580 Bitcoin — worth more than $40 million — that the North Korean hackers are currently holding in six separate crypto wallets. The FBI said these funds were stolen during “several” cryptocurrency heists.

This includes the theft of virtual currency from Atomic Wallet in June, which saw the hackers compromise an estimated 5,500 customer wallets to steal funds worth more than $100 million. Blockchain analysis firm Elliptic previously said it assessed with a “high level of confidence” that the Lazarus Group was behind the attack, and noted that the laundering of the stolen crypto assets followed “a series of steps that exactly match those employed to launder the proceeds of past hacks perpetrated by Lazarus Group.”

The FBI also linked Lazarus Group hackers to the theft of $60 million in virtual currency from centralized crypto payment provider AlphaPo and $37 million from cryptocurrency wallet provider CoinsPaid.

CoinsPaid, which was forced to halt operations for four days due to the incident, said in a July post-mortem of the attack that it suspected that Lazarus Group was responsible.

The wallet provider also confirmed that it was compromised after hackers contacted CoinsPaid employees via LinkedIn with high-paying job offers — a popular tactic employed by North Korea — to entice them into downloading malware-laced JumpCloud software. JumpCloud was recently breached by North Korean hackers as part of efforts to target cryptocurrency customers, which multiple cybersecurity firms linked to Lazarus Group.

In its advisory, the FBI warned that the North Korean hackers are preparing to cash out the $40 million in stolen funds in the coming days. Crypto organizations are urged to examine recent blockchain data linked to six Bitcoin addresses shared by the FBI and “be vigilant in guarding against transactions directly with, or derived from the addresses.”

“The FBI will continue to expose and combat the DPRK’s use of illicit activities — including cybercrime and virtual currency theft — to generate revenue for the regime,” the FBI added. North Korea is known for using crypto thefts to fund its internationally sanctioned nuclear weapons program.

Lazarus Group has been previously been tied to several other crypto exchange hacks, including the theft of $100 million in crypto assets from Harmony’s Horizon Bridge and the theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.

According to a recent report from blockchain intelligence company TRM Labs, North Korean hackers have stolen almost $2 billion in cryptocurrency since 2018 over more than 30 attacks — including almost $1 billion in 2022 alone. Lazarus Group has stolen approximately $200 million in 2023 so far, according to the report, accounting for over 20% of all stolen crypto this year.

The U.S. government has announced a $10 million reward for information on members of state-sponsored North Korean threat groups, including the notorious Lazarus Group.