FBI Warns Over $40 Million Bitcoin Liquidation by DPRK Hackers

  • The US government has issued a warning that North Korean hackers are suspected of preparing to convert millions of dollars stolen in recent crypto hacks
  • The FBI linked the Lazarus Group, associated with North Korea, to the theft of over 1,580 bitcoins (worth over $40 million) from multiple crypto wallets
  • Cryptocurrency companies have been alerted to monitor Bitcoin addresses and transactions linked to these activities

The United States government has issued a warning stating its belief that North Korean hacking groups are preparing to convert millions of dollars stolen during a series of high-profile cryptocurrency hacks. The alert reflects ongoing concern over state-sponsored threat actors in cybercrime, particularly those affiliated with North Korea. The FBI says that tens of millions of dollars in bitcoin could be liquidated as the hackers carry out the final stage of their thefts: cashing out.

1,580 Bitcoin Moved on Monday

The FBI’s warning was posted on its website Tuesday, with the agency alerting cryptocurrency companies to recent blockchain activities linked to the theft of substantial sums of cryptocurrency, amounting to hundreds of millions of dollars. These nefarious activities are believed to be orchestrated by malicious actors associated with the North Korea-backed Lazarus Group. This group is also recognized under aliases like APT38 and “TraderTraitor.”

The FBI disclosed that on Monday it tracked approximately 1,580 bitcoin, worth more than $40 million, being moved. The funds are currently held across six separate Bitcoin addresses and are believed to have been aggregated from several separate cryptocurrency heists.

One such incident involved the breach of Atomic Wallet in June, where an estimated 5,500 customer wallets were compromised, resulting in the theft of over $100 million worth of cryptocurrency. Blockchain analysis firm Elliptic had previously connected the Lazarus Group to this attack, attributing their findings to the distinctive patterns and laundering techniques observed.

Additionally, the FBI linked the Lazarus Group to the theft of $60 million in virtual currency from centralized cryptocurrency payment provider AlphaPo and another $37 million from CoinsPaid, a cryptocurrency wallet provider. The latter’s operations were disrupted for four days due to the attack. In their post-mortem analysis, CoinsPaid indicated a strong suspicion of Lazarus Group involvement.

Modus Operandi Revealed

This chain of events also revealed the hackers’ modus operandi. The Lazarus Group approached CoinsPaid employees via LinkedIn with attractive job offers, a social-engineering tactic commonly associated with North Korea, and in the course of the fake recruitment process led employees to inadvertently download malware-laced JumpCloud software. The incident underscores the lengths to which these groups go to compromise their targets.

The FBI’s advisory carries a grave implication: North Korean hackers are allegedly poised to convert the stolen $40 million into real-world currency in the near future. This warning has prompted crypto organizations to closely analyze recent blockchain data associated with the six Bitcoin addresses provided by the FBI, with a call to be vigilant against transactions originating from these addresses.
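The practical task the advisory hands to exchanges and payment providers is address screening: check whether an incoming deposit was funded, directly or a few hops back, by one of the listed addresses. The following is an added example written for this page, not code from the FBI or from any firm named above. It builds a spend graph from a handful of constructed transactions (placeholder addresses, not real chain data; substitute the six addresses the FBI published and transactions pulled from a node or indexer), traces forward from the watchlist by breadth-first search, and flags deposits whose funding addresses fall within a configurable hop distance.

```python
from collections import deque

# Constructed watchlist: placeholders standing in for the six addresses
# published in the FBI alert. Replace with the real list in production.
WATCHLIST = {
    "bc1q-flagged-01", "bc1q-flagged-02", "bc1q-flagged-03",
    "bc1q-flagged-04", "bc1q-flagged-05", "bc1q-flagged-06",
}

# Constructed sample transactions (not real chain data). "inputs" are the
# addresses spent from; "outputs" are (address, satoshis) pairs. tx3 is a
# deposit that commingles tainted funds (two hops from the watchlist) with
# an unrelated clean input; tx4 is a fully clean deposit.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["bc1q-flagged-02"],
     "outputs": [("hop1-a", 50_000_000), ("hop1-b", 30_000_000)]},
    {"txid": "tx2", "inputs": ["hop1-a"],
     "outputs": [("hop2-a", 49_000_000)]},
    {"txid": "tx3", "inputs": ["hop2-a", "clean-x"],
     "outputs": [("exchange-deposit-1", 60_000_000)]},
    {"txid": "tx4", "inputs": ["clean-y"],
     "outputs": [("exchange-deposit-2", 10_000_000)]},
]


def build_spend_graph(txs):
    """Map each funding address to the set of addresses it paid into."""
    graph = {}
    for tx in txs:
        for src in tx["inputs"]:
            for dst, _ in tx["outputs"]:
                graph.setdefault(src, set()).add(dst)
    return graph


def trace_exposure(txs, watchlist, max_hops=3):
    """Breadth-first search forward along spends from the watchlisted
    addresses. Returns {address: hops} for every address reachable within
    max_hops; watchlisted addresses themselves are at hop 0."""
    graph = build_spend_graph(txs)
    hops = {addr: 0 for addr in watchlist}
    queue = deque(watchlist)
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue  # stop expanding beyond the configured depth
        for nxt in graph.get(cur, ()):
            if nxt not in hops:  # first visit is the shortest path
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def screen_deposit(tx, exposure):
    """Flag a deposit if any of its funding addresses is exposed. Reports
    the closest hop so an analyst can triage direct hits before distant ones."""
    exposed = {src: exposure[src] for src in tx["inputs"] if src in exposure}
    if not exposed:
        return {"txid": tx["txid"], "flag": False, "closest_hop": None, "sources": {}}
    return {"txid": tx["txid"], "flag": True,
            "closest_hop": min(exposed.values()), "sources": exposed}


if __name__ == "__main__":
    exposure = trace_exposure(SAMPLE_TXS, WATCHLIST, max_hops=3)
    for tx in SAMPLE_TXS[2:]:
        print(screen_deposit(tx, exposure))
```

Two caveats follow from the code. The hop limit is a policy choice: with `max_hops=1` the commingled deposit in `tx3` passes unflagged, and raising it increases recall at the cost of sweeping in unrelated addresses, so the threshold should be tuned against your own false-positive tolerance. Second, a deposit that mixes clean and tainted inputs is flagged as a whole; attributing the tainted fraction of the output requires a value-weighted tracing rule, which this example deliberately does not attempt.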

In a broader context, the FBI stated, “The FBI will continue to expose and combat the DPRK’s use of illicit activities — including cybercrime and virtual currency theft — to generate revenue for the regime.” North Korea’s penchant for using cryptocurrency thefts to finance its internationally prohibited nuclear weapons program underscores the severity of the situation.

$2 Billion Stolen Since 2018

The Lazarus Group’s track record includes several other significant crypto hacks, among them the theft of $100 million in cryptocurrency assets from Harmony’s Horizon Bridge and an even larger $540 million from the Ethereum-based sidechain Ronin Network, which underpins the popular play-to-earn game Axie Infinity.

Highlighting the ongoing concerns, a recent report from blockchain intelligence firm TRM Labs reveals that North Korean hackers have managed to abscond with nearly $2 billion in cryptocurrency through over 30 cyberattacks since 2018, with almost $1 billion being stolen just in 2022. In 2023, the Lazarus Group is said to have taken approximately $200 million in stolen crypto, constituting over 20% of the total crypto stolen this year.

To address this threat, the U.S. government has announced a substantial reward of $10 million for information leading to the identification and apprehension of members of state-sponsored North Korean threat groups, with the Lazarus Group in particular garnering considerable attention and concern.