A prolific North Korean state-backed hacking group has been linked to recent attacks on Atomic Wallet customers, which resulted in estimated losses of $35m.
The firm, which provides decentralized wallets supporting over 500 coins and tokens, revealed last weekend that some customers were complaining that their funds had been drained.
Shortly after Infosecurity reported the initial story, blockchain analysis company Elliptic claimed the money trail had led it to Lazarus.
“At Elliptic, we have identified a large number of victim wallets, allowing the stolen funds to be traced in our software. Exchanges and other crypto businesses using Elliptic’s tools can identify any deposits originating from the hack,” it explained.
“Our Investigations Team is also following the transaction trail. Elliptic analysis of the thief’s transactions leads us to attribute this hack to North Korea’s Lazarus Group, with a high level of confidence.”
This attribution is based on several factors, most notably:
- The process of laundering the stolen cryptocurrency follows exactly the same series of steps that Lazarus has used before
- The services used to launder the assets, including the Sinbad mixer, have also been used by Lazarus in the past
- It is possible that the stolen cryptocurrency has been combined in wallets that already hold digital money stolen in previous Lazarus heists
Elliptic claimed that if it’s right, this will be the first time Lazarus has been publicly blamed for a cryptocurrency heist since it stole $100m from Horizon Bridge in 2022.
North Korean state-backed hackers are unusual in that they focus not just on cyber-espionage but also on amassing funds for the Kim Jong-un regime’s missile and nuclear program.
A report from earlier in the week claimed that the country makes around 50% of its foreign currency income from such attacks. It may have stolen billions of dollars over recent years, according to some estimates.