Lazarus Group

Crypto firms beware: Lazarus’ new malware can now bypass detection

The malware payload “LightlessCan” — used in fake job scams — is far more challenging to detect than its predecessor, warn cybersecurity researchers at ESET.

North Korean hacking collective Lazarus Group has been using a new type of “sophisticated” malware as part of its fake employment scams — which researchers warn is far more challenging to detect than its predecessor.

According to a Sept. 29 post from ESET’s senior malware researcher Peter Kálnai, while analyzing a recent fake job attack against a Spain-based aerospace firm, ESET researchers discovered a publicly undocumented backdoor named LightlessCan.

The Lazarus Group’s fake job scam typically involves tricking victims with a potential offer of employment at a well-known firm. The attackers then entice victims to download a malicious payload masquerading as documents, which can do all sorts of damage.

However, Kálnai says the new LightlessCan payload is a “significant advancement” compared to its predecessor BlindingCan.

“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions.”

“This approach offers a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools,” he said.

The new payload also uses what the researcher calls “execution guardrails” — ensuring that the payload can only be decrypted on the intended victim’s machine, thereby avoiding unintended decryption by security researchers.

Kálnai said that one case that involved the new malware came from an attack on a Spanish aerospace firm when an employee received a message from a fake Meta recruiter named Steve Dawson in 2022.

Soon after, the hackers sent over two simple coding challenges embedded with the malware.

The initial contact by the attacker impersonating a recruiter from Meta. Source: WeLiveSecurity.

Cyberespionage was the main motivation behind Lazarus Group’s attack on the Spain-based aerospace firm, he added.

Related: 3 steps crypto investors can take to avoid hacks by the Lazarus Group

Since 2016, North Korean hackers have stolen an estimated $3.5 billion from cryptocurrency projects, according to a Sept. 14 report by blockchain forensics firm Chainalysis.

In September 2022, cybersecurity firm SentinelOne warned of a fake job scam on LinkedIn, offering potential victims a job at Crypto.com as part of a campaign dubbed “Operation Dream Job.”

Meanwhile, the United Nations has been trying to curtail North Korea’s cybercrime tactics at the international level — as it is understood North Korea is using the stolen funds to support its nuclear missile program.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

Florida Man Convicted for Violent Kidnapping, Assault and Crypto-Stealing Scheme

North Korean Hackers Lazarus Group Holds Over $46,000,000 in Bitcoin, Ethereum and Other Crypto: On-Chain Data

The North Korean hacker collective the Lazarus Group holds tens of millions of dollars worth of Bitcoin (BTC) and other digital assets, according to the latest on-chain data. Researchers at 21.co, the parent company of 21shares, the world’s largest crypto exchange-traded product (ETP) issuer, have created a new dashboard showing the crypto holdings of the […]

The post North Korean Hackers Lazarus Group Holds Over $46,000,000 in Bitcoin, Ethereum and Other Crypto: On-Chain Data appeared first on The Daily Hodl.

North Korean Lazarus Group amasses over $40M in Bitcoin, data reveals

The North Korean hacking collective has at least $47 million in cryptocurrency, including Bitcoin, Ether, Binance Coin and various stablecoins, including Binance USD.

North Korean hacking collective Lazarus Group holds a whopping $47 million in cryptocurrency, most of which is in Bitcoin (BTC), new data shows. 

According to data collated on Dune Analytics from 21.co — the parent company of 21Shares — wallets associated with the Lazarus Group currently hold around $47 million worth of digital assets, including $42.5 million in Bitcoin, $1.9 million in Ether (ETH), $1.1 million in Binance Coin (BNB) and an additional $640,000 in stablecoins, primarily BUSD.

However, the amount of crypto held appears to have dropped from the $86 million the group held on Sept. 6, a few days after the Stake.com hack in which Lazarus was implicated.

The Dune dashboard tracks 295 wallets identified by the U.S. Federal Bureau of Investigation (FBI) and Office of Foreign Assets Control (OFAC) as being owned by the hacking group, it noted.

Lazarus Group crypto holdings. Source: Dune Analytics

Surprisingly, the group does not hold any privacy coins such as Monero (XMR), Dash or Zcash (ZEC), which are arguably much harder to trace.

Meanwhile, Lazarus crypto wallets are still highly active with the most recent transaction being recorded on September 20.

21.co also noted that the group’s holdings are likely to be much higher than what has been reported. “We should note that this is a lower-bound estimation of Lazarus Group’s crypto holdings based on publicly available information,” it stated.

Related: 3 steps crypto investors can take to avoid hacks by the Lazarus Group

On September 13, Cointelegraph reported that the Lazarus Group carried out the attack on crypto exchange CoinEx, which lost at least $55 million.

The FBI has also fingered Lazarus for the Alphapo, CoinsPaid, and Atomic Wallet hacks, which collectively added up to more than $200 million that the group stole in 2023.

However, Chainalysis reported that crypto thefts by North Korea-linked hackers are down a whopping 80% from 2022. As of mid-September, North Korea-linked groups had stolen a total of $340.4 million in crypto, down from a record $1.65 billion in pilfered digital assets in 2022.

Late last week, United States federal authorities warned of "significant risk" for potential attacks on U.S. healthcare and public health sector entities by the Lazarus Group.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

Criminals more reliant on cross-chain bridges than ever after mixer crackdowns

The sanction of cryptocurrency mixer Tornado Cash in August caused the first major shift, but that is now accelerating even faster than projected.

Cybercriminals have accelerated their shift away from crypto mixers for cross-chain bridges over the past year, according to blockchain forensics firm Elliptic.

In June and July, nearly all of the stolen crypto was laundered through cross-chain bridges, Elliptic’s data shows, a complete reversal from the first half of 2022.

In a Sept. 18 blog post, Elliptic explained the cross-chain crime trend is due to the “crime displacement” effect — where criminals move to a new method to carry out the illicit activity when the existing method gets over-policed. However, the shift to cross-chain bridges is rising ahead of their projections. 

Proportion of funds laundered between cryptocurrency mixers and cross-chain bridges between January 2022 and July 2023. Source: Elliptic.

Between July and September 2022, the ratio of laundered funds passing through mixers vs. cross-chain bridges flipped, corresponding to the U.S. Office of Foreign Asset Control’s sanctioning of Tornado Cash in August 2022, said the firm.

Elliptic said many cybercriminals, like the North Korean-backed Lazarus Group, flocked to the Avalanche bridge after the sanctions.

This same bridge was reportedly used recently by the Lazarus Group to move some of the funds stolen in Stake’s $41 million exploit on Sept. 4, according to blockchain security firm CertiK.

Crypto mixers saw a small comeback between November 2022 and January 2023 due to the shutdown of RenBridge, which closed in December after its financier, Alameda Research, collapsed along with FTX’s bankruptcy.

Elliptic estimates that RenBridge facilitated $500 million in laundered funds throughout its operation.

Shortly after, however, criminals moved back to cross-chain bridges, in an even greater proportion than before.

Related: 3 steps crypto investors can take to avoid hacks by the Lazarus Group

Elliptic said that criminals may prefer cross-chain bridges because it is difficult for blockchain forensic firms to track illicit activity across chains in a scalable manner.

“Criminals are aware that legacy blockchain analytics solutions do not have the means to trace illicit blockchain activity across blockchains or tokens in a programmatic or scalable manner.”

In addition, many of these stolen tokens are only exchangeable through cross-chain bridges, while most of these DeFi services do not require identity verification to use, Elliptic explained.

The firm estimates that $4 billion in illicit or high-risk cryptocurrencies have been laundered through cross-chain bridges since 2020.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story

3 steps crypto investors can take to avoid hacks by the Lazarus Group

The Lazarus Group has mastered the art of stealing crypto investors’ assets. Here are a few tips on how investors can protect their portfolios.

Cryptocurrency users frequently fall prey to online hacks, with Mark Cuban being just the latest high-profile example of how nearly a million dollars can leave your digital wallet.

It is possible to substantially bolster the security of your funds by heeding three simple guidelines that will be outlined in this article. But before delving into these, it's crucial to understand the type of threat that exists today. 

FBI has clear evidence on the Lazarus Group

The Lazarus Group is a North Korean state-sponsored hacking group, known for its sophisticated attacks and linked to a range of cyberattacks and cybercriminal activities, including the WannaCry ransomware attack.

WannaCry disrupted critical services in numerous organizations, including healthcare institutions and government agencies, by encrypting files on infected computers and demanding a ransom payment in Bitcoin (BTC).

One of its earliest crypto-related hacks was the breach of South Korean crypto exchange Yapizon (later rebranded to Youbit) in April 2017, resulting in the theft of 3,831 Bitcoin, worth over $4.5 million at the time.

The Lazarus Group's activities in the cryptocurrency space have raised concerns about its ability to generate funds for the North Korean regime and evade international sanctions. For instance, in 2022 the group was tied to a number of high-profile cryptocurrency hacks, including the theft of $620 million from Axie Infinity bridge Ronin.

The Federal Bureau of Investigation (FBI) blamed Lazarus Group for the Alphapo, CoinsPaid and Atomic Wallet hacks, stating that losses from all of these hacks add up to over $200 million the group has stolen in 2023.

This month, the FBI attributed the $41 million hack of the crypto gambling site Stake to Lazarus Group; the attack was carried out through a spear-phishing campaign that targeted some of its employees.

Lastly, according to blockchain security firm SlowMist, the $55 million hack of the crypto exchange CoinEx was carried out by the North Korean state-sponsored hackers.

Most hacks involve social engineering and exploit human error

Contrary to what movies usually depict, where hackers either gain physical access to devices or brute-force passwords, most hacks occur through phishing and social engineering. The attacker relies on human curiosity or greed to entice the victim.

Those hackers may pose as customer support representatives or other trusted figures in order to trick victims into giving up their personal information.

For instance, a hacker might impersonate a company's IT support and call an employee, claiming they need to verify their login credentials for a system update. To build trust, the attacker might use public information about the company and the target's role.

Related: North Korean crypto hacks down 80%, but that could change overnight: Chainalysis

Phishing attacks involve sending deceptive emails or messages to trick recipients into taking malicious actions. An attacker might impersonate a reputable organization, such as a bank, and send an email to a user, asking them to click on a link to verify their account. The link takes them to a fraudulent website where their login credentials are stolen.

Baiting attacks offer something enticing to the victim, such as free software or a job opportunity. An attacker poses as a recruiter and creates a convincing job posting on a reputable job search website. To further establish trust, they may even conduct a fake video interview, and later inform the candidate that they have been selected. The hackers proceed by sending a seemingly innocuous file, like a PDF or a Word document, which contains malware.

How crypto investors can avoid hacks and exploits

Luckily, despite the increasing sophistication and capabilities of hackers today, there are three simple steps you can take to keep your funds safe. Namely: 

  • Use hardware wallets for long-term storage of your crypto assets. Because they are not directly connected to the internet, they are highly resistant to online threats like phishing attacks or malware, and they provide an extra layer of protection by keeping your private keys offline and away from potential hackers.
Common crypto hardware wallets. Source: Enjin
  • Enable Two-Factor Authentication, or 2FA, on all your crypto exchange and wallet accounts. This adds an extra security step by requiring you to provide a one-time code generated by an app like Google Authenticator or Authy. Even if an attacker manages to steal your password, they won't be able to access your accounts.
  • Be extremely cautious when clicking on links in emails and on social media. Scammers often use enticing offers or giveaways to lure victims. Use separate "burner" accounts or wallets for experimenting with new decentralized applications and for airdrops to reduce the risk of losing your funds.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

North Korean crypto hacks down 80% but that could change overnight: Chainalysis

Crypto bad actors from the DPRK have stolen $340.4 million in 2023, down from $1.7 billion from the prior year, but that's no reason to feel at ease.

Cryptocurrency stolen by North Korea-linked hackers is down a whopping 80% from 2022 — but a blockchain forensics firm says it isn’t necessarily a sign of progress.

As of Sept. 14, 2023, North Korea-linked hackers have stolen a total of $340.4 million worth of cryptocurrency, down from a record $1.65 billion reported stolen in 2022.

Cryptocurrency funds stolen by North Korean-backed groups between 2016-2023. Source: Chainalysis

“The fact that this year’s numbers are down is not necessarily an indicator of improved security or reduced criminal activity,” Chainalysis said in a Sept. 14 report. “We must remember that 2022 set a dismally high benchmark.”

“In reality, we are only one large hack away from crossing the billion-dollar threshold of stolen funds for 2023.”

Over the past 10 days, North Korea’s Lazarus Group has been linked to two separate hacks — Stake ($40 million) on Sept. 4 and CoinEx ($55 million) on Sept. 12, combining for a loss of over $95 million.

With the latest two hacks, North Korea-linked attacks have accounted for about 30% of all crypto funds stolen in hacks this year, noted Chainalysis.

Funds stolen from North Korean hacking groups vs others between 2016 and 2023. Source: Chainalysis

North Korea turns to dubious exchanges, mixers

Meanwhile, Chainalysis has found that North Korean hackers have become increasingly reliant on certain Russian-based exchanges to launder illicit funds over the last few years. 

The firm said North Korea has been using various Russian-based exchanges since 2021. One of the largest laundering events involved $21.9 million in funds transferred from Harmony’s $100 million bridge hack on June 24, 2022.

United States-sanctioned cryptocurrency mixers Tornado Cash and Blender have also been used by Lazarus Group in the Harmony Bridge hack and other high-profile hacks committed by the group.

Related: FBI flags 6 Bitcoin wallets linked to North Korea, urges vigilance in crypto firms

The United Nations is making an effort to curtail North Korea’s cybercrime tactics at the international level — as it is understood North Korea is using the stolen funds to support its nuclear missile program.

Meanwhile, the firm hopes increased smart contract audits will make life tougher for these hackers.

Magazine: Deposit risk: What do crypto exchanges really do with your money?

Hackers behind $41M Stake heist shift BNB, MATIC in latest move: CertiK

A total of $4.8 million in funds has now been moved by the hacker, first to Bitcoin and now to Avalanche.

The hackers behind cryptocurrency casino Stake’s $41 million hack have shifted another $328,000 worth of Polygon (MATIC) and Binance Coin (BNB) tokens — their latest moves following the Sept. 4 exploit, according to blockchain security firm CertiK.

The most recent transfer involved 300 BNB tokens, worth about $61,500, sent to an externally owned address, “0x695…”, and then bridged to the Avalanche blockchain on Sept. 11 at 4:09 pm UTC.

Another 520,000 MATIC tokens worth over $266,000 were also moved to Avalanche seven hours earlier at 7:18 am UTC.

The 520,000 MATIC and 300 BNB — totaling $328,000 — add to the $4.5 million in stolen funds that were bridged to the Bitcoin blockchain (in the form of BTC) on Sept. 7, according to blockchain security firm Arkham.

The total $4.8 million transferred, however, represents only 1.2% of the total $41 million stolen by the hackers.

It is understood the hacker gained access to the private key of Stake’s Binance Smart Chain and Ethereum hot wallets to perpetrate the hack on Sept. 4.

The United States Federal Bureau of Investigation believes North Korea’s Lazarus Group was behind the exploit.

Estimated funds lost from hacks, scams pass $1 billion

With $41 million stripped from Stake, the industry’s malicious actors have now taken the cryptocurrency hacks and scams toll to well over $1 billion in 2023.

CertiK previously reported the figure to be $997 million at the end of August, though several attacks in the last two weeks will push the figure over the $1 billion mark. 

Related: CertiK drops findings on alleged scammer who stole $1M in crypto

A cryptocurrency whale lost $24 million in staked Ether (ETH) in a phishing attack on Sept. 6, and Vitalik Buterin’s X (formerly Twitter) account was compromised on Sept. 9, after which the hacker lured several victims into a nonfungible token scam that totaled $691,000.

The three incidents would take CertiK’s August figure to at least $1.04 billion.

Other recent incidents include Pepe (PEPE) coin’s withdrawal incident which set back investors $13.2 million, Exactly Protocol’s $7.3 million exploit and an exposed security vulnerability on Balancer which did $2.1 million in damage.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story

Stake hack of $41M was performed by North Korean group: FBI

After investigating, the FBI concluded that the hack of crypto gambling site Stake was carried out by North Korean hackers Lazarus Group.

The $41 million hack of crypto gambling site Stake was carried out by the North Korean Lazarus Group, the Federal Bureau of Investigation (FBI) stated in an announcement on Sept. 7. This group has stolen more than $200 million of crypto in 2023, the announcement stated.

Stake is a crypto gambling platform that offers casino games and sports betting. It was the victim of a cyberattack on Sept. 4 that drained over $41 million worth of cryptocurrency from its hot wallets. The Stake team stated that the hacker only obtained a small percentage of funds and that users would not be affected.

According to the FBI statement on Sept. 7, the agency has carried out an investigation and has concluded that the attack was performed by the Lazarus Group, a notorious cybercrime organization believed to be associated with the Democratic People’s Republic of Korea (DPRK). DPRK is also known as “North Korea.”

The FBI listed the addresses where the stolen funds are now held, which exist on the Bitcoin, Ethereum, BNB Smart Chain and Polygon networks. It recommended that all crypto protocols and businesses review the addresses used in the hack and avoid transacting with them, stating:

“Private sector entities are encouraged to review the previously released Cyber Security Advisory on TraderTraitor and examine the blockchain data associated with the above-referenced virtual currency addresses and be vigilant in guarding against transactions directly with, or derived from, those addresses.”

Related: FBI flags 6 Bitcoin wallets linked to North Korea, urges vigilance in crypto firms

The agency also blamed Lazarus for the Alphapo, CoinsPaid and Atomic Wallet hacks, stating that losses from all of these hacks add up to over $200 million the group has stolen in 2023. Alphapo is a payment processor that suffered over $65 million in suspicious withdrawals on July 23. CoinsPaid, another payments firm, lost over $37 million through social engineering sometime in late July. And Atomic Wallet users lost a whopping $100 million in June through an unknown exploit.

Crypto payment gateway CoinsPaid suspects Lazarus Group in $37M hack

CoinsPaid said it is now working with Estonian law enforcement, and several blockchain security firms are assisting to minimize the impact of the July 22 exploit.

Cryptocurrency payments platform CoinsPaid has pointed the finger at the North Korean state-backed Lazarus Group as being behind the hacking of its internal systems, which allowed the attackers to steal $37.3 million on July 22.

“We suspect Lazarus Group, one of the most powerful hacker organisations, is responsible,” CoinsPaid explained in a July 26 post.

While CoinsPaid didn’t explain how the money was stolen exactly, the incident forced the firm to halt operations for four days.

CoinsPaid confirmed that operations are back up and running in a new, limited environment.

The firm added that customer funds remain intact but considerable damage was done to the platform and the firm’s balance sheet.

Despite the huge exploit, CoinsPaid believes the cybercrime organization was chasing a much larger sum:

“We believe Lazarus expected the attack on CoinsPaid to be much more successful. In response to the attack, the company's dedicated team of experts has worked tirelessly to fortify our systems and minimize the impact, leaving Lazarus with a record-low reward.”

CoinsPaid filed a report with Estonian law enforcement three days after the hack to further investigate the exploit. In addition, several blockchain security firms such as Chainalysis, Match Systems and Crystal assisted in CoinsPaid’s preliminary investigation over the first few days.

The firm’s CEO, Max Krupyshev, is confident that the Lazarus Group will be held accountable for its actions.

“We have no doubt the hackers won’t escape justice.”

Blockchain security firm SlowMist believes the CoinsPaid hack may be linked to two recent hacks in Atomic Wallet and Alphapo, which were exploited to the tune of $100 million and $60 million respectively.

Lazarus Group targeting crypto devs

Online coding platform GitHub believes — with “high confidence” — that Lazarus Group is conducting a social engineering scheme targeted at workers in the cryptocurrency and cybersecurity sectors.

According to a July 26 post by cybersecurity platform Socket.Dev, Lazarus Group’s objective is to lure in these professionals and compromise their GitHub accounts with malware-infected NPM packages to infiltrate their computers.

Related: Era Lend on zkSync exploited for $3.4M in reentrancy attack

The cybersecurity platform said the first point of contact is often on a social media platform like WhatsApp, where the rapport is built before the victims are led to clone malware-laden GitHub repositories.

Socket.Dev urged software developers to review repository invitations closely before collaborating and to be cautious when abruptly approached on social media to install npm packages.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story

Atomic Wallet hackers turn to OFAC-sanctioned Garantex: Elliptic

Crypto stolen from Atomic wallets has started passing through the sanctioned Russian-based exchange Garantex, according to Elliptic.

Illicit funds gained from the $35 million Atomic Wallet hack are on the move again, with sanctioned Russian-based crypto exchange Garantex reportedly becoming the latest to come in contact with the hacked crypto. 

On June 13, blockchain security and compliance firm Elliptic updated the situation regarding the stolen Atomic Wallet funds. It alleges that the North Korean hacking collective, the Lazarus Group — which it believes is behind the attack — has used sanctioned Russian-based crypto exchange Garantex to launder the loot.

In a Twitter post, the firm said there had been a significant and successful cross-community effort between Elliptic and many exchange partners to freeze the stolen crypto. However, Lazarus has now found other means to trade their assets for Bitcoin (BTC).

The U.S. Office of Foreign Assets Control (OFAC) sanctioned Garantex and the Russian Hydra dark web marketplace in April 2022.

Garantex was founded in late 2019 and originally registered in Estonia before moving the majority of its operations to Moscow, the Treasury Department noted at the time.

“Analysis of known Garantex transactions shows that over $100 million in transactions are associated with illicit actors and darknet markets,” it added.

Earlier this month, Cointelegraph reported that the ill-gotten gains were being channeled through the Sinbad.io mixer, a service frequently used by the Lazarus Group.

Elliptic added that the funds withdrawn from Garantex by the hackers continue to be obfuscated through the Sinbad.io mixer.

The Treasury Department also sanctioned Blender.io (the former iteration of Sinbad.io) in May 2022, warning that the service was being used by North Korea to “support its malicious cyber activities and money-laundering of stolen virtual currency.”

Related: OFAC sanctions OTC traders who converted crypto for North Korea’s Lazarus group

On June 3, a number of Atomic Wallet user accounts were compromised, resulting in losses of up to $35 million in digital assets.

Five days later, Atomic stated that it had engaged blockchain security and analyst company Chainalysis as the leading incident investigator. Cointelegraph reached out to Chainalysis for an update on the investigation but a spokesperson said they couldn’t comment on the Atomic Wallet case.

The notorious North Korean hacking collective has been linked to several major crypto exploits in the past year, including the Harmony Bridge hack and the Ronin Bridge hack.

Magazine: Huawei NFTs, Toyota’s hackathon, North Korea vs. Blockchain: Asia Express