On-Chain Insights #10: Crypto Holdings of Lazarus Group
We are thrilled to release our latest dashboard, the Crypto Holdings of Lazarus Group. This dashboard will help you track the cryptocurrency addresses that the U.S. Federal Bureau of Investigation (FBI) and the Office of Foreign Assets Control (OFAC) have identified as belonging to the North Korean cybercrime unit Lazarus Group.
Over $900 million stolen: The Democratic People's Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38) have stolen at least $900 million in assets from various crypto-related cyber attacks, with more than $200 million occurring in 2023 alone.
Recent hacks: The FBI identified Lazarus Group as responsible for stealing $41 million from betting platform Stake.com on September 4, 2023. In July, the North Korean group hacked Alphapo and Coinspaid for $37 million and $60 million, respectively.
Current balance: The estimated crypto balance of the wallets linked to Lazarus Group by the FBI and OFAC is 1.60k BTC, 10.81k ETH, and 64.49k BNB, worth about $75 million as of September 14, 2023.
OFAC sanctioned list: Lazarus Group was one of the ten crypto-linked entities sanctioned by OFAC in the U.S. in 2022 for their hacking activities on behalf of the North Korean government.
As part of our forensic series, we have published dashboards tracking the BTC holdings of the U.S. government and the publicly known addresses of Mt. Gox’s trustee. We are now monitoring the wallets linked to the cybercrime unit Lazarus Group (also known as APT38), which has conducted multiple hacks on behalf of the North Korean government. This dashboard tracks, in real time, 295 wallets identified by the U.S. Federal Bureau of Investigation (FBI) and the Office of Foreign Assets Control (OFAC) as belonging to Lazarus Group.
For context, these are the largest hacks conducted by Lazarus Group, as confirmed by the FBI:
March 29, 2022: ~$620 million theft from Sky Mavis’ Ronin Bridge.
We should note that this is a lower-bound estimate of Lazarus Group’s crypto holdings, based on publicly available information. If you have identified or are aware of any other hacks that have been disclosed, please contact us so we can track the assets in this dashboard.
Our dashboard makes it easy to stay on top of the latest trends and developments — and possibly ahead of the curve.
Lazarus Group recorded almost $40 million in inflows on September 4, 2023 – the day of the Stake.com hack.
The FBI attributed the ~$41 million theft from Stake.com, an online casino and betting platform, to Lazarus Group, a group of DPRK cyber actors. The FBI investigation revealed that the funds were moved across various wallets on the Ethereum, Binance Smart Chain (BSC), and Polygon networks. Based on the data provided in the statement, our dashboard shows ~$39.41 million in inflows on the day of the hack, divided between BNB ($17.76 million), ETH ($15.71 million), and MATIC ($5.94 million).
Figure 1: Lazarus Group asset net flow
Source: 21co / Dune Analytics
The North Korean cyber unit has recorded ~$12.96 million in net outflows since the Stake.com hack, spread over 80 transactions.
Our data shows that Lazarus Group has recorded ~$12.96 million in net outflows since the hack as of September 14. MATIC has experienced the most significant net outflows (~$5.93 million), followed by BNB (~$4.90 million) and BTC (~$1.69 million), while the stolen ETH remains dormant. In this regard, the transaction flows suggest that Lazarus Group converted MATIC balances into BTC first, most likely in an attempt to cash out.
This is consistent with previous operations by the group, in which they quickly converted stolen crypto assets into BTC and ETH. Afterward, the North Korean hackers tend to send significant sums to mixers to launder the money and obfuscate its origin. In fact, OFAC infamously sanctioned the popular Ethereum mixer Tornado Cash in August 2022, adding open-source software to the Specially Designated Nationals (SDN) list for the first time. Among the reasons for the sanction, OFAC cited the mixer’s role in assisting Lazarus Group to launder over $455 million worth of cryptoassets from the Ronin and Harmony Bridge.
Figure 2: Lazarus Group transaction history
Source: 21co / Dune Analytics
The current estimated crypto balance of the Lazarus Group is at least $74 million as of September 14, 2023.
We estimate that the Lazarus Group holds almost $75 million in cryptoassets across 295 wallets identified by the FBI, some of which have also been sanctioned by OFAC. The chart below shows that the crypto holdings of the Lazarus Group were worth a little over $100 million in June last year after the hack of Harmony’s Horizon Bridge, in which the attacker compromised the majority of the private cryptographic keys to a multisig securing the bridge.
Figure 3: Lazarus Group cumulative balance
Source: 21co / Dune Analytics
The three largest crypto holdings of Lazarus Group are BTC (~57%), ETH (~24%), and BNB (~18%), making up ~99% of the total balance.
The Lazarus Group holds 1.60k BTC, its largest holding, worth over $42 million. On August 22, 2023, the FBI warned that approximately 1,580 BTC linked to the cybercrime unit were on the move and that "the DPRK may attempt to cash out the bitcoin." The Lazarus Group also holds 10.81k ETH and 64.49k BNB, worth ~$17.69 million and ~$13.72 million, respectively. Unsurprisingly, they convert most of their balances to BTC and ETH, the largest cryptoassets by market cap and the most liquid. Crucially, BTC and ETH are censorship-resistant assets and are usually sent to mixers as part of the North Korean group's money laundering process.
Figure 4: Lazarus Group balance breakdown by asset and network
Source: 21co / Dune Analytics
Despite misconceptions and the noise malicious actors like Lazarus Group generate, the share of crypto transaction volume linked to illicit activity was only 0.24% in 2022, as per Chainalysis' Crypto Crime Report. In this regard, 43% of 2022's illicit volume came from activity associated with sanctioned entities like Lazarus Group in a year when OFAC sanctioned ten entities and over 300 wallet addresses. A key takeaway from such law enforcement actions is that the transparency of the blockchain allows every transaction to be traced to a degree that isn't possible in traditional finance. We will continue providing real-time tools in 21.co's Forensic Series for the benefit of the broader crypto community.