Report Interpretation Analysis of North Korean Hackers, Phishing Groups and Money Laundering Tools
Written by: SlowMist Security Team
In the previous article we interpreted the 2023 Blockchain Security Situation; this article focuses on the activity of the North Korean hacker group Lazarus Group, the major phishing groups, and some money laundering tools in 2023.
Lazarus Group
Updates 2023
According to public information in 2023, as of June no major cryptocurrency theft had yet been attributed to the North Korean hacker group Lazarus Group. Judging from on-chain activity, Lazarus Group was mainly laundering cryptocurrency funds stolen in 2022, including roughly US$100 million taken in the attack on the Harmony cross-chain bridge on June 23, 2022.
Subsequent events showed that, beyond laundering the funds stolen in 2022, Lazarus Group had not been idle. The group stayed dormant in the dark and secretly carried out APT-style attacks, which directly led to the "Dark 101 Days" of the cryptocurrency industry that began on June 3.
During the "101 Days of Darkness", five platforms were robbed of more than US$300 million in total; most of the targets were centralized service platforms.
Around September 12, SlowMist and its partners found that Lazarus Group was conducting large-scale APT attacks against the cryptocurrency industry. The method was as follows: first, the attackers disguise their identity, pass the auditor's real-person verification to become a genuine customer, and make a real deposit. Under cover of this customer identity, at multiple points of communication between the platform's staff and the "customer", customized Mac or Windows Trojans are precisely delivered to staff members. After gaining access, the attackers move laterally within the intranet and lurk for a long time, ultimately in order to steal funds.
The U.S. FBI has also been following the major thefts in the cryptocurrency ecosystem and has stated publicly in press releases that they were carried out by the North Korean hacker group Lazarus Group. The following are the FBI press releases issued in 2023 concerning Lazarus Group:
- On January 23, the FBI confirmed (https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft) that the North Korean hacker group Lazarus Group was responsible for the Harmony hack.
- On August 22, the FBI issued a notice (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk) stating that the North Korean hacker group was behind the attacks on Atomic Wallet, Alphapo and CoinsPaid, stealing a total of $197 million in cryptocurrency.
- On September 6, the FBI issued a press release (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk) confirming that Lazarus Group was responsible for the theft of $41 million from the Stake.com cryptocurrency gambling platform.
Analysis of money laundering methods
According to our analysis, the money laundering methods of Lazarus Group have continued to evolve over time, with a new laundering method appearing every so often. The timeline of changes in laundering methods is as follows:
Gang profiling analysis
With strong intelligence support from InMist intelligence network partners, the SlowMist AML team followed up on and analyzed data related to these thefts and to Lazarus Group, and obtained a partial profile of the group:
- Often uses European or Turkish identities as a disguise.
- Dozens of IP addresses, dozens of email addresses and some desensitized identity information have been obtained:
  - 111.*.*.49
  - 103.*.*.162
  - 103.*.*.205
  - 210.*.*.9
  - 103.*.*.29
  - 103.*.*.163
  - 154.*.*.10
  - 185.*.*.217
Wallet Drainers
Note: This section was written by Scam Sniffer, for which I would like to express my gratitude.
Overview
Wallet Drainers, a type of cryptocurrency-related malware, achieved significant "success" over the past year. This software is deployed on phishing websites to trick users into signing malicious transactions, after which it steals the assets in their cryptocurrency wallets. These phishing campaigns keep attacking ordinary users in many forms, and many people have suffered significant property losses after unknowingly signing malicious transactions.
Theft statistics
In the past year, Scam Sniffer has monitored Wallet Drainers stealing nearly $295 million from approximately 320,000 victims.
Theft trends
It is worth mentioning that nearly $7 million was stolen on March 11, mostly because phishing websites impersonating Circle appeared during the fluctuation of the USDC exchange rate. There was also a large peak around the hack of Arbitrum's Discord on March 24 and the subsequent airdrop.
Each peak coincides with a related mass event, which may be an airdrop or a hacking incident.
Notable Wallet Drainers
After ZachXBT exposed Monkey Drainer, that drainer announced its exit following six months of activity, and Venom took over most of its clients. MS, Inferno, Angel and Pink then appeared around March. When Venom ceased service around April, most of the phishing gangs moved to other services. Based on a 20% drainer fee, these drainers made at least $47 million in profit from selling their services.
Wallet Drainers Trends
The trend shows that phishing activity has grown fairly continuously, and whenever a drainer withdraws, a new one replaces it. For example, after Inferno recently announced its withdrawal, Angel appears to have become the new replacement.
How do they launch phishing campaigns?
The ways in which phishing websites obtain traffic can be roughly divided into several categories:
- Hacker attacks
  - Official project Discord and Twitter accounts hacked
  - Official project front end or the libraries it uses attacked
- Organic traffic
  - Airdropped NFTs or tokens
  - Expired Discord invite links taken over
  - Twitter spam mentions and comments
- Paid traffic
  - Google search ads
  - Twitter ads
Although hacker attacks have a large impact, the response is usually timely: the community generally takes action within 10-50 minutes. Airdrops, organic traffic, paid advertising and taken-over Discord links are much harder to detect. In addition, there is more targeted phishing of individuals via private messages.
Common phishing signatures
Different asset types are attacked with different kinds of malicious phishing signatures; the above are some common phishing signature methods for each asset class. Drainers decide which malicious signature to request based on the asset types held in the victim's wallet.
The case of using GMX's signalTransfer to steal Reward LP tokens shows that they have researched phishing methods for specific assets in great detail.
Using more smart contract techniques
1) Multicall
Starting with Inferno, drainers also began to use more smart contract techniques. For example, fee splitting previously required two transactions, which may not be fast enough: the victim may revoke the authorization before the second transfer goes through. To improve efficiency, they use multicall to transfer assets in a single transaction.
2) CREATE2 & CREATE
Likewise, to bypass some wallets' security checks, they started using create2 or create to dynamically generate temporary addresses. This renders wallet-side blacklists ineffective and makes phishing research harder, because without signing you cannot know which address the assets will be transferred to, and a temporary address has no analytical value. This is a big change from last year.
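The multicall and create2 points above describe why a wallet cannot judge a transaction by its outer function selector or by a recipient blacklist alone. The following is an added example, not code from the original article or from Scam Sniffer, of a pre-signing check that ABI-decodes a Uniswap-style `multicall(bytes[])` bundle and reports every inner `approve`, `setApprovalForAll`, `transfer` or `transferFrom` whose spender or recipient is not on the user's trusted list. The selectors are the standard ERC-20/ERC-721 ones; the drainer-style bundle, the addresses and the `DEX_ROUTER` label are constructed for the demonstration.

```python
"""Pre-signing calldata inspector (added example, standard library only).

Looks inside Uniswap-style multicall(bytes[]) bundles and reports approvals or
transfers that hand the signer's assets to an address outside the trusted list."""

# 4-byte selectors = first four bytes of keccak256(signature); all are the standard ones.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "ac9650d8": "multicall(bytes[])",
}
UINT256_MAX = 2**256 - 1
MAX_NESTING = 4


def _word(buf: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word of buf."""
    return buf[32 * i:32 * (i + 1)]


def _addr(word: bytes) -> str:
    """Decode a left-padded ABI address word to lowercase 0x-hex."""
    return "0x" + word[12:].hex()


def pad_address(addr: str) -> bytes:
    """ABI-encode a 0x-hex address as a 32-byte word."""
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def encode_multicall(inner: list[bytes]) -> bytes:
    """ABI-encode multicall(bytes[]): selector | offset(0x20) | length | element offsets | elements."""
    head = (32).to_bytes(32, "big") + len(inner).to_bytes(32, "big")
    offsets, tails = [], []
    cursor = 32 * len(inner)  # element offsets are measured from the first offset word
    for call in inner:
        offsets.append(cursor.to_bytes(32, "big"))
        padded = call + b"\x00" * (-len(call) % 32)
        tails.append(len(call).to_bytes(32, "big") + padded)
        cursor += 32 + len(padded)
    return bytes.fromhex("ac9650d8") + head + b"".join(offsets) + b"".join(tails)


def decode_multicall(data: bytes) -> list[bytes]:
    """Inverse of encode_multicall: return the inner calldata blobs."""
    body = data[4:]
    arr = body[int.from_bytes(_word(body, 0), "big"):]
    count = int.from_bytes(arr[:32], "big")
    elems = arr[32:]
    out = []
    for i in range(count):
        off = int.from_bytes(_word(elems, i), "big")
        length = int.from_bytes(elems[off:off + 32], "big")
        out.append(elems[off + 32:off + 32 + length])
    return out


def inspect_calldata(data: bytes, trusted: set[str], depth: int = 0) -> list[str]:
    """Return one finding per approval/transfer to an address outside `trusted`,
    descending into nested multicall bundles instead of stopping at the outer selector."""
    name = SELECTORS.get(data[:4].hex(), "unknown")
    args = data[4:]
    findings = []
    if name == "multicall(bytes[])":
        if depth >= MAX_NESTING:
            return ["multicall nested too deeply; refuse to sign rather than guess"]
        for inner in decode_multicall(data):
            findings += inspect_calldata(inner, trusted, depth + 1)
    elif name == "approve(address,uint256)":
        spender, amount = _addr(_word(args, 0)), int.from_bytes(_word(args, 1), "big")
        if spender not in trusted:
            scope = "UNLIMITED" if amount == UINT256_MAX else str(amount)
            findings.append(f"approve: {scope} allowance to untrusted spender {spender}")
    elif name == "setApprovalForAll(address,bool)":
        operator, approved = _addr(_word(args, 0)), int.from_bytes(_word(args, 1), "big") != 0
        if approved and operator not in trusted:
            findings.append(f"setApprovalForAll: entire collection to untrusted operator {operator}")
    elif name in ("transfer(address,uint256)", "transferFrom(address,address,uint256)"):
        to = _addr(_word(args, 0 if name.startswith("transfer(") else 1))
        if to not in trusted:
            findings.append(f"{name.split('(')[0]}: tokens sent to untrusted address {to}")
    return findings


# Constructed sample values (not real addresses): a drainer-style bundle that needs one signature.
ATTACKER = "0x" + "ab" * 20
VICTIM = "0x" + "cd" * 20
DEX_ROUTER = "0x" + "01" * 20


def build_sample_bundle() -> bytes:
    approve = bytes.fromhex("095ea7b3") + pad_address(ATTACKER) + UINT256_MAX.to_bytes(32, "big")
    approve_all = bytes.fromhex("a22cb465") + pad_address(ATTACKER) + (1).to_bytes(32, "big")
    pull = bytes.fromhex("23b872dd") + pad_address(VICTIM) + pad_address(ATTACKER) + (5000).to_bytes(32, "big")
    return encode_multicall([approve, approve_all, pull])


if __name__ == "__main__":
    for finding in inspect_calldata(build_sample_bundle(), {DEX_ROUTER}):
        print(finding)
```

Running the block prints three findings for the constructed bundle, one per inner call. A trusted list is deliberately the only allow-signal here: because create2 lets a drainer mint a fresh destination per victim, a deny-list of known bad addresses would report nothing for this same bundle, which is exactly the evasion the text describes.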
Phishing website
The trend in the number of phishing websites clearly shows phishing activity increasing month by month, which is closely related to the stable availability of wallet drainer services.
The above are the domain registrars mainly used by these phishing websites. Analysis of server addresses shows that most of them use Cloudflare to hide the real server address.
Money Laundering Tools
Sinbad
Sinbad is a Bitcoin mixer founded on October 5, 2022, which obfuscates transaction details to hide the flow of funds on the chain.
The U.S. Treasury Department describes Sinbad as a "virtual currency mixer that serves as the primary money laundering vehicle for the Lazarus Group, a North Korean hacking group designated by OFAC." Sinbad processed funds from the Horizon Bridge and Axie Infinity hacks and also moved funds related to "sanctions evasion, drug trafficking, purchase of child sexual abuse material, and other illicit sales on darknet markets."
The Alphapo hackers (Lazarus Group) have used Sinbad in their money laundering, for example in this transaction:
(https://oxt.me/transaction/2929e9d0055a431e1879b996d0d6f70aa607bb123d12bfad42e1f507d1d200a5)
Tornado Cash
(https://dune.com/misttrack/mixer-2023)
Tornado Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between source and destination addresses. To protect privacy, Tornado Cash uses a smart contract that accepts deposits of ETH and other tokens from one address and allows them to be withdrawn to a different address, so ETH and other tokens can be sent to any address in a way that hides the sending address.
In 2023, users deposited a total of 342,042 ETH (approximately $614 million) to Tornado Cash, and withdrew a total of 314,740 ETH (approximately $567 million) from Tornado Cash.
eXch
(https://dune.com/misttrack/mixer-2023)
In 2023, users deposited a total of 47,235 ETH (approximately $90.14 million) to eXch, and a total of 25,508,148 ERC20 stablecoins (approximately $25.5 million) to eXch.
Railgun
Railgun uses zk-SNARK cryptography to make transactions completely invisible. By "shielding" users' tokens inside its privacy system, Railgun makes every transaction appear on the blockchain as being sent from the Railgun contract address.
In early 2023, the FBI said the North Korean hacker group Lazarus Group used Railgun to launder more than $60 million stolen from Harmony's Horizon Bridge.
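The three tools above all work by breaking the visible link between deposit and withdrawal, so an AML team screens counterparties by asking how many hops separate an address from a labelled mixer contract in either direction. The following is an added example, not code from the original article or from MistTrack, of that screening over a transfer graph; the ledger, the `mixer_contract` label and every other address are constructed placeholders, and the hop limit is an assumed policy threshold.

```python
"""Mixer-exposure screening over a transfer graph (added example)."""
from collections import defaultdict, deque

Transfer = tuple[str, str, int]  # (sender, receiver, amount)

# Constructed sample ledger with placeholder labels; none of these are real addresses.
MIXERS = {"mixer_contract"}
SAMPLE_TRANSFERS: list[Transfer] = [
    ("victim_hotwallet", "hacker_1", 100),      # theft
    ("hacker_1", "mixer_contract", 100),        # deposit into the mixer
    ("mixer_contract", "fresh_1", 60),          # withdrawal to a fresh address
    ("fresh_1", "fresh_2", 60),                 # hop through another fresh address
    ("fresh_2", "exchange_deposit", 60),        # cash-out attempt at an exchange
    ("clean_user", "exchange_deposit_2", 10),   # unrelated, clean deposit
]


def build_adjacency(transfers):
    """Outgoing and incoming neighbour sets for every address in the ledger."""
    outgoing, incoming = defaultdict(set), defaultdict(set)
    for sender, receiver, _amount in transfers:
        outgoing[sender].add(receiver)
        incoming[receiver].add(sender)
    return outgoing, incoming


def shortest_path_to(adj, start, flagged, max_hops):
    """BFS from start along adj; return the first path (at most max_hops edges) that
    reaches a flagged address other than start, or None."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node in flagged and node != start:
            return path
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(adj.get(node, ())):  # sorted for deterministic paths
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def mixer_exposure(transfers, address, mixers, max_hops=3):
    """Both directions: did `address` receive mixer withdrawals (upstream), or send
    funds into a mixer (downstream), within max_hops? Paths are returned source-first."""
    outgoing, incoming = build_adjacency(transfers)
    upstream = shortest_path_to(incoming, address, mixers, max_hops)
    downstream = shortest_path_to(outgoing, address, mixers, max_hops)
    return {
        "received_from_mixer": list(reversed(upstream)) if upstream else None,
        "sent_to_mixer": downstream,
    }


def screen_all(transfers, mixers, max_hops=3):
    """Every address (except the mixers themselves) with any exposure, sorted."""
    nodes = {a for s, r, _ in transfers for a in (s, r)} - set(mixers)
    return sorted(a for a in nodes if any(mixer_exposure(transfers, a, mixers, max_hops).values()))


if __name__ == "__main__":
    for addr in screen_all(SAMPLE_TRANSFERS, MIXERS):
        print(addr, mixer_exposure(SAMPLE_TRANSFERS, addr, MIXERS))
```

With the default three-hop limit the exchange deposit is flagged because it sits three hops downstream of a mixer withdrawal, while the same address is clean at a two-hop limit; the hop threshold is therefore a policy decision that trades false positives against the peel chains of fresh addresses that the Railgun and Tornado Cash sections describe.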
Summary
This article has covered the activity of the North Korean hacker group Lazarus Group in 2023. The SlowMist security team continues to track this group, has summarized and analyzed its activity and laundering methods, and has produced a profile of the gang. In 2023, phishing gangs ran rampant and caused huge financial losses to the blockchain industry; their operations show a "relay" pattern, and their continuous, large-scale attacks pose a major challenge to the industry's security. We thank the Web3 anti-scam platform Scam Sniffer for contributing the disclosure about the Wallet Drainers phishing gangs; we believe this content is an important reference for understanding how they operate and profit. Finally, we introduced the money laundering tools commonly used by hackers.