Report Interpretation: Analysis of North Korean Hackers, Phishing Groups and Money Laundering Tools
Written by: SlowMist Security Team
In the previous article we mainly interpreted the 2023 blockchain security situation. This article focuses on the activities of the North Korean hacker group Lazarus Group, the major phishing groups, and some of the money laundering tools seen in 2023.
Lazarus Group
Updates 2023
According to public information, as of June 2023 no major cryptocurrency theft had yet been attributed to the North Korean hacker group Lazarus Group. Judging from on-chain activity, Lazarus Group was mainly busy laundering the cryptocurrency it stole in 2022, including roughly US$100 million lost in the attack on the Harmony cross-chain bridge on June 23, 2022.
Subsequent events showed that Lazarus Group was not only laundering the cryptocurrency stolen in 2022. The group stayed dormant and out of sight while quietly carrying out APT attacks, and these activities directly led to the cryptocurrency industry's "101 Days of Darkness", which began on June 3.
During the "101 Days of Darkness", a total of five platforms were compromised, with losses exceeding US$300 million. Most of the targets were centralized service platforms.
Around September 12, SlowMist and its partners discovered that Lazarus Group was conducting large-scale APT attacks against the cryptocurrency industry. The method works as follows: the attackers first disguise their identity, pass the platform's real-person verification to become a genuine customer, and then make a real deposit. Under cover of this customer identity, they deliver customized Mac or Windows Trojans precisely targeted at platform staff at one of the many points where staff and the "customer" (the attacker) communicate. Once they have a foothold, they move laterally within the intranet and lurk for a long time in order to steal funds.
The U.S. FBI has also been paying attention to major thefts in the cryptocurrency ecosystem and has publicly attributed them to Lazarus Group in press releases. The following are the FBI's 2023 press releases concerning Lazarus Group:
- On January 23, the FBI confirmed (https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft) that Lazarus Group was responsible for the Harmony Horizon Bridge hack.
- On August 22, the FBI issued a notice (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk) stating that the North Korean hacker group was behind the attacks on Atomic Wallet, Alphapo and CoinsPaid, stealing a total of $197 million in cryptocurrency.
- On September 6, the FBI issued a press release (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk) confirming that Lazarus Group was responsible for the theft of $41 million from the Stake.com cryptocurrency gambling platform.
Analysis of money laundering methods
Based on our analysis, Lazarus Group's money laundering methods have also evolved over time, with a new method appearing every so often. The timeline of changes in its money laundering methods is as follows:
Group profile analysis
With strong intelligence support from the InMist intelligence network partners, the SlowMist AML team followed up on and analyzed the data related to these theft incidents and to Lazarus Group, and obtained a partial profile of the group:
- Often uses European or Turkish identities as a disguise.
- Dozens of IP addresses, dozens of email addresses and some desensitized identity information have been obtained, including:
  - 111.*.*.49
  - 103.*.*.162
  - 103.*.*.205
  - 210.*.*.9
  - 103.*.*.29
  - 103.*.*.163
  - 154.*.*.10
  - 185.*.*.217
Wallet Drainers
Note: This section was written by Scam Sniffer, for which I would like to express my gratitude.
Overview
Wallet Drainers, a type of cryptocurrency-related malware, have been remarkably successful over the past year. They are deployed on phishing websites to trick users into signing malicious transactions and then steal the assets in their wallets. These phishing campaigns keep attacking ordinary users in many forms, and many people have suffered significant losses after unknowingly signing malicious transactions.
Theft statistics
In the past year, Scam Sniffer has monitored Wallet Drainers stealing nearly $295 million from approximately 320,000 victims.
Theft trends
It is worth mentioning that nearly $7 million was stolen on March 11, mostly through a phishing website impersonating Circle that appeared while the USDC exchange rate was fluctuating. There was also a large spike around the hack of Arbitrum's Discord on March 24 and the airdrop that followed.
Each peak is accompanied by associated mass events. It might be an airdrop, or it might be a hacking incident.
Notable Wallet Drainers
After ZachXBT's revelations about Monkey Drainer, it announced its exit after six months of activity, and Venom took over most of its clients. MS, Inferno, Angel and Pink then appeared around March. When Venom ceased service around April, most phishing gangs switched to other services. Based on a 20% drainer fee, these drainer operators made at least $47 million in profit from selling their services.
Wallet Drainers Trends
By analyzing the trend we can see that phishing activity has grown fairly continuously, and whenever one drainer exits, a new drainer replaces it. For example, after Inferno recently announced its exit, Angel appears to have become the new replacement.
How do they launch phishing campaigns?
The ways in which phishing websites obtain traffic can be roughly divided into several categories:
- Hacker attacks
  - Official project Discord and Twitter accounts hacked
  - Official project front end, or a library it uses, compromised
- Organic traffic
  - Airdropped NFTs or tokens
  - Expired Discord invite links taken over
  - Twitter spam mentions and comments
- Paid traffic
  - Google search ads
  - Twitter ads
Although hacker attacks have a large impact, the community response is usually timely, typically within 10-50 minutes. Airdrops, organic traffic, paid advertising and hijacked expired Discord invite links, however, are much harder to detect. In addition, there is also more targeted phishing of individuals via private messages.
Common phishing signatures
Different asset types call for different ways of eliciting a malicious signature. The above lists some common phishing signature methods for different asset types; a drainer decides which malicious signature to request based on the type of assets the victim's wallet holds.
The case of GMX's signalTransfer being abused to steal Reward LP tokens shows that they have researched the phishing methods for specific assets in great detail.
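As an added example, not code from the original report or from Scam Sniffer, the following Python inspector decodes the calldata a phishing site asks the victim to sign and flags the approval shapes drainers rely on: unlimited ERC-20 allowances, whole-collection setApprovalForAll, gasless permit allowances and transfers to unknown addresses. The function selectors are the standard ERC-20/ERC-721 ones; the drainer address, router address, trusted list and amounts are constructed sample data.

```python
# Added example (not code from the original report or from Scam Sniffer): a
# wallet-side inspector for the calldata a phishing site asks the victim to sign.
# It decodes the ERC-20/ERC-721 functions drainers lean on and flags the shapes
# that hand control of assets to a third party. Selectors are the first four
# bytes of keccak256 of the canonical signature and are fixed by the standards;
# the addresses, amounts and trusted list below are constructed sample data.

UINT256_MAX = 2**256 - 1

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "d505accf": "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
}


def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    w = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(w) != 32:
        raise ValueError("calldata too short for the declared function")
    return w


def _addr(w: bytes) -> str:
    return "0x" + w[12:].hex()


def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")


def inspect_calldata(calldata_hex: str, trusted=frozenset()) -> dict:
    """Return the decoded function name and a list of risk findings (empty = nothing suspicious)."""
    h = calldata_hex.lower()
    data = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    trusted = {t.lower() for t in trusted}
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return {"function": None, "findings": [f"unknown selector 0x{data[:4].hex()}"]}
    name, findings = sig.split("(")[0], []
    if name in ("approve", "increaseAllowance"):
        spender, amount = _addr(_word(data, 0)), _uint(_word(data, 1))
        if amount == UINT256_MAX:
            findings.append("unlimited allowance")
        if amount > 0 and spender not in trusted:
            findings.append(f"allowance granted to untrusted spender {spender}")
    elif name == "setApprovalForAll":
        operator, approved = _addr(_word(data, 0)), _uint(_word(data, 1)) != 0
        if approved and operator not in trusted:
            findings.append(f"whole-collection approval to untrusted operator {operator}")
    elif name == "permit":  # owner, spender, value, deadline, v, r, s
        spender, value = _addr(_word(data, 1)), _uint(_word(data, 2))
        if value == UINT256_MAX:
            findings.append("unlimited allowance")
        if value > 0 and spender not in trusted:
            findings.append(f"gasless allowance to untrusted spender {spender}")
    elif name == "transfer":
        to, amount = _addr(_word(data, 0)), _uint(_word(data, 1))
        if to not in trusted:
            findings.append(f"direct transfer of {amount} to untrusted address {to}")
    elif name == "transferFrom":
        src, to, amount = _addr(_word(data, 0)), _addr(_word(data, 1)), _uint(_word(data, 2))
        if to not in trusted:
            findings.append(f"moves {amount} from {src} to untrusted address {to}")
    return {"function": name, "findings": findings}


def encode_call(selector: str, *args) -> str:
    """ABI-encode static arguments (ints, or 0x-prefixed addresses) to build constructed samples."""
    out = bytes.fromhex(selector)
    for a in args:
        out += bytes.fromhex(a[2:]).rjust(32, b"\x00") if isinstance(a, str) else int(a).to_bytes(32, "big")
    return "0x" + out.hex()


# Constructed sample data (placeholder addresses, not real contracts).
DRAINER = "0x1111111111111111111111111111111111111111"     # attacker-controlled contract
DEX_ROUTER = "0x2222222222222222222222222222222222222222"  # stands in for a known-good contract
TRUSTED = frozenset({DEX_ROUTER})
SAMPLE_UNLIMITED_APPROVE = encode_call("095ea7b3", DRAINER, UINT256_MAX)
SAMPLE_NFT_APPROVAL = encode_call("a22cb465", DRAINER, 1)
SAMPLE_BENIGN_APPROVE = encode_call("095ea7b3", DEX_ROUTER, 10**18)

if __name__ == "__main__":
    for label, cd in [("unlimited approve", SAMPLE_UNLIMITED_APPROVE),
                      ("setApprovalForAll", SAMPLE_NFT_APPROVAL),
                      ("benign approve", SAMPLE_BENIGN_APPROVE)]:
        print(label, inspect_calldata(cd, TRUSTED))
```

The trusted list is the weak point of any such check: a wallet can only whitelist contracts it already knows, so an allowance to a freshly deployed address is the finding that matters most, which is exactly what the drainers' move to throwaway recipient addresses (described below) exploits.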
Use of smarter contracts
1) Multicall
Starting with Inferno, drainers also began to rely more on contract-level techniques. For example, splitting the fee used to require two transactions, which may not be fast enough: the victim may revoke the approval before the second transfer lands. To improve efficiency, they therefore use multicall to move the assets in a single transaction.
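The following Python model, added here and not taken from the original report, shows why the single-transaction fee split matters. It keeps ERC-20 allowance semantics and applies "transactions" in landing order: a transaction with one call is an ordinary transfer, one with several calls is a multicall that succeeds or reverts as a whole. All names and amounts are constructed.

```python
# Added example (not code from the original report): a toy model of the fee split
# that drainers perform after the victim signs an approval. ERC-20 allowance
# semantics are kept; each "transaction" is a list of calls that succeed or
# revert together, applied in landing order. All names and amounts are constructed.

UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Raised when a call fails; the enclosing transaction is rolled back."""


class ToyERC20:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount:
            raise Revert(f"{spender} may move {allowed}, asked for {amount}")
        if self.balances.get(owner, 0) < amount:
            raise Revert("insufficient balance")
        if allowed != UINT256_MAX:  # unlimited approvals are not decremented
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def apply_transactions(token, txs):
    """Apply transactions in landing order. A tx is a list of (callable, args):
    one call is an ordinary transaction, several calls form a multicall that
    either fully succeeds or fully reverts."""
    outcomes = []
    for calls in txs:
        snapshot = (dict(token.balances), dict(token.allowance))
        try:
            for fn, args in calls:
                fn(*args)
            outcomes.append("ok")
        except Revert:
            token.balances, token.allowance = snapshot  # roll back the whole tx
            outcomes.append("reverted")
    return outcomes


VICTIM, DRAINER, OPERATOR, AFFILIATE = "victim", "drainer-contract", "drainer-operator", "affiliate"


def fee_split(atomic):
    """The victim signs an unlimited approval for the drainer contract (the
    phishing signature), then notices and revokes it. With two separate
    transfers the revoke can land between them; with a multicall both legs
    land together. Returns (outcomes per tx, final balances)."""
    token = ToyERC20({VICTIM: 1000})
    token.approve(VICTIM, DRAINER, UINT256_MAX)
    operator_cut = (token.transfer_from, (DRAINER, VICTIM, OPERATOR, 200))    # 20% drainer fee
    affiliate_cut = (token.transfer_from, (DRAINER, VICTIM, AFFILIATE, 800))  # 80% to the phishing gang
    revoke = (token.approve, (VICTIM, DRAINER, 0))
    if atomic:
        txs = [[operator_cut, affiliate_cut], [revoke]]
    else:
        txs = [[operator_cut], [revoke], [affiliate_cut]]
    return apply_transactions(token, txs), token.balances


if __name__ == "__main__":
    for mode in (False, True):
        outcomes, balances = fee_split(atomic=mode)
        print("multicall" if mode else "two transactions", outcomes, balances)
```

In the two-transaction variant the revoke lands between the operator's cut and the affiliate's cut, so the second transfer reverts and the victim keeps 800; in the multicall variant both legs consume the allowance in one transaction and the revoke arrives too late.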
2) CREATE2 & CREATE
Also, to bypass some wallets' security checks, they started using CREATE2 or CREATE to dynamically generate temporary addresses. This renders wallet-side blacklists ineffective and makes phishing research harder, because before signing you do not know which address the assets will be transferred to, and the temporary address has no analytical significance. This is a big change from last year.
Phishing website
The trend in the number of phishing websites clearly shows phishing activity increasing month by month, which is closely tied to the stability of the wallet drainer services.
The above are the domain registrars mainly used by these phishing websites. Analysis of their server addresses shows that most of them use Cloudflare to hide the real server address.
Money laundering tools
Sinbad
Sinbad is a Bitcoin mixer launched on October 5, 2022 that obfuscates transaction details to hide the flow of funds on chain.
The U.S. Treasury Department describes Sinbad as a "virtual currency mixer that serves as the primary money laundering vehicle for the Lazarus Group, a North Korean hacking group designated by OFAC." Sinbad processed funds from the Horizon Bridge and Axie Infinity hacks and also moved funds related to "sanctions evasion, drug trafficking, purchase of child sexual abuse material, and other illicit sales on darknet markets."
The Alphapo hackers (Lazarus Group) used Sinbad in their money laundering process, for example in the following transaction:
(https://oxt.me/transaction/2929e9d0055a431e1879b996d0d6f70aa607bb123d12bfad42e1f507d1d200a5)
Tornado Cash
(https://dune.com/misttrack/mixer-2023)
Tornado Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between source and destination addresses. It uses a smart contract that accepts deposits of ETH and other tokens from one address and allows them to be withdrawn to a different address, so that ETH and other tokens can be sent to any address in a way that hides the sending address.
In 2023, users deposited a total of 342,042 ETH (approximately $614 million) to Tornado Cash, and withdrew a total of 314,740 ETH (approximately $567 million) from Tornado Cash.
eXch
(https://dune.com/misttrack/mixer-2023)
In 2023, users deposited a total of 47,235 ETH (approximately $90.14 million) to eXch, and a total of 25,508,148 ERC20 stablecoins (approximately $25.5 million) to eXch.
Railgun
Railgun uses zk-SNARK cryptography to make transactions completely invisible. By "shielding" users' tokens inside its privacy system, Railgun makes every transaction appear on the blockchain as if it were sent from the Railgun contract address.
In early 2023, the FBI said the North Korean hacker group Lazarus Group used Railgun to launder more than $60 million stolen from Harmony's Horizon Bridge.
Summary
This article reviews the activities of the North Korean hacker group Lazarus Group in 2023. The SlowMist Security Team continues to track the group, has summarized and analyzed its movements and money laundering methods, and has produced a group profile. In 2023 phishing gangs ran rampant, causing huge financial losses to the blockchain industry, and their activity shows a "relay" pattern: as one operation exits, another takes its place, and their continuous, large-scale attacks put the industry's security under greater pressure. We thank the Web3 anti-fraud platform Scam Sniffer for contributing the disclosure on the Wallet Drainers phishing groups; we believe this content is highly valuable for understanding how they operate and how they profit. Finally, we introduced the money laundering tools commonly used by hackers.