
Lazarus Group: North Korean Hackers linked to $35 Million Heist.

June 22, 2023

Analysts suggest a link between the infamous Lazarus Group and a $35 million heist. In this case, the targeted victim is the decentralized wallet platform Atomic Wallet. Experts are investigating the possibility of the Lazarus Group's involvement. Earlier last week, hackers compromised the wallets of Atomic Wallet users. A statement reveals that the hack affected less than 1% of its monthly active customers. In total, Atomic Wallet has 5 million users worldwide.

Elliptic is certain this is a Lazarus Hack

Researchers at blockchain analytics firm Elliptic attributed the incident to the Lazarus Group because of the hackers' use of similar techniques observed in previous attacks. For example, the hackers utilized mixer services to launder stolen assets. Lazarus has used the Sinbad mixer, one of these services, to launder the proceeds of past hacks. 

Elliptic suggests that many individuals may have mixed recently stolen cryptocurrency assets into their wallets. These wallets may also unknowingly contain the proceeds from past hacks. The exact details of the attack on Atomic Wallet remain unclear. Hugh Brooks, director of security at CertiK, suggests a bug likely caused the incident. This bug exposed users' private keys, leading to a security breach. 

According to Brooks, what makes this incident notable is the size of the theft. According to Elliptic's report, it signifies the first major heist since the hack on Horizon Bridge in April 2022. Back then, hackers exposed information while laundering the money stolen from Horizon.

A persistent pattern of large scale hacks is forming

North Korean hacking groups have a long history of attacks and are known for launching motivated attacks and intrusion campaigns. Their targets include cryptocurrency exchanges, commercial banks, and e-commerce systems. Research by Recorded Future's Insikt Group shows that these campaigns serve a purpose: they aim to bolster North Korea's continued efforts to generate funds for its regime. This is particularly crucial as the regime remains under significant international sanctions.

According to Elliptic, Lazarus could be responsible for stealing over $2 billion. They have actively stolen digital assets from compromised crypto exchanges and decentralized finance services. Lazarus has gained notoriety for its involvement in such high-value thefts. For example, they are allegedly also responsible for the $540 million hack of Ronin Bridge.

According to researchers, North Korean hackers are behind the hack on Atomic Wallet. This security breach has resulted in estimated losses amounting to millions of dollars. Atomic Wallet, based in Estonia, is a non-custodial decentralized wallet. This means that users are responsible for managing their own assets. The company supports over 500 coins and tokens, including Bitcoin and Ethereum. It claims to have more than five million users of its software worldwide. 

Atomic confirmed reports of compromised wallets and started investigating on June 3. An update posted on June 5 said only a fraction of users, around 50,000 individuals, felt the effect of the hack. According to @ZachXBT, a self-styled on-chain sleuth, hackers stole $35 million. One victim alone accounted for almost 10% of the total stolen amount.

Elliptic stated with a "high level of confidence" that Lazarus was involved in the hacks. The North Korea-backed hackers are responsible, according to Elliptic. In its analysis of the hack, the FBI found that laundering the stolen crypto assets followed a series of steps. These steps match the techniques employed by Lazarus in laundering the proceeds of earlier hacks. The similarity in the laundering methods raised suspicions of the Lazarus Group's involvement.

The Sinbad Mixer is used once again to launder stolen assets

Elliptic discovered the hackers were using Sinbad Mixer to launder assets. This mixer enables owners to obscure the source of their crypto funds. Sinbad, a rebrand of the sanctioned mixer, has drawn attention. Authorities are investigating its involvement in laundering activities linked to the Lazarus Group. The use of Sinbad in this cryptocurrency heist further strengthens the link to Lazarus.

The Atomic Wallet hack brings attention to the evolving tactics of the Lazarus Group. This group targets the cryptocurrency ecosystem in pursuit of financial and political gain. The group's activities align with North Korea's broader strategy. This strategy involves bypassing international sanctions and acquiring funds through illicit means. The regime is using the stolen funds to support its diverse priorities. These priorities include its nuclear program and military activities. 

Law Enforcement is actively monitoring the threat

Security experts and law enforcement agencies are actively tracking the situation. Their goal is to identify the individuals behind the Lazarus Group. But attributing cyberattacks to specific hacking groups or nation-states poses a complex task. It often requires extensive analysis of digital footprints, infrastructure, and malware signatures. The Lazarus Group is famous for using sophisticated techniques. They use many layers of obfuscation, which makes tracking their activities challenging. 

In response to the incident, Atomic Wallet has taken immediate steps. They aim to enhance their security and find the problem that resulted in the breach. They urged affected users to change passwords and enable two-factor authentication to safeguard their assets. 

Continued state-sponsored hacking by North Korea

This latest cryptocurrency heist acts as a reminder of how criminals and state-sponsored groups pose a threat to the ecosystem. It emphasizes the significance of robust security measures, which are crucial for safeguarding users' assets and personal information.

As the industry continues to attract significant investment, individuals must stay vigilant and informed about the latest security best practices. Updating software, using strong passwords, and adding security measures such as hardware wallets are effective. These measures can help mitigate the risks associated with cyberattacks.

Law enforcement agencies and international organizations have been collaborating extensively to combat cybercrime. They also work together to disrupt the activities of hacking groups like Lazarus. Collaboration and information sharing are vital to staying ahead of these threats. Additionally, the specialized development of advanced cybersecurity plays a crucial role in maintaining defenses. 


In conclusion, the involvement of Lazarus in the Atomic Wallet heist underscores the challenges that state-sponsored hacking groups pose in the digital asset space. The incident highlights the need for heightened security measures. These measures are necessary at both the individual and industry levels and aim to protect against cyberattacks and safeguard the integrity of the cryptocurrency ecosystem for generations to come.