Lazarus Start Laundering Crypto Stolen Funds, FBI Issued Warning Message

The FBI has issued a stark warning to cryptocurrency companies regarding recent blockchain activity linked to the theft of hundreds of millions of dollars in cryptocurrency by North Korean state-sponsored actors, Lazarus.

The agency has identified specific Bitcoin addresses associated with the Democratic People’s Republic of Korea (DPRK) TraderTraitor-affiliated actors, also known as Lazarus Group and APT38. The group laundered the stolen crypto cash of over $40 million in stolen funds.

FBI Releases Wallet Addresses

The FBI’s investigation reveals that the TraderTraitor-affiliated actors have moved approximately 1,580 bitcoin from various cryptocurrency heists and are currently holding these funds in the following bitcoin addresses: 3LU8wRu4ZnXP4UM8Yo6kkTiGHM9BubgyiG, 39idqitN9tYNmq3wYanwg3MitFB5TZCjWu, 3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk, 3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc,  3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB, 34VXKa5upLWVYMXmgid6bFM4BaQXHxSUoL.

Notably, the $60 million theft of virtual currency from Alphapo, a $37 million theft of virtual currency from CoinsPaid on June 22, 2023, and the $100 million theft of virtual currency from Atomic Wallet on June 2, 2023, are some recorded exploits by the group.

Furthermore, the FBI has previously provided solid data on the TraderTraitor group’s attacks against Harmony’s Horizon Bridge and Sky Mavis’ Ronin Bridge and issued a Cybersecurity Advisory on their activities. The U.S. Department of Treasury’s Office of Foreign Assets Control also sanctioned the Lazarus Group in 2019.

FBI Issues Warning on Truebot Threats In U.S

The FBI urges private sector entities to carefully examine blockchain data associated with the identified addresses and exercise extreme caution regarding any transactions directly with, or derived from, these addresses. The agency emphasizes its commitment to exposing and combating the DPRK’s reliance on illicit activities, including cybercrime and virtual currency theft, to fund its regime.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other agencies have issued warnings regarding the Truebot malware variants used against businesses in the United States and Canada.

On May 31, 2023, the FBI observed an increase in hackers using Truebot (also known as Silence Downloader). Truebot is a botnet utilized by cyber groups like the CL0P Ransomware Gang to steal data from their targets.

These new variants facilitate hackers in gaining initial access by exploiting CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor application, which allows for the deployment of the malware at scale within the compromised system.

However, the cybersecurity advisory does not include specific details of victims or the number of corporations affected by the TrueBot attacks.