
Analysis of North Korean Hackers, Phishing Groups, and Money Laundering Tools – Report Interpretation
TechFlow Selected TechFlow Selected

Analysis of North Korean Hackers, Phishing Groups, and Money Laundering Tools – Report Interpretation
This article introduces the activities of the North Korean hacker group Lazarus Group in 2023, summarizes and analyzes their operations and money laundering methods, constructs a profile of the团伙 (criminal group), and finally presents an overview of the money laundering tools commonly used by hackers.
Author: SlowMist Security Team
In the previous article, we analyzed the 2023 Blockchain Security Landscape. This article focuses on the activities in 2023 of North Korean hacker group Lazarus Group, major phishing gangs, and some money laundering tools.
Lazarus Group
2023 Activities
According to public information from 2023, as of June, no major cryptocurrency theft had been attributed to the North Korean hacking group Lazarus Group. From on-chain activity, Lazarus Group was primarily focused on laundering cryptocurrency funds stolen in 2022, including approximately $100 million lost in the June 23, 2022 attack on the Harmony cross-chain bridge.
Subsequent events revealed that while Lazarus Group continued laundering 2022-stolen funds, they were also actively conducting covert APT-style attacks. These operations directly led to the cryptocurrency industry's "Dark 101 Days" starting June 3.
During the "Dark 101 Days," five platforms were compromised, with losses exceeding $300 million—most of them centralized service platforms.

Around September 12, SlowMist, together with partners, identified a large-scale APT campaign by hacker group Lazarus targeting the cryptocurrency industry. The attack method involved identity spoofing—using real-person verification to pass audits and become legitimate customers, then making genuine deposits. Under this customer cover, attackers precisely delivered custom Mac or Windows malware to official personnel at multiple communication points, gaining access and moving laterally within internal networks to achieve long-term stealth and fund theft.

The U.S. FBI has also closely monitored major cryptocurrency thefts and publicly attributed several incidents to the North Korean Lazarus Group. Below are FBI press releases from 2023 regarding Lazarus:
-
On January 23, the FBI confirmed (https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft) that the Lazarus Group was responsible for the Harmony hack.
-
On August 22, the U.S. Federal Bureau of Investigation (FBI) issued a notice (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk) stating that the North Korean hacking group was involved in attacks on Atomic Wallet, Alphapo, and CoinsPaid, stealing $197 million in cryptocurrency.
-
On September 6, the FBI released a press release (https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk), confirming that Lazarus Group was responsible for the $41 million theft from Stake.com’s cryptocurrency gambling platform.
Money Laundering Analysis
Our analysis shows that Lazarus Group’s money laundering techniques have continuously evolved over time, with new methods emerging periodically. The timeline of these changes is shown below:

Group Profiling
With strong intelligence support from InMist intelligence network partners, SlowMist’s AML team conducted follow-up analysis on data related to these thefts and Lazarus Group, resulting in partial profiling of the hacking group:
-
Frequently uses European or Turkish identities for disguise.
-
Dozens of IP addresses, several email addresses, and partially anonymized identity information have been identified:
-
111.*.*.49
-
103.*.*.162
-
103.*.*.205
-
210.*.*.9
-
103.*.*.29
-
103.*.*.163
-
154.*.*.10
-
185.*.*.217
Wallet Drainers
Note: This section is contributed by Scam Sniffer. We appreciate their effort.
Overview
Wallet Drainers, a type of cryptocurrency-related malware, achieved significant "success" over the past year. Deployed on phishing websites, they trick users into signing malicious transactions, thereby draining assets from their crypto wallets. These phishing campaigns constantly attack ordinary users in various forms, causing many to suffer substantial financial losses after unknowingly approving malicious transactions.
Theft Statistics

Over the past year, Scam Sniffer observed Wallet Drainers stealing nearly $295 million from approximately 320,000 victims.
Theft Trends

Notably, nearly $7 million was stolen on March 11, mostly due to USDC exchange rate fluctuations and fake Circle phishing sites. A large number of thefts also occurred around March 24 following the Arbitrum Discord breach and subsequent airdrop.
Each peak coincided with related mass events—such as airdrops or hacking incidents.
Notable Wallet Drainers

After ZachXBT exposed Monkey Drainer, it announced its exit after six months of operation, with Venom taking over most of its clients. Subsequently, MS, Inferno, Angel, and Pink emerged around March. When Venom ceased operations around April, most phishing groups shifted to other services. With a 20% drainer fee, they earned at least $47 million through service sales.
Wallet Drainer Trends

Trend analysis shows that phishing activities have been steadily increasing. Whenever one drainer exits, another quickly replaces it—for example, after Inferno recently announced its departure, Angel appears to have become the new successor.
How Do They Launch Phishing Campaigns?

Phishing websites obtain traffic through several primary methods:
-
Hacking
-
Compromised official project Discord and Twitter accounts
-
Attacks on official project frontends or third-party libraries
-
Organic traffic
-
Airdropped NFTs or tokens
-
Expired Discord links being hijacked
-
Twitter spam alerts and comments
-
Paid traffic
-
Google search ads
-
Twitter ads
While hacking can affect a broad audience, timely responses usually limit exposure to 10–50 minutes before the community acts. In contrast, airdrops, organic traffic, paid ads, and hijacked Discord links are harder to detect. Additionally, targeted direct message phishing remains prevalent.
Common Phishing Signatures

Different asset types are targeted using different phishing signature techniques. Above are common phishing signature patterns for various asset categories. Drainers tailor their malicious signature requests based on the victim wallet’s holdings.
For instance, in cases involving exploitation of GMX’s signalTransfer function to steal Reward LP tokens, we see highly refined research into specific asset vulnerabilities.
Increased Use of Smart Contracts
1) Multicall

Starting with Inferno, drainers began investing more in contract-based technologies. For example, splitting fees requires two separate transactions, which risks the second transfer being canceled if the victim revokes approval too quickly. To improve efficiency, they now use multicall for faster, atomic asset transfers.
2) CREATE2 & CREATE

To bypass wallet security checks, they now experiment with CREATE2 or CREATE to dynamically generate temporary addresses. This renders wallet blacklist mechanisms ineffective and increases analysis difficulty—since you cannot know the destination address without signing, and temporary addresses lack analytical value. This represents a significant shift from last year.
Phishing Websites

Analyzing trends in phishing website numbers reveals a clear monthly increase in phishing activity, largely sustained by stable wallet drainer services.

Above are the main domain registrars used by these phishing sites. Server address analysis shows most use Cloudflare to hide their real server locations.
Money Laundering Tools
Sinbad
Sinbad is a Bitcoin mixer launched on October 5, 2022, designed to obscure transaction details and conceal on-chain fund flows.
The U.S. Department of the Treasury described Sinbad as a “virtual currency mixer and a primary money laundering tool for the OFAC-designated North Korean Lazarus Group.” Sinbad processed funds from the Horizon Bridge and Axie Infinity hacks, as well as funds linked to sanctions evasion, drug trafficking, purchasing child sexual abuse material, and other illegal darknet market activities.

The Alphapo hacker (Lazarus Group) used Sinbad during money laundering, as seen in this transaction:

(https://oxt.me/transaction/2929e9d0055a431e1879b996d0d6f70aa607bb123d12bfad42e1f507d1d200a5)
Tornado Cash

(https://dune.com/misttrack/mixer-2023)
Tornado Cash is a fully decentralized, non-custodial protocol that enhances transaction privacy by breaking the on-chain link between source and destination addresses. To protect privacy, Tornado Cash uses a smart contract that accepts ETH and other token deposits from one address and allows withdrawals to a different address—effectively sending ETH and tokens to any address while hiding the sender.
In 2023, users deposited a total of 342,042 ETH (approximately $614 million) into Tornado Cash and withdrew 314,740 ETH (approximately $567 million).
eXch

(https://dune.com/misttrack/mixer-2023)
In 2023, users deposited 47,235 ETH (approximately $90.14 million) into eXch and 25,508,148 ERC20 stablecoins (approximately $25.5 million) into eXch.
Railgun
Railgun uses zk-SNARKs cryptographic technology to make transactions completely invisible. By “shielding” users’ tokens within its privacy system, every transaction appears on the blockchain as originating from the Railgun contract address.
At the beginning of 2023, the U.S. Federal Bureau of Investigation stated that the North Korean Lazarus Group used Railgun to launder over $60 million stolen from Harmony’s Horizon Bridge.
Summary
This article covers the 2023 activities of the North Korean hacker group Lazarus. The SlowMist security team continues to monitor this group, summarizing and analyzing its activities and money laundering methods, and producing behavioral profiles. In 2023, phishing gangs were rampant, causing massive financial losses to the blockchain industry. These groups operate in a relay-like manner, enabling sustained, large-scale attacks that pose serious challenges to industry security. We thank the Web3 anti-scam platform Scam Sniffer for contributing insights on Wallet Drainers—this information is crucial for understanding their operational models and profit mechanisms. Finally, we reviewed key money laundering tools commonly used by hackers.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News









