
Uncovering the Boldest Cryptocurrency Theft Syndicate in History: A Money Laundering Analysis of the Hacker Group Lazarus Group
TechFlow Selected TechFlow Selected

Uncovering the Boldest Cryptocurrency Theft Syndicate in History: A Money Laundering Analysis of the Hacker Group Lazarus Group
This article will focus on analyzing several typical attack cases, revealing how the Lazarus Group successfully carried out these astonishing attacks through its sophisticated strategies and technical methods.
By Beosin
Earlier, a confidential United Nations report obtained by Reuters revealed that after North Korean hacker group Lazarus Group stole funds from a cryptocurrency exchange last year, it laundered $147.5 million through the virtual currency platform Tornado Cash in March this year.
In a previous filing, inspectors informed the UN Security Council Sanctions Committee that they had been investigating 97 suspected cyberattacks by North Korean hackers targeting cryptocurrency companies between 2017 and 2024, amounting to approximately $3.6 billion. This includes an attack at the end of last year in which $147.5 million was stolen from HTX cryptocurrency exchange and subsequently laundered in March this year.
The United States imposed sanctions on Tornado Cash in 2022. In 2023, two of its co-founders were charged with helping launder over $1 billion, including funds linked to the North Korea-affiliated cybercrime organization Lazarus Group.
According to an investigation by cryptocurrency investigator ZachXBT, Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.
In the field of cybersecurity, Lazarus Group has long been accused of carrying out large-scale cyberattacks and financial crimes. Their targets are not limited to specific industries or regions but span globally—from banking systems to cryptocurrency exchanges, and from government institutions to private enterprises. Below, we will analyze several typical attack cases to reveal how Lazarus Group successfully executed these astonishing attacks using sophisticated strategies and technical methods.
Lazarus Group’s Use of Social Engineering and Phishing Attacks
This case comes from media reports in Europe. Previously, Lazarus targeted military and aerospace companies in Europe and the Middle East, posting fake job advertisements on platforms like LinkedIn to deceive employees—requiring applicants to download PDFs containing executable malware, thereby launching phishing attacks.
Both social engineering and phishing attacks aim to exploit psychological manipulation to trick victims into lowering their guard and performing actions such as clicking links or downloading files, thus compromising their security.
Their malware enables operatives to exploit vulnerabilities in victims’ systems and steal sensitive information.
Lazarus used similar tactics during a six-month campaign against cryptocurrency payment provider CoinsPaid, resulting in a theft of $37 million from CoinsPaid.
Throughout the operation, it sent false job offers to engineers, launched technical attacks such as distributed denial-of-service (DDoS), and attempted brute-force cracking by submitting numerous possible passwords.
Carrying Out Attacks on CoinBerry, Unibright, and Others
On August 24, 2020, Canadian cryptocurrency exchange CoinBerry’s wallet was hacked.
Hacker address:
0xA06957c9C8871ff248326A1DA552213AB26A11AE
On September 11, 2020, due to a private key leak, unauthorized transfers totaling $400,000 occurred from multiple wallets controlled by the Unibright team.
Hacker address:
0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43
On October 6, 2020, due to a security vulnerability, crypto assets worth $750,000 were transferred without authorization from CoinMetro’s hot wallet.
Hacker address:
0x044bf69ae74fcd8d1fc11da28adbad82bbb42351

Beosin KYT: Stolen Fund Flow Diagram
In early 2021, funds from various attack incidents converged into the following address:
0x0864b5ef4d8086cd0062306f39adea5da5bd2603.
On January 11, 2021, the 0x0864b5 address deposited 3,000 ETH into Tornado Cash, followed by another deposit of over 1,800 ETH via address 0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129 into Tornado Cash.
Subsequently, between January 11 and January 15, nearly 4,500 ETH were gradually withdrawn from Tornado Cash to address 0x05492cbc8fb228103744ecca0df62473b2858810.
By 2023, after multiple transfers and conversions, the attackers ultimately consolidated funds into addresses used for cashing out proceeds from other security incidents. According to the fund tracking diagram, the attackers progressively sent the stolen funds to Noones deposit address and Paxful deposit address.
Hack on Nexus Mutual Founder (Hugh Karp)
On December 14, 2020, Hugh Karp, founder of Nexus Mutual, had 370,000 NXM tokens ($8.3 million) stolen.

Beosin KYT: Stolen Fund Flow Diagram
The stolen funds were transferred among several addresses and converted into other assets.
0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1
0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b
0x09923e35f19687a524bbca7d42b92b6748534f25
0x0784051d5136a5ccb47ddb3a15243890f5268482
0x0adab45946372c2be1b94eead4b385210a8ebf0b
Lazarus Group performed fund obfuscation, dispersion, and consolidation operations through these addresses. For example, part of the funds was bridged cross-chain to the Bitcoin network, then transferred back to the Ethereum chain through a series of steps, followed by mixing via tumbling services before being sent to cash-out platforms.
From December 16 to December 20, 2020, one hacker address, 0x078405, sent over 2,500 ETH to Tornado Cash. A few hours later, based on pattern correlation, withdrawals began from address 0x78a9903af04c8e887df5290c91917f71ae028137.
The hackers transferred and exchanged funds, moving part of them to the same fund consolidation and withdrawal addresses involved in the previous incident.
Later, from May to July 2021, the attacker transferred 11 million USDT into Bixin deposit address.
From February to March 2023, the attacker sent 2.77 million USDT to Paxful deposit address via address 0xcbf04b011eebc684d380db5f8e661685150e3a9e.
From April to June 2023, the attacker sent 8.4 million USDT to Noones deposit address via the same address 0xcbf04b011eebc684d380db5f8e661685150e3a9e.
Steadefi and CoinShift Hacks

Beosin KYT: Stolen Fund Flow Diagram
Attack address for Steadefi incident:
0x9cf71f2ff126b9743319b60d2d873f0e508810dc
Attack address for Coinshift incident:
0x979ec2af1aa190143d294b0bfc7ec35d169d845c
In August 2023, 624 stolen ETH from the Steadefi incident were transferred to Tornado Cash. In the same month, 900 stolen ETH from the Coinshift incident were also moved to Tornado Cash.
After transferring ETH to Tornado Cash, funds were gradually withdrawn to the following addresses:
0x9f8941cd7229aa3047f05a7ee25c7ce13cbb8c41
0x4e75c46c299ddc74bac808a34a778c863bb59a4e
0xc884cf2fb3420420ed1f3578eaecbde53468f32e
On October 12, 2023, the three aforementioned addresses sent all funds withdrawn from Tornado Cash to address 0x5d65aeb2bd903bee822b7069c1c52de838f11bf8.
In November 2023, the 0x5d65ae address began transferring funds, eventually routing and converting them to Paxful deposit address and Noones deposit address via intermediary transactions.
Summary of Incidents
The above outlines recent activities of the North Korean hacking group Lazarus Group and analyzes their money laundering methods: After stealing crypto assets, Lazarus Group generally uses repeated cross-chain transfers followed by deposits into mixers like Tornado Cash to obscure fund trails. After obfuscation, the group withdraws stolen assets to target addresses and sends them to fixed clusters of addresses for cash-out. Previously stolen crypto assets have mostly been funneled into Paxful deposit address and Noones deposit address, then converted into fiat currency via OTC services.
Under the continuous and large-scale attacks by Lazarus Group, the Web3 industry faces significant security challenges. Beosin continues to monitor this hacker group, further tracking its movements and money laundering techniques to assist project teams, regulators, and law enforcement agencies in combating such crimes and recovering stolen assets.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










