DOJ Wants to Claw Back $2.67 Million Stolen by Lazarus Group
2024-10-8 01:43:49 Author: securityboulevard.com (view original)

The Justice Department (DOJ) is looking to seize more than $2.67 million in cryptocurrency stolen by notorious North Korean hacker gang Lazarus Group in breaches of two online platforms in 2022 and last year.

In two complaints filed in federal court in Washington DC, prosecutors want to claw back $1.7 million Tether crypto of the $28 million in digital assets they said the Lazarus bad actors stole from the options exchange Deribit two years ago and another $970,000 in Bitcoin from a $41 million hack of Stake.com, a gambling platform, in September 2023.

In both cases, the DOJ wrote that investigators were able to track some of the money stolen in each breach as the cybercriminals tried to launder the stolen crypto through the crypto mixers Tornado Cash, Sinbad, and Yonmix.

The attacks were only two of many that North Korean threat groups aligned with the country’s government have launched against cryptocurrency platforms over the past several years, aimed at helping to finance the regime’s nuclear weapons efforts. More recently, experts such as blockchain analytics firm Elliptic pointed to North Korean hackers as the likely bad actors behind the breach in July that cost Indian crypto exchange WazirX more than $235 million in stolen digital assets.

North Korea’s History of Stealing Crypto

Law enforcement agencies in the United States and around the world as well as private companies have been detailing the myriad cybercrime methods used by North Korean hackers to steal information and money that are then fed back to the government for cyberespionage and to pay for its sanctioned weapons programs.


The FBI last month issued an alert about North Korea’s accelerating efforts to target the crypto industry through sophisticated social engineering attacks.

“North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months,” the agency warned. “This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products.”

It added that North Korean social engineering scams are “complex and elaborate, often compromising victims with sophisticated technical acumen. Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea’s determination to compromise networks connected to cryptocurrency assets.”

Billions to Fund Weapons Programs

The United Nations in a report this year wrote that researchers are investigating 58 attacks from between 2017 and 2023 that netted such groups as Lazarus, Andariel, BlueNoroff, and Kimsuky – all linked to North Korea’s Reconnaissance General Bureau (RGB) – $3 billion in stolen crypto.

“One cybercompany branded the Democratic People’s Republic of Korea the ‘world’s most prolific cyber-thief,’” the report said.

Researchers with Chainalysis, another blockchain analysis company, wrote in a report that North Korean-linked hacks rose to 20 in 2023 – more than the 15 the year before – even as the amount stolen in those attacks dropped from $1.7 billion two years ago to $1 billion last year.

“We estimate that North Korea-linked hackers stole approximately $428.8 million from DeFi platforms in 2023, and also targeted centralized services ($150.0 million stolen), exchanges ($330.9 million), and wallet providers ($127.0 million),” they wrote.

Tracking Funds Through Mixers

According to the court documents, investigators were able to track Lazarus as it moved some of the money from the Deribit hack through Tornado Cash, one of a number of crypto mixers that combine crypto from different sources – including proceeds of cybercrime – and launder it by mixing it all together. Lazarus deposited digital assets held in Ethereum into Tornado Cash; the funds then emerged as Tether.

They were able to track the funds in part by looking for similarities between Ethereum wallets, such as when they transferred money or the addresses from which they received funding for transaction fees.
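The two linkage heuristics just described (wallets topped up for fees by the same funding address, and wallets that move funds to the same destination within minutes of each other) as an added Python example; this is not code from the article or from the DOJ, and the addresses, amounts and timestamps are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real chain data): (timestamp, from, to, value_in_eth)
TRANSFERS = [
    ("2022-11-02T10:00:00", "0xfunder1", "0xwalletA", 0.05),  # small fee top-up
    ("2022-11-02T10:02:00", "0xfunder1", "0xwalletB", 0.05),  # same funder, same pattern
    ("2022-11-02T10:05:00", "0xwalletA", "0xmixer", 100.0),   # deposit into mixer
    ("2022-11-02T10:07:00", "0xwalletB", "0xmixer", 100.0),   # two minutes later
    ("2022-11-02T11:00:00", "0xfunder2", "0xwalletC", 0.05),
    ("2022-11-05T09:00:00", "0xwalletC", "0xmixer", 100.0),   # days later, other funder
]

FEE_TOPUP_MAX = 0.1               # transfers at or below this count as fee funding
TIMING_WINDOW = timedelta(minutes=10)

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent.setdefault(x, x) != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def union(parent, a, b):
    parent[find(parent, a)] = find(parent, b)

def cluster_wallets(transfers):
    """Group wallets that share a fee-funding source or that deposit to the same
    destination within TIMING_WINDOW of each other; returns a list of sets."""
    parent = {}
    by_funder = defaultdict(set)   # funder -> wallets it topped up
    deposits = defaultdict(list)   # destination -> [(time, sender)]
    for ts, src, dst, value in transfers:
        if value <= FEE_TOPUP_MAX:
            by_funder[src].add(dst)
        else:
            deposits[dst].append((datetime.fromisoformat(ts), src))
    for wallets in by_funder.values():        # heuristic 1: common gas funder
        first = next(iter(wallets))
        for w in wallets:
            union(parent, first, w)
    for events in deposits.values():          # heuristic 2: closely timed deposits
        events.sort()
        for (t1, a), (t2, b) in zip(events, events[1:]):
            if t2 - t1 <= TIMING_WINDOW:
                union(parent, a, b)
    groups = defaultdict(set)
    for w in list(parent):
        groups[find(parent, w)].add(w)
    return sorted(groups.values(), key=lambda g: sorted(g))
```

On the sample ledger, wallets A and B are linked by both heuristics while wallet C stays on its own; real investigations add further signals (deposit amounts, gas price choices, contract interaction patterns) before treating a cluster as one actor.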

Regarding the Stake.com money, investigators said the threat group tried to launder the funds by converting Bitcoin through Avalanche’s bridge, moving the Bitcoin into the Sinbad and Yonmix mixers, and converting Bitcoin into Tether.

The US Treasury sanctioned Tornado Cash in 2022 and did the same to Sinbad the next year. Roman Storm, a developer and co-founder of Tornado Cash, is due to go on trial for his role with the crypto mixer. He and fellow co-founder Roman Semenov were charged last year with conspiracy to commit money laundering, to commit sanctions violations, and to operate an unlicensed money-transmitting business.

Source: https://securityboulevard.com/2024/10/doj-wants-to-claw-back-2-67-million-stolen-by-lazarus-group/