North Korea backed Lazarus Group linked to $305 million DMM Bitcoin hack

The $305 million exploit of Japanese crypto exchange DMM Bitcoin might be the work of the notorious Lazarus Group. On-chain investigator ZachXBT revealed that similarities in laundering the stolen funds suggest that the state-sponsored group may be responsible.

Also Read: The Philippines’ DOJ charges two Russians for alleged involvement in $7 million crypto heist

This comes after recent transfers of DMM Bitcoin-linked funds to the online marketplace Huione Guarantee. Blockchain security company Elliptic Research recently indicted the marketplace for facilitating billions in illicit crypto-related crimes.

The Lazarus Group connection to the DMM Bitcoin hack

According to ZachXBT, the hackers moved over $35 million of the stolen funds to the online marketplace Huione Guarantee in July. The transfers have attracted attention from stablecoin issuer Tether, leading it to blacklist a  Tron-based wallet containing 29.6 million USDT. The wallet is connected to Huione and received about $14 million from the DMM Bitcoin hack in just 3 days.

The laundering pattern is the major reason for drawing a connection between the Lazarus Group and whoever hacked DMM Bitcoin. The hackers have adopted a system where they deposit stolen BTC into the mixer and, after withdrawing it, bridge the funds from Bitcoin to either Avalanche or Ethereum networks using THORChain, Avalanche Bridge, and Threshold.

Once the funds have been moved to these smart contract blockchains, the hackers swap them for Tether USDT and bridge to the Tron network using SWFT. From Tron, the USDT is transferred to Huione. The pattern, which involves chain hopping and mixers, is similar to how Lazarus moves stolen funds.

“It is suspected that Lazarus Group is behind the hack due to similarities in laundering techniques and off chain indicators,” ZachXBT said.

The hackers’ decision to swap BTC for USDT appears strange, given how Tether could blacklist USDT. However, ZachXBT explained that they have no choice because they are cashing out the stolen assets through small OTCs that only accept USDT.

Huione Guarantee becomes the preferred platform for bad actors

The revelation further highlights the growing role of Huione as a place for bad actors looking to move crypto. According to a recent report by blockchain analytics firm Elliptics Research, the platform, part of the Cambodian Huioine Group, is mostly used by scam operators in Southeast Asia.

Through its investigations, Elliptic discovered that the transaction volume for crypto wallets linked to the platform has been at least $11 billion over the last three years. Merchants on the platform provide various services, including money laundering, malicious technology and software development, and other scam-enabling services.

Also Read: Crypto Exchange DMM Bitcoin Vows To Repay Users After $300M Hack

Although not all transactions on the platform are fraud-related, Elliptic analysis shows that most transactions are connected to illicit activities, and USDT is the preferred crypto among users. In 2024 alone, the transaction volume is already over $3 billion USDT, which is a modest estimate.