The Federal Bureau of Investigation shared details about the activity of six cryptocurrency wallets operated by North Korea-linked threat actors.
The wallets hold about 1,580 Bitcoin (roughly $41 million at the current exchange rate) that the feds believe are linked to the recent theft of hundreds of millions of dollars in cryptocurrency.
The FBI believes that the North Korea-linked hackers may attempt to cash out the stolen funds.
“The FBI is warning cryptocurrency companies of recent blockchain activity connected to the theft of hundreds of millions of dollars in cryptocurrency. Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People’s Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38),” reads the FBI’s alert. “The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40 million dollars.”
The investigation conducted by the FBI revealed that the TraderTraitor-affiliated actors moved approximately 1,580 bitcoin from several cryptocurrency heists to the following wallets:
TraderTraitor-affiliated hackers stole $100 million from Atomic Wallet in June, $60 million from Alphapo, and $37 million from CoinsPaid in July.
North Korea-linked APT groups have focused their previous operations on the theft of crypto assets. Researchers attributed the hack of Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge to North Korea-linked threat actors.
“Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses. The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime,” the FBI concludes.
In 2018, the Lazarus APT group targeted several cryptocurrency exchanges, including in the campaign tracked as Operation AppleJeus, discovered in August 2018. At the time, the North Korea-linked Lazarus APT group used a macOS variant of the Fallchill malware for the first time.
(SecurityAffairs – hacking, North Korea)