FBI identifies wallets holding cryptocurrency funds stolen by North Korea

The U.S. FBI warned that North Korea-linked threat actors may attempt to cash out stolen cryptocurrency worth more than $40 million.

The Federal Bureau of Investigation shared details about the activity of six cryptocurrency wallets operated by North Korea-linked threat actors.

The wallets hold roughly 1,580 Bitcoin (roughly $41 million at the current rate) that the feds believe are linked to the recent theft of hundreds of millions of dollars in cryptocurrency.

The FBI believes that the North Korea-linked hackers may attempt to cash out the stolen funds.

“The FBI is warning cryptocurrency companies of recent blockchain activity connected to the theft of hundreds of millions of dollars in cryptocurrency. Over the last 24 hours, the FBI tracked cryptocurrency stolen by the Democratic People’s Republic of Korea (DPRK) TraderTraitor-affiliated actors (also known as Lazarus Group and APT38).” reads the FBI’s alert. “The FBI believes the DPRK may attempt to cash out the bitcoin worth more than $40 million dollars.”

The investigation conducted by the FBI revealed that the TraderTraitor-affiliated actors moved approximately 1,580 bitcoin from several cryptocurrency heists to the following wallets:

• 3LU8wRu4ZnXP4UM8Yo6kkTiGHM9BubgyiG
• 39idqitN9tYNmq3wYanwg3MitFB5TZCjWu
• 3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk
• 3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc
• 3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB
• 34VXKa5upLWVYMXmgid6bFM4BaQXHxSUoL

TraderTraitor-affiliated hackers stole $100 million from Atomic Wallet in June, $60 million from Alphapo, and $37 million from CoinsPaid in July.

North Korea-linked APT groups have focused their previous operations on the theft of crypto assets. Researchers attributed the hack of Harmony’s Horizon bridge and Sky Mavis’ Ronin Bridge to North Korea-linked threat actors.

“Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses. The FBI will continue to expose and combat the DPRK’s use of illicit activities—including cybercrime and virtual currency theft—to generate revenue for the regime.” FBI concludes.

In 2018, the Lazarus APT group targeted several cryptocurrency exchanges, including the campaign tracked as Operation AppleJeus discovered in August 2018. At the time, North Korea-linked Lazarus APT group leveraged for the first time on a MacOS variant of the Fallchill malware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)