Lazarus launders BTC amid pending ETF decision

The highly-anticipated decision by the U.S. SEC on the approval of spot Bitcoin exchange-traded funds (ETFs) is of the biggest stories happening in the crypto world in recent weeks. Several analysts have attributed Bitcoin's price upswing over the past few months to the potential approval of spot Bitcoin ETFs.

An unexpected twist on the Bitcoin ETF saga happened on January 9, when the SEC’s account on X (formerly known as Twitter) announced the approval of spot Bitcoin ETFs for the first time. However, SEC Chair Gary Gensler said 15 minutes later on X that the regulator has actually not yet approved the ETFs, explaining that the commission's X account was compromised. X's security team then confirmed that an unidentified individual gained control of SEC's X account, adding that the account did not have two-factor authentication enabled.

Amid this security-related twist and the ensuing speculation on who was responsible for the apparently false SEC announcement, another hacker group is likely preparing for the approval of spot Bitcoin ETFs: North Korean cybercrime group Lazarus. Recently, crypto addresses associated with the hacker group shifted around a total of 27.371 $BTC in a series of peel chain transactions.

Peel Chain in Action: Lazarus-Associated BTC Transfers

Peel chain is a technique used to launder large amounts of illegally-obtained crypto assets by executing an extended series of transfers coursed through multiple crypto addresses.

Lazarus' peel chain transactions involving 27.371 $BTC of its funds involved a total of 22 addresses, including those with strong connections to Binance and mining pools F2Pool, AntPool, and Poolin.

This series of complicated transfers transpired in three stages:

Stage 1 - A series of transfers from as early as April 2023. At this stage, we can see the correlations between suspected Lazarus-controlled addresses and those with strong connections to Binance, F2Pool, AntPool, and Poolin.

- 3Hemup, an AntPool-associated wallet based on 0xScope analysis, has a record of several multiple transactions with 3MXWew, which also transacted many times with 39Xpoa.

- 3Azgii, a Poolin-associated wallet based on 0xScope analysis, transacted many times with 39Xpoa.

- F2Pool address 1KFHE7 has daily transactions with 1GX28y, which sends 0.01 $BTC to 3DKoD6 daily. According to OKLink, 1KFHE7 is an address associated with ransomware-related issues.

- On April 19, 2022, Binance wallet bc1qm3 sent 0.45 $BTC to 3DKoD6

- On June 16, 2023, 3DKoD6 sent 0.4 $BTC to Binance deposit address 1LEt7c, which is suspected to have been used by Lazarus in the past, and 0.055 $BTC to 3LDbdZ.

- On August 3, 2023, Poolin-associated 3Azgii sent 0.011 $BTC to 3DKoD6

- On August 8-28, 2023, 39Xpoa sent 0.4 $BTC to 3DKoD6.

Here, a pattern emerges where address 3DKoD6 became a convergence point for the various addresses. This wallet, alongside another Binance wallet, play pivotal roles in Lazarus' next phase of peel chain transactions.

Stage 2 - A series of transactions from November 22, 2023, to January 7, which resulted in the consolidation of 27.371 $BTC on 37rAkD.

- The vast majority of the funds were moved on November 22, 2023, when 25.908 $BTC was sent from Binance wallet bc1qm3 to 33Qt6k, which transferred the same amount of $BTC to 32H82C within the same day.

- On December 24, 2023, 31zjec received 0.45 $BTC from 3DKoD6 and 0.055 $BTC from 3LDbdZ.

Here are all the transactions that happened on January 7.

- A transfer of about 1 $BTC from BInance wallet bc1qm3 to bc1p9x, which then sent 0.65 $BTC to 32H82C.

- Another transfer from bc1qm3, this time involving 1.112 $BTC sent to bc1pkw, which then routed the funds to 3L57tC.

- A transfer of 0.506 $BTC from 31zjec to 3L57tC, which then sent 1.618 BTC to 32H82C.

- Finally, a transfer of 27.371 $BTC from 32H82C to 37rAkD, which then started another series of peel chain transfers.

Stage 3 - A series of transfers that happened on January 8, near the anticipated decision deadline for spot BTC ETFs. The 27.371 $BTC was split in the following manner:

- 37rAkD sent 0.0001 $BTC directly to 188fDn, which ended up receiving the rest of the BTC through two other transactions listed below.

- 3CquEj received 27.371 $BTC from 37rAkD. This address sent 10 $BTC to 188fDn and 17.371 $BTC to 345SJr.

- 345SJr transmitted the 17.371 $BTC it received to 188fDn.

- Finally, 188fDn sent all its Bitcoin to 1DzNJZK in two separate transactions.

Further Observations

- While Lazarus regularly conducts peel chain transactions on its various hacks against many Web3 companies over the years, the recent findings unearth the likely destinations of Lazarus' stolen funds in preparation for the anticipated SEC decision on spot BTC ETFs.

- It is likely that Lazarus has undertaken a lot more BTC transactions in recent days aside from what was investigated in this article. Law enforcement agencies and independent crypto investigators should be at least interested in looking into Lazarus' activities, especially in this pivotal moment of Web3 history.

- Aside from Binance, which has been subject to several regulatory woes around the world over money laundering allegations, mining pools are emerging as another avenue through which peel chain transactions can be attempted. These pools can choose be more vigilant in probing its transactions for potential bad actors, but it opens up some issues about censorship, given that one of the cardinal principles of Bitcoin adherents is censorship resistance. For instance, In November 2023, F2Pool acknowledged that it had filtered transactions, after a crypto observer criticized the mining pool for censoring transactions from addresses blacklisted by U.S. authorities.

‍