Lazarus Group to Cash Out $40 Million Stolen from Atomic Wallet, Alphapo and CoinsPaid

The FBI detected transactions of nearly 1,580 Bitcoin stolen in several high-profile cryptocurrency heists.

The FBI believes North Korean hackers, known as APT38 and Lazarus Group, are responsible for attacks worth over $200 million on Atomic Wallet, CoinsPaid, and Alphapo.

On August 22, the FBI reported recent on-chain activity related to cryptocurrency stolen from Atomic Wallet, Alphapo, and CoinsPaid by Lazarus Group, a North Korean hacker group. The FBI specifically mentioned the involvement of APT38, also known as BlueNorOff, BeagleBoyz, NICKEL GLADSTONE, and Stardust Chollima, which is believed to be one of Lazarus Group’s two units.

According to the FBI, the actors responsible for the attacks on Sky Mavis’ Ronin Bridge and Harmony’s Horizon Bridge "may attempt to cash out the Bitcoin worth more than $40 million."

The FBI discovered the movement of almost 1,600 Bitcoin acquired through massive cryptocurrency thefts. The June 3 exploit of Atomic Wallet netted the attackers more than $100 million, while payment provider Alphapo's losses totaled nearly $60 million and crypto payment ecosystem CoinsPaid lost $37 million.

The connection between these hacks and the infamous Lazarus Group hackers was uncovered earlier this summer by prominent on-chain analysis firms and detectives like SlowMist and ZachXBT.

ZachXBT mentioned the possible link between the Atomic Wallet exploit and the North Korean attackers in early June. The blockchain sleuth highlighted the fact that this hack had "lots of similarities in the laundering patterns to Ronin and Harmony."

On July 26, SlowMist shared with the X community (formerly Twitter) its analysis of the connection between the addresses used to transfer the funds stolen from Alphapo, CoinsPaid, and Atomic Wallet.

Less than a week later, SlowMist discovered "an unusual transaction that sent funds to an address associated with the Harmony exploiter." Based on their research, SlowMist’s analysts suspected that "these funds could be traced back to the Alphapo hack." The team also stressed the similarities between the money laundering methods used in these transactions and those used by the Lazarus Group in the past.