North Korean hacker group, Lazarus, is suspected of being behind the $305 million hack of Japanese cryptocurrency exchange DMM Bitcoin. 

The hackers laundered over $35 million of the stolen funds through a Cambodian online marketplace, Huione Guarantee, reportedly linked to Cambodia’s ruling Hun family, according to on-chain detective ZachXBT.

ZachXBT stated:

 “It is suspected that Lazarus Group is behind the hack due to similarities in laundering techniques and off-chain indicators.” 

A string of transactions involving funds from wallets associated with Lazarus provided clues. These transactions revealed a pattern of behavior typical of Lazarus, as noted by recent discoveries made by ZachXBT.

On May 31, DMM Bitcoin lost 4,502.9 BTC ($305 million) to a hack, representing one of the largest global exchange hacks in terms of fiat value. The company confirmed the attack was an “unauthorized leak of Bitcoin from our wallet.” The hackers sent the stolen funds from DMM Bitcoin to Huione Guarantee in July.

“Primarily being used by criminal organizations such as pig butchering gangs.” Blockchain analytic firm Elliptic revealed that merchants on Huione Guarantee offer “tech, data, and money laundering services.” These merchants have engaged in transactions totaling at least $11 billion, according to the report.

The Complex Laundering Process

The tracking of these funds showed a total of $29.6 million in a wallet associated with Lazarus on the Tron blockchain. Approximately $14 million was transferred to this wallet within three days of the DMM Bitcoin attack. 

ZachXBT recounted the events to help the cryptocurrency community understand the hack’s flow. He explained that the stolen funds were initially sent to a mixer. 

From the mixer, the money was sent to the THORChain, Threshold, and Avalanche bridge, where it was converted from Bitcoin to either Ethereum or Avalanche cryptocurrency. The hackers used SWFT to convert the Bitcoin to USDT on Tron.

In response to the findings, stablecoin issuer Tether has blocked a Tron-based wallet containing 29.6 million USDT, apparently connected to Huione. This wallet had received $14 million worth of hacked funds from DMM Bitcoin in three days.

Almost a week after the hack, the cryptocurrency exchange raised $320 million to compensate users.