Lazarus group: OFAC sanctions crypto addresses related to North Korean cybercrime group
Last week, the Office of Foreign Assets Control (OFAC) added three crypto addresses from the Lazarus group to its Specially Designated Nationals List (SDN List). Earlier in April, OFAC had already added the Ronin Bridge hack address to the list as belonging to the group.
OFAC’s latest designations targeting North Korea’s Lazarus group
So far, OFAC has placed four crypto addresses linked to the Lazarus group on the SDN list. Compliance teams should therefore avoid exposure to these addresses and related funds to ensure sanctions compliance.
In April, OFAC updated its SDN list with several crypto entities and addresses as part of the Lazarus group. Lazarus is a cybercrime group from North Korea.
First, OFAC added the address 0x098B716B8Aaf21512996dC57EB0615e2383E2f96 related to the group on April 14. Notably, this address was used to perpetrate the Ronin Bridge hack. OFAC is thus directly attributing the hack to the Lazarus group.
The Ronin hack is one of the largest decentralized finance (DeFi) hacks to date, with more than $600 million lost. In our analysis, we noticed that some of the hacked funds ended up on well-known crypto exchanges such as Huobi and crypto.com.
Analysis of the OFAC-designated crypto addresses from Lazarus
Lazarus address used in Ronin Bridge hack sent funds to other OFAC-designated addresses
First, let’s have a look at the Ronin hack address 0x098B716B8Aa designated by OFAC on April 14. As of today, the address still holds more than 36,125 ETH worth around $100 million.
The ETH funds have been sent to various entities, including the mixing service Tornado Cash, the exchanges FTX, Huobi, and crypto.com, and the decentralized exchanges (DEXs) Uniswap and 1inch.
In addition, 41% (51,000 ETH) of the funds received by the Ronin hack-related address have reached the other three designated addresses. The address from the Ronin hack sent funds directly to these three addresses. More specifically, the address 0x098B716B8Aa sent the funds in three transactions as follows:
~10,129 ETH to 0x3cffd56b47b;
~18,256 ETH to 0xa0e1c89ef1a; and
~21,629 ETH to 0x899ad3622b.
Latest OFAC-designated Lazarus addresses are moving funds to a mixing service
The three latest Lazarus addresses designated by OFAC are moving the funds to a mixing service. For now, only one address out of the three doesn’t have outgoing transactions and still holds 21,629 ETH. Scorechain will keep on monitoring these addresses and the funds.
However, the 0xa0e1c89e address is sending funds to Tornado Cash through two intermediate addresses. Yesterday, the address 0xa0e1c89e sent 4,500 ETH to the address 0x5967524c, which then sent the funds to the Tornado Cash mixing service in 26 transactions. Today, there have been further movements of funds: the 0xa0e1c89e address sent 5,200+ ETH to a second intermediate address, 0xdd6458eb. So far, this second address has sent 1,000 ETH in 10 transactions to the same mixing service. It still holds around 4,200 ETH.
The 0x3cffd56b address has moved some funds as well. First, a total of 10,081 ETH reached three intermediate addresses. The funds were then sent from the intermediate addresses to Tornado Cash as follows:
0x28f080ed address sent 3,100 ETH in 31 transactions;
0x8fa7b50f address sent 1,500 ETH in 15 transactions; and
0xb3656c5e address sent 5,400 ETH in 54 transactions.
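An added example, not part of the original article and not Scorechain's software: a minimal hop-based screen over the flows described above, showing why the intermediate addresses, which are not themselves on the SDN list, still carry exposure, and how much ETH each designated address routed to the mixer. Address labels are the truncated prefixes printed on the page; the function names and the two-hop threshold are assumptions.

```python
from collections import deque

# Constructed from the article's figures; addresses are the truncated prefixes
# printed on the page. Amount None = the page gives no per-address figure.
RONIN, MIXER = "0x098B716B8Aa", "Tornado Cash"
DESIGNATED = {RONIN, "0x3cffd56b", "0xa0e1c89e", "0x899ad3622b"}
TRANSFERS = [  # (sender, receiver, ETH)
    (RONIN, "0x3cffd56b", 10129), (RONIN, "0xa0e1c89e", 18256),
    (RONIN, "0x899ad3622b", 21629), ("0xa0e1c89e", "0x5967524c", 4500),
    ("0xa0e1c89e", "0xdd6458eb", 5200),  # page says "5,200+"
    ("0x5967524c", MIXER, 4500), ("0xdd6458eb", MIXER, 1000),
    ("0x3cffd56b", "0x28f080ed", None), ("0x28f080ed", MIXER, 3100),
    ("0x3cffd56b", "0x8fa7b50f", None), ("0x8fa7b50f", MIXER, 1500),
    ("0x3cffd56b", "0xb3656c5e", None), ("0xb3656c5e", MIXER, 5400),
]

def hops_from_designated(transfers, designated):
    """Multi-source BFS: fewest transfers from any designated address."""
    out = {}
    for src, dst, _ in transfers:
        out.setdefault(src, []).append(dst)
    dist = {addr: 0 for addr in designated}
    queue = deque(designated)
    while queue:
        cur = queue.popleft()
        for nxt in out.get(cur, []):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def screen(address, dist, max_hops=2):
    """Label a counterparty as sanctioned, indirect exposure, or clear."""
    hops = dist.get(address)
    if hops is None or hops > max_hops:
        return "clear"
    return "sanctioned" if hops == 0 else "indirect"

def mixer_inflow_by_source(transfers, designated, mixer):
    """ETH sent to the mixer, grouped by the designated address that funded
    the sender (assumes one designated funder per intermediate, as here)."""
    funder = {d: s for s, d, _ in transfers if s in designated and d not in designated}
    totals = {}
    for src, dst, eth in transfers:
        if dst == mixer and src in funder:
            totals[funder[src]] = totals.get(funder[src], 0) + (eth or 0)
    return totals

if __name__ == "__main__":
    print(mixer_inflow_by_source(TRANSFERS, DESIGNATED, MIXER))
```

A plain list lookup would clear a deposit from 0x5967524c; the hop-based screen flags it as indirect exposure.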
Crypto sanction compliance made easy
OFAC regularly updates its SDN list with additional cryptocurrency addresses and entities. In the past, the authority has already sanctioned the crypto exchanges Chatex and Suex, and more recently Garantex. Scorechain’s database is automatically updated with every addition to the OFAC sanctions list.
Scorechain’s customers can thus easily spot sanctioned crypto addresses and monitor funds related to OFAC’s designations with risk indicators and risk scoring. Compliance teams can therefore make sure that they can avoid risky addresses and funds and report suspicious transactions to authorities. Would you like to discover how we can help you facilitate your compliance processes? Don’t hesitate to request a demo.
Scorechain is a Risk-AML software provider for cryptocurrencies and digital assets. As a leader in crypto compliance, the Luxembourgish company has helped more than 200 customers in 45 countries since 2015, ranging from cryptocurrency businesses to financial institutions with crypto trading, custody branch, digital assets, customers onboarding, audit and law firms, and some LEAs.
The Scorechain solution supports Bitcoin analytics with Lightning Network detection, Ethereum analytics with all ERC20 tokens and stablecoins, Litecoin, Bitcoin Cash, Dash, XRP Ledger, Tezos, Tron with TRC10 and TRC20 tokens, and BSC with BEP20 tokens. The software can de-anonymize blockchain data and connect with sanctions lists to provide risk scoring on digital assets, transactions, addresses, and entities. The risk assessment methodology applied by Scorechain has been verified and can be fully customized to fit all jurisdictions. 300+ risk-AML scenarios are provided to its customers with a wide range of risk indicators, so businesses under the scope of crypto regulation can report suspicious activity to authorities with enhanced due diligence.