
North Korean hacking group Lazarus targets centralized institutions: five attacks in three months.

2023-09-19 21:00
Original title: "Lazarus, a North Korean hacker group, targets centralized organizations and earns 300 million US dollars in 100 days"
Author: Elliptic
Translated by: Foresight News


The North Korean hacker group Lazarus appears to have stepped up its activity recently. Since June 3, four attacks on cryptocurrency companies have been confirmed as its work, and the recent attack on the cryptocurrency exchange CoinEx is likely to be Lazarus as well. In response, CoinEx has posted several tweets stating that suspicious wallet addresses are still being identified, so the total value of the stolen funds is not yet clear, but it may have reached $54 million.


Over the past 100+ days, Lazarus has been confirmed to have stolen nearly $240 million worth of cryptocurrency assets from Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million). 


As shown in the above figure, part of the funds stolen from CoinEx was sent to an address that the Lazarus group uses to store funds stolen from Stake.com, even though the two thefts occurred on different blockchains. The funds were then bridged to Ethereum via a cross-chain bridge Lazarus has used before, and sent on to an address known to be controlled by the CoinEx hacker. Elliptic has observed this mixing of funds from different hacks in earlier Lazarus incidents, most recently the merging of funds stolen from Stake.com and Atomic Wallet. The merging of funds from different hacks is shown in orange in the following figure.
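The cross-incident merging described above can be expressed as a simple taint-propagation check over a transfer graph: seed addresses with the incident they are already attributed to, follow funds forward (including bridge hops), and flag any address that ends up carrying labels from more than one incident. This is an added illustration, not Elliptic's tooling; every address, chain and amount in it is a constructed placeholder.

```python
"""Commingling heuristic: flag addresses where funds attributed to different
incidents meet. Added illustration; all addresses, chains and amounts are
constructed placeholders, not real blockchain data."""
from collections import defaultdict

# Constructed ledger: (chain, sender, receiver, amount). A bridge hop is
# modelled as a transfer whose receiver lives on another chain.
TRANSFERS = [
    ("tron", "stake_hack_1", "shared_store", 120.0),
    ("tron", "coinex_hack_1", "shared_store", 80.0),
    ("tron", "shared_store", "bridge_deposit", 200.0),
    ("eth", "bridge_deposit", "coinex_hack_eth", 200.0),
    ("eth", "unrelated_user", "unrelated_cex", 5.0),
]

# Seed attribution: addresses already tied to a named incident.
SEEDS = {"stake_hack_1": "Stake.com", "coinex_hack_1": "CoinEx"}


def propagate(transfers, seeds):
    """Forward-propagate incident labels along transfer edges.
    Returns {address: set(incident labels)}. Iterates to a fixed point
    so chains of hops (including bridge hops) are followed."""
    labels = defaultdict(set)
    for addr, incident in seeds.items():
        labels[addr].add(incident)
    changed = True
    while changed:
        changed = False
        for _chain, src, dst, _amt in transfers:
            new = labels[src] - labels[dst]
            if new:
                labels[dst] |= new
                changed = True
    return dict(labels)


def commingling_points(labels):
    """Addresses carrying labels from two or more incidents: the 'merge'
    an analyst treats as evidence of a common operator."""
    return {a: sorted(l) for a, l in labels.items() if len(l) > 1}


def address_chains(transfers):
    """Map each address to the chain it was last seen on, for reporting."""
    return {a: c for c, s, d, _ in transfers for a in (s, d)}


if __name__ == "__main__":
    chains = address_chains(TRANSFERS)
    for addr, incidents in commingling_points(propagate(TRANSFERS, SEEDS)).items():
        print(f"{addr} ({chains[addr]}): funds from {', '.join(incidents)} meet here")
```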



Five attacks in 100 days


In 2022, several high-profile hacking attacks were attributed to Lazarus, including the attack on Harmony's Horizon Bridge and the attack on Axie Infinity's Ronin Bridge, both of which occurred in the first half of last year. From then until June of this year, no major cryptocurrency thefts were publicly attributed to Lazarus. Therefore, the various hacking attacks in the past 100 days indicate that the North Korean hacking group has become active again.


On June 3, 2023, users of the non-custodial decentralized cryptocurrency wallet Atomic Wallet suffered losses exceeding $100 million. Elliptic formally attributed the hack to Lazarus on June 6, 2023, after determining that multiple factors pointed to the North Korean hacking group. The attribution was later confirmed by the Federal Bureau of Investigation (FBI).


On July 22, 2023, Lazarus gained access to the hot wallet belonging to the cryptocurrency payment platform CoinsPaid through a social engineering attack. This access allowed the attacker to create authorization requests and extract approximately $37.3 million worth of cryptocurrency assets from the platform's hot wallet. On July 26, CoinsPaid released a report stating that Lazarus was responsible for the attack, which was confirmed by the FBI's investigation.


On the same day, July 22nd, Lazarus conducted another attack, this time targeting the centralized cryptocurrency payment provider Alphapo, stealing $60 million worth of cryptocurrency assets. The attacker may have gained access through previously leaked private keys. The FBI later confirmed that Lazarus was the attacker in this incident. 


On September 4th, 2023, the online cryptocurrency gambling platform Stake.com was attacked and approximately $41 million worth of cryptocurrency was stolen, possibly due to the theft of private keys. On September 6th, the FBI released a notice confirming that the Lazarus Group was behind the attack.


Finally, on September 12, 2023, the centralized cryptocurrency exchange CoinEx became a victim of a hacker attack, with $54 million stolen. As mentioned above, multiple pieces of evidence indicate that Lazarus is responsible for this attack. 


Has Lazarus changed "tactics"?


An analysis of Lazarus's latest activity indicates that since last year it has shifted its focus from decentralized services to centralized ones. Four of the five recent hacks discussed above targeted centralized cryptocurrency asset service providers. Before the DeFi ecosystem took off in 2020, centralized exchanges were Lazarus's main targets.


There are multiple possible explanations for Lazarus' renewed focus on centralized services.


More attention to security: Elliptic's research on DeFi hacks in 2022 found that an attack occurred on average every four days, with an average theft of $32.6 million. Cross-chain bridges became one of the most frequently attacked types of DeFi protocol in 2022. These trends have likely driven improvements in smart contract auditing and development standards, narrowing the scope for hackers to identify and exploit vulnerabilities.


Susceptibility to social engineering: In multiple hacks, the Lazarus Group chose social engineering as its method of entry. For example, the $540 million hack of Ronin Bridge was traced back to a fake job offer on LinkedIn. Decentralized services, however, often have few employees and are, as the name suggests, decentralized to varying degrees. Compromising a developer therefore does not necessarily grant administrative control of the smart contracts.


Centralized exchanges, by contrast, tend to employ more staff, which widens the pool of potential targets. They also run on centralized internal IT systems, giving Lazarus malware more opportunity to penetrate the business.

