Uncovering the North Korean hacker group Lazarus Group: The mastermind behind multiple industry incidents such as Ronin and KuCoin, skilled in social engineering attacks
Author: Biscuit, Chain Catcher
Hacker attacks have become a routine occurrence in the crypto ecosystem. According to Chainalysis's Q1 2022 report, hackers stole $3.2 billion worth of crypto assets in 2021; in the first three months of 2022 alone, they stole approximately $1.3 billion in crypto assets from exchanges, DeFi protocols, and ordinary users, with 97% of that coming from DeFi protocols.
Among various hacker organizations, the North Korean hacker group Lazarus Group has recently garnered the most attention. According to a report from the U.S. Treasury Department, this organization is behind the theft of up to $620 million from the Ronin cross-chain bridge, and its Ethereum address has been added to the U.S. sanctions list. Previously, the organization was believed to be the mastermind behind thefts from many cryptocurrency exchanges, including Bithumb and KuCoin, often employing phishing attacks.
Today, Lazarus Group is seemingly becoming one of the most destructive hacker organizations in the crypto ecosystem. So how did this organization come to be? How do they typically carry out their attacks?
Overview of Lazarus Group
According to Wikipedia, Lazarus Group was established in 2007 and is affiliated with the 110th Research Center under the Reconnaissance General Bureau of the General Staff Department of the Korean People's Army, specializing in cyber warfare. The organization selects the smartest students from within the country to receive six years of specialized education, training them to deploy various types of malware onto computers and servers. Relevant education is provided by Kim Il Sung University, Kim Chaek University of Technology, and Moranbong University in North Korea.
The organization is divided into two departments. One is BlueNorOff (also known as APT38), with about 1,700 members, responsible for illegal transfers through forged SWIFT orders; it focuses on exploiting network vulnerabilities for economic gain or controlling systems to commit financial cybercrime, targeting financial institutions and cryptocurrency exchanges. The other is Andariel, with about 1,600 members, which targets South Korea.
The earliest known attack activity of Lazarus Group dates back to 2009, when it carried out DDoS attacks against the South Korean government in the campaign known as "Operation Troy." The most famous incident was the 2014 attack on Sony Pictures, motivated by Sony's release of a comedy about the assassination of North Korean leader Kim Jong-un.
A notable attack by the organization’s BlueNorOff was the 2016 Bangladesh Bank heist, where they attempted to illegally transfer nearly $1 billion from the New York Federal Reserve Bank account belonging to the Bangladesh Central Bank via the SWIFT network. After completing several transactions (with $20 million traced to Sri Lanka and $81 million traced to the Philippines), the New York Federal Reserve Bank halted the remaining transactions due to suspicions raised by spelling errors.
Since 2017, the organization has been attacking the crypto industry, profiting by at least $1 billion.
Lazarus Group Crypto Attack Incidents
- In February 2017, the group stole $7 million in digital assets from the South Korean exchange Bithumb.
- In April 2017, it stole approximately 4,000 bitcoins from the South Korean exchange Youbit, and in December it stole another 17% of that exchange's digital assets, leading to Youbit's bankruptcy.
- In December 2017, it stole over 4,500 bitcoins from the cryptocurrency cloud mining marketplace Nicehash.
- In September 2020, it stole approximately $300 million in digital assets from the KuCoin exchange.
- In March 2022, it attacked the Ronin cross-chain bridge, stealing 173,600 ETH and $25.5 million USDC, totaling approximately $620 million.
Additionally, many heads of crypto projects and KOLs have also become targets of Lazarus Group. On March 22, 2022, Arthur, the founder of Defiance Capital, tweeted that his hot wallet had been hacked, resulting in the theft of 60 NFTs, including 17 Azuki and 5 CloneX, with losses amounting to about $1.7 million. Arthur claimed there was evidence indicating that the perpetrator was the North Korean-supported BlueNorOff hacker organization, which is severely harming the crypto industry.
In response to external accusations, North Korea issued a statement claiming that Lazarus Group was not responsible, but has since not responded to media inquiries.
Attack Characteristics
According to analysis from Huobi Research, Lazarus Group steals crypto assets stored in digital wallets through phishing, malicious code, and malware, with the following characteristics:
- Attack cycles are generally long, often involving prolonged infiltration and using different methods to lure targets into being compromised.
- The bait files delivered are highly deceptive and enticing, making it difficult for targets to discern.
- The attack process may utilize system destruction or ransomware applications to interfere with event analysis.
- SMB protocol vulnerabilities or related worm tools are exploited for lateral movement and payload delivery.
- The toolset's source code is modified for each attack, and is promptly modified again once cybersecurity companies disclose it.
Lazarus Group excels at abusing trust, leveraging the target's trust in business communications, internal chats with colleagues, or interactions with outsiders to send malicious files and monitor their daily operations for opportunities to steal. Once the attackers realize they have found a target with significant crypto holdings, they carefully observe the user's activity for weeks or months before devising a theft plan.
In January 2021, Google's security team also reported discovering that Lazarus had been lurking on social media platforms like Twitter, LinkedIn, and Telegram, using fake identities to pose as active industry vulnerability researchers to gain trust and launch 0-day attacks against other vulnerability researchers.
According to research by Kaspersky, this year the BlueNorOff organization has been keen on tracking and studying successful cryptocurrency startups, aiming to establish good personal relationships with team management and to understand topics of potential interest. They may even get hired by, or pose as job applicants to, target companies in order to infiltrate them and launch high-quality social engineering attacks.
A report from the U.S. government further disclosed that intrusions often begin with a large number of spear-phishing messages sent to employees of cryptocurrency companies on various communication platforms. These employees typically engage in system administration or software development/IT operations (DevOps). These messages often mimic job offers and provide high-paying positions to entice recipients to download cryptocurrency applications containing malware.
After implanting malicious files on the target computer, if the attacker finds that the target uses the Metamask extension to manage their crypto wallet, they switch the extension from the Web Store version to a locally loaded copy and replace its core component (background.js) with a tampered version. The screenshot below shows the infected Metamask background.js code, with the injected lines highlighted in yellow. In this case, the attacker sets up monitoring of transactions between specific sender and recipient addresses, triggering a notification when a large transfer is detected.
Additionally, if the attacker realizes that the target user's cryptocurrency is stored in a hardware wallet, they will intercept the transaction process and inject malicious logic. When the user transfers funds to another account, the transaction will be signed on the hardware wallet. However, since this operation is initiated by the user, it does not raise suspicion. The attacker not only modifies the recipient address but also increases the transfer amount to the maximum.
This may sound simple, but it requires a thorough analysis of the Metamask extension, which contains over 6MB of JavaScript code (approximately 170,000 lines), and code injection that rewrites transaction details as needed while the user operates the extension. However, the attacker's modifications to the Chrome extension leave traces: the browser must be switched to developer mode, and the Metamask extension must be loaded from a local directory rather than installed from the online store. For an extension installed from the store, Chrome verifies the code's digital signature and enforces its integrity, which prevents the attacker from completing the attack.
How to Respond
As the scale of the crypto ecosystem grows rapidly, the threat posed by Lazarus Group to the industry is also sharply increasing. According to a recent joint cybersecurity advisory (CSA) issued by the FBI, CISA, and the U.S. Treasury Department, since 2020, North Korean-supported advanced persistent threats (APTs) have begun targeting various organizations in the blockchain and crypto industry, including cryptocurrency exchanges, DeFi protocols, blockchain games, crypto trading companies, crypto venture capital, and individual owners holding large amounts of tokens and NFTs. These organizations may continue to exploit vulnerabilities in cryptocurrency technology companies, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.
To address this, the report suggests mitigation measures including implementing a defense-in-depth security strategy, enforcing credential requirements and multi-factor authentication, and educating users on social engineering in social media and spear-phishing.
Today, the well-known crypto security organization SlowMist also released prevention recommendations regarding this phenomenon: industry practitioners are advised to stay alert to security intelligence from major domestic and international threat intelligence platforms, conduct self-checks, and remain vigilant; developers should perform the necessary security checks before running executable programs; implementing a zero-trust mechanism can effectively reduce the risks posed by such threats; and users of Mac or Windows machines are advised to keep their security software's real-time protection enabled and to update its virus definitions regularly.
In terms of money laundering channels, the Ethereum mixing protocol Tornado Cash recently tweeted that the project is using tools developed by the compliance company Chainalysis to block access to its DApp for crypto wallet addresses sanctioned by the U.S. Office of Foreign Assets Control (OFAC), which appears to be an attempt to cut off Lazarus Group.
However, Tornado Cash co-founder Roman Semenov later tweeted that the blockade only applies to user-facing decentralized applications (dApps) and not to the underlying smart contracts. In other words, this move is more symbolic and is unlikely to substantially affect seasoned hackers mixing coins through Tornado Cash.
Conclusion
The Lazarus Group is a top hacker organization supported by state backing, focusing on long-term, sustained cyber attacks against specific targets to steal funds and achieve political objectives, making it one of the greatest threats to global financial institutions.
At the same time, such organizations' attacks on the crypto ecosystem can indirectly lead to the cryptocurrency market becoming a convenient channel for the North Korean regime to supplement its funds, further stigmatizing the crypto industry and affecting its compliance and standardization processes.
To respond to attacks from hacker organizations like Lazarus Group and maintain a healthy crypto industry ecosystem, crypto projects need to establish more effective preventive mechanisms against such attacks, taking corresponding measures in code auditing, internal controls, user education, and response mechanisms to ensure user asset security as much as possible.
As crypto users, everyone also needs to learn more about security, especially in protecting personal privacy and identifying phishing links. Given that even seasoned users like Arthur, the founder of Defiance Capital, have been hacked, no one should overlook such risks.
References:
1. https://en.wikipedia.org/wiki/Lazarus_Group
2. https://blog.chainalysis.com/reports/2022-defi-hacks/
3. https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
4. https://cryptobriefing.com/north-korea-is-targeting-entire-crypto-space-top-vc-warns/