North Korean hackers Lazarus Group stole $3 billion in cryptocurrency over 6 years

Carbon chain value
2023-12-02 20:52:40
Enhance awareness of prevention and pay attention to asset security.

Author: Carbon Chain Value


Recently, a report released by the cybersecurity company Recorded Future revealed that the North Korean-linked hacker group Lazarus Group has stolen $3 billion in cryptocurrency over the past six years.

The report states that in 2022 alone, Lazarus Group plundered $1.7 billion in cryptocurrency, likely funding North Korean projects.

Blockchain data analysis company Chainalysis indicated that $1.1 billion of this was stolen from DeFi platforms. The U.S. Department of Homeland Security released a report in September highlighting Lazarus's exploitation of DeFi protocols as part of its Analysis Exchange Program (AEP).

Lazarus Group specializes in fund theft. In 2016, they hacked the Bangladesh Central Bank and stole $81 million. In 2018, they attacked the Japanese cryptocurrency exchange Coincheck, stealing $530 million, and targeted the Malaysian Central Bank, stealing $390 million.

The report's highlights, as compiled by Carbon Chain Value, are provided below for reference:

Since 2017, North Korea has targeted the cryptocurrency industry for cyberattacks, stealing cryptocurrency worth over $3 billion. Prior to this, North Korea had hijacked the SWIFT network and siphoned funds from financial institutions. This activity has drawn close attention from international organizations, prompting financial institutions to invest in improving their cybersecurity defenses.

In 2017, as cryptocurrency began to gain mainstream popularity, North Korean hackers shifted their targets from traditional finance to this new form of digital finance, initially focusing on the South Korean crypto market and then expanding their influence globally.

In 2022 alone, North Korean hackers were accused of stealing approximately $1.7 billion in cryptocurrency, a figure equivalent to about 5% of North Korea's domestic economic scale or 45% of its military budget. This amount is nearly ten times North Korea's export value in 2021, with OEC website data indicating that North Korea's exports that year totaled $182 million.

The methods North Korean hackers use to steal cryptocurrency in the crypto industry are often similar to traditional cybercriminal operations that utilize crypto mixers, cross-chain transactions, and fiat OTC. However, with a nation backing them, their theft operations can scale up significantly. This operational model is something traditional cybercrime groups cannot achieve.

Data tracking indicates that in 2022, approximately 44% of stolen cryptocurrency was related to North Korean hacker activities.

North Korean hackers do not limit their targets to exchanges; individual users, venture capital firms, and other technologies and protocols have also been attacked by North Korean hackers. All institutions operating in the industry and individuals working there could potentially become targets of North Korean hackers, allowing the North Korean government to continue its operations and raise funds.

Anyone working in the cryptocurrency industry, including users, exchange operators, and startup founders, should be aware that they may become targets of hacker attacks.

Traditional financial institutions should also closely monitor the activities of North Korean hacker organizations. Once cryptocurrency is stolen and converted into fiat, North Korean hackers will transfer funds between different accounts to obscure the source. Typically, stolen identities and modified photos are used to bypass AML/KYC verification. Any personally identifiable information (PII) of individuals who become victims of intrusions related to North Korean hacker teams may be used to register accounts to complete the money laundering process for stolen cryptocurrency. Therefore, companies operating outside the cryptocurrency and traditional financial sectors should also be vigilant about the activities of North Korean hacker groups and whether their data or infrastructure is being used as a springboard for further intrusions.

Most intrusions by North Korean hacker organizations begin with social engineering and phishing. Organizations should train employees to recognize such activity and should deploy strong multi-factor authentication, such as passwordless authentication based on the FIDO2 standard.

North Korea clearly views the continued theft of cryptocurrency as a primary source of income to fund its military and weapons projects. While it is currently unclear how much of the stolen cryptocurrency is directly used to fund ballistic missile launches, it is evident that both the amount of cryptocurrency stolen and the number of missile launches have significantly increased in recent years. Without stricter regulations, cybersecurity requirements, and investments in the cybersecurity of cryptocurrency companies, North Korea will almost certainly continue to use the cryptocurrency industry as a source of additional state revenue.

On July 12, 2023, U.S. enterprise software company JumpCloud announced that a North Korean-backed hacker had breached its network. Mandiant researchers subsequently released a report indicating that the group responsible for the attack was UNC4899, likely corresponding to "TraderTraitor," a North Korean hacker organization focused on cryptocurrency. As of August 22, 2023, the FBI issued a notice stating that North Korean hacker organizations were involved in the hacks of Atomic Wallet, Alphapo, and CoinsPaid, collectively stealing $197 million in cryptocurrency. The theft of these cryptocurrencies has enabled the North Korean government to continue operating under strict international sanctions and fund up to 50% of its ballistic missile program costs.

In 2017, North Korean hackers breached South Korean exchanges Bithumb, Youbit, and Yapizon, stealing cryptocurrency worth approximately $82.7 million. Reports also indicated that after the personal identification information of Bithumb users was leaked in July 2017, cryptocurrency users became targets of attacks.

In addition to stealing cryptocurrency, North Korean hackers have also turned to cryptocurrency mining. In April 2017, researchers at Kaspersky Lab discovered Monero mining software installed during an APT38 intrusion.

In January 2018, researchers at the Korea Financial Security Institute announced that North Korea's Andariel organization had breached the server of an undisclosed company in the summer of 2017 and mined approximately 70 Monero coins, which were worth about $25,000 at the time.

In 2020, security researchers continued to report new cyberattacks by North Korean hackers targeting the cryptocurrency industry. The North Korean hacker group APT38 attacked cryptocurrency exchanges in the U.S., Europe, Japan, Russia, and Israel, using LinkedIn to make initial contact with targets.

2021 was the peak year for North Korean attacks on the cryptocurrency industry, with North Korean hackers breaching at least seven cryptocurrency institutions and stealing $400 million worth of cryptocurrency. Additionally, North Korean hackers began targeting altcoins, including ERC-20 tokens and NFTs.

In January 2022, Chainalysis researchers confirmed that $170 million worth of cryptocurrency remained unclaimed since 2017.

Significant attacks attributed to APT38 in 2022 included the Ronin Network cross-chain bridge (loss of $600 million), Harmony bridge (loss of $100 million), Qubit Finance bridge (loss of $80 million), and Nomad bridge (loss of $190 million). All four attacks specifically targeted the platforms' cross-chain bridges. A cross-chain bridge connects two blockchains, allowing users to move assets from one chain to another that holds different cryptocurrencies.

In October 2022, the Japanese National Police Agency announced that Lazarus Group had attacked companies in the cryptocurrency industry operating in Japan. Although no specific details were provided, the statement indicated that some companies had suffered successful intrusions, and cryptocurrency had been stolen.

Between January and August 2023, APT38 reportedly stole $200 million from Atomic Wallet (two attacks totaling $100 million loss), AlphaPo (two attacks totaling $60 million loss), and CoinsPaid ($37 million loss). Also in January, the FBI confirmed that APT38 was responsible for the $100 million theft of virtual currency from Harmony's Horizon bridge.

In the July 2023 CoinsPaid attack, APT38 operators may have impersonated recruiters, specifically targeting CoinsPaid employees with recruitment emails and LinkedIn messages. CoinsPaid stated that APT38 spent six months attempting to gain access to its network.

Mitigation Measures

Here are the preventive recommendations proposed by Insikt Group to protect cryptocurrency users and companies from North Korean cyberattacks:

Enable multi-factor authentication (MFA): use hardware security keys such as YubiKey for wallets and transactions to enhance security.

Enable every MFA setting a cryptocurrency exchange offers, to maximize protection against unauthorized logins or theft.

Verify that social media accounts are genuinely verified, and check whether usernames contain special characters or digits substituted for letters.

Confirm that any requested transaction is legitimate, and verify any airdrop or other free cryptocurrency or NFT promotion before interacting with it.

When receiving airdrops or other content purporting to come from Uniswap or another major platform, always check the platform's official sources.

Always check URLs and watch for redirects after clicking a link, to make sure the site is the official one and not a phishing page.

Here are some tips for defending against social media scams:

Be extra cautious when trading cryptocurrency. Cryptocurrency assets have no institutional guarantees to mitigate "traditional" fraud.

Use hardware wallets. Hardware wallets may be more secure than "hot wallets" like MetaMask that are always connected to the internet. For hardware wallets connected to MetaMask, all transactions must be approved through the hardware wallet, providing an additional layer of security.

Only use trusted dApps (decentralized applications) and verify smart contract addresses to confirm their authenticity and integrity. Genuine NFT minting interactions rely on smart contracts that may be part of a larger dApp. Contract addresses can be verified using MetaMask, blockchain explorers (like Etherscan), or sometimes directly within the dApp.

Double-check the URLs of official websites to avoid impersonation. Some cryptocurrency theft phishing pages may rely on misspellings of domain names to deceive unsuspecting users.

Be skeptical of offers that seem too good to be true. Cryptocurrency theft phishing pages lure victims with favorable cryptocurrency trading rates or low Gas fees for NFT minting interactions.
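The two checks recommended above, looking for special characters or digits standing in for letters in usernames and for misspelled domain names on phishing pages, can be automated as a lookalike filter. The following is an added example, not code from the original article or from Insikt Group. It normalizes a candidate name to the letters a reader would perceive and compares it against an allowlist; the allowlists, thresholds and function names (`normalize`, `assess`) are constructed assumptions. It goes slightly beyond the text by also flagging non-ASCII (internationalized/punycode) labels, which are another common way to imitate a brand name.

```python
"""Lookalike check for domain names and social-media handles.

Added example (not from the original article): applies the article's
advice about digit/symbol substitutions and misspelled domains against a
small allowlist. The allowlists below are constructed for illustration;
an operator would build them from each platform's official sources.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlists (assumption for this example).
OFFICIAL_DOMAINS = {"uniswap.org", "app.uniswap.org", "metamask.io", "etherscan.io"}
OFFICIAL_HANDLES = {"uniswap", "metamask", "etherscan"}

# Digits and symbols commonly used in place of letters in lookalike names.
SUBSTITUTES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
               "8": "b", "$": "s", "@": "a", "|": "l", "!": "i"}
# Letter pairs that render like a single letter in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}
# SequenceMatcher ratio at or above which a name counts as a near-miss.
SIMILARITY_THRESHOLD = 0.85


def normalize(name: str) -> str:
    """Reduce a name to the letters a reader would perceive (a 'skeleton').

    Both the candidate and the official names go through this, so ambiguous
    glyphs (i / l / 1 / |) land in the same class on both sides.
    """
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))  # strip accents
    s = s.lower()
    s = "".join(SUBSTITUTES.get(c, c) for c in s)
    s = s.replace("i", "l")  # i, l, 1 and | are routinely confused
    for pair, letter in DIGRAPHS.items():
        s = s.replace(pair, letter)
    return s


def assess(name: str, allowlist: set, kind: str = "domain") -> dict:
    """Classify a domain or handle as 'official', 'suspicious' or 'unknown'.

    'suspicious' means at least one lookalike indicator fired; 'unknown'
    means nothing fired but the name is not on the allowlist either.
    """
    name = name.strip().lower().rstrip(".")
    if kind == "handle":
        name = name.lstrip("@")
    if name in allowlist or (
        kind == "domain" and any(name.endswith("." + d) for d in allowlist)
    ):
        return {"verdict": "official", "findings": []}

    findings = []
    if any(ord(c) > 127 for c in name):
        findings.append("contains non-ASCII characters")
    try:
        # The punycode form differs from the typed form only for IDN labels.
        ascii_form = name.encode("idna").decode("ascii")
        if ascii_form != name:
            findings.append(f"punycode form is {ascii_form}")
    except UnicodeError:
        findings.append("not a valid internationalized name")
    if any(c in SUBSTITUTES for c in name):
        findings.append("digit or symbol used where a letter is expected")

    skeleton = normalize(name)
    for official in sorted(allowlist):
        target = normalize(official)
        if skeleton == target:
            findings.append(f"normalizes to official name {official!r}")
        elif target in skeleton:
            findings.append(f"embeds official name {official!r} with extra characters")
        elif SequenceMatcher(None, skeleton, target).ratio() >= SIMILARITY_THRESHOLD:
            findings.append(f"near-miss of official name {official!r}")

    return {"verdict": "suspicious" if findings else "unknown", "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs mixing genuine and lookalike names.
    for candidate in ["app.uniswap.org", "un1swap.org", "rnetamask.io",
                      "app-uniswap.org", "uni\u0455wap.org", "example.com"]:
        print(candidate, assess(candidate, OFFICIAL_DOMAINS))
    for handle in ["@uniswap", "@Un1swap_Official"]:
        print(handle, assess(handle, OFFICIAL_HANDLES, kind="handle"))
```

The verdicts are triage hints rather than proof: a legitimate name that happens to contain a digit will be marked suspicious, and an "unknown" result only says the name resembles nothing on the allowlist, so the official-source check the article recommends still applies before any transaction is signed.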
