North Korean hacker group Lazarus stole $3 billion over 6 years

Carbon Chain Value
2023-12-04 14:14:22
In addition to stealing cryptocurrency, North Korean hackers have also learned cryptocurrency mining.

Compilation: Carbon Chain Value


Recently, a report released by the cybersecurity company Recorded Future indicated that the North Korean-linked hacker group Lazarus Group has stolen $3 billion in cryptocurrency over the past six years.

The report states that in 2022 alone, Lazarus Group plundered $1.7 billion in cryptocurrency, likely funding North Korean projects.

Blockchain data analysis company Chainalysis noted that $1.1 billion of this was stolen from DeFi platforms. The U.S. Department of Homeland Security released a report in September that highlighted Lazarus's exploitation of DeFi protocols as part of its Analysis Exchange Program (AEP).

Lazarus Group specializes in theft of funds. In 2016, they hacked the Bangladesh Central Bank, stealing $81 million. In 2018, they attacked the Japanese cryptocurrency exchange Coincheck, stealing $530 million, and also targeted the Malaysian Central Bank, stealing $390 million.

Key excerpts from the report, as compiled by Carbon Chain Value, for reference:

Since 2017, North Korea has targeted the cryptocurrency industry for cyberattacks, stealing cryptocurrency worth over $3 billion. Prior to this, North Korea had hijacked the SWIFT network and siphoned funds from financial institutions. This activity has drawn close attention from international organizations, prompting financial institutions to invest in improving their cybersecurity defenses.

In 2017, as cryptocurrency began to gain mainstream popularity, North Korean hackers shifted their targets from traditional finance to this new form of digital finance, initially focusing on the South Korean cryptocurrency market and later expanding their influence globally.

In 2022 alone, North Korean hackers were accused of stealing approximately $1.7 billion in cryptocurrency, a figure equivalent to about 5% of North Korea's domestic economic scale or 45% of its military budget. This amount is nearly ten times North Korea's export value in 2021, with data from the OEC website indicating that North Korea's exports that year totaled $182 million.

The methods by which North Korean hackers steal cryptocurrency are often similar to those of traditional cybercriminal operations, which use crypto mixers, cross-chain transactions, and fiat OTC trades to launder the proceeds. However, with a state backing them, they can scale their operations in ways that traditional cybercrime groups cannot.

Data tracking shows that in 2022, approximately 44% of stolen cryptocurrency was linked to North Korean hacking activities.

North Korean hackers do not limit their targets to exchanges; individual users, venture capital firms, and other technologies and protocols have also been attacked by North Korean hackers. All entities operating in the industry and individuals working there could potentially become targets of North Korean hackers, allowing the North Korean government to continue its operations and raise funds.

Anyone working in the cryptocurrency industry, including users, exchange operators, and startup founders, should be aware that they may become targets of hacking attacks.

Traditional financial institutions should also closely monitor the activities of North Korean hacker groups. Once cryptocurrency is stolen and converted into fiat, North Korean hackers will transfer funds between different accounts to obscure the source. Typically, stolen identities and modified photos are used to bypass AML/KYC verification. Any personal identifiable information (PII) of individuals who become victims of breaches related to North Korean hacker teams may be used to register accounts to complete the money laundering process for stolen cryptocurrency. Therefore, companies operating outside the cryptocurrency and traditional financial sectors should also be vigilant about North Korean hacker group activities and whether their data or infrastructure is being used as a launchpad for further intrusions.

Most intrusions by North Korean hacker organizations begin with social engineering and phishing. Organizations should train employees to recognize such activity and implement strong multi-factor authentication, such as passwordless authentication that complies with the FIDO2 standard.

North Korea clearly views the continued theft of cryptocurrency as a primary source of income to fund its military and weapons projects. While it is currently unclear how much of the stolen cryptocurrency is directly used to fund ballistic missile launches, it is evident that both the amount of cryptocurrency stolen in recent years and the number of missile launches have significantly increased. Without stricter regulations, cybersecurity requirements, and investments in the cybersecurity of cryptocurrency companies, North Korea is almost certain to continue using the cryptocurrency industry as a source of additional revenue for the state.

On July 12, 2023, U.S. enterprise software company JumpCloud announced that a North Korean-backed hacker had breached its network. Mandiant researchers subsequently released a report indicating that the group responsible for the attack was UNC4899, likely corresponding to "TraderTraitor," a North Korean hacker organization focused on cryptocurrency. On August 22, 2023, the FBI issued a notice stating that North Korean hacker groups were involved in the hacks of Atomic Wallet, Alphapo, and CoinsPaid, collectively stealing $197 million in cryptocurrency. The theft of these cryptocurrencies has enabled the North Korean government to continue operating under strict international sanctions and to fund up to 50% of the cost of its ballistic missile program.

In 2017, North Korean hackers breached South Korean exchanges Bithumb, Youbit, and Yapizon, stealing cryptocurrency valued at approximately $82.7 million. There were also reports that after the personal identity information of Bithumb users was leaked in July 2017, cryptocurrency users became targets of attacks.

In addition to stealing cryptocurrency, North Korean hackers have also learned cryptocurrency mining. In April 2017, researchers from Kaspersky Lab discovered Monero mining software installed during an APT38 intrusion.

In January 2018, researchers from the Korea Financial Security Institute announced that North Korea's Andariel organization had breached the server of an undisclosed company in the summer of 2017 and mined approximately 70 Monero coins, which were worth about $25,000 at the time.

In 2020, security researchers continued to report new cyberattacks by North Korean hackers targeting the cryptocurrency industry. The North Korean hacker group APT38 attacked cryptocurrency exchanges in the U.S., Europe, Japan, Russia, and Israel, using LinkedIn to make initial contact with targets.

2021 was the peak year for North Korea's attacks on the cryptocurrency industry, with North Korean hackers breaching at least seven cryptocurrency institutions and stealing $400 million in cryptocurrency. Additionally, North Korean hackers began targeting altcoins, including ERC-20 tokens and NFTs.

In January 2022, Chainalysis researchers confirmed that $170 million in cryptocurrency stolen since 2017 had still not been cashed out.

Significant attacks attributed to APT38 in 2022 included the Ronin Network cross-chain bridge (loss of $600 million), the Harmony bridge (loss of $100 million), the Qubit Finance bridge (loss of $80 million), and the Nomad bridge (loss of $190 million). These four attacks specifically targeted the cross-chain bridges of these platforms. Cross-chain bridges connect two blockchains, allowing users to move assets from one blockchain to another that holds different cryptocurrencies.

In October 2022, the Japanese National Police Agency announced that Lazarus Group had attacked companies in the cryptocurrency industry operating in Japan. Although no specific details were provided, the statement indicated that some companies had been successfully breached and cryptocurrency was stolen.

Between January and August 2023, APT38 reportedly stole $200 million from Atomic Wallet (two attacks totaling $100 million in losses), AlphaPo (two attacks totaling $60 million in losses), and CoinsPaid ($37 million in losses). Also in January, the FBI confirmed that APT38 was responsible for the theft of $100 million in virtual currency from Harmony's Horizon bridge.

In the July 2023 CoinsPaid attack, APT38 operators may have impersonated recruiters, specifically targeting CoinsPaid employees with recruitment emails and LinkedIn messages. CoinsPaid stated that APT38 spent six months attempting to gain access to its network.

Mitigation Measures

Here are the preventive recommendations proposed by Insikt Group to protect cryptocurrency users and companies from North Korean cyberattacks:

  • Enable multi-factor authentication (MFA): Use hardware devices like YubiKey for wallets and transactions to enhance security.
  • Enable any available MFA settings for cryptocurrency exchanges to maximize protection against unauthorized logins or theft.
  • Verify that social media accounts are genuinely verified, and check whether usernames contain special characters or numeric substitutions for letters.
  • Ensure that requested transactions are legitimate, verifying any airdrops or other free cryptocurrency or NFT promotional activities.
  • Always check official sources when receiving airdrops or other content from platforms like Uniswap or others.
  • Always check URLs and observe redirects after clicking links to ensure the website is the official site and not a phishing site.

Here are some tips for defending against social media scams:

  • Be especially cautious when conducting cryptocurrency transactions. Cryptocurrency assets have no institutional guarantees to mitigate "traditional" fraud.
  • Use hardware wallets. Hardware wallets may be more secure than "hot wallets" like MetaMask that are always connected to the internet. For hardware wallets connected to MetaMask, all transactions must be approved through the hardware wallet, providing an additional layer of security.
  • Only use trusted dApps (decentralized applications) and verify smart contract addresses to confirm their authenticity and integrity. Genuine NFT minting interactions rely on smart contracts that may be part of larger dApps. Contract addresses can be verified using MetaMask, blockchain explorers (like Etherscan), or sometimes directly within the dApp.
  • Double-check the URLs of official websites to avoid impersonation. Some cryptocurrency theft phishing pages may rely on misspellings of domain names to deceive unsuspecting users.
  • Be skeptical of offers that seem too good to be true. Cryptocurrency theft phishing pages may lure victims with favorable cryptocurrency trading rates or low gas fees for NFT minting interactions.
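A defensive check for the URL and username bullets in both lists above (lookalike domain names, numeric or symbol substitutions for letters, special characters in handles, and URL tricks such as a misleading `official.org@` prefix), as an added example that is not from the article, Insikt Group, or Recorded Future. The allowlist of official hosts and names and the sample inputs are constructed for illustration.

```python
# Lookalike check for URLs and social-media handles against a constructed allowlist.
# Added example (not from the article); flags digit/symbol substitutions, special
# characters, and misspellings or TLD swaps of an official name.
import itertools
import re
import unicodedata
OFFICIAL_HOSTS = {"uniswap.org", "app.uniswap.org", "metamask.io", "etherscan.io"}  # constructed
OFFICIAL_NAMES = {"uniswap", "metamask", "etherscan"}  # constructed: registrable names and handles
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "|": "il", "@": "a"}

def fold(name):
    """Lower-case; strip accents, combining marks and zero-width characters."""
    name = unicodedata.normalize("NFKD", name.lower())
    return "".join(c for c in name if not unicodedata.combining(c) and c.isprintable())

def readings(name):
    """Every way of reading the name with digit/symbol substitutions undone (1 -> i or l)."""
    return {"".join(p) for p in itertools.product(*[LEET.get(c, c) for c in name])}

def levenshtein(a, b):
    prev = list(range(len(b) + 1))  # plain edit distance for one- or two-character typos
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Host of a URL with scheme, path, port and any 'official.org@' userinfo prefix removed."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower()).split("/")[0]
    return host.rsplit("@", 1)[-1].split(":")[0]

def classify(candidate):
    """Verdict for a URL or @handle: official, impersonation, lookalike or unrelated."""
    is_url = "." in candidate
    host = host_of(candidate) if is_url else candidate.strip().lstrip("@").lower()
    if host in (OFFICIAL_HOSTS if is_url else OFFICIAL_NAMES):
        return {"verdict": "official", "closest": host, "flags": []}
    label = host.split(".")[-2] if is_url else host  # registrable label, e.g. "un1swap"
    folded, flags = fold(label), []
    if folded != label or re.search(r"[^a-z0-9-]", folded):
        flags.append("special_chars")  # non-ASCII, zero-width or punctuation characters
    if any(c in LEET for c in folded):
        flags.append("letter_substitution")
    dist, closest = min((levenshtein(r, o), o) for r in readings(folded) for o in OFFICIAL_NAMES)
    if dist == 0:
        verdict = "impersonation"  # official name under another TLD or in leet spelling
    elif dist <= 2 or any(o in folded for o in OFFICIAL_NAMES):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"verdict": verdict, "closest": closest, "flags": flags}
```

In practice the allowlist would be the bookmarks or published official links a team maintains; the check is a screen before clicking or transacting, not a substitute for it.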