Lazarus Cryptocurrency Hacks Estimated To Be $3 Billion
Threat actors from North Korea have been increasingly targeting the cryptocurrency sector since 2017 as a source of generating revenue.
Reports have claimed that the country’s ruling elite and computer science professionals have access to new information and technology, equipping them with the skills needed to conduct cryptocurrency cyber attacks. In this article, we’ll dive into the details of the Lazarus cryptocurrency hacks and look at the tactics the group has deployed.
Origins Of The Lazarus Group
Lazarus is a group of threat actors that first emerged back in 2009 and is believed to have ties with the North Korean government. The belief stems from the fact that a majority of their hacks target South Korea and are aimed at causing disruption and destruction.
However, Lazarus threat actors are known for conducting attacks for financial motives, too. Some of their most infamous attacks not related to cybercrime in the blockchain industry include:
- Stealing a large amount of sensitive data from Sony Pictures in 2014, causing damages estimated at $150 million.
- Using the EternalBlue exploit to infect thousands of computers worldwide with ransomware in 2017, causing losses estimated at $4 billion.
- Targeting the SWIFT system and stealing $81 million from the Bangladesh Central Bank.
The Lazarus Cryptocurrency Hacks
Lazarus has been a prominent player in cybercrime in the blockchain industry since 2017. News reports claim that, over the past six years, the group has stolen $3 billion worth of crypto assets, and that a majority of these funds are used to finance the country’s weapons of mass destruction (WMDs). As of now, several cryptocurrency hacks have been attributed to the Lazarus Group. These include:
- The Harmony Horizon Bridge hack in 2022 for $100 million.
- Hacks pertaining to Atomic Wallet, CoinsPaid, and Alphapo in June and July 2023.
- Stake.com and CoinEx hacks that occurred in September 2023.
As per a report from Chainalysis, hackers linked to North Korea, such as the Lazarus group, stole an estimated $1.7 billion worth of cryptocurrency in 2022 alone. An excerpt from the report reads, “In 2022, they shattered their own records for theft, stealing an estimated $1.7 billion worth of cryptocurrency across several hacks we’ve attributed to them.”
Lazarus Group Techniques For Crypto Heists
Decentralized Finance (DeFi) platforms allow users to exchange cryptocurrencies without the platform taking custody of the user’s funds. A report from the U.S. Department of Homeland Security (DHS) notes that this functionality benefits threat actors: it lets them decide exactly when to execute a transaction that swaps the stolen crypto from one asset type to another.
Leveraging such protocols makes attribution and the tracking of stolen cryptocurrency funds more difficult. These hackers are also known for using social engineering to target employees and for exploiting vulnerabilities in cryptocurrency exchanges. They lure victims with lucrative job offers and then deliver malware that grants them remote access to the organization’s network.
Once access is acquired, the threat actors drain the assets and move them to wallets they control. Other notable methods include phishing campaigns that prompt targets to download trojanized cryptocurrency applications that steal their assets. The group is also known for using mixing services to hide its trail and evade financial sector cybersecurity measures.
It’s worth mentioning that such services are available on platforms that do not enforce any anti-money laundering (AML) or know-your-customer (KYC) policies. The Lazarus group is known for its use of custom malware; both MagicRAT and QuiteRAT have been linked to the group. Furthermore, these threat actors are also capable of exploiting zero-day vulnerabilities during their attacks.
Defending Against Lazarus Group Attacks
Given the severity and impact of the Lazarus cryptocurrency hacks, learning how to defend against and counter these threats is paramount for crypto platforms worldwide. Although the exact countermeasures and proactive steps vary from one attack or technique to another, some general best practices include:
- Training For Employees: As mentioned, threat actors use social engineering tactics to gain access. Training employees enables them to recognize and steer clear of such attacks.
- Improving Security Posture: Threat actors like the Lazarus group deploy different techniques to fulfill their malicious intents. Using endpoint security measures capable of detecting and blocking custom malware, as well as deploying user authentication and access control solutions, helps improve security posture and prevent attacks.
- Adopting A Zero-Trust Approach: Users and devices often have unnecessary access to resources and information. When credentials are compromised or a vulnerability is exploited, that excess access makes unauthorized access and lateral movement seamless for threat actors and worsens the impact of an attack.
Working with a zero-trust approach, on the other hand, ensures just enough access and continuous authentication, limiting the damage of an attack or eliminating the possibility of one altogether.
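To make the "just enough access" and "continuous authentication" ideas concrete, the following is an added example, not code from the original article or from any of the platforms it names. It is a minimal deny-by-default access policy evaluator: every request is judged on its own, the session must be fresh and MFA-backed, and a role may only perform the exact action it was granted on the exact resource. The roles, resources, session limit and request log are all hypothetical values constructed for the example; a compromised low-privilege account (the phishing and fake-job-offer scenario above) cannot reach the hot wallet even though its credentials are valid.

```python
"""Added example: deny-by-default, per-request access evaluation.

Everything here (roles, resources, the 15-minute session limit and the
sample requests) is constructed for illustration and is not taken from
any real exchange or from the article.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical role -> set of (resource, action) grants. Anything not
# listed is denied. Note that no single role can both initiate and
# approve a transfer (separation of duties).
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "support": {("tickets", "read"), ("tickets", "write")},
    "treasury-ops": {("hot-wallet", "read"), ("hot-wallet", "initiate-transfer")},
    "treasury-approver": {("hot-wallet", "read"), ("hot-wallet", "approve-transfer")},
}

# Assumed policy: force re-authentication once a session is older than this.
MAX_SESSION_AGE_S = 15 * 60


@dataclass(frozen=True)
class Request:
    principal: str        # who is asking
    role: str             # role asserted by the identity provider
    resource: str         # what they want to touch
    action: str           # what they want to do to it
    mfa_verified: bool    # was a second factor completed for this session
    auth_age_s: int       # seconds since the principal last authenticated
    device_compliant: bool  # did the endpoint pass posture checks


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; default is deny."""
    if not req.device_compliant:
        return False, "device failed posture check"
    if not req.mfa_verified:
        return False, "mfa not verified"
    if req.auth_age_s > MAX_SESSION_AGE_S:
        return False, "session stale; re-authentication required"
    granted = ROLE_PERMISSIONS.get(req.role, set())
    if (req.resource, req.action) not in granted:
        return False, f"role {req.role!r} not granted {req.action!r} on {req.resource!r}"
    return True, "allowed"


# Constructed request log: one stolen support account trying to reach the
# wallet, one legitimate treasury action, and one stale treasury session.
SAMPLE_REQUESTS = [
    Request("support-alice", "support", "tickets", "read", True, 120, True),
    Request("support-alice", "support", "hot-wallet", "initiate-transfer", True, 120, True),
    Request("ops-bob", "treasury-ops", "hot-wallet", "initiate-transfer", True, 300, True),
    Request("ops-bob", "treasury-ops", "hot-wallet", "approve-transfer", True, 300, True),
    Request("ops-bob", "treasury-ops", "hot-wallet", "initiate-transfer", True, 3600, True),
    Request("approver-carol", "treasury-approver", "hot-wallet", "approve-transfer", False, 60, True),
]


def decisions(requests: list[Request]) -> list[tuple[str, str, str, bool, str]]:
    """Evaluate each request and return (principal, resource, action, allowed, reason)."""
    return [(r.principal, r.resource, r.action, *evaluate(r)) for r in requests]


if __name__ == "__main__":
    for principal, resource, action, allowed, reason in decisions(SAMPLE_REQUESTS):
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {principal:<15} {action:<18} {resource:<11} {reason}")
```

Running the block prints one line per request; only the support account reading tickets and the fresh, MFA-backed treasury-ops transfer initiation are allowed. The point is that the evaluator asks four independent questions on every request instead of trusting a session once, so a stolen credential, a stale session or an over-broad role each fails on its own.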
Conclusion
The Lazarus group has been an infamously prominent entity as far as cybercrime in the blockchain and crypto industry is concerned.
These threat actors are known for using custom malware, social engineering, phishing, and trojans as part of their arsenal for cryptocurrency hacks. To safeguard against such attacks, platforms must use proactive cybersecurity measures and stay updated with security best practices.
The sources for this piece include The Hacker News and Recorded Future.