All You Need to Know about North Korean Crypto Hackers: The Lazarus Group

NEFTURE SECURITY I Blockchain Security
Coinmonks
10 min read · Apr 18, 2024


Famous for being behind the biggest crypto heist in history, the North Korean state-sponsored hacking group Lazarus has heavily plagued the crypto space, stealing more than $3 billion in the past 3 years.

But their reach goes well beyond the crypto space. They have in fact been plaguing the whole world for the last 17 years.

The hackers of the Lazarus group belong to the Reconnaissance General Bureau, a military intelligence division of North Korea, recognized by aliases such as Advanced Persistent Threat 38 (APT 38) and Hidden Cobra. As per North Korean defector Kim Kuk-song, internally, the unit is referred to as the 414 Liaison Office.

Responsible for some of the largest cyberattacks worldwide, their activity dates back to 2007 with “Operation Flame,” which aimed to disrupt and sabotage the South Korean government.

Through the years, their attacks have served a double aim: disrupting states, critical national companies and systems, while also bringing in much-needed funds to be funneled into North Korea’s coffers.

Their classic cyberattack tactics range from spear-phishing, watering hole attacks, droppers, malware and backdoors to the exploitation of zero-day vulnerabilities.

Their most well-known exploits were the heavily press-covered Sony Pictures hack in 2014, carried out in retaliation for the company producing ‘The Interview,’ an extremely satirical movie about North Korea’s leader Kim Jong-Un, and the biggest ransomware attack in history.

The WannaCry ransomware attack took place in 2017 and impacted more than three hundred thousand computers in over 150 countries in a single weekend. The attack caused considerable disruption across the world, hitting entities such as the Russian Foreign Ministry, Vodafone, FedEx, Deutsche Bank, Renault, Telefónica, the UK National Health Service, and Liège University Hospital.

Their latest global cyberattack exploited a Windows vulnerability to deploy a rootkit, giving the Lazarus Group extensive control over affected systems by suspending the Protected Process Light (PPL) processes of Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

To grasp the extent of their cybercriminal activity: when the BBC decided to cover the Lazarus Group, it needed no fewer than 19 podcast episodes, and that only covers the tip of the iceberg.

The Lazarus Group is a tentacular organization whose range of cyberattacks seems infinite.

When it comes to perpetrating crypto crimes, though, the Lazarus Group has over the years developed a very distinct signature, while simultaneously exploring many crypto money laundering techniques.

The Lazarus Group started its crypto heist journey with a bang when it forced the South Korean Bitcoin exchange Youbit into bankruptcy following two hacks perpetrated against it in 2017. These hacks led to the successive loss of 4,000 Bitcoin (~$70 million) and 17% of the exchange’s assets.

Over the following years, the Lazarus Group mainly focused on creating, deploying, and marketing multiple malicious cryptocurrency and bogus blockchain platforms, while occasionally hacking cryptocurrency businesses. In 2018, for instance, they siphoned $530 million from the Japanese cryptocurrency exchange Coincheck.

However, by 2020, the crypto landscape had changed. That year marked the entry of cryptocurrencies into a whole new dimension, bringing in a flow of new entrants and funds. More than ever before, the crypto space was bursting at the seams with money, which in turn led the Lazarus Group to intensify its attacks in a bid to grab its share of the pie.

Lazarus Group members Jon Chang Hyok (31), Kim Il (27), and Park Jin Hyok (36), charged by the U.S. in 2021 over a $1.3 billion cryptocurrency heist — Source: The Hacker News

Over the following years, the Lazarus Group successfully applied a particular tactic that allowed them to score big: social engineering.

Social Engineering and Private Key Exploits: The Lazarus Group Signature

It was through a simple PDF and a fake job offer that the biggest heist in crypto history took place in 2022 when Ronin Bridge lost an astounding $624 million to the Lazarus Group.

It is a mix of phishing through social networks and social engineering that allowed them to bank most of the $3 billion stolen over the past years.

In those cases, social engineering — the manipulation of individuals through psychological tactics to gain unauthorized access to systems or information — allowed the Lazarus Group to gain access to their private keys and then siphon away their funds.

Private Keys, the Achilles’ Heel of the Crypto Space

Web3 companies are particularly vulnerable to devastating private key exploits, as a recent report from the Web3 firm De.Fi reveals. According to the report, poor governance practices pose a threat to 75% of top tokens.

Only 16.6% of the contracts analyzed were managed by multisig wallets, which require up to five different private keys to approve any transaction. Multisig is not even a sophisticated security tool; using it is the most basic security step any protocol can take to safeguard against inside jobs (social-engineered or not), scams, and hacks.

Although this report primarily concerns tokens, it accurately represents the lax approach to security practice in the entire Web3 landscape.

A lack of security measures proves to be a key factor in most private key exploits, whether through social engineering or otherwise, since a single compromised wallet is enough to compromise a whole protocol.

The lax security practices have become the Achilles’ heel of the crypto space, and the Lazarus Group quickly caught on to this.

Private key exploits through social engineering have become their crypto villain signature.

The Lazarus Group’s Modus Operandi for Private Key Exploits

Out of the nine hacks traced back to the Lazarus Group in 2024, seven of them happened through private keys being compromised.

The nature of one of these hacks remains undisclosed: the Atomic Wallet hack, which ultimately allowed them to steal the private keys of Atomic Wallet users.

While the compromise of private keys was acknowledged in other cases, the specific details of how it occurred were never fully disclosed, except for one case: the CoinsPaid hack.

Brute force attacks and supply chain attacks are also techniques used to gain access to private keys, but the tactic used in the CoinsPaid hack is likely a more accurate representation of the techniques the Lazarus Group used in the other seven private key compromise cases.

As in the Ronin case, the private key exploit was made possible by malware delivered through ingenious social engineering tactics.

On July 22nd, the Lazarus Group stole $37 million from the Estonia-based cryptocurrency payments firm CoinsPaid via LinkedIn.

According to CoinsPaid’s post-mortem report, the Lazarus Group initially attempted to breach their systems through conventional hacking methods starting in March 2023.

After months without success, they fell back on their proven tactic: the fake job offer route.

Source: CoinsPaid

They dangled extremely appealing high-salary job offers in front of CoinsPaid’s employees, with compensation ranging from 16,000 to 24,000 USD a month, and waited for an employee to fall into their trap.

An employee, whether inattentive or simply unaware of the risk, took the bait and sat a fake job interview with them, during which he was asked to download a piece of software to complete a technical task.

Unfortunately, he did not conduct the job interview on his own personal computer but instead used one that had access to CoinsPaid’s infrastructure.

The “software” was malicious code that allowed the Lazarus Group “to gain remote control of a computer for the purpose of infiltrating and accessing CoinsPaid’s internal systems,” per CoinsPaid.

After gaining access to CoinsPaid’s infrastructure, they successfully opened a backdoor that “allowed them to create authorised requests to withdraw funds from CoinsPaid hot wallets.”

Source: CoinsPaid

That’s how $37 million was lost to the Lazarus Group.

This technique of finding weaknesses in people rather than in code has proven fruitful.

And not only to the Lazarus Group’s benefit.

In our latest monthly crypto crime report, we unveiled the advent of a new serial hacker (or group?) who is copying the Lazarus Group’s technique almost to a T!

Now, thieving is one thing, money laundering is another.

How Lazarus Group Cashes Out

Over the past two years, amidst a global push for stricter regulations and the enforcement of anti-money laundering measures within the crypto sphere, money laundering has become increasingly challenging.

Nonetheless, the Lazarus Group has demonstrated the full extent of its ingenuity and adaptability.

In a bid to obfuscate their traces, send authorities all over the world on a wild goose chase, and cash out their ill-gotten funds in peace, they have tried every technique under the sun and always seem able to summon new ones.

Tellingly, one way to recognize whether a hack was perpetrated by the Lazarus Group is to analyze the escape routes the funds take.

When Chris Larsen, chairman of Ripple, had his entire wallet wiped out on January 31st, 2024, due to a private key exploit, the hypothesis that the Lazarus Group was behind the hack was raised. It was quickly dismissed, however, after blockchain forensics revealed that the escape routes chosen by the hacker(s) were the crypto exchanges MEXC, Gate, Binance, Kraken, OKX, HTX, and HitBTC.

According to the blockchain security firm SlowMist, the Lazarus Group adopted new ways to launder money and cash out in 2023, steering away entirely from mainstream centralized exchanges, which over the past two years have taken on a very proactive role in stopping the laundering of high-profile hacks in the crypto space.

Lazarus Group’s money laundering methods — Source: SlowMist

One of the Lazarus Group’s favorite tools has been mixers. They obscure a transaction on the blockchain by routing it through a “complex, semi-random series of dummy transactions” and by commingling one payment with others.

As a result, it becomes unclear to whom funds are being directed and challenging to trace funds back to their source.

Mixers turn the very transparent blockchain technology into a murky black box, making them an obvious choice for crypto criminals.

The Lazarus Group’s extensive use of mixers, namely Tornado Cash and then Sinbad, signed their regulatory death warrant.

On August 8, 2022, the OFAC designated Tornado Cash as a ‘sanctioned entity,’ essentially banning its use for U.S. users. The impact extends beyond U.S. borders, as many Web3 entities almost immediately banned addresses associated with Tornado Cash.

In November 2023, it was Sinbad Mixer’s turn to fall. For facilitating DPRK laundering of stolen funds, Sinbad was seized, effectively taking it offline.

This did not deter them from using mixers; they simply switched to a new one, YoMix. Over the past months, YoMix has emerged as the top mixer used by criminals, with one-third of all YoMix inflows coming from wallets associated with crypto crimes, including those of the Lazarus Group, according to Chainalysis.

Fund flow linking the Lazarus Group and YoMix — Source: Chainalysis

As demonstrated by SlowMist, another laundering tool they have adopted is cross-chain hopping.

Cross-chain bridges and mixers are attractive to crypto criminals for essentially the same reason: blockchain interconnectivity lets billions of dollars in crypto move between assets and blockchains anonymously, blurring the transparency of blockchain technology.

This high-intensity crypto criminality is made possible, and could become the next AML battleground, because of three types of services that allow efficient, seamless and anonymous cross-chain transactions: cross-chain bridges, decentralized exchanges (DEXs), and coin swap services.
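The escape-route reasoning above (funds landing at centralized exchange deposits versus disappearing into mixers and cross-chain bridges) can be turned into a small fund-flow tracer. The following is an added example, not code from the original article or from Nefture: it follows a drained wallet’s outflows hop by hop over a constructed transfer list until each portion reaches a labelled endpoint, then reports how the stolen value is distributed. All addresses, labels and amounts are constructed placeholders; a real investigation would take endpoint attribution from a blockchain analytics provider.

```python
"""Escape-route analysis over a constructed transfer graph (illustrative only)."""
from collections import defaultdict, deque

# Constructed endpoint labels: hypothetical addresses, not real ones.
LABELS = {"0xCEX1": "cex", "0xCEX2": "cex", "0xMIX1": "mixer", "0xBRG1": "bridge"}

# Constructed transfers (sender, receiver, amount in ETH) for two cases:
# funds routed through a mixer and a bridge, and funds sent straight to exchanges.
MIXER_BRIDGE_CASE = [
    ("0xVICTIM", "0xA", 100.0), ("0xVICTIM", "0xB", 50.0),
    ("0xA", "0xMIX1", 60.0), ("0xA", "0xC", 40.0), ("0xC", "0xBRG1", 40.0),
    ("0xB", "0xD", 50.0), ("0xD", "0xBRG1", 30.0),   # 0xD keeps 20 ETH parked
]
EXCHANGE_CASE = [
    ("0xVICTIM", "0xX", 80.0), ("0xX", "0xCEX1", 50.0), ("0xX", "0xCEX2", 30.0),
]


def trace_escape_routes(transfers, labels, seed="0xVICTIM", max_hops=8):
    """Map each endpoint category to the amount of the seed's outflow that reached it.

    Value arriving at an unlabelled hop is forwarded in proportion to that hop's
    outgoing transfers; value that stays parked is reported as 'held', and value
    still moving after max_hops as 'unresolved'.
    """
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    totals = defaultdict(float)
    queue = deque((dst, amt, 1) for dst, amt in out[seed])   # breadth-first walk
    while queue:
        addr, value, hops = queue.popleft()
        if addr in labels:                 # reached a known endpoint: stop here
            totals[labels[addr]] += value
            continue
        forwarded = sum(a for _, a in out[addr])
        if forwarded == 0:                 # dead end: funds parked at this address
            totals["held"] += value
            continue
        if hops >= max_hops:
            totals["unresolved"] += value
            continue
        moving = min(value, forwarded)     # never attribute more than was received
        if value > moving:
            totals["held"] += value - moving
        for dst, amt in out[addr]:
            queue.append((dst, moving * amt / forwarded, hops + 1))
    return dict(totals)


def cex_share(totals):
    """Fraction of traced value that ended at centralized-exchange deposit addresses."""
    grand = sum(totals.values())
    return totals.get("cex", 0.0) / grand if grand else 0.0
```

A low `cex_share` with most value at mixer or bridge endpoints matches the laundering pattern the article attributes to the Lazarus Group, whereas the Larsen case described above would score close to 1.0; this is a triage heuristic, not an attribution proof.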


The Lazarus Group’s money laundering activity likely contributed to the surge in cross-chain bridge crypto criminal usage in 2023, which saw a 138% increase, as recorded by Chainalysis.

In that year, the amount of illicit funds laundered through bridges nearly exceeded the total of the four prior years combined.

Source: Chainalysis

For the past 17 years, the Lazarus Group has run rampant, accumulating experience and sophistication, and it shows no sign of halting its disruption of the cyber and crypto spheres.

Supported and instigated by the North Korean government, this hacker group’s nature ensures its longevity.

This scourge of the crypto space has many years ahead of it.

About us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.

Nefture’s core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.

Secure your crypto journey, book a demo now!


Nefture secures crypto assets by detecting and mitigating malicious activities and system failures. - nefture.com