
Lazarus Group, a North Korean Hacker Collective, Stole $3 Billion in Cryptocurrency Over 6 Years

WikiBit 2024-03-20 12:28

North Korean hackers Lazarus Group stole $3 billion worth of cryptocurrency over 6 years. How to prevent funds from being stolen?

According to a report released by the cybersecurity firm Recorded Future, the Lazarus Group, an organization associated with North Korea, has stolen $3 billion in cryptocurrency over the past six years. The report states that in 2022 alone, the Lazarus Group looted $1.7 billion in cryptocurrency, likely providing funds for North Korean projects. Chainalysis, a blockchain data analysis company, indicates that $1.1 billion of this was stolen from DeFi platforms. A report released by the U.S. Department of Homeland Security in September highlighted Lazarus' exploitation of DeFi protocols as part of its Analysis Exchange Program (AEP). The Lazarus Group specializes in fund theft. In 2016, they breached the Bangladesh Central Bank, stealing $81 million. In 2018, they attacked the Japanese cryptocurrency exchange Coincheck, making off with $530 million, and targeted the Central Bank of Malaysia, stealing $390 million.

Process

Since 2017, North Korea has targeted the cryptocurrency industry as a key focus for cyberattacks, resulting in the theft of over $3 billion worth of cryptocurrency. Prior to this, North Korea had hijacked the SWIFT network, enabling them to siphon funds between financial institutions. Such activities have drawn close attention from international bodies, prompting financial institutions to invest in enhancing their own network security defenses.

Starting from 2017, with the rise of cryptocurrencies into the mainstream, North Korean hackers shifted their focus from traditional finance to this new realm of digital finance. Initially targeting the South Korean crypto market, they later expanded their influence globally.

In 2022 alone, North Korean hackers were accused of stealing approximately $1.7 billion worth of cryptocurrency. This amount is roughly equivalent to 5% of North Korea's domestic economy or 45% of its military budget. It is also nearly ten times the value of North Korea's exports in 2021, according to data from the OEC website, which reported North Korea's exports at $182 million that year.

The modus operandi of North Korean hackers in stealing cryptocurrency from the crypto industry typically resembles traditional cybercriminal activities involving the use of crypto mixers, cross-chain transactions, and fiat OTC. However, with the backing of a state, these theft operations can escalate in scale. Such operations are beyond the capabilities of traditional cybercriminal gangs.

According to data tracking, in 2022, approximately 44% of stolen cryptocurrencies were linked to North Korean hacker activities.

The targets of North Korean hackers are not limited to exchanges; individual users, venture capital firms, and other technologies and protocols have also fallen victim to their attacks. All institutions operating in the industry and individuals working within it are potential targets for North Korean hackers, enabling the North Korean government to continue its operations and raise funds.

Users, exchange operators, and founders of startups involved in the cryptocurrency industry should be aware of the potential for being targeted by hackers.

Traditional financial institutions should also closely monitor the activities of North Korean hacker organizations. Once cryptocurrencies are stolen and converted into fiat, North Korean hackers conduct fund transfers between different accounts to obscure the source. Stolen identities and altered photos are often used to circumvent AML/KYC verification. Any personally identifiable information (PII) of victims of intrusion associated with North Korean hacker teams may be used to register accounts to launder stolen cryptocurrencies. Therefore, companies operating outside the cryptocurrency and traditional financial industries should also be vigilant of North Korean hacker group activities and whether their data or infrastructure is being used as a springboard for further intrusions.

Since most intrusions by North Korean hacker organizations begin with social engineering and phishing, organizations should train employees to recognize and report such activity and should implement robust multi-factor authentication, such as passwordless authentication compliant with the FIDO2 standard.

On July 12, 2023, the American enterprise software company JumpCloud announced that a North Korea-backed hacker had breached its network. Subsequently, Mandiant researchers released a report identifying the group responsible for the attack as UNC4899, likely corresponding to “TraderTraitor,” a North Korean hacker organization focused on cryptocurrency. On August 22, 2023, the Federal Bureau of Investigation (FBI) issued a bulletin stating that North Korean hacker organizations were involved in attacks on Atomic Wallet, Alphapo, and CoinsPaid, stealing a total of $197 million in cryptocurrency. The theft of these cryptocurrencies enables the North Korean government to continue its operations under strict international sanctions and fund up to 50% of its ballistic missile program costs.

In 2017, North Korean hackers breached South Korean exchanges Bithumb, Youbit, and Yapizon, stealing cryptocurrencies worth approximately $82.7 million at the time. There are also reports that after personal information of Bithumb users was leaked in July 2017, cryptocurrency users became targets of attacks.

In addition to stealing cryptocurrencies, North Korean hackers have also engaged in cryptocurrency mining. In April 2017, researchers from Kaspersky Lab discovered Monero mining software installed in APT38 intrusions.

In January 2018, researchers at the Korea Financial Security Institute announced that North Korea's Andariel organization had breached an undisclosed company's server in the summer of 2017, and used it to mine approximately 70 Monero coins, valued at about $25,000 at the time.

In 2020, security researchers continued to report new cyberattacks by North Korean hackers targeting the cryptocurrency industry. North Korean hacker organization APT38 targeted cryptocurrency exchanges in the United States, Europe, Japan, Russia, and Israel, using LinkedIn as the initial point of contact.

2021 was the most productive year for North Korea in targeting the cryptocurrency industry. North Korean hackers breached at least seven cryptocurrency institutions and stole $400 million worth of cryptocurrencies. Additionally, North Korean hackers began targeting Altcoins, including ERC-20 tokens, and NFTs.

In January 2022, Chainalysis researchers confirmed that there were still $170 million worth of cryptocurrencies to be cashed out since 2017.

Significant attacks attributed to APT38 in 2022 include the Ronin Network cross-chain bridge (resulting in a loss of $600 million), Harmony bridge (resulting in a loss of $100 million), Qubit Finance bridge (resulting in a loss of $80 million), and Nomad bridge (resulting in a loss of $190 million). These four attacks specifically targeted the cross-chain bridges of these platforms. Cross-chain bridges connect two blockchains, allowing users to move assets from one blockchain to another that holds different cryptocurrencies.

In October 2022, the Japanese National Police Agency announced that the Lazarus Group had attacked companies operating in the cryptocurrency industry in Japan. While no specific details were provided, the statement noted that some companies had been successfully breached, and cryptocurrencies were stolen.

From January to August 2023, APT38 allegedly stole $200 million from Atomic Wallet (2 attacks resulting in a total loss of $100 million), AlphaPo (2 attacks resulting in a total loss of $60 million), and CoinsPaid ($37 million loss in total). Also in January, the U.S. FBI confirmed that APT38 was responsible for the $100 million virtual currency theft from Harmony's Horizon bridge.

In the CoinsPaid attack in July 2023, APT38 operators may have posed as recruiters and specifically targeted CoinsPaid employees with recruitment emails and LinkedIn messages. CoinsPaid stated that APT38 spent six months trying to gain access to its network.

Mitigation Measures

Below are some preventive measures to protect against North Korean cyber attacks targeting cryptocurrency users and companies:

  • Enable Multi-Factor Authentication (MFA): Use hardware devices like YubiKey for wallets and exchanges to enhance security.

  • Enable any available MFA settings for cryptocurrency exchanges to provide maximum protection against unauthorized access or theft.

  • Verify authenticated social media accounts and check if usernames contain special characters or digits replacing letters.

  • Ensure that requested transactions are legitimate and verify any airdrops or other free cryptocurrency or NFT promotional activities.

  • Always verify the official source when receiving airdrops or other content from platforms like Uniswap or other large platforms.

  • Always check URLs and observe redirects after clicking links to ensure the website is official and not a phishing site.

Here are some tips to defend against social media scams:

  • Exercise extra caution when engaging in cryptocurrency transactions. Cryptocurrency assets have no institutional safeguards against “traditional” fraud.

  • Use hardware wallets. Hardware wallets may be more secure than “hot wallets” like MetaMask that are always connected to the internet. For hardware wallets connected to MetaMask, all transactions must be approved through the hardware wallet, providing an additional layer of security.

  • Only use trusted dApps (decentralized applications) and verify smart contract addresses to confirm their authenticity and integrity. Genuine NFT minting interactions rely on smart contracts that may be part of a larger dApp. MetaMask, blockchain explorers (such as Etherscan), or sometimes direct verification within the dApp can be used to verify contract addresses.

  • Double-check the URL of official websites to avoid imitation. Some cryptocurrency phishing pages may rely on domain name misspellings to deceive unsuspecting users.

  • Be skeptical of offers that seem too good to be true. Cryptocurrency phishing pages may lure victims with favorable cryptocurrency exchange rates or low Gas fees for NFT minting interactions.
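Several of the checks in the two lists above (usernames or domains with digits replacing letters, misspelled domains, verifying the URL you actually landed on) can be automated before a wallet or browser extension is allowed to talk to a site. The following is an added example written for this article, not code from WikiBit or from MetaMask, Uniswap or Etherscan. The allowlist of official domains and the digit-for-letter substitution table are constructed for the example; a real deployment would maintain the allowlist from the services the user or organization actually uses. It goes slightly beyond the list items by also decoding punycode (`xn--`) hostnames so that non-Latin lookalike characters become visible, and by flagging an official name embedded under someone else's domain.

```python
"""Flag lookalike domains in links before interacting with a wallet, exchange
or dApp. Added example for this article; not code from WikiBit or any project."""
from urllib.parse import urlsplit

# Allowlist of services the user actually relies on (constructed for this
# example). Any subdomain of an entry, e.g. app.uniswap.org or docs.metamask.io,
# counts as official; everything else does not.
OFFICIAL_DOMAINS = {"uniswap.org", "metamask.io", "etherscan.io"}

# Digits commonly substituted for letters in typosquatted names (constructed table):
# 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b
DIGIT_SUBSTITUTIONS = str.maketrans("0134578", "oleastb")


def hostname_of(url: str) -> str:
    """Lower-cased hostname of url, 'www.' stripped, with punycode (xn--) labels
    decoded so that non-Latin lookalike characters are visible to later checks."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters; keep as-is


def is_official(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return ('official' | 'lookalike' | 'unknown', reason) for url.

    'lookalike' means the hostname resembles an allowlisted domain without being
    one; 'unknown' means it is simply not on the allowlist."""
    host = hostname_of(url)
    if is_official(host):
        return "official", host
    # Homoglyph check: any non-ASCII character in the hostname is suspicious.
    if any(ord(c) > 127 for c in host):
        return "lookalike", f"{host}: non-ASCII characters in hostname"
    # Digits standing in for letters (uni5wap.org -> uniswap.org).
    normalised = host.translate(DIGIT_SUBSTITUTIONS)
    if normalised != host and is_official(normalised):
        return "lookalike", f"{host}: digits stand in for letters of {normalised}"
    for official in OFFICIAL_DOMAINS:
        # Official name used as a prefix/label under another registrable domain.
        if official in host:
            return "lookalike", f"{host}: embeds {official} under another domain"
        # Small misspellings (meta-mask.io, metarnask.io).
        if edit_distance(host, official) <= 2:
            return "lookalike", f"{host}: within edit distance 2 of {official}"
    return "unknown", host


if __name__ == "__main__":
    for sample in ("https://app.uniswap.org/#/swap", "https://uni5wap.org/",
                   "http://metarnask.io/", "http://etherscan.io.verify-wallet.example/",
                   "https://example.com/"):
        print(classify_url(sample))
```

The verdict is deliberately three-valued: an "unknown" domain is not a phishing site, it is just not one of the services you use, which is exactly the situation in which a manual check of the address bar is warranted. Treat "lookalike" as a hard stop for wallet connections and transaction signing.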

Disclaimer:

The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
