North Korean Hackers Unleash A New Wave of Cryptocurrency Heists: The Sinister Plot of the Lazarus Group

DigiFinex
3 min read · Nov 4, 2023


(via BleepingComputer)

The cyber realm has never been free of malevolent players. Yet, some manage to stand out even in the crowded field of cyber attackers. One such notorious entity is North Korea’s Lazarus Group.

The Disturbing Legacy of the Lazarus Group

Famed for their audacious heists, the Lazarus Group was recently pinpointed as the mastermind behind a series of large-scale thefts. Last year, they made headlines by siphoning over $600 million from the Ronin cross-chain bridge of the Ethereum sidechain Ronin, making it one of the largest DeFi thefts in history.

The New Malware Attack

A recent report from Elastic Security Labs revealed that the Lazarus Group has been deploying novel malware aimed at cryptocurrency exchanges. While the report kept the name of the targeted exchange under wraps, the methodology it described was both fascinating and frightening.

Luring Victims through Discord

The attackers’ modus operandi relied on Discord. By impersonating members of a blockchain engineering community on Discord, they employed social engineering tactics: unsuspecting victims were lured into downloading and unzipping a ZIP file they believed to be a cryptocurrency arbitrage bot. In reality, opening it set off a chain of malicious components that eventually unleashed the KANDYKORN malware:

Step 1: Setting the stage with the Watcher.py script.

Step 2: Dropping the next-stage “paratroopers” using tools such as testSpeed.py and FinderTools.

Step 3: Activating the payload through the SUGARLOADER program, found in files such as .sld and .log.

Step 4: Propagating the malware using the HLOADER program, disguised as Discord.

Step 5: Full-on attack with the KANDYKORN malware, designed to access and steal data from the victim’s computer.

(via Elastic Security Labs)

According to Elastic’s investigation, this attack may have taken place in April of this year, and the firm cautioned that the perpetrators are continually refining their tools and tactics.

The Staggering 100-Day Heist

Blockchain analytics firm Elliptic released staggering data in late September. Its findings showcased the Lazarus Group’s ramped-up operations from June to September. Within these 100 days, the group executed five targeted attacks against the crypto sector, including:

  • Atomic Wallet (a non-custodial cryptocurrency wallet): $100 million
  • CoinsPaid (a crypto payment platform): $37.3 million
  • Alphapo (centralized crypto payment provider): $60 million
  • Stake.com (online crypto gambling platform): $41 million
  • CoinEx (centralized crypto exchange): $55 million

In total, they looted about $300 million worth of crypto assets. Their techniques often relied on social engineering, either by feigning identities to deceive exchange employees into downloading malware or through bogus recruitment drives.

In Conclusion: A Word of Caution

In the digital age, the lines between reality and deception can blur rapidly. The Lazarus Group’s tactics are a stark reminder that vigilance is paramount, especially in the realm of cryptocurrencies.

Keywords: Lazarus Group, North Korean Hackers, Cryptocurrency Heists, DeFi theft, Elastic Security Labs, Discord, KANDYKORN malware, social engineering, crypto assets
