Lazarus Group

Binance and Huobi freeze $1.4M in crypto linked to North Korean hackers

The North Korea-based hacker outfit Lazarus Group used several privacy mixers in an attempt to anonymize the stolen funds, but it didn’t work.

Cryptocurrency exchanges Binance and Huobi have again frozen accounts linked to last June’s $100 million Harmony Horizon bridge hack.

Around $1.4 million worth of crypto frozen by the trading platforms came from accounts linked to the notorious Lazarus Group operating out of North Korea.

The investigation was carried out by blockchain analytics firm Elliptic, according to a report shared by the firm on Feb. 14. However, the firm didn’t state what coins or tokens were frozen.

Elliptic explained it passed on the intelligence to Binance and Huobi, which then acted promptly to freeze the Lazarus Group-linked accounts:

“The stolen funds remained dormant until recently, when our investigators began to see them funneled through complex chains of transactions, to exchanges. By promptly notifying these platforms about these illicit deposits, they were able to suspend these accounts and freeze funds.”

Since the Harmony exploit, it has been well documented that Lazarus Group resorted to the now-United States OFAC-sanctioned privacy mixer Tornado Cash in an attempt to break the transaction trail back to the original theft.

While this supposedly makes it easier to cash out funds at an exchange, Elliptic investigators were able to trace the entirety of the stolen funds sent through the mixer in this case, the report stated.
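The tracing Elliptic describes, following funds from a known theft address through chains of intermediate wallets until they land on an exchange deposit address, is in essence a forward reachability search over a transfer graph. The following is an added example, not Elliptic’s tooling or anything from the original article, that runs that search over a small constructed set of transfers (the addresses `hack_wallet`, `hop1` and so on are made up) and shows the practical caveat the article touches on: a mixer is an opaque node, so a screening tool that refuses to link mixer outputs to inputs stops there, while one that treats the mixer as a pass-through (as Elliptic says it could in this case) reaches the second deposit address.

```python
from collections import deque

# Constructed sample transfers (from, to, amount); not real on-chain data.
TRANSFERS = [
    ("hack_wallet", "hop1", 100.0),
    ("hop1", "hop2", 60.0),
    ("hop1", "hop3", 40.0),
    ("hop2", "exchange_deposit_A", 60.0),
    ("hop3", "mixer", 40.0),              # funds enter a mixing service
    ("mixer", "hop4", 39.5),              # withdrawal, minus a fee
    ("hop4", "exchange_deposit_B", 39.5),
    ("clean_user", "exchange_deposit_C", 5.0),
]


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, amount), ...]."""
    graph = {}
    for src, dst, amount in transfers:
        graph.setdefault(src, []).append((dst, amount))
    return graph


def trace_exposure(graph, sources, deposit_addresses, max_hops=6, opaque=frozenset()):
    """Breadth-first forward trace from known illicit source addresses.

    Returns {deposit_address: path_from_source}. Nodes in `opaque` (e.g. a mixer)
    terminate a path, because their outputs cannot be attributed to a particular
    input without further evidence. `max_hops` bounds the search so very long,
    low-confidence chains are not reported.
    """
    found = {}
    queue = deque((src, [src]) for src in sources)
    visited = set(sources)
    while queue:
        node, path = queue.popleft()
        if node in deposit_addresses and node not in sources:
            found[node] = path
        hops_so_far = len(path) - 1
        if node in opaque or hops_so_far >= max_hops:
            continue
        for nxt, _amount in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                queue.append((nxt, path + [nxt]))
    return found


def screen_deposit(graph, deposit, sources, **kwargs):
    """Exchange-side view: is this one deposit address exposed to the theft?"""
    exposure = trace_exposure(graph, sources, {deposit}, **kwargs)
    if deposit not in exposure:
        return {"status": "clear"}
    path = exposure[deposit]
    return {
        "status": "flag",
        "hops": len(path) - 1,
        "via_mixer": any(n in kwargs.get("mixers_seen", {"mixer"}) for n in path),
        "path": path,
    }


if __name__ == "__main__":
    graph = build_graph(TRANSFERS)
    deposits = {"exchange_deposit_A", "exchange_deposit_B", "exchange_deposit_C"}
    print("pass-through mixer:", trace_exposure(graph, {"hack_wallet"}, deposits))
    print("opaque mixer:     ", trace_exposure(graph, {"hack_wallet"}, deposits,
                                               opaque=frozenset({"mixer"})))
    print(screen_deposit(graph, "exchange_deposit_B", {"hack_wallet"}))
```

Whether to treat a mixer as opaque is a policy decision for the screening team; the code makes that choice explicit rather than burying it, and the hop count in the result gives a reviewer a rough confidence signal before an account is frozen.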

Elliptic CEO Simone Maini suggested the events showed the industry was taking on the responsibility to prevent money laundering and stop crypto from becoming a “haven” for illicit activity:

“Today, money laundering was detected and stolen funds linked to North Korea were frozen, in real time. As an industry we have the power and responsibility to prevent digital assets becoming a haven for money launderers and sanctions evaders, and ensure that they are a force for good.”

The Harmony bridge attack was attributed to the Lazarus Group by the United States Federal Bureau of Investigation on Jan. 24.

This isn’t the first time Binance and Huobi have cooperated on the matter.

On Jan. 16, the two platforms managed to freeze and recover 121 Bitcoin (BTC), worth $2.5 million at the time, linked to the Harmony attack.

Related: Illicit cross-chain transfers expected to grow to $10B: Here’s how to prevent them

The recovery was, however, only a fraction of the $63.5 million laundered over that weekend, according to crypto sleuth ZachXBT, who claims the funds were funneled through Ethereum-based privacy protocol Railgun before being sent off to three different exchanges.

Recent efforts from Elliptic last week also found that Lazarus Group has laundered about $100 million in Bitcoin through “Sinbad,” which the firm claims is a relaunch of the now OFAC-sanctioned privacy mixer Blender.

Lazarus Group is believed to have stolen well over $2 billion in crypto since it shifted its focus to the industry in 2017, according to estimates from Elliptic.

North Korea’s Lazarus Group masterminded $100M Harmony hack: FBI confirms

The FBI also confirmed earlier reports this month by figures such as ZachXBT that the hackers had started moving a large chunk of the funds around via privacy protocols.

The Federal Bureau of Investigation (FBI) has confirmed the Lazarus Group and APT38 as the culprits behind the $100 million Harmony Bridge Hack from June 2022.

The North Korea-linked cyber group had long been suspected of being behind the attack but their involvement hadn’t been confirmed by authorities until now.

According to a Jan. 23 statement, the FBI noted that “through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge.”

The Harmony Bridge hack in 2022 was the result of security holes in Harmony’s Horizon Ethereum bridge which allowed the cyber attackers to swipe a number of assets stored in the bridge via 11 transactions.

The FBI also outlined that the North Korean hackers started shifting around $60 million worth of the stolen funds earlier this month via the Ethereum-based privacy protocol RAILGUN. Blockchain sleuth ZachXBT previously highlighted this via Twitter on Jan. 16.

Notably, Binance also detected that the hackers were trying to launder the funds through the Huobi crypto exchange, and promptly assisted Huobi in freezing and recovering the digital assets deposited by the hackers, according to CEO Changpeng Zhao.

“On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of Ethereum (ETH) stolen during the June 2022 heist,” the FBI stated, adding that “a portion of these funds were frozen, in coordination with some of the virtual asset service providers. The remaining bitcoin subsequently moved to the following addresses.”

In its statement, the FBI said its cyber and virtual assets units, as well as the U.S. Attorney’s Office and the U.S. Justice Department’s crypto unit, have continued “to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs.”

Related: Google Ads-delivered malware drains NFT influencer’s entire crypto wallet

The Lazarus Group is a well-known hacking syndicate that has reportedly had a hand in a number of key exploits in the crypto industry, and is alleged to have been behind the $600 million Ronin Bridge hack from March last year.

In April 2022, the United States Treasury Department’s Office of Foreign Assets Control indicated as much by updating its Specially Designated Nationals and Blocked Persons (SDN) list to include the Lazarus Group following the hack.

That same month, the FBI and Cybersecurity and Infrastructure Security Agency also fired off a warning alert concerning North Korean state-sponsored cyber threats that target blockchain companies in response to the Ronin Bridge hack.

North Korean hackers stealing NFTs using nearly 500 phishing domains

The hackers created decoy websites impersonating NFT marketplaces, NFT projects and even a DeFi platform.

Hackers linked to North Korea’s Lazarus Group are reportedly behind a massive phishing campaign targeting nonfungible token (NFT) investors — utilizing nearly 500 phishing domains to dupe victims.

Blockchain security firm SlowMist released a report on Dec. 24, revealing the tactics that North Korean Advanced Persistent Threat (APT) groups have used to part NFT investors from their NFTs, including decoy websites disguised as a variety of NFT-related platforms and projects.

Examples of these fake websites include a site pretending to be a project associated with the World Cup, as well as sites that impersonate well-known NFT marketplaces such as OpenSea, X2Y2 and Rarible.

SlowMist said one of the tactics used was having these decoy websites offer “malicious Mints,” which involves deceiving the victims into thinking they are minting a legitimate NFT by connecting their wallet to the website.

However, the NFT is actually fraudulent, and the victim’s wallet is left vulnerable to the hacker who now has access to it.

The report also revealed that many of the phishing websites operated under the same Internet Protocol (IP), with 372 NFT phishing websites under a single IP and another 320 NFT phishing websites associated with another IP.

An example phishing website. Source: SlowMist

SlowMist said the phishing campaign has been ongoing for several months, noting that the earliest registered domain name came about seven months ago.

Other phishing tactics used included recording visitor data and saving it to external sites as well as linking images to target projects.

Once the hacker had obtained the visitor’s data, they would run various attack scripts against the victim, giving the hacker access to the victim’s access records, authorizations and use of plug-in wallets, as well as sensitive data such as the victim’s approve record and sigData.

All this information then enables the hacker access to the victim’s wallet, exposing all their digital assets.

However, SlowMist emphasized that this is just the “tip of the iceberg,” as the analysis only looked at a small portion of the materials and extracted “some” of the phishing characteristics of the North Korean hackers.

For example, SlowMist highlighted that just one phishing address alone was able to gain 1,055 NFTs and profit 300 Ether (ETH), worth $367,000, through its phishing tactics.

It added that the same North Korean APT group was also responsible for the Naver phishing campaign that was previously documented by Prevailion on March 15.

Related: Blockchain security firm warns of new MetaMask phishing campaign

North Korea has been at the center of various cryptocurrency theft crimes in 2022.

According to a news report published by South Korea’s National Intelligence Service (NIS) on Dec 22, North Korea stole $620 million worth of cryptocurrencies this year alone.

In October, Japan’s National Police Agency sent out a warning to the country’s crypto-asset businesses advising them to be cautious of the North Korean hacking group.

North Korea’s Lazarus behind years of crypto hacks in Japan: Police

According to the Japanese government, phishing is a common mode of attack for the Lazarus Group, which is believed to have focused more on crypto funds lately because they’re “managed more loosely.”

Japan’s national police have pinned North Korean hacking group, Lazarus, as the organization behind several years of crypto-related cyber attacks. 

In the public advisory statement sent out on Oct. 14, Japan’s National Police Agency (NPA) and Financial Services Agency (FSA) sent a warning to the country’s crypto-asset businesses, asking them to stay vigilant of “phishing” attacks by the hacking group aimed at stealing crypto assets.

The advisory statement is known as “public attribution,” and according to local reports, is the fifth time in history that the government has issued such a warning.

The statement warns that the hacking group uses social engineering to orchestrate phishing attacks — impersonating executives of a target company to try and bait employees into clicking malicious links or attachments:

“This cyber attack group sends phishing emails to employees impersonating executives of the target company […] through social networking sites with false accounts, pretending to conduct business transactions […] The cyber-attack group [then] uses the malware as a foothold to gain access to the victim’s network.”

According to the statement, phishing has been a common mode of attack used by North Korean hackers, with the NPA and FSA urging targeted companies to keep their “private keys in an offline environment” and to “not open email attachments or hyperlinks carelessly.”

The statement added that individuals and businesses should “not download files from sources other than those whose authenticity can be verified, especially for applications related to cryptographic assets.”

The NPA also suggested that digital asset holders “install security software,” strengthen identity authentication mechanisms by “implementing multi-factor authentication” and not use the same password for multiple devices or services.

The NPA confirmed that several of these attacks have been successfully carried out against Japanese-based digital asset firms, but didn’t disclose any specific details.

Related: ‘Nobody is holding them back’ — North Korean cyber-attack threat rises

Lazarus Group is allegedly affiliated with North Korea’s Reconnaissance General Bureau, a government-run foreign intelligence group.

Katsuyuki Okamoto of multinational IT firm Trend Micro told The Yomiuri Shimbun that “Lazarus initially targeted banks in various countries, but recently it has been aiming at crypto assets that are managed more loosely.”

They have been accused of being the hackers behind the $650 million Ronin Bridge exploit in March, and were identified as suspects in the $100 million attack from layer-1 blockchain Harmony.

Ronin hackers transferred stolen funds from ETH to BTC and used sanctioned mixers

The hackers continue to spread out the stolen funds using Bitcoin privacy tools as a means to remain anonymous, even though they are believed to be a North Korean cybercrime group.

The hackers behind the $625 million Ronin bridge attack in March have since transferred most of their funds from Ether (ETH) into Bitcoin (BTC) using renBTC and Bitcoin privacy tools Blender and ChipMixer. 

The hacker’s activity has been tracked by on-chain investigator ₿liteZero, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report. They outlined the transaction pathway of the stolen funds since the March 23 attack.

The majority of the stolen funds were originally converted into ETH and sent to the now-sanctioned Ethereum crypto mixer Tornado Cash before being bridged over to the Bitcoin network and converted into BTC via the Ren protocol.

According to the report, the hackers, who are believed to be North Korean cybercrime organization Lazarus Group, initially transferred just a portion of the funds, or 6,249 ETH, to centralized exchanges (CEXs) including Huobi with 5,028 ETH and FTX with 1,219 ETH on March 28.

From the CEXs, the 6,249 ETH appeared to have been converted into BTC. The hackers then transferred 439 BTC, or $20.5 million at the time of writing, to the Bitcoin privacy tool Blender, which was also sanctioned by the U.S. Treasury on May 6. The analyst wrote:

“I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”

However, the overwhelming majority of stolen funds — 175,000 ETH — was transferred to Tornado Cash incrementally between April 4 and May 19.

Related: The aftermath of Axie Infinity’s $650M Ronin Bridge hack

The hackers subsequently used decentralized exchanges Uniswap and 1inch to convert around 113,000 ETH to renBTC (a wrapped version of BTC) and used Ren’s decentralized cross-chain bridge to transfer the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.

From there, approximately 6,631 BTC was distributed to a variety of centralized exchanges and decentralized protocols:

Platforms the hackers used to transfer BTC to. Source: SlowMist.

The report also stated that the Ronin hackers withdrew 2,871 BTC of the 3,460 BTC, or $61.6 million as of Aug. 22, via Bitcoin privacy tool ChipMixer.

BTC balance on platforms after the hackers withdrew funds. Source: SlowMist.

₿liteZero concluded the Twitter thread by stating that the Ronin hack remains a “mystery to be investigated” and that more progress is to be made.

Cross chains, beware: deBridge flags attempted phishing attack, suspects Lazarus Group

deBridge Finance survives an attempted phishing attack, points a finger at the North Korean Lazarus Group, and warns the wider community to be on guard.

Cross-chain protocols and Web3 firms continue to be targeted by hacking groups, as deBridge Finance unpacks a failed attack that bears the hallmarks of North Korea’s Lazarus Group hackers.

deBridge Finance employees received what looked like another ordinary email from co-founder Alex Smirnov on a Friday afternoon. An attachment labeled “New Salary Adjustments” was bound to pique interest, with various cryptocurrency firms instituting staff layoffs and pay cuts during the ongoing cryptocurrency winter.

A handful of employees flagged the email and its attachment as suspicious, but one staff member took the bait and downloaded the PDF file. This would prove fortuitous, as the deBridge team worked on unpacking the attack vector sent from a spoof email address designed to mirror Smirnov’s.

The co-founder delved into the intricacies of the attempted phishing attack in a lengthy Twitter thread posted on Friday, acting as a public service announcement for the wider cryptocurrency and Web3 community.

Smirnov’s team noted that the attack would not infect macOS users, as attempts to open the link on a Mac lead to a zip archive containing only the normal PDF file Adjustments.pdf. However, Windows-based systems are at risk, as Smirnov explained:

“The attack vector is as follows: user opens link from email, downloads & opens archive, tries to open PDF, but PDF asks for a password. User opens password.txt.lnk and infects the whole system.”

The supposed text file, which is actually a Windows shortcut (.lnk), does the damage, executing a cmd.exe command that checks the system for antivirus software. If the system is not protected, the malicious file is saved in the autostart folder and begins to communicate with the attacker to receive instructions.

Related: ‘Nobody is holding them back’ — North Korean cyber-attack threat rises

The deBridge team allowed the script to receive instructions but nullified the ability to execute any commands. This revealed that the code collects a swathe of information about the system and exports it to attackers. Under normal circumstances, the hackers would be able to run code on the infected machine from this point onward.
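The lure described above relies on two things a mail gateway or endpoint tool can check before a user ever sees the archive: a shortcut file carrying a document-like double extension (`password.txt.lnk` displays as `password.txt` when Windows hides known extensions), and file content that is a Windows shell link regardless of what the name says. The following is an added example from the defender’s side, not deBridge’s code or anything from the original thread; it builds a constructed archive in memory that mirrors the two filenames the article mentions (the bytes inside are placeholders, not the real attachment) and reports each member that matches those indicators. The LNK header constant is the fixed 4-byte header size plus the shell link CLSID from the documented file format.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Fixed prefix of every Windows shell link (.lnk): HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions Windows will execute or interpret when double-clicked.
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
# Extensions a user expects to be harmless documents.
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def inspect_member(name, data):
    """Return a list of reasons this archive member looks like an executable lure
    (empty list means nothing suspicious was found)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {suffixes[-1]}")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(f"double extension: displays as {suffixes[-2]} when extensions are hidden")
    if data.startswith(LNK_MAGIC):
        reasons.append("content is a Windows shell link (LNK header)")
    return reasons


def scan_archive(zip_bytes):
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed archive shaped like the lure in the article; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Adjustments.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
        # A shell link header followed by padding; no real link target is encoded.
        zf.writestr("password.txt.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

The content check matters as much as the name check: renaming the shortcut to something without `.lnk` would defeat the extension rules but not the header match, and a mail filter that quarantines any archive containing a shell link removes this particular lure outright.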

Smirnov linked back to earlier research into phishing attacks carried out by the Lazarus Group which used the same file names.

2022 has seen a surge in cross-chain bridge hacks, as highlighted by blockchain analysis firm Chainalysis. Over $2 billion worth of cryptocurrency has been fleeced in 13 different attacks this year, accounting for nearly 70% of stolen funds. Axie Infinity’s Ronin bridge has been the worst hit so far, losing $612 million to hackers in March 2022.

‘Nobody is holding them back’ — North Korean cyber-attack threat rises

“Even though the tradecraft is not perfect right now… it’s still a fresh market for North Korea,” says former CIA analyst Soo Kim.

North Korea-backed cyberattacks on cryptocurrency and tech firms will only become more sophisticated over time as the country battles prolonged economic sanctions and resource shortages. 

Former CIA analyst Soo Kim told CNN on Sunday that the process of generating overseas crypto income for the regime has now become a “way of life” for the North Koreans:

“In light of the challenges that the regime is facing — food shortages, fewer countries willing to engage with North Korea […] this is just going to be something that they will continue to use because nobody is holding them back, essentially.”

She also added that it is likely that their crypto attacking “tradecraft” will only improve from here on.

“Even though the tradecraft is not perfect right now, in terms of their ways of approaching foreigners and preying upon their vulnerabilities, it’s still a fresh market for North Korea,” said Kim.

The RAND Corporation policy analyst made the comments almost two months after the release of a joint advisory from the United States government about the infiltration of North Korean operatives across freelance tech jobs — posing risks of intellectual property, data and funds theft that could be used to violate sanctions.

Former FBI intelligence analyst Nick Carlsen told CNN that DPRK operatives embedded in these firms would not only earn income used to skirt sanctions, but they could also potentially identify vulnerabilities in certain client systems that their hacker comrades could take advantage of.

“Any vulnerability they might identify in a client’s systems would be at grave risk,” explained Carlsen.

Related: Crypto market crash wipes out millions from North Korea’s stolen crypto funds

In a lengthy Twitter exposé about North Korean hackers, The DeFi Edge noted that these crypto attacks typically target bridges, focus on companies based in Asia and often begin by targeting unsuspecting employees.

The country has been identified as being allegedly behind some of the largest cyberattacks in recent crypto history, including the $620 million hack of Axie Infinity and the $100 million hack of the Harmony protocol.

A report from Coinclub on June 29 estimated there are as many as 7,000 full-time hackers in North Korea working to raise funds through cyberattacks, ransomware and crypto-protocol hacks.