Headline:  What is the Lazarus Group in North Korea?

Body:  In the Gospel story, Lazarus had died and, after an intervention, rose again.  In North Korea there is a hacker group that always seems to die and rise again, and it is known as the Lazarus Group.  I think naming a North Korean hacker group after a Bible story is pretty incongruous.  That, and the fact that within an authoritarian system hackers can be so creative in the destruction they cause, made them a bit of a puzzle that I wanted to understand better.

In one campaign, the hackers used LinkedIn to pose as recruiters and went looking for "employees."   The targets were asked to solve a "coding challenge," and in running it they inadvertently installed a Trojan horse on their own machine, most likely at work.   This gave the Lazarus Group a foothold inside many different corporate networks.
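The "coding challenge" lure works because a cloned project can run code the moment it is installed (for example through an npm install hook) and can hide its payload behind obfuscation. As an added example, not code from the article or from any Lazarus tooling, the following Python script applies a few such heuristics to an unpacked project before anyone runs it. The sample project it builds and scans is constructed here for illustration and is harmless; the hook names and patterns are the usual public ones, but the thresholds and file list are my own assumptions, and this is a triage aid, not a malware scanner.

```python
"""Heuristic triage of an unpacked 'coding challenge' repo for install-time
execution and obfuscation. Added example; thresholds are illustrative."""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`: a
# trojanized repo only needs one of these to execute code before the victim
# has read a single line of the project.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude textual indicators of hidden payloads (heuristics, not signatures).
PATTERNS = {
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bexec\s*\("),
    "escaped_string_blob": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|(?:\\u[0-9a-fA-F]{4}){6,}"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "spawn_or_fetch": re.compile(r"child_process|subprocess|https?\.get\(|urllib\.request"),
}
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".py"}


def scan_package_json(text):
    """Return (hook, command) pairs for every install-time script found."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return []  # not valid JSON, or not an object: nothing to report
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def scan_source(text):
    """Return the names of PATTERNS that match anywhere in a source file."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    # One very long line is a classic sign of a minified/obfuscated payload.
    if any(len(line) > 500 for line in text.splitlines()):
        hits.append("very_long_line")
    return hits


def scan_tree(root):
    """Walk an unpacked project; return findings as (relative path, detail)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name == "package.json":
            for hook, cmd in scan_package_json(text):
                findings.append((rel, f"install hook {hook}: {cmd}"))
        elif path.suffix in SOURCE_SUFFIXES:
            for hit in scan_source(text):
                findings.append((rel, hit))
    return findings


def build_sample(root):
    """Write a constructed, harmless stand-in for a trojanized challenge repo."""
    root = Path(root)
    (root / "package.json").write_text(json.dumps({
        "name": "coding-challenge",
        "scripts": {"test": "jest", "postinstall": "node ./config/setup.js"},
    }))
    (root / "config").mkdir()
    # Obfuscated-looking content: a hex-escaped string fed to new Function().
    (root / "config" / "setup.js").write_text(
        "var s='\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65\\x2e\\x6c\\x6f\\x67';\n"
        "new Function(s + '(1)')();\n"
    )
    (root / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    return root


def demo():
    """Build the constructed sample in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample(tmp))


if __name__ == "__main__":
    for rel, detail in demo():
        print(f"{rel}: {detail}")
```

Run it against a freshly cloned challenge before `npm install` or `pip install`; anything it flags deserves a read in a disposable VM, and an install hook you did not expect is reason enough to stop. The benign `index.js` in the sample produces no findings, which is the point: the scanner is meant to separate the few files worth opening from the rest.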

This is bad, yes, but what does it have to do with crypto?

The Lazarus Group has stolen more than $3 billion in cryptocurrency.  Once stolen, the funds are passed through a variety of mixers to launder the proceeds back to North Korea.  Exchanges and law enforcement have frozen some of it, but the frozen assets pale in comparison to what has been stolen.  Worse yet, many of the largest heists are never reported at all, out of embarrassment or fear of being sued.

In 2023 alone, there were five major hacks that carried Lazarus fingerprints.  On June 3, hackers hit Atomic Wallet (a non-custodial wallet, not an exchange) and stole over $100 million.   Elliptic attributed the theft to Lazarus three days later, and the FBI later confirmed it.  On July 22, CoinsPaid was breached through social engineering (think an e-mail with an attachment that seems to come from your uncle), and $37.3 million was stolen.  On the same day, Alphapo was hit for $60 million, and the FBI confirmed that Lazarus was involved.  On September 4, Stake.com lost $41 million in virtual currency after its private keys were compromised.  Finally, on September 12, CoinEx (a centralized exchange) was hit for $54 million.  Apparently, North Korean hackers were too busy during the rest of the academic year.

Why are they so much more dangerous than other hackers?

In a word, they are dangerous because they are so well funded.   With that much money behind the operations, the best talent can be hired and trained.  More to the point, many of these hacks require a "long game" form of social engineering, and that funding lets the Lazarus Group commit to long-term cons and obtain whatever training the next operation requires.

They are especially dangerous to new cryptocurrency projects.  In the early days of a project, the developers usually hold admin keys to its contracts and wallets.   In the good case, those keys let them fix bugs and return accounts to normal quickly.   But if a group like Lazarus obtains the admin keys, it can quickly drain every account the project controls.  Even at established exchanges and projects, a stolen admin key lets the attacker empty hot wallets or trade away the entire supply it controls, which leads to large price drops nearly everywhere the token trades.  This is a private-key compromise, and it should not be confused with a flash loan attack: in a flash loan attack the attacker borrows a large sum with no collateral for the duration of a single transaction and uses it to manipulate prices or abuse a contract's logic, with no stolen keys needed.  The two are often discussed together because both were leading causes of crypto losses in 2023.

Are they evolving?

Yes, it appears that their methods are evolving.   In the past, the Lazarus Group largely went after decentralized services (DeFi protocols and cross-chain bridges), but it is shifting to attacks on centralized exchanges.  The logic is quite simple.  First, as many bank robbers before them put it, "that's where the money is."   Second, centralized exchanges tend to have many more employees, and every employee is one more chance for a single mistake to become an opening for an attack.

What can be done about these hackers?

Well, first, use long, complex passwords that are difficult to guess or derive.     There is also an idea that AI might come to the rescue, since only AI can learn quickly enough to react to current attack trends.  So, in the near future, expect an AI-fueled guard dog providing protection against malware and attacks.

The Verdict

The Lazarus Group seems to be a fantastically well-resourced hacker group with a mission to serve as a terrorist cell online.  I suppose the logic is that if people stop trusting computers with their money, more and more chaos can be engineered.  But I don't think it's working, because if that were the mission, there would be an unmistakable signature on each case (so that it could be attributed correctly and everyone would be properly scared of the North Koreans).  I think we are lucky here: the leaders who seem to have the tactical knowledge lack the strategic vision, and vice versa.  I think this might serve as a wonderful exercise in working together with financial law enforcement from many different countries.

REFERENCES

https://cointelegraph.com/news/north-korean-lazarus-linkedin-target-steal-assets

https://cointelegraph.com/magazine/north-korean-hackers-private-keys-flash-loan-attacks/

https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics

https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
