North Korean Hackers Behind Attempted DeBridge Finance Attack: Co-Founder

Editor's note: The headline and copy of this story have been updated to clarify that the attack wasn't successful.

Alex Smirnov, co-founder and project lead at deBridge Finance, took to Twitter on Friday to report that his company was the target of an attempted cyberattack by the infamous North Korean Lazarus Group.

DeBridge provides a cross-chain interoperability and liquidity protocol for transferring data and assets between blockchains.

The attack came via a spoofed email received by several deBridge team members that contained a PDF file named "New Salary Adjustments," which appeared to come from Smirnov.

Email spoofing is a form of attack where a malicious email is manipulated to seem as if it originated from a trusted source, in this case, from the firm’s co-founder.

"We have strict internal security policies and continuously work on improving them as well as educating the team about possible attack vectors," Smirnov wrote.

Even so, Smirnov explained, one employee downloaded and opened the file, which prompted an investigation of its origin and how the hackers intended for the attack to work—and any potential consequences.

"We made sure that the downloaded file made no impact on our colleague's machine, and then warned the Web3 community so that everyone can be informed and prepared for similar situations," Smirnov told Decrypt.

He compared what deBridge saw with another Twitter post by another user that showed similar characteristics and pointed to the North Korean hacker group.

"Fast analysis showed that received code collects A LOT of information about the PC and exports it to [the attacker's command center]: username, OS info, CPU info, network adapters, and running processes," Smirnov said.

Smirnov warned his followers to never open email attachments without verifying the sender's full email address and to have an internal protocol for how their team shares attachments.

The Lazarus Group has allegedly been behind several high-profile crypto hacks, including the $622 million Axie Infinity Ronin Ethereum sidechain hack in March and the Harmony Horizon Bridge hack in June.

¨These types of attacks are fairly common," notes David Schwed, chief operating officer of blockchain security firm Halborn. "They rely on the inquisitive nature of people by naming the files something that would pique their interest, such as salary information.

"We are seeing more and more of these types of attacks specifically targeting blockchain companies given the heightened stakes due to the immutability of blockchain transactions," Schwed added.