North Korea’s state-sponsored cyber criminal group Lazarus has attacked Japanese crypto firms, according to a joint statement by Japan’s National Police and Financial Services Agencies.

The attacks were carried out using phishing and social engineering techniques, according to a report by Japan News

Lazarus hackers allegedly reached out to target companies by pretending to be crypto company executives in emails and on social media. After establishing contact, the attackers then infected target companies’ internal systems with malware before making off with crypto. 

Authorities named the suspect group in an advisory statement before making any arrests—a measure that has only been taken five times in Japan’s history. 

The joint statement also gave some general security pointers, advising potential targets to store their private keys offline and to be careful when opening emails or hyperlinks. The NPA confirmed that several of the attacks had been successful but didn’t disclose details or the amounts stolen. 

Lazarus moves into crypto

Lazarus is responsible for several major hacks outside the blockchain industry, including the 2017 WannaCry ransomware attack, 2014’s Sony Pictures attack, and a series of cyber raids on pharmaceutical companies in 2020, including COVID-19 vaccine developers AstraZeneca

This year, Lazarus also started purloining nine-digit figures in crypto.

In April, the group was connected to the historic $622 million attack on Sky Mavis’s Ethereum sidechain Ronin last month. 

Then in June, Lazarus was the lead suspect in a $100 million raid on Harmony Protocol

The June hack targeted Harmony’s Horizon bridge, a cross-chain bridge connecting Harmony to Ethereum, Binance Chain, and Bitcoin. Analysis by Elliptic at the time noted that similarities between both cross-chain bridge attacks are a strong indication of Lazarus’ likely involvement. 

Lazarus has also targeted crypto exchanges this year through counterfeit job listings with links and PDFs containing malware. 

In August, internet security researchers at ESET Labs flagged up a phoney Coinbase job listing that was really a Trojan horse deployed by the group. Last month, Lazarus repeated the attack with fraudulent Crypto.com job advertisements. 

Lazarus Group’s documented use of the crypto transaction privacy tool Tornado Cash was one of the reasons the U.S. Treasury cited for banning it.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.