In February, North Korean hackers broke headlines with what is now regarded as the largest single hack in crypto history.
The Lazarus Group stole at least $1.4 billion from Bybit and later funneled those funds to crypto mixers.
"Someone had pulled off the biggest hack in [crypto] history, and we had a front-row seat," Samczsun, Research Partner at Paradigm, recalled in a blog post.
The researcher said they witnessed the theft in real time and collaborated with Bybit to confirm the unauthorized access.

Samczsun was working with SEAL 911, an emergency response unit affiliated with the Security Alliance, a nonprofit organization dedicated to securing decentralized systems.
But these attacks aren't all just about the Lazarus Group. There's more to North Korea's cyber offensives than previously thought.
There's a misconception about how to "classify and name" the group's operations.
While the term "Lazarus Group" is "colloquially acceptable," discussing how the DPRK (Democratic People's Republic of Korea) runs its cyber operations on the offensive needs more rigor, Samczsun claimed.
Lazarus Group has become the media's preferred term for describing DPRK cyber activity. Cybersecurity researchers "created more precise designations" to show which groups are working on specific activities, they added.

A hacking bureau
The DPRK's hacking ecosystem operates under the Reconnaissance General Bureau (RGB), which houses several distinct groups: AppleJeus, APT38, DangerousPassword, and TraderTraitor.
These groups operate with specific targeting methodologies and technical capabilities.
TraderTraitor, identified as the most sophisticated DPRK actor targeting the crypto industry, focuses on exchanges with large reserves and employs advanced techniques; it successfully compromised Axie Infinity through fake job offers and manipulated WazirX.

AppleJeus specializes in complex supply chain attacks, including the 2023 3CX hack that potentially affected 12 million users.
DangerousPassword, meanwhile, conducts lower-end social engineering through phishing emails and malicious messaging on platforms like Telegram.
Another subgroup, APT38, spun out of Lazarus in 2016 and focused on financial crimes. It first targeted traditional banks before shifting attention to crypto platforms.
In 2018, OFAC first mentioned "North Korean IT workers," which researchers in 2023 identified as the "Contagious Interview" and "Wagemole" campaigns, operating through schemes in which the threat actors either pose as recruiters or attempt to get hired by target companies.
There's still hope
While the DPRK has shown its ability to deploy zero-day attacks, there have been "no recorded or known incidents" of it deploying directly against the crypto industry, Samczsun said.
The researcher urged crypto companies to implement basic security practices such as least privilege access, two-factor authentication, and device segregation. If preventive measures fail, connecting with security groups like SEAL 911 and the FBI's DPRK unit would also be helpful.
"DPRK hackers are an ever-growing threat against our industry, and we can't defeat an enemy that we don't know or understand," Samczsun wrote.
Edited by Sebastian Sinclair