From 2021 to 2023, the Web3 ecosystem lost $1,903,600,000 to a single group operating out of North Korea: the Lazarus Group. The group has caused damage on an international scale, with exploits continuing into 2024. Who is the Lazarus Group? What are they known for, and how can Web3 protocols and developers prevent future exploits?
In this article, the Hacken team dives deep into these questions and the notorious Lazarus group.
The Lazarus Group is a notorious hacker group linked to North Korean military intelligence. The group has become infamous for executing high-profile cyber attacks, and in recent years, they’ve shifted their focus to the Web3 space. The Lazarus Group made headlines for their involvement in cryptocurrency heists, a move that has put them at the center of discussions around cyber threats in the digital finance world.
The group is known by many names within the cybersecurity space, most notably APT 38 and HIDDEN COBRA. Two goals have been attributed to it: disrupting foreign states and organizations, and raising money for the North Korean regime. While the group started with traditional hacking methods, it is now the most prominent threat actor in the crypto space and has caused billions of dollars in losses.
Their early cyber activities set the stage for a later focus on cryptocurrency. Here is a brief outlook on their early hack history and evolution:
These early operations showed the group’s skill. They were targeting a wide range of victims, from entertainment firms to critical infrastructure related to perceived enemies of the North Korean state.
The Lazarus Group seized the opportunity to profit from the relatively low-effort manipulation and exploitation of smart contracts. Several factors have driven their shift towards crypto-focused attacks:
Little to no Regulation: The initially unregulated nature of the crypto space.
High Reward Potential: Stealing large sums in a single successful attack.
Anonymity: The pseudonymous nature of cryptocurrency transactions could make it possible to obfuscate and hide traces.
It has been relatively easy to move substantial amounts of crypto without facing significant barriers, especially when compared to traditional banking systems. In contrast, stealing equivalent sums in Web2 environments is nearly impossible due to stricter regulations and oversight.
Their first major crypto hack was in July 2017, when the Lazarus group plundered Bithumb Exchange, stealing over $7 million worth of crypto assets in one day. As the cryptocurrency space has developed with new innovations, the Lazarus group has continuously exploited new vulnerabilities that have led to devastating losses.
From 2021 to 2023, the Lazarus Group’s activities in the Web3 space intensified, resulting in $1.9 billion stolen across the ecosystem. The group focused largely on Decentralized Finance (DeFi) projects, which accounted for 83.8% of its attacks. Centralized finance (CeFi) platforms accounted for only the remaining 16.2%, a striking imbalance.
Some high-profile thefts include the $625 million Axie Infinity Ronin Network hack in March 2022 and the Poly Network hack in August 2021. In 2023, the group’s concentration on CeFi targets was most visible in the third quarter, when it stole $208.6 million, or 30% of all losses suffered by the crypto ecosystem in that quarter.
Further hacks during the period included CoinEx, Alphapo, Stake, and Coinspaid, where a total of $308.6 million was disclosed as being lost between June and September 2023.
Lazarus’s top 7 heists are behind the majority of the funds lost. Let’s go through the funds lost in descending order.
Poly Network is a cross-chain protocol; its bridge and cross-chain contracts were exploited, highlighting the vulnerabilities of bridges.
The Ronin Bridge served the popular Axie Infinity game. Although the bridge was responsible for millions of dollars, control over it rested with a small number of private keys, which led to the biggest social engineering attack and exploit in the Web3 space.
Following the Ronin Bridge, Nomad also had its bridge exploited, and by this point, there was no dispute that bridges were a central point of vulnerability for the blockchain ecosystem.
The Atomic Wallet hack was a breach of the wallet itself, and some speculated that it was due to an error within their software.
Hacken wrote extensively on the Stake.com hack, an online crypto casino exploited by the Lazarus group—another example of private key leakage.
WazirX is a more recent exploit, in which over $200 million was lost. The Indian cryptocurrency exchange lost much of its funds through a multi-signature wallet breach.
Most of these hacks occurred in 2023, a year that alarmed the global cryptocurrency and cybersecurity community. Notable improvements can be seen, such as the reduced number of bridge exploits in 2024. To improve the ecosystem further, understanding the group’s core techniques and tactics is essential for designing preventive measures.
The Lazarus Group has demonstrated a sophisticated and evolving set of attack techniques and tactics. These attacks have resulted in significant financial losses and raised alarms about the security of the cryptocurrency industry as a whole. The ongoing investigations and attributions by the FBI and other agencies continue to shed light on the scale and impact of these cybercriminal activities linked to North Korea.
Here’s an overview of their primary methods, along with specific examples:
Social engineering remains one of the Lazarus Group’s most effective tactics:
Lately, the Lazarus Group has increasingly turned to infiltrating legitimate companies by posing as developers or IT workers. Once inside, they exploit their position to conduct attacks. Notable examples include:
The group targets vulnerabilities in the infrastructure of crypto projects:
While recently focusing more on centralized exchanges, the group has shown capability in exploiting smart contract weaknesses. The August 2021 Poly Network hack involved exploiting cross-chain contract vulnerabilities, resulting in a $600 million loss.
After successful attacks, the Lazarus Group employs complex laundering techniques:
Recent trends show a shift towards attacking centralized crypto services:
As the security of DeFi protocols improved, the Lazarus Group adapted. In 2023, five major attacks were attributed to Lazarus (Atomic Wallet, CoinsPaid, Alphapo, Stake.com, and CoinEx), all of which targeted centralized services rather than DeFi protocols. The successful social engineering attack on CoinsPaid demonstrates their focus on human vulnerabilities in centralized systems.
The Lazarus group employs a combination of tactics that changes over time, making it hard to identify who is actually behind attacks in the Web3 space. Nevertheless, the cybersecurity community, in collaboration with the FBI, has in most cases attributed these attacks to the Lazarus group based on their techniques. Their ability to exploit both traditional and Web3-specific vulnerabilities makes them one of the most significant threats in cryptocurrency.
The international response to the actions of North Korean hackers has included sanctions, law enforcement measures, and cooperation among nations. The UN imposed extensive sanctions on North Korea aimed at preventing its nuclear ambitions and funding sources. We now know that North Korea has managed to steal billions, which are believed to finance its weapons programs.
The United States has enacted targeted sanctions against individuals and entities associated with North Korean cyber operations. For instance, in 2022, the U.S. Treasury Department sanctioned several North Korean hackers and their affiliates, aiming to disrupt their financial networks and deter future attacks.
As can be seen above, the FBI has been issuing arrest warrants, actively investigating North Korean hackers, and issuing alerts to inform the private sector about potential threats. They have also offered rewards for information leading to the arrest of key figures within the Lazarus Group. With increased emphasis on cooperation between government agencies and private sector companies, defense against threats improves. This includes sharing intelligence on vulnerabilities and attack methods North Korean hackers use.
The North Korean hacker group remains active in the space, so understanding the preventive measures Web3 protocols and developers should take remains crucial. The Hacken Team has identified the main areas of vulnerability that should be addressed in order to prevent exploitation.
| Security Domain | Measures |
| --- | --- |
| 1. Private Key Management | Cold Storage: Store large amounts of cryptocurrency in hardware wallets or other offline storage methods. Multi-Signature Wallets: Implement multi-sig wallets requiring multiple private keys for transaction authorization. Key Rotation: Regularly update and rotate private keys to limit the impact of potential compromises. |
| 2. Authentication and Access Control | Employee KYC: Properly KYC every single employee, especially those hired for remote positions. Multi-Factor Authentication (MFA): Implement robust MFA for all access points, especially for privileged accounts. Zero Trust Architecture: Adopt a “never trust, always verify” approach to network access. Principle of Least Privilege: Limit user access rights to the minimum permissions necessary for their work. |
| 3. Network Security | Network Segmentation: Implement strict network segmentation to limit lateral movement in case of a breach. Firewalls and IDS: Deploy and regularly update these systems to monitor and protect network traffic. Virtual Private Networks (VPNs): Use VPNs for secure remote access to sensitive systems. |
| 4. Endpoint Security | Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to threats on individual devices. Regular Patching: Keep all systems and software up to date with the latest security patches. Anti-malware Software: Use and regularly update anti-malware solutions on all endpoints. |
| 5. Employee Training and Awareness | Phishing Awareness: Conduct regular training on recognizing and reporting phishing attempts. Social Engineering Defense: Educate staff on various social engineering tactics and how to resist them. Security Policy Compliance: Ensure all employees understand and adhere to organizational security policies. |
| 6. Continuous Monitoring and Threat Detection | SIEM: Implement SIEM systems for real-time analysis of security alerts. Threat Intelligence: Use threat intelligence feeds to stay informed about emerging threats and attack patterns. Anomaly Detection: Deploy systems capable of detecting unusual patterns in network traffic or user behavior. |
| 7. Incident Response and Recovery | Incident Response Plan: Develop and regularly test a comprehensive incident response plan. Backup and Recovery: Implement robust backup solutions and test recovery procedures regularly. Post-Incident Analysis: Conduct thorough post-mortem analyses after any security incident to improve defenses. |
| 8. Third-Party Risk Management | Vendor Security Assessments: Regularly assess the security posture of all third-party vendors and partners. API Security: Implement strong authentication and monitoring for all API integrations. Supply Chain Security: Monitor and secure the entire supply chain, including software dependencies and hardware components. |
| 9. Compliance and Audits | Regular Security Audits: Conduct both internal and external security audits on a regular basis. Penetration Testing: Perform regular penetration tests to identify and address vulnerabilities. Compliance Frameworks: Adhere to relevant compliance frameworks (e.g., ISO 27001, NIST) and use them as a baseline for security practices. |
| 10. Crypto-Specific Measures | Smart Contract Audits: For DeFi projects, conduct thorough and regular smart contract audits. Transaction Monitoring: Implement real-time transaction monitoring systems to detect suspicious activities. Decentralized Security Measures: Leverage blockchain-native security features like time-locks and multi-sig governance. |
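The table's private key, transaction monitoring and time-lock measures reinforce one another, which is worth seeing in working code. Several of the heists above (Ronin, Stake.com, WazirX) came down to an attacker controlling enough signing keys to authorise a transfer, so a threshold alone is not the whole control: a time-lock on large transfers buys the remaining signers and the monitoring team a window to veto, and a monitor comparing each proposal against the treasury's own history is what makes that window useful. The following Python model is an added illustration written for this article, not Hacken's code or any production wallet; the signer names, amounts, allow-listed destinations and alert thresholds are all constructed.

```python
"""Multi-sig treasury policy with a size-gated time-lock and a withdrawal monitor.

Added example; signers, amounts and thresholds are constructed, not real data.
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Proposal:
    """A pending outbound transfer waiting for signer approvals."""
    to: str
    amount: int                 # value in the token's smallest unit (constructed)
    proposed_at: int            # unix timestamp when the proposal was created
    approvals: set = field(default_factory=set)


class TreasuryPolicy:
    """M-of-N approval plus a time-lock that applies only above a size threshold.

    Even if an attacker already holds enough keys to reach the threshold,
    a large transfer cannot execute before the delay has elapsed, which is
    the window in which monitoring and the other signers can intervene.
    """

    def __init__(self, signers, threshold, large_amount, timelock_seconds):
        if not 2 <= threshold <= len(signers):
            raise ValueError("threshold must be between 2 and the signer count")
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.large_amount = large_amount
        self.timelock = timelock_seconds

    def approve(self, proposal, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorised signer")
        # A set: replaying one compromised key never counts as two approvals.
        proposal.approvals.add(signer)

    def can_execute(self, proposal, now):
        """Return (allowed, reason); large transfers need approvals AND elapsed delay."""
        if len(proposal.approvals) < self.threshold:
            return False, f"{len(proposal.approvals)}/{self.threshold} approvals"
        if proposal.amount >= self.large_amount:
            unlock_at = proposal.proposed_at + self.timelock
            if now < unlock_at:
                return False, f"timelocked until {unlock_at}"
        return True, "ok"


def withdrawal_alerts(history, proposal, usual_signers, allowed_destinations, factor=5):
    """Heuristic monitor: compare a proposal with the treasury's own baseline.

    Returns a list of reasons; an empty list means nothing stood out.
    """
    alerts = []
    if history and proposal.amount > factor * mean(history):
        alerts.append(f"amount {proposal.amount} exceeds {factor}x the historical mean")
    rare = proposal.approvals - usual_signers
    if rare:
        alerts.append(f"approval from rarely used signer(s): {sorted(rare)}")
    if proposal.to not in allowed_destinations:
        alerts.append(f"destination {proposal.to} is not on the allow-list")
    return alerts


# Constructed sample configuration and history for the scenario below.
POLICY = TreasuryPolicy(
    signers={"ops-1", "ops-2", "ops-3", "board-1", "board-2"},
    threshold=3,
    large_amount=100_000,
    timelock_seconds=24 * 3600,
)
HISTORY = [1_200, 900, 1_500, 1_100, 1_300]          # past routine withdrawals
KNOWN_DESTINATIONS = {"0xEXCHANGE_HOT_WALLET", "0xPAYROLL"}
USUAL_SIGNERS = {"ops-1", "ops-2", "ops-3"}


def run_scenario():
    """Routine payroll executes; an oversized drain is held by the lock and flagged."""
    t0 = 1_700_000_000
    routine = Proposal(to="0xPAYROLL", amount=1_000, proposed_at=t0)
    for s in ("ops-1", "ops-2", "ops-3"):
        POLICY.approve(routine, s)
    routine_ok, _ = POLICY.can_execute(routine, now=t0 + 60)

    # Three keys approve a large transfer to an unknown address within minutes.
    drain = Proposal(to="0xNEW_ADDRESS", amount=500_000, proposed_at=t0)
    for s in ("ops-1", "ops-2", "board-2"):
        POLICY.approve(drain, s)
    drain_ok, drain_reason = POLICY.can_execute(drain, now=t0 + 600)
    alerts = withdrawal_alerts(HISTORY, drain, USUAL_SIGNERS, KNOWN_DESTINATIONS)
    return routine_ok, drain_ok, drain_reason, alerts


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario, the routine transfer clears the threshold and is below the size gate, so it executes immediately, while the large transfer is refused for another 24 hours despite having three valid approvals, and the monitor raises three independent alerts (size against baseline, an unusual signer, an unknown destination) that a SIEM or on-call signer can act on inside that window.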
By implementing these measures, organizations can significantly enhance their resilience against sophisticated attacks from groups like Lazarus. However, it’s crucial to remember that security is an ongoing process that requires constant vigilance, updates, and adaptations to new threats.