
Inside Lazarus Group: Analyzing North Korea’s Most Infamous Crypto Hacks


From 2021 to 2023, roughly $1.9 billion ($1,903,600,000) was lost across the Web3 ecosystem to a single threat actor operating from North Korea: the Lazarus Group. The group has caused damage on an international scale, and its exploits continue into 2024. Who is the Lazarus Group? What is it known for, and how can Web3 protocols and developers prevent future exploits?

In this article, the Hacken team dives deep into these questions and the notorious Lazarus group. 

Who Is Lazarus Group?

The Lazarus Group is a notorious hacker group linked to North Korean military intelligence. The group has become infamous for executing high-profile cyber attacks, and in recent years, they’ve shifted their focus to the Web3 space. The Lazarus Group made headlines for their involvement in cryptocurrency heists, a move that has put them at the center of discussions around cyber threats in the digital finance world.

The group is known by many names within the cybersecurity space, particularly APT38 (the name analysts use for its financially motivated unit) and HIDDEN COBRA (the U.S. government's designation). Its two goals are well documented: disrupting foreign states and organizations, and raising money for the North Korean regime. While it started with traditional intrusions, it is now among the most prolific attackers in the crypto space and has caused billion-dollar losses.

Early Activities

Their early cyber activities set the stage for the later focus on cryptocurrency. Here is a brief overview of their early history and evolution:

  1. Operation Flame (2007): One of their earliest known ops. It targeted South Korean government systems.
  2. Sony Pictures Hack (2014): A publicized attack in retaliation for “The Interview,” a satirical film about North Korea’s leader.
  3. WannaCry Ransomware (2017): One of the largest ransomware outbreaks to date. It hit over 230,000 computers in 150 countries.
  4. Military Espionage: Ongoing efforts to gather intelligence on military operations and technology.
  5. Attacks on South Korean Businesses: A series of cyber attacks on various sectors of the South Korean economy.

These early operations showed the group’s skill. They were targeting a wide range of victims, from entertainment firms to critical infrastructure related to perceived enemies of the North Korean state.

Transition to Crypto-Focused Attacks

The Lazarus Group saw in crypto an opportunity to steal very large sums with relatively modest effort, often by manipulating the people and keys around smart contracts rather than the contracts themselves. Several factors drove the shift towards crypto-focused attacks:

  • Little to no Regulation: The initially unregulated nature of the crypto space.
  • High Reward Potential: Stealing large sums in a single successful attack.
  • Anonymity: The pseudonymous nature of cryptocurrency transactions makes it possible to obfuscate and hide traces.

Moving substantial amounts of crypto has been relatively easy, with few of the barriers that traditional banking systems impose. Stealing and cashing out equivalent sums from Web2 financial systems is far harder: transfers can be frozen or reversed, and intermediaries apply KYC and anti-money-laundering controls at every hop.

Their first major crypto hack was in July 2017, when the Lazarus group plundered Bithumb Exchange, stealing over $7 million worth of crypto assets in one day. As the cryptocurrency space has developed with new innovations, the Lazarus group has continuously exploited new vulnerabilities that have led to devastating losses.  

Escalation of Web3 Attacks

From 2021 to 2023, the Lazarus Group's activities in the Web3 space intensified, resulting in $1.9 billion stolen across the ecosystem. The group focused largely on Decentralized Finance (DeFi) projects, which accounted for 83.8% of its attacks; centralized finance (CeFi) platforms accounted for the remaining 16.2%.

Some high-profile thefts include the $625 million Axie Infinity Ronin Network hack in March 2022 and the Poly Network hack in August 2021. In 2023 the group turned toward CeFi targets, most visibly in the third quarter, when it stole $208.6 million, about 30% of all losses to the crypto ecosystem in that quarter.

Further incidents in that period included CoinEx, Alphapo, Stake, and CoinsPaid, with a combined $308.6 million disclosed as lost between June and September 2023.

Biggest Crypto Heists By Lazarus Group

Year | Attack Name/Incident | Losses (Estimated) | Techniques Used
2017 | Bithumb Exchange Hack | $7 million | Phishing, Social Engineering, Malware
2017 | Youbit Exchange Hack | Unknown | Spear Phishing, Malware, Insider Compromise
2018 | Coincheck Hack | $534 million | Spear Phishing, Exploitation of Poor Security Practices
2019 | Upbit Exchange Hack | $49 million | Phishing, Unauthorized Access, API Exploitation
2020 | KuCoin Exchange Hack | $275 million | Social Engineering, Unauthorized Access, Exploitation of Hot Wallets
2020 | Eterbase Hack | $5.4 million | Phishing, Credential Stuffing, Exploitation of Hot Wallets
2021 | Liquid Exchange Hack | $97 million | Phishing, Credential Theft, Social Engineering
2022 | Ronin Network Hack | $625 million | Compromised Validator Keys (5-of-9 multisig), Social Engineering
2022 | Harmony Horizon Bridge Hack | $100 million | Compromised Multisig Keys (2-of-5), Social Engineering
2024 | WazirX Incident | $235 million | Phishing, Social Engineering, Manipulated Multisig Approval

Lazarus's top seven heists account for the majority of the funds lost. Let's go through them one by one.

1. Poly Network Hack

Poly Network is a cross-chain protocol; its bridge contracts were exploited, underlining how much value bridges concentrate and how exposed they are.

  • Date: August 2021
  • Losses: $600 million
  • Techniques used: Exploitation of vulnerabilities in the cross-chain smart contracts.
  • Aftermath: The attacker returned essentially all of the stolen funds within days of the public outcry, but the incident highlighted the vulnerabilities in DeFi protocols. Attribution to Lazarus rests on the sophistication and scale of the attack; law enforcement has not publicly confirmed it, and returning the funds is atypical for the group.

2. Ronin Bridge Hack

The Ronin Bridge served the popular Axie Infinity game. Although it custodied hundreds of millions of dollars, withdrawals were authorized by a 5-of-9 validator multisig in which Sky Mavis itself controlled four keys and was still allow-listed to sign on behalf of a fifth (the Axie DAO validator) after a temporary arrangement had ended. Compromising one organization was therefore enough, which is what made this the biggest social-engineering-driven exploit in Web3.

  • Date: March 2022
  • Losses: $625 million
  • Techniques used: Compromise of validator keys via social engineering.
  • Aftermath: This hack was one of the largest in DeFi history, leading to increased scrutiny of cross-chain bridges and their signing schemes. The FBI confirmed the involvement of the Lazarus Group, linking the theft to North Korea's funding of its weapons programs.
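To make the Ronin lesson concrete, here is an added Python example (written for this article; it is not code from Sky Mavis, Harmony or Hacken). It answers the question a threat model should ask of any k-of-n scheme: once key custody and signing delegations are accounted for, how many independent organizations must an attacker compromise? The Ronin facts (5-of-9, four Sky Mavis keys, Axie DAO allow-list) and the Horizon threshold (2-of-5) are public; the names of the other Ronin validators, the custody split assumed for Horizon, and the helper functions themselves are this example's own assumptions.

```python
"""Added example: how many organisations must fall before a multisig threshold is met.

Public facts used: Ronin ran a 5-of-9 validator set, Sky Mavis held 4 keys, and
the Axie DAO validator had allow-listed Sky Mavis to sign on its behalf; Harmony's
Horizon bridge used a 2-of-5 multisig.  Everything else (other validator names,
the custody split assumed for Horizon, the function names) is an assumption made
for this example.
"""
from collections import Counter
from typing import Dict, Iterable, Tuple


def effective_slots(custody: Dict[str, str],
                    delegations: Iterable[Tuple[str, str]] = ()) -> Dict[str, int]:
    """Threshold slots each organisation can fill by itself.

    custody:     key_id -> organisation holding that private key
    delegations: (delegate, delegator) pairs; the delegate may sign on behalf of
                 the delegator's keys (Ronin's allow-list), so every key the
                 delegator holds also counts for the delegate.
    """
    own = Counter(custody.values())
    effective = dict(own)
    for delegate, delegator in delegations:
        effective[delegate] = effective.get(delegate, 0) + own.get(delegator, 0)
    return effective


def orgs_to_compromise(threshold: int, slots: Dict[str, int]) -> int:
    """Smallest number of distinct organisations whose combined slots reach the
    threshold, assuming the attacker goes after the richest holders first.
    Returns -1 when the threshold cannot be reached at all."""
    reached = 0
    for n_orgs, count in enumerate(sorted(slots.values(), reverse=True), start=1):
        reached += count
        if reached >= threshold:
            return n_orgs
    return -1


def assess(threshold: int, custody: Dict[str, str],
           delegations: Iterable[Tuple[str, str]] = ()) -> int:
    """1 means a single organisation is a point of failure for the whole bridge."""
    return orgs_to_compromise(threshold, effective_slots(custody, delegations))


# Ronin, March 2022: 5-of-9.  Validators other than Sky Mavis / Axie DAO are placeholders.
RONIN_CUSTODY = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "third_party_A", "v7": "third_party_B",
    "v8": "third_party_C", "v9": "third_party_D",
}
RONIN_ALLOWLIST = [("Sky Mavis", "Axie DAO")]   # granted in late 2021, never revoked

# Harmony Horizon, June 2022: 2-of-5.  Assumed custody: all five keys run by one team.
HORIZON_CUSTODY = {f"k{i}": "Harmony" for i in range(1, 6)}

# A hardened layout for comparison: 5-of-9 spread over nine unrelated operators.
HARDENED_CUSTODY = {f"v{i}": f"operator_{i}" for i in range(1, 10)}


if __name__ == "__main__":
    print("Ronin, allow-list in place :", assess(5, RONIN_CUSTODY, RONIN_ALLOWLIST))  # 1
    print("Ronin, allow-list revoked  :", assess(5, RONIN_CUSTODY))                   # 2
    print("Horizon 2-of-5, one team   :", assess(2, HORIZON_CUSTODY))                 # 1
    print("Hardened 5-of-9            :", assess(5, HARDENED_CUSTODY))                # 5
```

The number that matters is the result of `assess`, not the nominal threshold: Ronin's 5-of-9 was effectively 1-of-1 while the allow-list stood, and only revoking it would have forced the attacker to breach a second organization. Run the same check whenever a signer is added, delegated, or re-homed.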

3. Nomad Hack

Following Ronin, Nomad also had its bridge drained, and by this point there was no dispute that bridges were a central point of vulnerability for the blockchain ecosystem. Attribution here is weaker than for the other entries: Nomad's own post-mortem traced the loss to a routine upgrade that marked the zero value as a trusted root, so any message passed verification, and hundreds of copycat addresses joined the drain. It was a smart contract failure rather than key theft, and it is not firmly tied to Lazarus.

  • Date: August 2022
  • Losses: $190 million
  • Techniques used: Exploitation of a smart contract misconfiguration.
  • Aftermath: The hack led to a broader discussion about the security of cross-chain protocols. The stolen funds were partially recovered, but the incident raised alarms about the need for tighter security measures in the crypto space.

4. Atomic Wallet Hack

The Atomic Wallet hack was a breach of a non-custodial wallet; the root cause was never publicly confirmed, and some speculated it was an error in the wallet software itself.

  • Date: June 2023
  • Losses: $100 million
  • Techniques used: Phishing and social engineering.
  • Aftermath: Blockchain analysis firms attributed the attack to the Lazarus Group, which the FBI confirmed. This underscored the risks associated with non-custodial wallets and the importance of user vigilance against phishing attacks.

5. Stake.com Hack

Hacken wrote extensively on the Stake.com hack, an online crypto casino exploited by the Lazarus group; it is another example of private key leakage.

  • Date: September 2023
  • Losses: $41 million
  • Techniques used: Stolen private keys and social engineering.
  • Aftermath: The hack further illustrated the vulnerabilities of online gambling platforms and the ongoing threat posed by North Korean hackers. The FBI linked the incident to the Lazarus Group, emphasizing their continued focus on high-value targets.

6. CoinEx Hack

  • Date: September 2023
  • Losses: $70 million (estimated)
  • Techniques used: Social engineering and unauthorized access.
  • Aftermath: This attack marked another instance of Lazarus’s evolving tactics, targeting centralized exchanges. The incident prompted exchanges to enhance security measures and monitor suspicious activities.

7. WazirX Hack

WazirX is a more recent incident, in which the Indian cryptocurrency exchange lost over $200 million from a multi-signature wallet. The legitimate signers reportedly approved a transaction whose payload differed from what their interface showed, and that transaction replaced the wallet's contract logic, after which the attacker drained it.

  • Date: July 2024
  • Losses: $235 million
  • Techniques used: Phishing, manipulation of the multisig approval flow, and API exploitation.
  • Aftermath: This incident raised significant concerns about the security of exchanges in the rapidly evolving crypto landscape. It highlighted the need for signers to verify the raw transaction they approve, not only what a signing interface displays, as well as for robust security protocols and user education against phishing.

Three of these seven incidents occurred in 2023, a year that alarmed the global cryptocurrency and cybersecurity community. Notable improvements can be seen, such as the reduced number of bridge exploits in 2024. To improve the ecosystem, knowing the core techniques and tactics the group uses is the starting point for preventive measures.

Techniques And Tactics Used By Lazarus Group

The Lazarus Group has demonstrated a sophisticated and evolving set of attack techniques and tactics. These attacks have resulted in significant financial losses and raised alarms about the security of the cryptocurrency industry as a whole. The ongoing investigations and attributions by the FBI and other agencies continue to shed light on the scale and impact of these cybercriminal activities linked to North Korea.

Here’s an overview of their primary methods, along with specific examples: 

1. Social Engineering

Social engineering remains one of the Lazarus Group’s most effective tactics:

  • Fake Job Offers: The $625 million Ronin Network hack in March 2022 was initiated through a fake LinkedIn job offer to a senior engineer at Axie Infinity.
  • Phishing Campaigns: In the 2017 Bithumb hack, which resulted in a $7 million loss, the group used spear-phishing emails loaded with malware to target exchange users.

2. Infiltration

Lately, the Lazarus Group has increasingly turned to infiltrating legitimate companies by posing as developers or IT workers. Once inside, they exploit their position to conduct attacks. Notable examples include:

  • KnowBe4 Incident: In a recent case, KnowBe4, a cybersecurity training company, hired a remote IT worker who turned out to be a North Korean operative using a stolen identity. As soon as the company laptop was delivered he began loading malware onto it, which the endpoint detection tooling caught. The case shows how the group's infiltration tactics now reach even security-focused organizations, and that the identity checked at interview must be the person who receives the hardware.
  • Harmony Protocol: In June 2022, Lazarus drained about $100 million from Harmony's Horizon Bridge, which was controlled by a 2-of-5 multisig. Harmony confirmed that private keys were compromised; reports describe social engineering of team members, and it has been alleged, though not publicly confirmed, that the group gained access by posing as a blockchain developer.
  • DeFiance Capital: In 2023, Lazarus reportedly infiltrated DeFiance Capital, a leading DeFi investment firm, under the guise of a smart contract developer, and used that position to compromise internal wallets, resulting in a multimillion-dollar theft.

3. Infrastructure Exploitation

The group targets vulnerabilities in the infrastructure of crypto projects:

  • Private Key Compromises: The September 2023 CoinEx hack, initially estimated at $54 million and later revised to about $70 million, involved compromised private keys for the exchange's hot wallets.
  • Malware Deployment: In the July 2023 CoinsPaid attack ($37.3 million stolen), the group used malware to gain remote access to the company’s systems.

4. Smart Contract Vulnerabilities

While recently focusing more on centralized exchanges, the group has shown capability in exploiting smart contract weaknesses. The August 2021 Poly Network hack involved exploiting cross-chain contract vulnerabilities, resulting in a $600 million loss.

5. Sophisticated Money Laundering

After successful attacks, the Lazarus Group employs complex laundering techniques:

  • Crypto Mixers: Following the June 2023 Atomic Wallet hack ($100 million stolen), the group used Sinbad.io to mix the stolen funds.
  • Cross-Chain Transfers: In the September 2023 CoinEx hack, funds were bridged from one blockchain to Ethereum using previously known Lazarus-associated bridges.
  • Multiple Mixing Rounds: The funds stolen from Stake.com in September 2023 ($41 million) were mixed multiple times and partially combined with funds from other hacks.

6. Targeting Centralized Exchanges

Recent trends show a shift towards attacking centralized crypto services:

  • Extended Surveillance: Before the CoinsPaid hack in July 2023, the group spent six months surveilling and analyzing the exchange.
  • Exploitation of Larger Workforces: The July 2023 Alphapo hack ($60 million stolen) targeted a centralized crypto payment provider, where a larger workforce widens the surface for social engineering.

7. Adapting to Security Improvements

With the improvement in the security of DeFi protocols, the Lazarus Group has been able to adapt. In the year 2023, five major attacks were ascribed to Lazarus (Atomic Wallet, CoinsPaid, Alphapo, Stake.com, and CoinEx), all of which occurred in the confines of centralized services instead of DeFi protocols. The successful social engineering attack on CoinsPaid demonstrates their focus on human vulnerabilities in centralized systems.

Because Lazarus rotates its tactics over time, attribution in Web3 incidents is rarely obvious from the initial exploit. Nevertheless, blockchain analytics firms working with the FBI have tied most of the incidents above to the group through its laundering patterns, infrastructure, and tradecraft. Its ability to exploit both traditional and Web3-specific weaknesses makes it one of the most significant threats in cryptocurrency.

Global Response To North Korean Hackers

The international response to the actions of North Korean hackers has included sanctions, law enforcement measures, and cooperation among nations. The UN imposed extensive sanctions on North Korea aimed at preventing its nuclear ambitions and funding sources. We now know that North Korea has managed to steal billions, which are believed to finance its weapons programs. 

The United States has enacted targeted sanctions against individuals and entities associated with North Korean cyber operations. For instance, in 2022, the U.S. Treasury Department sanctioned several North Korean hackers and their affiliates, aiming to disrupt their financial networks and deter future attacks.

As the attributions above show, the FBI actively investigates North Korean hackers and publishes alerts to inform the private sector about current threats, and the Department of Justice has unsealed indictments against named operatives. The U.S. government has also offered rewards for information leading to the arrest of key figures within the Lazarus Group. Closer cooperation between government agencies and private sector companies, including sharing intelligence on the vulnerabilities and attack methods North Korean hackers use, improves the defense against these threats.

Security & Preventive Measures

The North Korean hacker group remains active in the space, so understanding the preventive measures Web3 protocols and developers should take remains crucial. The Hacken team has identified the main areas of vulnerability that should be addressed to prevent exploitation.

Security Domain / Measures

1. Private Key Management
  • Cold Storage: Store large amounts of cryptocurrency in hardware wallets or other offline storage methods.
  • Multi-Signature Wallets: Implement multi-sig wallets requiring multiple private keys for transaction authorization, and make sure the threshold cannot be met by keys that a single organization holds or can sign for. Ronin's 5-of-9 scheme collapsed because Sky Mavis held four keys and was still allow-listed to sign for a fifth.
  • Key Rotation: Regularly update and rotate private keys to limit the impact of potential compromises.

2. Authentication and Access Control
  • Employee KYC: Properly verify the identity of every employee, especially remote hires, and confirm that the person interviewed is the person who receives company equipment.
  • Multi-Factor Authentication (MFA): Implement robust MFA for all access points, especially for privileged accounts.
  • Zero Trust Architecture: Adopt a "never trust, always verify" approach to network access.
  • Principle of Least Privilege: Limit user access rights to the minimum permissions necessary for their work.

3. Network Security
  • Network Segmentation: Implement strict network segmentation to limit lateral movement in case of a breach.
  • Firewalls and IDS: Deploy and regularly update these systems to monitor and protect network traffic.
  • Virtual Private Networks (VPNs): Use VPNs for secure remote access to sensitive systems.

4. Endpoint Security
  • Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to threats on individual devices.
  • Regular Patching: Keep all systems and software up-to-date with the latest security patches.
  • Anti-malware Software: Use and regularly update anti-malware solutions on all endpoints.

5. Employee Training and Awareness
  • Phishing Awareness: Conduct regular training on recognizing and reporting phishing attempts.
  • Social Engineering Defense: Educate staff on various social engineering tactics, including fake job offers and recruiter approaches, and how to resist them.
  • Security Policy Compliance: Ensure all employees understand and adhere to organizational security policies.

6. Continuous Monitoring and Threat Detection
  • SIEM: Implement SIEM systems for real-time analysis of security alerts.
  • Threat Intelligence: Utilize threat intelligence feeds to stay informed about emerging threats and attack patterns.
  • Anomaly Detection: Deploy systems capable of detecting unusual patterns in network traffic or user behavior.

7. Incident Response and Recovery
  • Incident Response Plan: Develop and regularly test a comprehensive incident response plan.
  • Backup and Recovery: Implement robust backup solutions and test recovery procedures regularly.
  • Post-Incident Analysis: Conduct thorough post-mortem analyses after any security incidents to improve defenses.

8. Third-Party Risk Management
  • Vendor Security Assessments: Regularly assess the security posture of all third-party vendors and partners.
  • API Security: Implement strong authentication and monitoring for all API integrations.
  • Supply Chain Security: Monitor and secure the entire supply chain, including software dependencies and hardware components.

9. Compliance and Audits
  • Regular Security Audits: Conduct both internal and external security audits on a regular basis.
  • Penetration Testing: Perform regular penetration tests to identify and address vulnerabilities.
  • Compliance Frameworks: Adhere to relevant compliance frameworks (e.g., ISO 27001, NIST) and use them as a baseline for security practices.

10. Crypto-Specific Measures
  • Smart Contract Audits: For DeFi projects, conduct thorough and regular smart contract audits.
  • Transaction Monitoring: Implement real-time transaction monitoring systems to detect suspicious activities, such as rapid outflows from hot wallets or transfers to known mixers and bridges.
  • Decentralized Security Measures: Leverage blockchain-native security features like time-locks and multi-sig governance.
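The "Transaction Monitoring" and "Anomaly Detection" rows above, and the laundering pattern described under "Sophisticated Money Laundering" (rapid drain to fresh addresses, then mixers and cross-chain bridges), are the kind of thing a rule-based outflow monitor can catch early. The following is an added Python example written for this article, not Hacken tooling or any vendor product. All addresses, balances, transfers and thresholds are constructed for the example; a real deployment would take the denylists from a threat-intelligence feed and the transfers from a node or indexer.

```python
"""Added example: rule-based monitoring of outflows from an exchange hot wallet.

Every address, balance, transfer and threshold here is constructed for the
example; the rule names and thresholds are assumptions, not industry constants.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed denylists standing in for intel-feed tags.
MIXER_ADDRS: Set[str] = {"0xmixer_a", "0xmixer_b"}
BRIDGE_ADDRS: Set[str] = {"0xbridge_x"}

WINDOW_SECONDS = 10 * 60     # sliding window for the drain rule
DRAIN_FRACTION = 0.25        # alert when >= 25% of the wallet leaves inside one window
LARGE_USD = 250_000          # "large" transfer for the new-destination / bridge rules


@dataclass(frozen=True)
class Transfer:
    ts: int      # unix seconds
    src: str     # monitored hot wallet
    dst: str
    usd: float


@dataclass(frozen=True)
class Alert:
    ts: int
    rule: str
    detail: str


def monitor(transfers: Iterable[Transfer],
            balances: Dict[str, float],
            known_dsts: Iterable[str]) -> List[Alert]:
    """Replay transfers in time order and return the alerts they trigger.

    balances:   hot wallet -> USD balance at the start of the replay
    known_dsts: destinations previously seen (customer withdrawal history)
    """
    alerts: List[Alert] = []
    seen: Set[str] = set(known_dsts)
    windows: Dict[str, List[Transfer]] = {}
    drain_flagged: Set[str] = set()

    for t in sorted(transfers, key=lambda x: x.ts):
        where = f"{t.src} -> {t.dst} ${t.usd:,.0f}"

        # Destination rules, most specific first; one alert per transfer.
        if t.dst in MIXER_ADDRS:
            alerts.append(Alert(t.ts, "MIXER", where))
        elif t.dst in BRIDGE_ADDRS and t.usd >= LARGE_USD:
            alerts.append(Alert(t.ts, "BRIDGE_LARGE", where))
        elif t.dst not in seen and t.usd >= LARGE_USD:
            alerts.append(Alert(t.ts, "NEW_DST_LARGE", where))
        seen.add(t.dst)

        # Velocity rule: total outflow per wallet inside a sliding window,
        # flagged once per wallet so a drain does not produce an alert storm.
        window = windows.setdefault(t.src, [])
        window.append(t)
        while window and t.ts - window[0].ts > WINDOW_SECONDS:
            window.pop(0)
        drained = sum(x.usd for x in window)
        if (t.src not in drain_flagged
                and drained >= DRAIN_FRACTION * balances.get(t.src, float("inf"))):
            drain_flagged.add(t.src)
            alerts.append(Alert(t.ts, "RAPID_DRAIN",
                                f"{t.src} sent ${drained:,.0f} within {WINDOW_SECONDS}s"))
    return alerts


# Constructed replay: after one ordinary customer withdrawal, a $1M hot wallet is
# drained through two fresh addresses, a bridge, and finally a mixer.
SAMPLE_BALANCES = {"0xhot": 1_000_000.0}
SAMPLE_KNOWN = {"0xcust_1"}
SAMPLE_TRANSFERS = [
    Transfer(0,   "0xhot", "0xcust_1",   5_000),
    Transfer(60,  "0xhot", "0xfresh_1",  300_000),
    Transfer(120, "0xhot", "0xfresh_2",  300_000),
    Transfer(180, "0xhot", "0xbridge_x", 300_000),
    Transfer(240, "0xhot", "0xmixer_a",  40_000),
]


def run_sample() -> List[Alert]:
    return monitor(SAMPLE_TRANSFERS, SAMPLE_BALANCES, SAMPLE_KNOWN)


if __name__ == "__main__":
    for a in run_sample():
        print(f"t={a.ts:>4}s  {a.rule:<14} {a.detail}")
```

On the constructed replay the first large transfer to an unseen address already fires both the new-destination and the rapid-drain rules at t=60s, before the bridge and mixer hops that would otherwise be the first visible sign of laundering. In production the useful response to RAPID_DRAIN is an automatic pause of the hot wallet's withdrawal service pending a human check, since every minute of delay shrinks what can still be moved.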

By implementing these measures, organizations can significantly enhance their resilience against sophisticated attacks from groups like Lazarus. However, it’s crucial to remember that security is an ongoing process that requires constant vigilance, updates, and adaptations to new threats.
