
Lazarus Group

North Korea’s Lazarus behind years of crypto hacks in Japan: Police

According to the Japanese government, phishing has been a common mode of attack for the Lazarus Group, which is believed to have focused more on crypto funds lately because they are “managed more loosely.”

Japan’s national police have pinned North Korean hacking group, Lazarus, as the organization behind several years of crypto-related cyber attacks. 

In the public advisory statement sent out on Oct. 14, Japan’s National Police Agency (NPA) and Financial Services Agency (FSA) warned the country's crypto-asset businesses to stay vigilant against “phishing” attacks by the hacking group aimed at stealing crypto assets.

The advisory is a form of “public attribution,” and according to local reports it is only the fifth time the Japanese government has issued such a warning.

The statement warns that the hacking group uses social engineering to orchestrate phishing attacks, impersonating executives of a target company to try to bait employees into clicking malicious links or attachments:

“This cyber attack group sends phishing emails to employees impersonating executives of the target company [...] through social networking sites with false accounts, pretending to conduct business transactions [...] The cyber-attack group [then] uses the malware as a foothold to gain access to the victim's network.”

According to the statement, phishing has been a common mode of attack used by North Korean hackers, with the NPA and FSA urging targeted companies to keep their “private keys in an offline environment” and to “not open email attachments or hyperlinks carelessly.”

The statement added that individuals and businesses should “not download files from sources other than those whose authenticity can be verified, especially for applications related to cryptographic assets.”

The NPA also suggested that digital asset holders “install security software,” strengthen identity authentication mechanisms by “implementing multi-factor authentication” and not use the same password for multiple devices or services.

The NPA confirmed that several of these attacks have been successfully carried out against Japan-based digital asset firms, but did not disclose any specific details.

Related: ‘Nobody is holding them back’ — North Korean cyber-attack threat rises

Lazarus Group is allegedly affiliated with North Korea’s Reconnaissance General Bureau, a government-run foreign intelligence group.

Katsuyuki Okamoto of multinational IT firm Trend Micro told The Yomiuri Shimbun that “Lazarus initially targeted banks in various countries, but recently it has been aiming at crypto assets that are managed more loosely.”

The group has been accused of being the hackers behind the $650 million Ronin Bridge exploit in March, and was identified as a suspect in the $100 million attack on layer-1 blockchain Harmony.


OFAC Sanctions 7 New Bitcoin Addresses Allegedly Associated With Iran-Related Ransomware Activities

The Treasury’s Office of Foreign Assets Control (OFAC) has published a specially designated nationals list update (OFAC’s SDN List) that lists a number of individuals accused of being involved with Iran-related ransomware. The list further shows seven bitcoin addresses that are allegedly associated with the Iranian ransomware gang. Iran Adds 7 New Bitcoin Addresses to […]


US Seizes Cryptocurrency Worth $30 Million From North Korean Hackers

Blockchain data analytics firm Chainalysis has revealed that U.S. authorities have seized cryptocurrency worth $30 million from North Korean hackers. “This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last,” the firm’s director of investigations said. $30 Million in […]


Ronin hackers transferred stolen funds from ETH to BTC and used sanctioned mixers

The hackers continue to spread out the stolen funds using Bitcoin privacy tools as a means to remain anonymous, even though they are believed to be a North Korean cybercrime group.

The hackers behind the $625 million Ronin bridge attack in March have since transferred most of their funds from ETH into BTC using renBTC and Bitcoin privacy tools Blender and ChipMixer. 

The hackers’ activity has been tracked by on-chain investigator ‘₿liteZero’, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report. They outlined the transaction pathway of the stolen funds since the Mar. 23 attack.

The majority of the stolen funds were originally converted into ETH and sent to the now-sanctioned Ethereum mixer Tornado Cash before being bridged over to the Bitcoin network and converted into BTC via the Ren protocol.

According to the report, the hackers, who are believed to be the North Korean cybercrime organization Lazarus Group, initially transferred just a portion of the funds (6,249 ETH) to centralized exchanges including Huobi (5,028 ETH) and FTX (1,219 ETH) on Mar. 28.

From the centralized exchanges, the 6,249 ETH appears to have been converted into BTC. The hackers then transferred 439 BTC ($20.5 million) to the Bitcoin privacy tool Blender, which was also sanctioned by the U.S. Treasury on May 6. The analyst wrote:

“I've found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender's deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”

However, the overwhelming majority of the stolen funds, 175,000 ETH, was transferred to Tornado Cash incrementally between April 4 and May 19.

Related: The aftermath of Axie Infinity’s $650M Ronin Bridge hack

The hackers subsequently used decentralized exchanges Uniswap and 1inch to convert around 113,000 ETH to renBTC (a wrapped version of BTC), and used Ren’s decentralized cross-chain bridge to transfer the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.

From there, approximately 6,631 BTC was distributed to a variety of centralized exchanges and decentralized protocols:

Platforms the hackers used to transfer BTC to. Source: SlowMist.

The report also stated that the Ronin hackers withdrew 2,871 BTC of the 3,460 BTC ($61.6 million as of Aug. 22) via the Bitcoin privacy tool ChipMixer.

BTC balance on platforms after the hackers withdrew funds. Source: SlowMist.

₿liteZero concluded the Twitter thread by stating that the Ronin hack remains a “mystery to be investigated” and that more progress is to be made.


North Korean Hackers Have Looted $1,000,000,000 From DeFi Protocols This Year: Chainalysis


Hacking groups affiliated with North Korea are responsible for much of the theft occurring on decentralized finance (DeFi) protocols, according to blockchain analysis platform Chainalysis. The market intelligence firm says that hackers linked to the isolated country have stolen a billion dollars from DeFi protocols so far this year. “Much of the value stolen from […]

The post North Korean Hackers Have Looted $1,000,000,000 From DeFi Protocols This Year: Chainalysis appeared first on The Daily Hodl.


Dutch Law Enforcement Arrests Suspected Tornado Cash Developer in Amsterdam

According to a statement from the Dutch Fiscal Information and Investigation Service (FIOD), law enforcement officials in Amsterdam arrested an unnamed 29-year-old suspected of developing the Ethereum mixing application Tornado Cash. FIOD accuses the suspect of “concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies.” Netherlands Law Enforcement Takes Suspected Tornado […]


Snoop Dogg, Steve Aoki, Logan Paul, and Beeple Dusted by OFAC-Banned Tornado Cash Transactions

Following the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) banning Tornado Cash and a number of associated Ethereum-based addresses, an anonymous Tornado Cash user has dusted a swathe of well-known wallets tied to ENS domain names. On-chain data shows that a number of celebrities and organizations received 0.1 ether from the platform. […]


OFAC’s Tornado Cash Ban Causes Github Suspensions and the Blacklisting of Crypto Addresses Holding $437M

On August 8, the Ethereum mixing service Tornado Cash, and all the crypto addresses associated with the platform, were officially banned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). Following the ban, the internet hosting service for software and open source code development, Github, erased some of the Tornado Cash commits and […]


US Government Bans Ethereum Mixer Tornado Cash, Platform Added to OFAC’s SDN List

On Monday, the U.S. Treasury Department’s watchdog, the Office of Foreign Assets Control (OFAC), banned the Ethereum mixing application Tornado Cash. OFAC cited that the mixer has helped North Korean hackers such as the hacking syndicate known as Lazarus Group. OFAC Sanctions Tornado Cash Mixing App OFAC has officially banned Tornado Cash and […]


Cross chains, beware! deBridge flags attempted phishing attack, suspects Lazarus Group

deBridge Finance survives an attempted phishing attack, points a finger at the North Korean Lazarus Group, and warns the wider community to be on guard.

Cross-chain protocols and Web3 firms continue to be targeted by hacking groups as deBridge Finance unpacks a failed attack that bears the hallmarks of North Korea’s Lazarus Group hackers.

deBridge Finance employees received what looked like another ordinary email from co-founder Alex Smirnov on a Friday afternoon. An attachment labeled ‘New Salary Adjustments’ was bound to pique interest, with various cryptocurrency firms instituting staff layoffs and pay cuts during the ongoing cryptocurrency winter.

A handful of employees flagged the email and its attachment as suspicious, but one staff member took the bait and downloaded the PDF file. This would prove fortuitous, as the deBridge team worked on unpacking the attack vector sent from a spoof email address designed to mirror Smirnov’s.

The co-founder delved into the intricacies of the attempted phishing attack in a lengthy Twitter thread posted on Aug. 5, acting as a public service announcement for the wider cryptocurrency and Web3 community.

Smirnov’s team noted that the attack would not infect macOS users, as opening the link on a Mac leads to a zip archive containing a normal PDF file, Adjustments.pdf. Windows-based systems, however, are at risk, as Smirnov explained:

“The attack vector is as follows: user opens link from email, downloads & opens archive, tries to open PDF, but PDF asks for a password. User opens password.txt.lnk and infects the whole system.”

The supposed text file, password.txt.lnk, is really a Windows shortcut, and it does the damage: it executes a cmd.exe command that checks the system for anti-virus software. If the system is not protected, the malicious file is saved in the autostart folder and begins to communicate with the attacker to receive instructions.
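The lure described above hinges on a double extension: a shortcut named password.txt.lnk that Explorer shows as "password.txt". The following Python script is an added example, not code from deBridge or from the original article: it scans a zip archive for .lnk files disguised as documents and parses each shortcut's header and StringData (per the MS-SHLLINK layout) to pull out the target and command-line arguments. The archive, the shortcut and its cmd.exe argument are constructed here as a stand-in and are not the real sample; the file names are the ones the article quotes.

```python
"""Flag Windows shortcuts (.lnk) masquerading as documents inside a zip archive
and extract the command they would run. Added example; the archive and shortcut
are constructed below and are NOT the real deBridge phishing sample."""
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
DOC_EXTS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx"}
SHELL_HOSTS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript", "rundll32")


def parse_lnk(data: bytes) -> dict:
    """Minimal MS-SHLLINK parser: check header, skip IDList/LinkInfo, read StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                            # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    out = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:                                 # StringData: CountCharacters + chars
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[key] = data[pos:pos + count].decode("cp1252")
                pos += count
    return out


def scan_archive(zip_bytes: bytes) -> list:
    """Return one finding per .lnk member: disguised name? what does it launch?"""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if not lower.endswith(".lnk"):
                continue
            stem = lower[:-4]
            inner = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
            finding = {"file": info.filename, "double_extension": inner in DOC_EXTS}
            try:
                link = parse_lnk(zf.read(info.filename))
                finding.update(link)
                target = (link.get("relative_path", "") + " " + link.get("arguments", "")).lower()
                finding["spawns_shell"] = any(h in target for h in SHELL_HOSTS)
            except (ValueError, struct.error):
                finding["spawns_shell"] = False         # .lnk by name only, not a shell link
            findings.append(finding)
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal unicode shortcut so the scanner has something real to parse."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (76 - 24)
    id_list = struct.pack("<H", 2) + b"\x00\x00"        # empty IDList: terminal ID only

    def string_data(txt: str) -> bytes:
        return struct.pack("<H", len(txt)) + txt.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(working_dir) + string_data(arguments)


def build_sample_archive() -> bytes:
    """Constructed lure mirroring the file names in the article; payload is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Adjustments.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
        zf.writestr("password.txt.lnk", build_lnk(
            "..\\..\\..\\Windows\\System32\\cmd.exe", "%TEMP%",
            '/c tasklist /fi "imagename eq MsMpEng.exe"'))  # placeholder, not the real payload
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

The scanner treats two signals as independent: the name lies (a document extension followed by .lnk) and the link launches a script host. Either alone is worth quarantining an attachment over; both together is the pattern the article describes. Real shortcuts often carry a LinkInfo block and an EnvironmentVariableDataBlock after the StringData, which this minimal parser skips or ignores rather than fully decoding.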

Related: ‘Nobody is holding them back’ — North Korean cyber-attack threat rises

The deBridge team allowed the script to receive instructions but nullified the ability to execute any commands. This revealed that the code collects a swathe of information about the system and exports it to attackers. Under normal circumstances, the hackers would be able to run code on the infected machine from this point onward.

Smirnov linked back to earlier research into phishing attacks carried out by the Lazarus Group which used the same file names.

2022 has seen a surge in cross-chain bridge hacks, as highlighted by blockchain analysis firm Chainalysis. Over $2 billion worth of cryptocurrency has been stolen in 13 different bridge attacks this year, accounting for nearly 70% of stolen funds. Axie Infinity's Ronin bridge has been the worst hit so far, losing $612 million to hackers in March 2022.
