North Korean hacker organization Lazarus Group: the hand behind Ronin, KuCoin and many other industry incidents

Hacker attacks have become a routine occurrence in the crypto ecosystem. According to Chainalysis's 2022 Q1 report, hackers stole $3.2 billion worth of crypto assets in 2021, and in the first three months of 2022 alone they stole about $1.3 billion in crypto assets from exchanges, DeFi protocols and ordinary users, 97% of which came from DeFi protocols.


Among these hacker groups, the North Korean Lazarus Group has received the most attention recently. According to the U.S. Treasury Department, the group was behind the $620 million theft from the Ronin cross-chain bridge, and its Ethereum address has been added to the U.S. sanctions list. Previously, the group was considered to be behind the thefts at many cryptocurrency exchanges such as Bithumb and KuCoin, mostly carried out through phishing attacks.

Today, the Lazarus Group is becoming one of the most destructive hacking groups in the crypto ecosystem. So how did this organization come to be, and what methods does it usually rely on?

About Lazarus Group

According to Wikipedia, Lazarus Group was established in 2007 and is affiliated with Research Center No. 110 under the Third Bureau of the Reconnaissance General Bureau of the General Staff of the Korean People's Army, specializing in cyber warfare. The organization selects the brightest students in the country for six years of special education to develop their ability to deploy various types of malware to computers and servers. Kim Il Sung University, Kim Chaek University of Science and Technology and Moranbong University in North Korea provide the related education.

The organization is divided into two divisions. One is BlueNorOff (also known as APT38), with about 1,700 members, responsible for illegal transfers through forged SWIFT orders; it focuses on exploiting network vulnerabilities for economic gain or taking control of systems to carry out financial cybercrime, and targets financial institutions and cryptocurrency exchanges. The other, AndAriel, with about 1,600 members, targets South Korea.

Lazarus Group's earliest known attack was "Operation Troy" in 2009, which used DDoS techniques against the South Korean government. Its most famous attack was the 2014 attack on Sony Pictures over a comedy about the assassination of North Korean leader Kim Jong Un.

A well-known attack by BlueNorOff, an arm of the group, was the Bangladesh Bank attack in 2016, in which they attempted to use the SWIFT network to illegally transfer nearly $1 billion from a Federal Reserve Bank of New York account belonging to the Bangladesh central bank. After several transactions had gone through ($20 million traced to Sri Lanka and $81 million to the Philippines), the Federal Reserve Bank of New York blocked the rest, citing suspicions raised by spelling errors in the transfer requests.

Since 2017, the group has been attacking the crypto industry and has made at least $1 billion in profit from it.

Lazarus Group's crypto attacks

In February 2017, $7 million in digital assets was stolen from the South Korean exchange Bithumb.

In April 2017, about 4,000 bitcoins were stolen from the South Korean exchange Youbit; in December another 17% of its digital assets were stolen, after which Youbit filed for bankruptcy.

More than 4,500 bitcoins were stolen from the cryptocurrency cloud mining marketplace Nicehash in December 2017.

About $300 million worth of digital assets were stolen from the KuCoin exchange in September 2020.

In March 2022, the Ronin cross-chain bridge was attacked, and 173,600 ETH and 25.5 million USDC were stolen, with a cumulative value of about 620 million US dollars.

In addition, many crypto project leaders and KOLs are also targeted by Lazarus Group. On March 22, 2022, Defiance Capital founder Arthur tweeted that his hot wallet had been compromised and that 60 NFTs, including 17 Azuki and 5 CloneX, worth about $1.7 million, had been lost. Arthur said there was evidence that the North Korean-backed BlueNorOff hacking group was behind it and that they were doing great harm to the crypto industry.

In the face of accusations from the outside world, North Korea issued a statement denying that the Lazarus Group was responsible, but has not responded to media inquiries since then.

Attack Features

According to the analysis of Hofu Think Tank, Lazarus Group steals crypto assets stored in digital wallets by means of phishing, malicious code, malware and so on. The main features are as follows:

  • The attack cycle is generally long, usually with an extended latent period, and different methods are used to lure the target into being compromised.
  • The decoy documents delivered are highly deceptive and enticing, so that the target cannot recognize them as malicious.
  • The attack process uses system sabotage or ransomware to disrupt incident analysis.
  • SMB protocol vulnerabilities or related worm tools are exploited for lateral movement and payload delivery.
  • The source code of the toolset is modified for each attack, and is promptly modified again after a cybersecurity company discloses it.

The Lazarus Group's favored attack vector is the abuse of trust: exploiting the target's trust in business communications, co-workers' internal chats or external interactions, sending them malicious files, and monitoring their day-to-day operations for opportunities to steal. Once the attacker realizes that the target is a major crypto player, they carefully observe the user's activity for weeks or months before drawing up the theft plan.

In January 2021, Google's security team also reported that Lazarus had been lurking on social media such as Twitter, LinkedIn and Telegram for a long time, using fake identities to pose as an active vulnerability researcher in the industry, gaining the community's trust and then launching zero-day attacks on other vulnerability researchers.

According to Kaspersky's research, this year BlueNoroff has favored tracking and researching successful cryptocurrency startups. The goal is to build a good personal rapport with team management and learn about topics that may interest them, even getting hired or posing as job candidates to get inside companies, in order to launch high-quality social engineering attacks.

A U.S. government report further revealed that intrusions often start with a flood of spear-phishing messages sent over various communication platforms to cryptocurrency company employees, often in systems administration or software development/IT operations (DevOps). These messages often imitate recruiting outreach and offer high-paying jobs to lure recipients into downloading malware-laden cryptocurrency apps.

After implanting the malicious file on the target computer, if the attacker realizes that the target uses the MetaMask extension to manage a crypto wallet, they change the extension source from the Web Store to local storage and replace the core extension component (background.js) with a tampered version. The screenshot below shows the infected MetaMask background.js code with the injected lines highlighted in yellow. In this case, the attackers set up monitoring of transactions between specific sender and recipient addresses, which triggers a notification when a large transfer is detected.


In addition, if the attacker realizes that the target user's cryptocurrency is stored in a hardware wallet, they can intercept the transaction process and inject malicious logic. When the user transfers funds to another account, the transaction is signed on the hardware wallet; since the operation was initiated by the user, it does not arouse the user's suspicion. Meanwhile, the attacker has not only modified the recipient address, but also raised the transfer amount to the maximum.


This sounds simple enough, but it requires a thorough analysis of the MetaMask extension, which contains over 6MB of JavaScript code (~170,000 lines), and the implementation of code injection that lets the attacker rewrite transaction details on demand while the user is using the extension.

However, the attacker's modifications to the Chrome extension leave traces. The browser must be switched to developer mode, and the MetaMask extension must be installed from a local directory instead of the online store. If the add-on comes from the store, Chrome enforces digital signature verification on the code and guarantees its integrity, making it impossible for the attacker to complete the attack.
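Those traces are what a defender can hunt for. The following Python script, an added example that is not part of the original article, walks a Chrome profile's extension settings and flags any extension, the wallet extension in particular, that was loaded unpacked from a local directory rather than installed from the Web Store. It assumes Chrome records each extension under `extensions.settings.<id>` in the profile's `Preferences` (or `Secure Preferences`) JSON with a `from_webstore` flag and a numeric `location` where 4 means unpacked; the sample profile data is constructed.

```python
"""Flag Chrome extensions that were side-loaded instead of installed from the Web Store.
Assumptions (not from the article): Chrome lists installed extensions under
extensions.settings.<id> in the profile's "Preferences" / "Secure Preferences" JSON,
with a boolean "from_webstore" and a numeric "location" where 4 = unpacked
(loaded from a local directory in developer mode). The sample below is constructed."""
import json
from typing import Dict, List

LOCATION_UNPACKED = 4  # Chrome ManifestLocation value for "Load unpacked" (assumption)

# Constructed sample profile: two store installs and one side-loaded wallet extension.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaexampleidstore0000000000000": {
        "from_webstore": True, "location": 1,
        "manifest": {"name": "Some Store Extension", "version": "2.0.1"}},
    "bbbbexampleidwallet000000000000": {
        "from_webstore": False, "location": LOCATION_UNPACKED,
        "path": "C:\\Users\\victim\\AppData\\Local\\ext\\metamask",
        "manifest": {"name": "MetaMask", "version": "10.11.0"}},
    "ccccexampleidother0000000000000": {
        "from_webstore": True, "location": 1,
        "manifest": {"name": "Another Store Extension", "version": "1.0"}},
}}})


def sideloaded_extensions(preferences_json: str) -> List[Dict[str, str]]:
    """Return every extension whose install source is not the Web Store."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        # A store install carries from_webstore=True and location 1; either deviation is a finding.
        if not entry.get("from_webstore", False) or entry.get("location") == LOCATION_UNPACKED:
            manifest = entry.get("manifest", {})
            findings.append({"id": ext_id, "name": manifest.get("name", "<unknown>"),
                             "version": manifest.get("version", "?"), "path": entry.get("path", "")})
    return findings


def wallet_extension_sideloaded(preferences_json: str, wallet_name: str = "MetaMask") -> bool:
    """True if an extension with the wallet's name was loaded outside the store."""
    return any(f["name"].lower() == wallet_name.lower()
               for f in sideloaded_extensions(preferences_json))


if __name__ == "__main__":
    for f in sideloaded_extensions(SAMPLE_PREFERENCES):
        print(f"SIDELOADED {f['name']} {f['version']} id={f['id']} path={f['path']}")
```

On a real host, read the profile's `Preferences` file into `sideloaded_extensions` and treat a wallet extension reported with a local `path` as a reason to reinstall it from the store and move funds from that wallet.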

How to respond

As the crypto ecosystem grows rapidly, the threat the Lazarus Group poses to the industry also grows dramatically. Since 2020, North Korea-backed advanced persistent threats (APTs) have been targeting organizations across the blockchain and crypto industry, including crypto exchanges, DeFi protocols, blockchain games, crypto trading firms, crypto VCs, and individuals holding large amounts of tokens and NFTs. These groups may continue to exploit vulnerabilities in cryptocurrency technology companies, gaming companies and exchanges to generate and launder money in support of the North Korean regime.

To this end, mitigations proposed in the report include applying defense-in-depth security policies, enforcing credential requirements and multi-factor authentication, and educating users about social engineering in social media and spear phishing.

Today, SlowMist, a well-known crypto security firm, also issued preventive advice for this phenomenon. It recommends that industry practitioners keep up with the security intelligence of major threat platforms at home and abroad, perform regular self-examination, and stay vigilant; that developers perform the necessary checks before running any executable program, since a well-implemented zero-trust mechanism can effectively reduce the risks such threats bring; and that users on physical Mac/Windows machines keep their security software's real-time protection turned on and keep its virus database up to date.

On the money laundering side, the Ethereum mixing protocol Tornado Cash also tweeted recently that the project is using a tool developed by the compliance company Chainalysis to block crypto wallet addresses sanctioned by the U.S. Office of Foreign Assets Control (OFAC) from accessing its DApp, a move that appears to be aimed at the Lazarus Group.

However, Tornado Cash co-founder Roman Semenov has since tweeted that the block only applies to the user-facing decentralized application (dapp), not the underlying smart contracts. In other words, the move is more of a symbolic gesture and is unlikely to substantively stop veteran hackers from mixing coins through Tornado Cash.


The Lazarus Group is a state-backed, top-tier hacking group that focuses on long-term, persistent cyberattacks against specific targets, with the aim of stealing funds and achieving political goals. It is one of the biggest threats to global financial institutions.

At the same time, such groups' attacks on the crypto ecosystem indirectly turn the cryptocurrency market into a convenient channel for the North Korean regime to replenish its funds, further damaging the crypto industry's reputation and hindering its progress toward compliance and standardization.

To deal with attacks from hacker organizations such as Lazarus Group and maintain a healthy crypto industry ecosystem, crypto projects need to build more effective defenses against such attacks and take corresponding measures in code auditing, internal controls, user education, incident response and other areas, so as to protect user assets as much as possible.

As a crypto user, everyone also needs to learn more about security, especially protecting personal privacy and recognizing phishing links. Given that even veteran users such as Defiance Capital founder Arthur have been robbed, no one can afford to ignore this kind of risk.


Posted by: CoinYuppie. Reprinted with attribution to:
