Lazarus: North Korea’s hacking squad harassed crypto providers

For six months, a series of attacks rained down on the crypto service provider Coinspaid. At the end of July, the hackers got through. $37 million was stolen. Now it seems clear: North Korea’s notorious hacker group Lazarus is behind the attacks. A detailed report shows the perfidious approach. Systems were attacked, employees manipulated – a wake-up call for the crypto industry.

And the Lazarus collective greets you every day

Coinspaid has been inundated with hacker attacks since March. The attackers pulled out all the stops: Employees were influenced – known as social engineering – passwords were tapped via phishing, malicious software programs were smuggled in, systems were paralyzed with DDoS and brute force attacks. The attackers were apparently targeted and organized.

First, the hackers are said to be targeting sensitive information about the technical infrastructure. To do this, they pretended to be employees of a Ukrainian crypto startup. “Four major attacks” occurred in April. The attackers tried to gain access to the accounts of Coinspaid employees and customers. The spam and phishing attacks against employees were “constant and very aggressive”.

We now know that Lazarus, the suspected hacking group behind the attack, spent half a year trying to penetrate the Coinspaid systems and find vulnerabilities.

Another wave of attacks occurred between June and July. Attempts were made to “bribe company employees”. At the beginning of July, a “massive, carefully planned and prepared attack on CoinsPaid’s infrastructure and applications” is said to have finally taken place. In the process, $37 million in crypto assets were stolen.

Social Engineering: “The Most Dangerous Security Threat”

The perpetrators were particularly perfidious when it came to so-called social engineering, a manipulation tactic aimed at employees. They were contacted via fake LinkedIn profiles under the pretext of high-paying job offers. During interviews, “perpetrators tried to trick candidates into installing the JumpCloud agent or a special program to perform a technical task,” according to Coinspaid. Passwords were stolen via the malicious software. This allowed the attackers to gain access to the system and authorize transactions.

“In the modern, highly digitized world, it is much easier to trick a human than computer software,” Coinspaid said. Ultimately, the attackers managed to attack the infrastructure “by manipulating an employee”.

The funds were funneled through multiple blockchains via token swaps. Addresses were used that were already used when the Atomic wallet was hacked. They are attributed to North Korea’s hacking collective Lazarus. In addition, there was a great deal of agreement on the procedures. The same swap services and mixers are said to have been used.

race against time

Two insights can be taken away. Attackers are proceeding in an increasingly structured manner and are increasingly using employees as targets. In addition, the safety precautions do not appear to be adequately armed. “Although many crypto companies are taking KYC measures and using blockchain risk scoring systems to detect suspicious activity, the perpetrators still managed to successfully launder the funds.”

Why is that? According to Coinspaid, the addresses of the hackers were marked. This is intended to track hackers and prevent them from losing track of the money. However, it takes about an hour for the addresses to be registered. By then, the funds had long since been distributed to new addresses. “Because of this vulnerability, blockchain scoring is largely ineffective,” Coinspaid sums up.

financing of nuclear weapons

Lazarus is credited with a series of hacking attacks. An attack on the “Ronin Bridge”, an Ethereum sidechain for the NFT game Axie Infinity, had particularly serious consequences. Over $600 million was stolen in the process.

According to a UN report, Lazarus stole $1.7 billion from hacks last year. The group is subordinate to the regime of Kim Jong-un. Money from cyber attacks is said to be used to finance nuclear weapons programs.