CYFIRMA identifies the notorious North Korea-backed hacker group ‘Lazarus Group’ as behind the Indian Crypto Exchange WazirX Breach

  • WazirX lost $235 million in crypto, consisting of over 200 different assets, including ~ $96.7m of Shiba Inu, ~ $52.6m of Ether, ~ $11 million of Matic, and ~ $7.6 million of Pepe
  • Lazarus Group, which is linked to North Korea’s Reconnaissance General Bureau (RGB), a primary intelligence service, has been identified as the mastermind of the attack
  • Two subgroups of the Lazarus Group, APT38 and BlueNoroff, attack cryptocurrency exchanges and financial institutions worldwide
  • In 2017 and 2018, Bithumb, one of South Korea’s largest cryptocurrency exchanges, suffered multiple hacks attributed to Lazarus Group, resulting in millions of dollars in stolen cryptocurrency
  • In 2017, Youbit, a South Korean cryptocurrency exchange, declared bankruptcy after a hack attributed to Lazarus Group resulted in the loss of 17% of its assets

Mumbai, July 29, 2024: CYFIRMA, an external threat landscape management platform, has identified the Lazarus Group, a North Korea-backed hacker group, as behind the WazirX breach. The state-sponsored attack is linked to North Korea’s Reconnaissance General Bureau (RGB), a primary intelligence service.

According to CYFIRMA’s researchers’ analysis, close to $235 million in crypto assets was lost in the breach. This consists of over 200 different assets, including ~ $96.7m of Shiba Inu, ~ $52.6m of Ether, ~ $11 million of Matic, and ~ $7.6 million of Pepe. The threat actor has already swapped a number of these tokens for Ether using a variety of decentralised services, an expected initial step of a typical laundering process.

The attacks were carried out by two subgroups of the Lazarus Group, namely APT38 and BlueNoroff. Lazarus mainly targets crypto exchanges and financial institutions worldwide.

APT38 primarily focuses on financial crimes, including attacks on banks and cryptocurrency exchanges. They are known for orchestrating large-scale heists and have been linked to several high-profile attacks on Asian financial institutions and crypto exchanges. APT38 uses sophisticated techniques such as custom malware, spear-phishing campaigns, and exploiting software vulnerabilities to infiltrate and steal funds.

BlueNoroff is focused on targeting financial institutions and cryptocurrency exchanges. This group has been implicated in various attacks on crypto exchanges in Asia, employing tactics such as phishing, malware deployment, and social engineering to compromise their targets. BlueNoroff has been known to set up fake companies and personas to establish trust and infiltrate the systems of crypto exchanges.

Kumar Ritesh, CEO & Founder, Cyfirma, says, “Heists have been ongoing for several years, with notable attacks occurring since at least 2017. Significant heists have occurred in various countries, including South Korea, Japan, the United States, and others. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime. The stolen cryptocurrency is used to fund the country’s weapons programs and to evade international sanctions.”

Notable Incidents Involving Asian Crypto Exchanges:

Bithumb (South Korea): In 2017 and 2018, Bithumb, one of South Korea’s largest cryptocurrency exchanges, suffered multiple hacks attributed to Lazarus Group, resulting in millions of dollars in stolen cryptocurrency.

Coincheck (Japan): In January 2018, Coincheck, a Japanese cryptocurrency exchange, was hacked, resulting in the theft of over $530 million worth of NEM tokens. While not definitively attributed to Lazarus, the methods used were consistent with their tactics.

Youbit (South Korea): In December 2017, Youbit, a South Korean cryptocurrency exchange, declared bankruptcy after a hack attributed to Lazarus Group resulted in the loss of 17% of its assets.

Different methods used by the attackers for a successful breach:

Phishing Attacks: Lazarus often starts with spear-phishing campaigns, sending targeted emails to employees of crypto exchanges. These emails contain malicious attachments or links that, once opened, install malware on the victim’s computer. Based on the latest learnings, either Liminal Custody UI was compromised, or WazirX laptops were compromised to phish signatures. This was not an insider attack, and no private keys were compromised.

Social Engineering: They use social engineering tactics to gain the trust of employees and trick them into revealing sensitive information or performing actions that compromise the exchange’s security.

Exploiting Software Vulnerabilities: They exploit known and zero-day vulnerabilities in software used by crypto exchanges. This can include vulnerabilities in web applications, servers, or employee workstations.

Malware Deployment: Lazarus deploys various types of malware, such as remote access Trojans (RATs) and keyloggers, to gain persistent access to the exchange’s network and monitor activities.

Moving Laterally: Once inside the network, they move laterally to gain higher levels of access and control, often aiming to reach the servers that manage cryptocurrency wallets.

Transferring Funds: They then transfer the stolen cryptocurrency to wallets they control. These funds are often laundered through various means, including mixing services and multiple transactions across different cryptocurrencies and exchanges to obscure the origin of the funds.

ABOUT CYFIRMA
CYFIRMA is an external threat landscape management platform company. We combine cyber intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. Our cloud-based AI and ML-powered analytics platforms provide the hacker’s view with deep insights into the external cyber landscape, helping clients prepare for impending attacks. CYFIRMA is headquartered in Singapore with offices in Japan, India, the US, and the EU. Customers include both government as well as Fortune 500 companies across manufacturing, financial services, retail, industrial products, natural resources and pharmaceutical industries.


Disclaimer: The above press release has been provided by Comm Sutra. CXO Digital Pulse holds no responsibility for its content in any manner.
Reproduction or Copying in part or whole is not permitted unless approved by author.
