CYFIRMA, an external threat landscape management platform, has identified the Lazarus Group, a North Korea-backed hacker group, as responsible for the recent WazirX breach. The state-sponsored attack, linked to North Korea’s Reconnaissance General Bureau (RGB), resulted in the loss of nearly $235 million in crypto assets.
Breach Details
According to CYFIRMA’s researchers, the breach led to the theft of over 200 different assets, including approximately $96.7 million in Shiba Inu, $52.6 million in Ether, $11 million in Matic, and $7.6 million in Pepe. The hackers have already swapped some of these tokens for Ether using various decentralized services, marking the initial phase of the typical laundering process.
Attack Subgroups
The attack was executed by two subgroups of the Lazarus Group: APT38 and BlueNoroff. These groups primarily target crypto exchanges and financial institutions worldwide.
APT38 focuses on financial crimes, orchestrating large-scale heists on banks and cryptocurrency exchanges using sophisticated techniques like custom malware, spear-phishing, and exploiting software vulnerabilities.
BlueNoroff targets financial institutions and cryptocurrency exchanges through phishing, malware deployment, and social engineering. This group has been implicated in various attacks on Asian crypto exchanges and often sets up fake companies and personas to infiltrate systems.
Motivations and Implications
Kumar Ritesh, CEO & Founder of CYFIRMA, stated, “Heists have been ongoing for several years, with notable attacks occurring since at least 2017. Significant heists have occurred in various countries, including South Korea, Japan, the United States, and others. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime. The stolen cryptocurrency is used to fund the country’s weapons programs and to evade international sanctions.”
Notable Incidents
- Bithumb (South Korea): In 2017 and 2018, Bithumb suffered multiple hacks attributed to the Lazarus Group, resulting in millions of dollars in stolen cryptocurrency.
- Coincheck (Japan): In January 2018, Coincheck was hacked, resulting in the theft of over $530 million worth of NEM tokens. The methods used were consistent with those of the Lazarus Group.
- Youbit (South Korea): In December 2017, Youbit declared bankruptcy after a hack attributed to the Lazarus Group resulted in the loss of 17% of its assets.
The attackers used various methods to breach WazirX:
- Phishing Attacks: Spear-phishing campaigns targeted employees with malicious attachments or links that installed malware on their computers.
- Social Engineering: Tactics were used to gain employees’ trust and trick them into revealing sensitive information or compromising the exchange’s security.
- Exploiting Software Vulnerabilities: Known and zero-day vulnerabilities in web applications, servers, or workstations were exploited.
- Malware Deployment: Malware such as remote access Trojans (RATs) and keyloggers were deployed to gain persistent access and monitor activities.
- Lateral Movement: The attackers moved laterally within the network to gain higher access levels, aiming to reach cryptocurrency wallet servers.
- Funds Transfer: Stolen cryptocurrency was transferred to wallets controlled by the attackers and laundered through mixing services and multiple transactions across different cryptocurrencies and exchanges to obscure their origin.
This significant breach by the Lazarus Group highlights the persistent threat posed by state-sponsored hackers targeting the cryptocurrency industry. The collaboration between CYFIRMA and security agencies aims to mitigate such threats and enhance the security of financial institutions and crypto exchanges globally.