
Lazarus Group: What You Need to Know About the Dangerous North Korean Hackers

What do the Ronin Bridge hack and the Bybit attack have in common? Aside from being two of the most prominent cybercrime incidents of the last five years, both have been linked to the notorious North Korean hacking group known as Lazarus. 

Few names in cybercrime carry the weight of the Lazarus Group. From early DDoS campaigns against government and corporate targets to attacks on cryptocurrency exchanges, the group has been a persistent menace, and as crypto and DeFi adoption matures, so does its capacity for disruption. What is this group? Who finances it, and what long game is it playing? Let's find out. 

Who Is the Lazarus Group?

The Lazarus Group is a state-sponsored threat actor linked to the North Korean government. Also tracked as Hidden Cobra, the group is considered an arm of the country's primary intelligence agency, the Reconnaissance General Bureau (RGB). Lazarus has been active since 2009 and has shifted from cyber espionage against South Korea and the United States to large-scale cryptocurrency theft. Investigations and government reports conclude that the group is financially motivated: the stolen funds help North Korea bypass international sanctions and finance its nuclear and weapons programs. 

Its attacks are well planned yet brazen, as if the operators fear no consequences. That is understandable given that they act in the interest of the North Korean state. Several observations support the government's involvement. First, unrestricted internet access does not exist in North Korea; the regime controls every connection, so it is implausible that a hacking group could operate at this scale without its authorization. Reports also indicate that the regime identifies promising students early, reportedly as young as 11, and trains them to carry out these operations. 

The group develops its own tooling and malware, which makes its intrusions hard for even mature detection systems to catch in time. By the time an attack is discovered, the group has usually already moved the funds. 

Lazarus Group Attacks on Cryptocurrency

The group gained worldwide notoriety for its 2014 attack on Sony Pictures, carried out in retaliation for a satirical film about Kim Jong-un, the regime's leader. The attackers penetrated Sony's network and leaked sensitive data. Its biggest impact, however, has been in the crypto space. Since 2020 the group has targeted exchanges, cross-chain bridges and individual user wallets, making off with hundreds of millions of dollars in cryptocurrency at a time. 

KuCoin was one of the group's victims. In 2020 the exchange lost about $281 million in digital assets from its hot wallets. Investigators later attributed the theft to North Korean actors, and most analysts identified the Lazarus Group. It did not stop there. In 2022 Lazarus stole more than $620 million in ETH and USDC from the Ronin Bridge, one of the largest crypto heists ever recorded. The group is also blamed for the recent Bybit attack, in which roughly $1.5 billion in cryptocurrency was taken. 

Lazarus takes a layered approach to these attacks. It relies heavily on social engineering and phishing, impersonating recruiters, developers or Web3 managers to deliver malware-laced documents or links; in the Ronin case, the attackers posed as job recruiters on LinkedIn to target Sky Mavis employees. That foothold is then used to steal the credentials and signing keys that guard funds: the Ronin Bridge was not broken through a smart-contract bug but through compromised private keys for five of its nine validator nodes, enough to forge withdrawals. The group also hunts for weaknesses in poorly audited bridge and DeFi contracts. Finally, it launders the proceeds through mixers such as Tornado Cash and chains of intermediate wallets to break the on-chain link between the theft and the cash-out addresses. 

Global Response to Lazarus’s Threat

According to analysts, the Lazarus Group has stolen more than $3 billion in cryptocurrency since 2017, and a large share of those proceeds is believed to fund North Korea's nuclear and weapons programs. This has put the FBI and other watchdogs on high alert. 

Government agencies have responded by sanctioning dozens of wallets linked to the group and tracing stolen funds for recovery; part of the Ronin proceeds was recovered this way. Centralized exchanges have also tightened KYC/AML controls and screen incoming deposits against sanctioned and high-risk addresses, making it harder for the group to cash out.
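As an added example (not code from the original article or from any exchange), the following Python script shows the kind of exposure check that deposit screening performs: starting from a deposit address, it walks a transfer log backwards and reports whether the funds trace to a sanctioned wallet, or pass through a mixer, within a configurable number of hops. Every address, transaction hash and amount below is a constructed placeholder, not a real Lazarus wallet or real chain data.

```python
"""Exposure screening for incoming deposits (added example, constructed data).

Walks a transfer log backwards from a deposit address and reports whether the
funds trace to a sanctioned wallet or pass through a mixer within N hops.
"""
from collections import deque

# Constructed placeholders: none of these are real addresses or real Lazarus wallets.
SANCTIONED = {"0xhack01": "attacker wallet named in a sanctions listing (constructed)"}
HIGH_RISK = {"0xmixer01": "mixing service (constructed)"}

# Constructed transfer log as (tx_hash, sender, recipient, amount_eth).
TRANSFERS = [
    ("tx1", "0xhack01", "0xpeel01", 1000.0),    # stolen funds leave the attacker wallet
    ("tx2", "0xpeel01", "0xpeel02", 990.0),     # "peel chain": hop through fresh wallets
    ("tx3", "0xpeel02", "0xdeposit01", 985.0),  # arrives at an exchange deposit address
    ("tx4", "0xhack01", "0xmixer01", 500.0),    # another slice goes into a mixer
    ("tx5", "0xmixer01", "0xfresh01", 100.0),   # a withdrawal from the mixer
    ("tx6", "0xclean01", "0xdeposit02", 5.0),   # unrelated customer deposit
]


def incoming_edges(transfers):
    """Map each recipient to the list of addresses that sent it funds."""
    incoming = {}
    for _tx, sender, recipient, _amount in transfers:
        incoming.setdefault(recipient, []).append(sender)
    return incoming


def trace_exposure(deposit_addr, transfers=TRANSFERS, max_hops=3,
                   sanctioned=SANCTIONED, high_risk=HIGH_RISK):
    """Breadth-first search backwards from deposit_addr.

    Returns (verdict, hops, path) where verdict is "sanctioned", "mixer" or
    "clear" and path runs from the flagged source to the deposit address.
    The walk deliberately stops at a mixer: on chain, a mixer's outputs cannot
    be linked to its inputs by following transfers, so continuing past it
    would attribute funds to the attacker on no evidence.
    """
    incoming = incoming_edges(transfers)
    queue = deque([(deposit_addr, 0, [deposit_addr])])
    seen = {deposit_addr}
    while queue:
        addr, hops, path = queue.popleft()
        if addr in sanctioned:
            return ("sanctioned", hops, list(reversed(path)))
        if addr in high_risk:
            return ("mixer", hops, list(reversed(path)))
        if hops >= max_hops:
            continue  # hop budget exhausted on this branch
        for sender in incoming.get(addr, []):
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, hops + 1, path + [sender]))
    return ("clear", None, [])


def screen_deposits(addresses, **kwargs):
    """Screen several deposit addresses; returns {address: (verdict, hops, path)}."""
    return {addr: trace_exposure(addr, **kwargs) for addr in addresses}


if __name__ == "__main__":
    results = screen_deposits(["0xdeposit01", "0xfresh01", "0xdeposit02"])
    for addr, (verdict, hops, path) in results.items():
        detail = f" after {hops} hop(s) via {' -> '.join(path)}" if hops is not None else ""
        print(f"{addr}: {verdict}{detail}")
```

Two design choices matter here. The hop budget is the trade-off between catching peel chains (the three-wallet chain above is flagged with max_hops=3 but missed with max_hops=2) and drowning analysts in distant, coincidental exposure. And the walk stops at the mixer: the constructed log happens to show the attacker wallet feeding the mixer, but a real tracer cannot match a mixer withdrawal to a specific deposit, so the honest verdict for 0xfresh01 is "mixer exposure", not "attacker funds".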

However, law enforcement struggles to keep up because DeFi transactions are pseudonymous and permissionless. The first line of defense is therefore awareness and vigilance. As a user, be careful which apps and browser extensions you install, avoid clicking suspicious links or opening unsolicited attachments that may carry malware, and enable 2FA and advanced email protection on your accounts. 

Final Say

The Lazarus Group is a threat to the global crypto economy, exploiting users' negligence, poorly audited smart contracts and weak key custody to steal funds. Its intrusions are a wake-up call for the entire industry. As DeFi evolves, security must be everyone's top priority; it is everyone's fight, not just law enforcement's.

Ravi Gupta: