After a quiet start to 2023 on the cryptocurrency front, North Korea’s Lazarus Group appears to be making up for lost time, stealing over $290 million from five crypto heists carried out in a little over three months.
Up until last week, researchers and the FBI had linked Lazarus — an umbrella term researchers use for various hacking groups working on behalf of the government of the Democratic People’s Republic of Korea (DPRK) — to a quartet of seven and eight-figure crypto raids so far this year.
The heists included $100 million stolen from users of Atomic Wallet on June 3, $37 million from CoinsPaid on July 22, $60 million from Alphapo, also on July 22, and $41 million from Stake.com on Sept. 4.
In a Sept. 15 blog post, researchers at Elliptic said there were “a number of factors” that last week’s $53 million theft from the CoinEx exchange was done by hackers aligned with Pyongyang.
Elliptic’s blockchain analysis showed some of the funds stolen from CoinEx were laundered through the same wallet the actor used to siphon coins it stole from Stake.com. The researchers said they had previously observed the mixing of funds stolen from various hacks in a similar way, most recently when it consolidated the proceeds of thefts from Stake.com and Atomic Wallet.
“In light of this blockchain activity, and in the absence of information suggesting the CoinEx hack was conducted by any other threat group, Elliptic agrees that Lazarus Group should be suspected for the theft of funds from CoinEx,” the researchers said.
The latest heists may signal that the threat group has shifted focus from decentralized crypto services controlled by a single organization to decentralized ones, that rely on multiple independent nodes.
Decentralized services had been popular targets for hackers over the past few years as the decentralized finance (DeFi) ecosystem had grown in popularity. But as DeFi protocols had matured, so had their security measures, meaning there were fewer vulnerabilities to exploit, Elliptic said.
At the same time, centralized crypto exchanges tended to have larger workforces and IT systems, meaning more opportunities to target both human and technological weaknesses.
In a Sept. 14 post, Chainalysis said while the total value of cryptocurrency stolen by DPRK actors this year was significantly down on 2022’s figure of $1.65 billion, there was no room for complacency.
Last year’s total was inflated by a $620 million theft of Ethereum from Ronin Network, a key platform for the mobile game Axie Infinity.
“Although it may be tempting to view the reduction in the total value of hacked funds as a marker of progress, we must remember that 2022 set a dismally high benchmark,” Chainalysis researchers said.
“In reality, we are only one large hack away from crossing the billion-dollar threshold of stolen funds for 2023. Things move quickly online — a major attack could materialize overnight.”
The researchers said they were concerned about growing alliances between DPRK hackers and illicit Russian crypto exchanges, which have a track record of not assisting law enforcement agencies in their attempts to track stolen funds.
“With the total amount of cryptocurrency stolen (since 2016) estimated at $3.54 billion, DPRK continues to be an incubator for hacking activities and remains one of the largest active threats in the cybercrime landscape,” the post said.
