
FBI says North Korea’s Lazarus Group was behind $41M Theft

The US Federal Bureau of Investigation (FBI) has issued a warning that a notorious cybercrime group from North Korea, known as Lazarus Group, was responsible for stealing $41 million worth of cryptocurrency from a platform called KuCoin in September 2020.

North Korea’s Lazarus Group is one of the most notorious cybercrime organizations in the world. The group is believed to be behind some of the most high-profile cyberattacks in recent years, such as the Sony Pictures hack in 2014, the Bangladesh Bank heist in 2016, and the WannaCry ransomware outbreak in 2017. The group’s activities are not only motivated by financial gain, but also by political and ideological objectives. The group is closely linked to the North Korean regime and its cyber warfare capabilities.

According to the FBI, the hackers used a sophisticated malware campaign to compromise the security of KuCoin and access the private keys of its hot wallets, which store funds online for quick transactions. The hackers then transferred the stolen funds to multiple wallets and exchanges, using a technique called “chain hopping” to evade detection and tracing.
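The paragraph above describes the pattern an exchange's monitoring should be able to catch on its own side: a hot wallet that normally makes small, routine withdrawals suddenly fans out large sums to many addresses it has never paid before, the first step before the funds are "chain hopped" across exchanges. The following is an added example, not code from the article, the FBI or KuCoin, of a minimal detector for that pattern. The wallet names, destination addresses, amounts, 15-minute window and thresholds are all constructed for illustration; a real deployment would tune them from the wallet's historical baseline.

```python
"""Hot-wallet outflow anomaly check (added illustration, not from the article).

Flags a wallet that, within a short window, pays a burst of previously unseen
destination addresses or moves far more value than its normal volume.
All records, thresholds and names below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed withdrawal log: (UTC timestamp, source wallet, destination, amount in BTC).
# The first two rows are routine; the four 19:0x rows model a draining burst.
SAMPLE_WITHDRAWALS = [
    ("2020-09-25T18:00:00", "hot-1", "bc1q-known-a", 0.5),
    ("2020-09-25T18:20:00", "hot-1", "bc1q-known-b", 1.2),
    ("2020-09-25T19:01:00", "hot-1", "bc1q-new-01", 310.0),
    ("2020-09-25T19:03:00", "hot-1", "bc1q-new-02", 295.5),
    ("2020-09-25T19:04:00", "hot-1", "bc1q-new-03", 280.0),
    ("2020-09-25T19:06:00", "hot-1", "bc1q-new-04", 301.25),
    ("2020-09-25T20:30:00", "hot-2", "bc1q-known-a", 2.0),
]

# Addresses the exchange has paid before (constructed allow-list).
KNOWN_DESTINATIONS = {"bc1q-known-a", "bc1q-known-b"}


def parse_withdrawals(records):
    """Turn raw tuples into (datetime, wallet, dest, float amount), sorted by time."""
    events = [
        (datetime.fromisoformat(ts), wallet, dest, float(amount))
        for ts, wallet, dest, amount in records
    ]
    events.sort(key=lambda e: e[0])
    return events


def detect_fan_out(records, known_destinations, window=timedelta(minutes=15),
                   min_new_dests=3, max_window_total=50.0):
    """Return one alert per burst in which a wallet, inside `window`, either
    pays at least `min_new_dests` never-seen addresses ("fan_out") or sends
    more than `max_window_total` in total ("volume")."""
    by_wallet = defaultdict(list)
    for event in parse_withdrawals(records):
        by_wallet[event[1]].append(event)

    alerts = []
    for wallet, events in by_wallet.items():
        i = 0
        while i < len(events):
            # Expand a window anchored at event i.
            j, new_dests, total = i, set(), 0.0
            while j < len(events) and events[j][0] - events[i][0] <= window:
                _, _, dest, amount = events[j]
                if dest not in known_destinations:
                    new_dests.add(dest)
                total += amount
                j += 1

            reasons = []
            if len(new_dests) >= min_new_dests:
                reasons.append("fan_out")
            if total > max_window_total:
                reasons.append("volume")

            if reasons:
                alerts.append({
                    "wallet": wallet,
                    "window_start": events[i][0].isoformat(),
                    "new_destinations": sorted(new_dests),
                    "total": round(total, 8),
                    "reasons": reasons,
                })
                i = j  # one alert per burst: skip past the window just flagged
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_WITHDRAWALS, KNOWN_DESTINATIONS):
        print(alert)
```

Run against the constructed log, the routine 18:00 and 18:20 withdrawals pass, while the four payments between 19:01 and 19:06 trigger a single alert for `hot-1` on both counts: four new destinations and 1186.75 BTC moved in under fifteen minutes. The check is deliberately simple; its value is that it runs on data the exchange already holds, before any funds leave for another chain.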

The FBI said that Lazarus Group, also known as Hidden Cobra or APT38, is a state-sponsored cyber threat actor that has been active since at least 2009. The group is known for conducting cyberattacks against financial institutions, critical infrastructure, government agencies, and private sector entities around the world. The group has been linked to some of the most notorious cyber heists in history, such as the $81 million theft from Bangladesh Bank in 2016, the $60 million theft from Taiwan’s Far Eastern International Bank in 2017, and the $10 million theft from Banco de Chile in 2018.

The FBI urged cryptocurrency platforms and users to enhance their security measures and report any suspicious activity to law enforcement. The FBI also advised users to use cold wallets, which store funds offline, for long-term storage of cryptocurrency, and to enable multi-factor authentication and encryption for their online accounts.

The FBI’s warning comes as the US government is ramping up its efforts to combat cyber threats from North Korea and other adversaries. In April 2021, the US Department of Justice announced the creation of a task force to address ransomware attacks, which have become increasingly prevalent and disruptive in recent years. In June 2021, the US Department of Treasury imposed sanctions on several individuals and entities associated with Lazarus Group, accusing them of facilitating money laundering and evading sanctions.

Beyond financial gain, the group’s objectives are described as political and ideological: disrupting the enemies of the North Korean regime and funding the advancement of its nuclear weapons program.

The Lazarus Group operates with a high level of sophistication and stealth, using a variety of techniques to evade detection and attribution. The group employs multiple layers of proxies, malware, and encryption to hide its tracks and communicate with its command-and-control servers. The group also leverages legitimate services and platforms, such as cloud computing, social media, and cryptocurrency exchanges, to conduct its operations and launder its illicit funds. The group has also been known to use false flags and decoys to mislead investigators and divert attention from its true identity and motives.

The Lazarus Group poses a serious threat to the global cybersecurity landscape, as it continues to target various sectors and regions with its malicious campaigns. The group has shown a willingness and capability to cause significant damage and disruption, as well as to steal large amounts of money and sensitive information. The group’s activities also pose a challenge to the international community, as they undermine the stability and security of cyberspace and the rules-based order. The Lazarus Group is not only a criminal enterprise, but also a strategic asset of the North Korean regime, which uses it as a tool of coercion, deterrence, and retaliation.

Major Hacks by the Lazarus Group

Youbit was a South Korean cryptocurrency exchange that was hacked twice by the Lazarus Group in 2017. The first attack occurred in April 2017, when the hackers stole 4,000 bitcoins (worth about $5 million at the time) from the exchange’s hot wallet. The second attack happened in December 2017, when the hackers managed to access both the hot and cold wallets of the exchange and stole 17% of its assets (worth about $35 million at the time).

The hackers used phishing emails to deliver malware to the employees of Youbit. The malware was disguised as legitimate software updates or security patches, and contained a backdoor that allowed the hackers to remotely control the infected machines. The hackers then used the compromised machines to access the exchange’s internal network and steal the private keys of the wallets. The second attack was so devastating that Youbit had to file for bankruptcy and shut down its operations.

Bithumb is another South Korean cryptocurrency exchange that was targeted by the Lazarus Group in 2017. The hackers stole the personal information of over 30,000 users, including their names, email addresses, phone numbers, and cryptocurrency holdings. The hackers also managed to steal about $7 million worth of cryptocurrencies from some of the users’ accounts.

The hackers used a phishing technique similar to the one used against Youbit, but this time they impersonated a security company that claimed to offer a free security check for Bithumb users. The phishing emails contained a malicious attachment that installed a keylogger and a screen capture tool on the victims’ computers. The hackers then used these tools to collect the users’ login credentials and access their accounts. Bithumb reported the incident to the authorities and compensated the affected users for their losses.

DragonEx was a Singapore-based cryptocurrency exchange that was hacked by the Lazarus Group in March 2019. The hackers stole about $7 million worth of cryptocurrencies from the exchange’s hot wallet, including Bitcoin, Ethereum, Litecoin, Ripple (XRP), and several other altcoins.

The hackers used a Trojan horse program called Worldbit-bot to infiltrate the exchange’s network. The program was disguised as a cryptocurrency trading bot that claimed to offer high returns for users. The program was distributed through various channels, such as social media, chat groups, and forums. Once installed, the program connected to a command-and-control server controlled by the hackers, and downloaded additional malware modules that enabled them to access the exchange’s wallet servers. DragonEx announced the breach on its official Telegram channel and asked for help from other exchanges and law enforcement agencies to recover the stolen funds.

The US government has also been working with its allies and partners to coordinate responses and share information on cyber threats. In July 2021, the US joined the UK, Australia, Canada, New Zealand, Japan, and NATO in publicly attributing the Microsoft Exchange Server hack to China’s Ministry of State Security. The hack, which occurred in March 2021, affected tens of thousands of organizations worldwide and exposed sensitive data and intellectual property.