North Korean threat actors are believed to have stolen more than $3 billion in cryptocurrency to date, according to a report from threat intelligence firm Recorded Future.
Collectively tracked as the Lazarus Group, the North Korean hackers specialize in cryptocurrency-related intrusions, mainly relying on spear-phishing emails to trick victims into authorizing malicious scripts and downloading malware.
In 2021, the hackers were observed targeting the cross-chain bridges of cryptocurrency platforms, compromising validator keys used to sign transactions. Starting 2022, Lazarus was seen using strategic web compromise as the initial access vector, trojanized DeFi applications, a fake cryptocurrency application for Android, and supply chain compromise.
The stolen amounts, Recorded Future notes in a new report (PDF), have increased significantly over time, with 2023 believed to be the most prolific year for Lazarus.
In 2017, the group stole at least $80 million from various South Korean cryptocurrency exchanges, but is believed to have siphoned more than $1.7 billion in 2022, when it hit Ronin Network ($600 million), Harmony ($100 million), Qubit Finance ($80 million), and Nomad ($190 million), among others.
This year, the North Korean hackers were blamed for multiple highly profitable cryptocurrency heists, including the Atomic Wallet, Alphapo, CoinEx, CoinsPaid, and Stake.com incidents.
Lazarus is believed to be responsible for a cyberattack on US-based enterprise software company JumpCloud, which provides an Active Directory replacement, likely to set up future attacks on the company’s cryptocurrency clients.
To move the stolen assets, the hackers have “developed an extensive money-laundering network” that includes cryptocurrency mixers and money mules.
The US government has sanctioned three mixers (Blender, Tornado, and Sinbad) and tens of individuals for laundering billions in assets for the North Korean regime. Roughly half of the laundered money are believed to fund the country’s ballistic missiles program.
“North Korean threat actors also use the accounts and personal information of phishing victims to register verified accounts at trusted cryptocurrency exchanges where they can send the stolen cryptocurrency and cash out,” Recorded Future added.
Related: US Sanctions North Korean Cyberespionage Group Kimsuky
Related: FBI: 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
Related: US Offers $10 Million for Information on North Korean Hackers
