Lazarus, the hacking group associated with North Korea, has caught the attention of cybersecurity experts at Immunefi due to their heightened interest in centralized crypto projects. In the year 2023 alone, Lazarus executed five successful attacks on cryptocurrency projects, amassing $308.6 million in ill-gotten gains. This amounted to a substantial 17.6% of the total losses incurred by the crypto industry.
What sets this recent wave of attacks apart is that all the victims targeted by Lazarus were part of the centralized financial sector (CeFi), a departure from their prior focus on decentralized protocols (DeFi). From June to September, Lazarus targeted various entities, including the wallet provider Atomic Wallet, payment system Alphapo, betting platform Stake.com, and exchanges CoinsPaid and CoinEx.
According to the experts at Immunefi, a platform dedicated to vulnerability hunting in DeFi protocols and smart contracts, Lazarus has stolen over $1.9 billion in digital assets from crypto projects between 2021 and 2023. Notably, their previous attacks primarily targeted DeFi protocols, with the cross-chain Ronin and Poly Network breaches remaining the largest in the industry, resulting in losses of $650 million and $600 million, respectively.
Immunefi notes that while the exact size of Lazarus remains elusive, the group is known to be controlled by the North Korean government. Moreover, the U.S. government has alleged that the stolen cryptocurrencies are used to finance North Korea's illicit programs, including the development of weapons of mass destruction, such as nuclear bombs and ballistic missiles.
The U.S. Treasury Department has imposed sanctions on three cryptocurrency mixers used by Lazarus to launder stolen assets, and the National Security Council has initiated collaborations with South Korea and Japan to combat these hackers.
Lazarus began its activities in 2009, initially targeting various corporations and financial institutions. Some of the notable incidents during that period include the hacking of Sony Pictures in 2014, the attack on Bangladesh Bank in 2016, and the launch of the WannaCry ransomware in 2017.
The WannaCry attack was particularly significant, infecting 230,000 computers in 150 countries within hours and demanding up to $600 in Bitcoin to unlock files on the infected devices. In the same year, the group shifted its focus to the cryptocurrency sector, targeting South Korean exchanges Bithumb and Youbit (which later went bankrupt), as well as the cloud mining service Nicehash.
Mitchell Amador, the head of Immunefi, has labeled Lazarus as a serious threat to the Web 3.0 sector. He emphasizes that members of the group continue to hone their skills in exploiting infrastructure and smart contract vulnerabilities, as well as social engineering.
It is worth noting that Lazarus recruits include graduates from Kim Chaek University of Technology and Kim Il-sung University. Some of the group's future hackers undergo training in Shenyang, China.