Probing Lazarus’ hacking spree after CoinEx attack

On September 13, cyrptocurrency exchange CoinEx lost $54 million worth of crypto tokens as a result of a hack into the exchange’s wallets. The hackers responsible for the attack were later identified to be part of a North Korean cybercrime group called Lazarus. During the attack, CoinEx lost $19M in $ETH, $11M in $TRON, $6.4M in BNB, and $6M in BTC, among others.

The hack on CoinEx is the latest in a string of recent attacks on Web3 companies. Just a couple of weeks ago, Lazarus was also blamed for stealing $41.3M from crypto gambling site Stake.com. Over the past 104 days, the group hacked five Web3 companies, getting away with a total of $240 million worth of crypto funds.

Background on Lazarus

Lazarus has been operating cyberattacks since 2009, starting with distributed denial-of-service (DDoS) attacks against South Korean websites. The group gained widespread notoriety in 2014 when it hacked and leaked information from Sony Pictures in an attempt to scare the filmmaker into stopping the release of its movie “The Interview,” which satirized North Korean leader Kim Jong Un. Other crimes associated with the group include the Bangladesh Bank cyber heist in 2017, the global WannaCry ransomware attack in 2017, and more.

Since then, Lazarus has been identified as one of the most prominent cybercrime groups in Web3. Their reputation in crypto started in 2017 with attacks against South Korean holders of Bitcoin and Monero tokens, as well as a $7M hack against South Korean exchange Bithumb.

Last year, the North Korean hacker group and other possible affiliated entities stole $1.7B in crypto funds, with $1.1B coming from DeFi platforms. This includes $650M stolen from Axie Infinity’s Ronin bridge and another $100M from Harmony’s Horizon bridge. So far, this is the high point of Lazarus’ cyberattacks against crypto.

In total, Lazarus has stolen $3.54B in crypto funds since 2017.

Looking into recent Lazarus attacks

Since June 2023, Lazarus compromised the funds of five different Web3 companies: decentralized crypto wallet company Atomic Wallet ($100M) and crypto payment services CoinsPaid ($37.3M) and Alphapo ($60M), in addition to the recent hacks on CoinEx and Stake.com. The group has taken $340M worth of crypto funds this year, with more possible attacks to come, according to Chainalysis.

The cybercrime group utilizes several techniques in its attacks, including social engineering in the case of CoinsPaid and compromised private keys at Alphapo. Looking into the attack on Alphapo, the funds were transferred from the company’s address to at least two wallets before distributing them to multiple other addresses in a technique called “peeling” to launder the stolen funds through several small transactions. These funds were then exchanged for wETH and again for BTC. 0xScope has also noted the use of this tactic in the Stake.com hack.

This sophisticated scheme was also apparent in the attack on Atomic Wallet, based information revealed by an investigation by Web3 cybersecurity firm Elliptic. A wallet used in the Stake.com hack was linked to one of the wallets used in the Atomic Wallet hack, establishing the Lazarus connection.

Then, soon after the CoinEx hack, one of the Lazarus-owned wallets was tied to the attacks against both Stake.com and CoinEx. An address that received funds from an OP mainnet address that executed the attack against the exchange ended up being the same wallet that also received funds from a Polygon-based address used in the hacking of the crypto gambling site.

Emerging trends from the Lazarus attacks

• Shifting targets by attackers. The latest attacks by Lazarus have all targeted centralized platforms. This is a noted change from the cybercrime group’s focus on DeFi services such as bridges last year. It is possible that DeFi platforms have improved their security measures enough to deter Lazarus from targetting them like they used to last year.
• Address associations are more apparent. The links between addresses used in Lazarus’ attacks are more visible in the latest string of investigations involving the hacks. This shows the importance of using platforms like Scopescan in enhancing centralized Web3 companies’ capabilities in deeply understanding crypto exploits and taking the necessary measures to prevent the next attack.
• Anti-social engineering measures are important. When Axie Infinity was hacked, Lazarus used a fake job ad on LinkedIn to target the company’s employees and dupe them into downloading files that allowed the hackers to get into the Web3 gaming company’s systems. DeFi platforms generally have fewer employees, so these companies are able to take measures to counter this kind of attack. Doing this will be undoubtedly harder for larger Web3 companies, particularly those that operate in a more decentralized manner. This highlights the importance of strongly enforcing security measures to prevent social engineering attacks, no matter the size of the company.

‍