How did North Korean hackers use LinkedIn and social engineering to steal $3.4 billion in cryptocurrency?

How did North Korean hackers steal $3.4 billion in cryptocurrency using LinkedIn and social engineering?

Author: Eric Johansson & Tyler Pearson, DL News

Translation: Felix, LianGuaiNews

North Korean hackers have stolen at least $3.4 billion in cryptocurrency, some of which was through attacks on LinkedIn.

The $3.4 billion figure represents the total amount of hacking attacks related to the North Korean Lazarus Group since 2007, which includes the 2022 attack on the Horizon cross-chain bridge between Ethereum and Harmony, resulting in a loss of approximately $100 million. It also includes the 2023 theft of the Atomic wallet worth over $35 million and the 2017 WannaCry ransomware attack.

• Exclusive Interview with Wintermute Co-founder Accumulated Trading Volume of 20 Trillion USD in 6 Years, the Secret to Success of a Well-known Market Maker
• LianGuai Daily | FTX Claims Portal Website Has Resumed Operations; JPEX Temporarily Shuts Down All Functions of the Gaming Hall
• Why are Telegram bot races so popular? How will they develop in the future?

Hugh Brooks, Chief Security Operator of blockchain company CertiK, said, “The Lazarus Group has been a major source of income for the North Korean regime.”

What may not be well known is how hackers use platforms like LinkedIn for social engineering and phishing attacks.

An example of this is the “Operation In(ter)ception” launched by cybercriminal groups in 2019.

According to cybersecurity company ESET, the Lazarus Group targeted military and aerospace companies in Europe and the Middle East by posting job advertisements on platforms like LinkedIn to deceive job seekers. They would require job seekers to download PDF files embedded with executable files, enabling them to carry out digital attacks.

Social engineering and phishing attacks both attempt to manipulate victims psychologically to lower their guard and engage in unsafe behaviors such as clicking on links or downloading files. Their malicious software allows hackers to target vulnerabilities in the victim’s system and steal sensitive information.

The Lazarus Group used similar methods in a six-month operation against cryptocurrency payment provider CoinsLianGuaiid, resulting in a theft of $37 million on July 22 this year.

CoinsLianGuaiid disclosed that in March, their engineers received a list of technical infrastructure questions from a so-called “Ukrainian encrypted processing startup.” In June and July, the engineers received false job invitations. On July 22, an employee, thinking they were interviewing for a lucrative job, downloaded malware as part of a supposed technical test.

Prior to this, the hacker group had spent six months researching CoinsLianGuaiid, including details of team members and the company’s structure. When the employee downloaded the malicious code, the hackers gained access to CoinsLianGuaiid’s system and successfully forged authorization requests to extract funds from the company’s hot wallet.

During the entire attack process, the hackers launched technical attacks such as distributed denial-of-service (DDoS) attacks, which attempt to flood websites or network resources with malicious traffic, rendering them unable to function properly. They also employed a strategy known as brute force, repeatedly submitting passwords in hopes of eventually guessing correctly.

The organization also utilizes zero-day attacks (Note: Zero-day vulnerabilities or zero-day exploits usually refer to security vulnerabilities that do not have patches yet, while zero-day attacks refer to the attacks that exploit these vulnerabilities. The individual who provides the details of the vulnerability or the exploit program is typically the discoverer of the vulnerability. The exploitation of zero-day vulnerabilities poses a significant threat to cybersecurity. Therefore, zero-day vulnerabilities are not only favored by hackers, but also serve as an important parameter for evaluating hacker skills.) and deploys malicious software to steal funds, conduct espionage activities, and engage in general destructive activities.

In 2019, the US Treasury Department sanctioned the Lazarus Group and officially linked it to the Reconnaissance General Bureau of North Korea. The US Treasury Department also believes that the organization provides funding for the nuclear weapons program of terrorist states.

Related reading: “North Korean Hackers” Interview Blockchain Engineers: “The world will witness great achievements in my hands.”

We will continue to update Blocking; if you have any questions or suggestions, please contact us!