Beginning to target centralized crypto institutions? Lazarus’ five hacking attacks within 104 days
Author: Elliptic Research; Translator: LianGuai0xjs
Recently, the elite North Korean hacker group “Lazarus” appears to have intensified its activity, with four confirmed attacks on crypto entities since June 3. It is now suspected of a fifth attack, this time on CoinEx, on September 12, 2023. CoinEx has issued several tweets indicating that suspicious wallet addresses are still being identified, so the total value of the stolen funds is not yet clear, but it is currently estimated at around $54 million.
Over the past 104 days, Lazarus has stolen nearly $240 million in crypto assets: Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million).
As shown in the above figure, Elliptic’s analysis confirms that a portion of the funds stolen from CoinEx was sent to an address that the Lazarus group uses for money laundering, even though the two incidents involved different blockchains. These funds were then bridged to Ethereum through a bridge Lazarus had used before, and sent back to the known address of the CoinEx hacker. Elliptic has observed Lazarus merging funds from different hacking incidents before, most recently in the Stake.com and Atomic Wallet incidents. This merging of funds is shown in orange in the following figure.
Given this blockchain activity, and the absence of any information indicating that the CoinEx hack was carried out by another threat group, Elliptic considers it reasonable to suspect that the Lazarus group stole the funds from CoinEx.
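The attribution reasoning above (stolen funds from two separate incidents, on different chains, merging at a common laundering address) can be expressed as a reachability check over a transfer graph. The following is an added illustration, not Elliptic’s tooling; every chain name, address and amount is constructed, and bridge deposits are mapped to their payouts by an assumed lookup table.

```python
from collections import defaultdict, deque

# Constructed sample transfers (not real on-chain data): (chain, from, to, amount)
TRANSFERS = [
    ("chainA", "coinex_hacker_1", "bridge_deposit", 100.0),
    ("chainB", "bridge_payout", "launder_hub", 100.0),   # other leg of the bridge
    ("chainB", "stake_hacker_1", "launder_hub", 50.0),   # second incident merges here
    ("chainB", "launder_hub", "coinex_hacker_2", 30.0),  # funds sent back to hacker
    ("chainB", "random_user", "exchange_deposit", 5.0),  # unrelated traffic
]
# Assumed bridge pairing: deposit address on one chain -> payout address on another
BRIDGE_LINKS = {("chainA", "bridge_deposit"): ("chainB", "bridge_payout")}
# Seed addresses labelled with the incident they belong to (constructed)
SEEDS = {("chainA", "coinex_hacker_1"): "CoinEx", ("chainB", "stake_hacker_1"): "Stake"}


def build_graph(transfers, bridge_links):
    """Directed graph of (chain, address) nodes; bridge legs are joined as edges."""
    g = defaultdict(set)
    for chain, src, dst, _amount in transfers:
        g[(chain, src)].add((chain, dst))
    for deposit, payout in bridge_links.items():
        g[deposit].add(payout)
    return g


def reachable(g, start):
    """All nodes that funds from `start` can flow to (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in g[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_merge_points(transfers, bridge_links, seeds):
    """Nodes reachable from seeds of more than one incident: candidate co-mingling points."""
    g = build_graph(transfers, bridge_links)
    labels = defaultdict(set)
    for seed, incident in seeds.items():
        for node in reachable(g, seed):
            labels[node].add(incident)
    return {node: sorted(incs) for node, incs in labels.items() if len(incs) > 1}


if __name__ == "__main__":
    for node, incidents in find_merge_points(TRANSFERS, BRIDGE_LINKS, SEEDS).items():
        print(f"{node[0]}:{node[1]} receives funds from {', '.join(incidents)}")
```

A merge point is only a lead for further analysis: exchange deposit addresses and mixers also receive funds from many unrelated sources, so the result needs the kind of corroboration described in the text.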
Lazarus’ Five Attacks in 104 Days
In 2022, several well-known hacks were attributed to Lazarus, including those of Harmony’s Horizon bridge and Axie Infinity’s Ronin bridge, both in the first half of that year. Between then and June of this year, no major cryptocurrency theft was publicly attributed to Lazarus. The hacks of the past 104 days therefore represent a step up in activity for this North Korean threat group.
● On June 3, 2023, users of the non-custodial decentralized cryptocurrency wallet Atomic Wallet lost over $100 million. Elliptic confirmed this hack on June 6, 2023, when multiple signs pointed to Lazarus as the perpetrator. This attribution was later confirmed by the FBI.
● On July 22, 2023, Lazarus gained access to the hot wallet of the cryptocurrency payment platform CoinsPaid through a successful social engineering attack. This access allowed the attackers to create authorization requests and withdraw approximately $37.3 million in crypto assets from the platform’s hot wallet. On July 26, 2023, CoinsPaid published a report stating that the attack was carried out by Lazarus. This attribution was later confirmed by the FBI.
● On the same day, July 22, 2023, Lazarus carried out another high-profile attack, this time on the centralized cryptocurrency payment provider Alphapo, stealing $60 million worth of crypto assets. The attackers may have gained access through previously stolen private keys. As above, the FBI later attributed this attack to Lazarus.
● On September 4, 2023, the online cryptocurrency gambling platform Stake.com was attacked and approximately $41 million worth of virtual currency was stolen, possibly through stolen private keys. On September 6 the FBI issued a press release confirming that the Lazarus group was behind this attack.
● Most recently, on September 12, 2023, the centralized cryptocurrency exchange CoinEx was hacked and $54 million worth of funds were stolen. As mentioned earlier, many factors indicate that Lazarus was behind this attack.
Change in Lazarus’ strategy? Targeting centralized cryptocurrency institutions
An analysis of Lazarus’ latest activity indicates that since last year it has shifted its focus from decentralized services to centralized ones. Of the five recent hacks mentioned above, four targeted centralized virtual asset service providers.
There are several possible explanations for why Lazarus’ attention may once again be turning to centralized services.
● Increased security: Previous research by Elliptic found that in 2022 a DeFi hack occurred every four days, with an average of $32.6 million stolen each time. Cross-chain bridges, a relatively new type of service in early 2022, became one of the DeFi protocol types most frequently targeted by hackers. These trends may have driven improvements in smart contract auditing and development standards, reducing the scope for hackers to find and exploit vulnerabilities.
● Ease of social engineering attacks: Many of Lazarus’ attacks have involved social engineering. For example, the $5.4 billion hack of the Ronin Bridge was attributed to a fake LinkedIn job offer. Decentralized services, however, often have smaller staffs and, as the name suggests, varying degrees of decentralization, so gaining malicious access to a developer does not necessarily translate into administrative access to the smart contracts. Centralized exchanges, on the other hand, may operate with a much larger staff, widening the range of potential targets. They may also rely on centralized internal IT systems, giving Lazarus malware more opportunities to penetrate the core functions of the business.