A recent report has unveiled that North Korean hackers were behind the $235 million theft from Indian investors through the WazirX cryptocurrency exchange. The breach has raised significant concerns about the security of digital assets and the growing threat posed by state-sponsored cybercriminals.
WazirX Hacked: North Korean Hackers Behind $235 Million Theft from Indian Investors
Earlier this month, WazirX experienced a major security breach, resulting in the loss of $235 million in various cryptocurrencies. As a consequence, the company froze transactions and launched a bounty program to track the stolen assets. Cybersecurity firm Cyfirma has now revealed that the hack was orchestrated by a North Korean hacker group.
The stolen assets include $96.7 million in Shiba Inu, $52.6 million in Ether, $11 million in Matic, and $7.6 million in Pepe. The North Korean hacker group responsible for the breach is identified as Lazarus, which is linked to North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB). Lazarus has two subgroups, APT38 and BlueNoroff, both of which specifically target financial institutions and cryptocurrency exchanges globally.
Background on Lazarus Group’s Activities
- APT38: Specializes in financial crimes, targeting banks and cryptocurrency exchanges using techniques such as custom malware, spear-phishing, and exploiting software vulnerabilities.
- BlueNoroff: Focuses on financial institutions and cryptocurrency exchanges, often using fake companies to gain trust and infiltrate systems.
Notable Previous Attacks by Lazarus Group
- Bithumb (South Korea): Experienced multiple hacks in 2017 and 2018, resulting in significant cryptocurrency losses.
- Coincheck (Japan): In January 2018, over $530 million in NEM tokens were stolen in a hack consistent with Lazarus tactics.
- Youbit (South Korea): Declared bankruptcy in December 2017 after a hack attributed to Lazarus, losing 17% of its assets.
How Lazarus Group Executes Attacks
Lazarus Group employs various methods to compromise cryptocurrency exchanges like WazirX:
- Phishing Attacks: They send targeted emails with malicious attachments or links to employees. When opened, these emails install malware on the victim’s computer.
- Social Engineering: They trick employees into disclosing sensitive information by impersonating trusted individuals or creating fake profiles and companies.
- Exploiting Software Vulnerabilities: They search for weaknesses in software used by exchanges, including web applications and servers, to gain unauthorized access.
Once inside the network, Lazarus deploys malware such as remote access Trojans (RATs) and keyloggers to maintain persistent access and capture valuable information like passwords and private keys. They then move within the network to escalate their access, targeting servers that manage cryptocurrency wallets. The stolen cryptocurrency is transferred to wallets controlled by the hackers and laundered through various methods, including mixing services and transactions across different exchanges, to obscure its origin.
Kumar Ritesh, CEO of Cyfirma, noted that these attacks have been ongoing for years and are primarily aimed at funding North Korea’s weapons programs and circumventing international sanctions. He stated, “These heists have been happening for several years, with notable attacks since at least 2017. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime, using the stolen cryptocurrency to fund weapons programs and evade international sanctions.”