WazirX, an Indian cryptocurrency exchange, faced a massive hack resulting in a loss of $235 million. CYFIRMA identified the North Korean Lazarus Group as the culprit behind this breach.
WazirX was hacked earlier this month, leading to a loss of $235 million in various crypto assets. Consequently, the company had to freeze transactions due to the breach. Following the hack, the company launched a bounty program to trace the stolen crypto. The cybersecurity company Cyfirma has now identified a North Korean hacker group as being behind the theft. The stolen assets include $96.7 million in Shiba Inu, $52.6 million in Ether, $11 million in Matic and $7.6 million in Pepe.
The North Korean hacker group known as Lazarus is said to be responsible for this breach. The report claims that the Lazarus Group is linked to North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB). The group has two subgroups, APT38 and BlueNoroff, which specifically target financial institutions and cryptocurrency exchanges worldwide.
History of Lazarus group’s activities
APT38 focuses on financial crimes, attacking banks and cryptocurrency exchanges. They use techniques like custom malware, spear-phishing, and exploiting software vulnerabilities.
BlueNoroff targets financial institutions and cryptocurrency exchanges, often setting up fake companies to gain trust and infiltrate systems.
Previous high-profile attacks
Bithumb (South Korea): Suffered multiple hacks in 2017 and 2018, resulting in millions of dollars in stolen cryptocurrency.
Coincheck (Japan): In January 2018, over $530 million worth of NEM tokens were stolen in a hack with methods consistent with Lazarus tactics.
Youbit (South Korea): Declared bankruptcy in December 2017 after a hack attributed to Lazarus, losing 17 per cent of its assets.
How Lazarus group executes attacks
Lazarus Group uses several methods to hack into cryptocurrency exchanges like WazirX. They often start with phishing attacks, sending targeted emails to employees that contain malicious attachments or links. When these are opened, malware is installed on the victim’s computer, compromising the system.
The group also employs social engineering tactics to trick employees into revealing sensitive information. They might impersonate trusted individuals or create fake profiles and companies to gain trust and access.
Another method they use is exploiting software vulnerabilities. They look for weaknesses in the software used by crypto exchanges, including web applications, servers, and employee workstations. Once they find a vulnerability, they use it to gain unauthorized access.
Once inside the network, Lazarus deploys malware like remote access Trojans (RATs) and keyloggers. This malware helps them maintain persistent access and monitor activities to capture valuable information such as passwords and private keys.
After gaining initial access, they move laterally within the network to escalate their privileges and extend their control, often targeting the servers that manage cryptocurrency wallets. Finally, they transfer the stolen cryptocurrency to wallets they control. To hide the origin of the stolen funds, they launder them using various methods, including mixing services, converting to different cryptocurrencies, and making multiple transactions across different exchanges.
Kumar Ritesh, CEO of Cyfirma, mentioned that these attacks have been happening for years across various countries, primarily to fund North Korea’s weapons programs and evade international sanctions. He said, “Heists have been ongoing for several years, with notable attacks occurring since at least 2017. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime. The stolen cryptocurrency is used to fund the country’s weapons programs and to evade international sanctions.”