CYFIRMA Identifies North Korean 'Lazarus Group' as Culprits Behind WazirX Crypto Exchange Breach

CYFIRMA, an external threat landscape management platform has identified Lazarus group, a North Korea-backed hacker group, behind the WazirX breach. The state-sponsored attack is linked to North Korea's Reconnaissance General Bureau (RGB), a primary intelligence service.

According to CYFIRMA’s researchers’ analysis, due to the breach, close to $235 million were lost in crypto assets. This consists of over 200 different assets, including ~ $96.7m of Shiba Inu, ~ $52.6m of Ether, ~ $11 million of Matic, and ~ $7.6 million of Pepe. The threat actor has already swapped a number of these tokens for Ether using a variety of decentralised services, an expected initial step of a typical laundering process.

The attacks were carried out by two subgroups of the Lazarus group namely APT38 and Blue Noroff. Lazarus mainly targets crypto exchanges and financial institutions worldwide.

APT38 primarily focuses on financial crimes, including attacks on banks and cryptocurrency exchanges. They are known for orchestrating large-scale heists and have been linked to several high-profile attacks on Asian financial institutions and crypto exchanges. APT38 uses sophisticated techniques such as custom malware, spear-phishing campaigns, and exploiting software vulnerabilities to infiltrate and steal funds.

BlueNoroff is focused on targeting financial institutions and cryptocurrency exchanges. This group has been implicated in various attacks on crypto exchanges in Asia, employing tactics such as phishing, malware deployment, and social engineering to compromise their targets. BlueNoroff has been known to set up fake companies and personas to establish trust and infiltrate the systems of crypto exchanges.

Kumar Ritesh, CEO & Founder of Cyfirma, says, “Heists have been ongoing for several years, with notable attacks occurring since at least 2017. Significant heists have occurred in various countries, including South Korea, Japan, the United States, and others. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime. The stolen cryptocurrency is used to fund the country's weapons programs and to evade international sanctions.”

Notable Incidents Involving Asian Crypto Exchanges:

Bithumb (South Korea): In 2017 and 2018, Bithumb, one of South Korea's largest cryptocurrency exchanges, suffered multiple hacks attributed to Lazarus Group, resulting in millions of dollars in stolen cryptocurrency.

Coincheck (Japan): In January 2018, Coincheck, a Japanese cryptocurrency exchange, was hacked, resulting in the theft of over $530 million worth of NEM tokens. While not definitively attributed to Lazarus, the methods used were consistent with their tactics.

Youbit (South Korea): In December 2017, Youbit, a South Korean cryptocurrency exchange, declared bankruptcy after a hack attributed to Lazarus Group resulted in the loss of 17% of its assets.

Different methods used by the attackers for successful breach:

Phishing Attacks: Lazarus often starts with spear-phishing campaigns, sending targeted emails to employees of crypto exchanges. These emails contain malicious attachments or links that, once opened, install malware on the victim's computer. Based on the latest learnings, either Liminal Custody UI was compromised, or WazirX laptops were compromised to phish signatures. This was not an insider attack, and no private keys were compromised.

Social Engineering: They use social engineering tactics to gain the trust of employees and trick them into revealing sensitive information or performing actions that compromise the exchange's security.

Exploiting Software Vulnerabilities: They exploit known and zero-day vulnerabilities in software used by crypto exchanges. This can include vulnerabilities in web applications, servers, or employee workstations.

Malware Deployment: Lazarus deploys various types of malware, such as remote access Trojans (RATs) and keyloggers, to gain persistent access to the exchange's network and monitor activities.

Moving Laterally: Once inside the network, they move laterally to gain higher levels of access and control, often aiming to reach the servers that manage cryptocurrency wallets.

Transferring Funds: They then transfer the stolen cryptocurrency to wallets they control. These funds are often laundered through various means, including mixing services and multiple transactions across different cryptocurrencies and exchanges to obscure the origin of the funds.

ABOUT CYFIRMA

CYFIRMA is an external threat landscape management platform company. We combine cyber intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. Our cloud-based AI and ML-powered analytics platforms provide the hacker’s view with deep insights into the external cyber landscape, helping clients prepare for impending attacks. CYFIRMA is headquartered in Singapore with offices in Japan, India, the US, and the EU. Customers include both governments as well as Fortune 500 companies across manufacturing, financial services, retail, industrial products, natural resources and pharmaceutical industries.