Never say die: The Lazarus Group renews attacks on Web3
The hack
On the morning of June 24th, hackers stole $100 million in Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB from the Horizon bridge. The bridge allowed users to transfer assets between the Horizon blockchain and other blockchains. The stolen cryptocurrency was immediately converted to ETH via Uniswap, a popular decentralized exchange (DEX). Passing stolen crypto through a DEX is a common money laundering strategy, since DEXs allow hackers to bypass compliance controls.
Over the next few days, automated transactions sent regular amounts of the stolen ETH to the Tornado Cash mixer. Mixers are another valuable tool for laundering crypto. These services mix funds from different users, obfuscating the origins of assets and making it harder to trace stolen crypto.
The hackers were smart about the attack and took multiple steps to obscure their identity. Still, there were a few clues that allowed researchers at blockchain analysis firm Elliptic to implicate the likely perpetrator: North Korean hackers known as the Lazarus Group.
The Lazarus Group
The Lazarus Group is an advanced threat to the cryptocurrency industry. Researchers at Elliptic estimate they have stolen over $2 billion in cryptocurrency from exchanges and DeFi services. In April, the FBI, CISA, and U.S. Treasury Department issued a joint Cybersecurity Advisory (CSA), warning that Lazarus presented an advanced persistent threat to the cryptocurrency industry. According to the CSA, North Korean hackers have targeted cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn crypto games, trading companies, and venture capital funds since 2020. Common attack vectors are spearphishing campaigns and malware. North Korean hackers often hide malicious code in the form of tempting job offers.
The joint CSA states that the Lazarus Group has presented a threat to crypto since 2020, but the group may have existed as early as 2007. They are best known for the 2017 WannaCry ransomware attacks, which spread to 150 countries and shut down 300,000 computers. The attacks only made about $350,000, which is chump change in the modern ransomware world. However, they caused an estimated $4 billion in damages. The ransomware attack was likely designed to cause panic and financial damage. The real financial gain would be found elsewhere.
North Korea’s economy is the target of comprehensive sanctions. To raise money, the Kim regime has built highly developed offensive cyber capabilities. South Korean intelligence estimates that the North Korean hacking army is 6,800 strong, with 1,700 hackers in seven units and 5,100 technical support personnel. The country’s top computer science students are handpicked from an early age and trained at university programs run by the Reconnaissance General Bureau, North Korea’s intelligence agency.
North Korea vs. Web3
The attack on the Horizon bridge has several trademarks typical of Lazarus attacks. Core members had ties to the APAC region, which is commonly targeted by Lazarus. Hackers were able to steal the crypto by compromising a multi-sig wallet through social engineering, which is another common Lazarus tactic. Periods of inactivity correlated with APAC nighttime hours. The main giveaway was the similarity between the Horizon bridge hack and the $540 million Ronin bridge hack.
The Ronin bridge is an Ethereum sidechain associated with Axie Infinity, a popular play-to-earn cryptocurrency game. In late March, the Lazarus Group stole an estimated $540 million in crypto – one of the largest exchange hacks of all time. Both the Horizon and Ronin attacks used social engineering techniques to access cryptographic keys. The money laundering pattern is also the same, with funds routed through Tornado Cash in both instances.
Bridge over troubled water
Crypto became a target for Lazarus when traditional banks bolstered their defenses against hackers. The Lazarus Group has been targeting crypto businesses since 2017. At first, they went after centralized exchanges in Asia. Researchers at Elliptic estimate that Lazarus started targeting DeFi in 2021. As traditional crypto outlets are getting savvier, Web3 is a tempting target thanks to its Wild West attitude. In a statement to the New York Times, one expert said that North Korean hackers “look at really interesting and very gray, new areas of cryptocurrency because actually, A, no one really understands them, and B, they can exploit weakness.”
Blockchain bridges in particular are a common target for hackers. Since most cryptocurrencies are not interoperable, “bridges” need to be constructed to move crypto assets from one blockchain to another. To support transactions, each bridge needs to hold cryptocurrency reserves. Blockchain bridges dealing with more obscure blockchains often have insufficient security auditing, which leads to exploitable vulnerabilities.
Crime pays
The Coincub Crypto Crime Report found that North Korea had more crypto crime associated with it than any other country. According to the New York Times, North Korea has conducted more missile tests this year than in any other. Faced with sanctions and a stagnant economy decimated by the pandemic, the DPRK views crypto as a risk-free way for the regime to finance its weapons program. So far, they’ve been proven right. In 2022 alone, the Lazarus Group has stolen over $1 billion in cryptocurrency, mostly from DeFi protocols. The Lazarus Group presents a threat to the crypto industry that is unlikely to die.
How do crypto mixers work?
While not inherently criminal, crypto mixers are often used by cybercriminals to obfuscate crypto transactions and get around the inherent transparency and traceability of most blockchains. In order to do this, mixers pool user funds and randomly mingle them. Users then withdraw the mixed tokens from this pool.
Chainalysis found that nearly 10% of all funds sent from illicit addresses are sent to mixers. 30% of funds moving from sanctioned entities to mixers come from the Lazarus Group. It’s important to note that mixers have multiple legitimate uses. Investors commonly ‘clean up’ cryptocurrency to gain a market advantage by concealing investing activity from competitors.
Mixers are also not a foolproof tool. Some firms like Chainalysis and Elliptic have developed methods for ‘demixing’ cryptocurrency, allowing them to trace transactions to the source.
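The laundering cadence described earlier (automated transactions pushing regular amounts of stolen ETH into a mixer pool) is something a compliance or threat-intel team can hunt for in on-chain transfer records. The following is an added example, not code from the original article or from Elliptic or Chainalysis; the mixer contract label and all transfer records are constructed placeholders, and the thresholds are assumptions to tune against real data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Transfer:
    ts: int     # block timestamp, unix seconds
    src: str    # sending address
    dst: str    # receiving address
    eth: float  # amount in ETH

# Assumption: the analyst maintains a label set of known mixer contracts.
# Placeholder address, not a real mixer contract.
MIXER_ADDRESSES = {"0xMIXER_POOL_PLACEHOLDER"}

def flag_scripted_mixer_deposits(transfers, mixer_addrs, min_count=4, max_gap_cv=0.2):
    """Return {sender: summary} for senders whose deposits to a known mixer are
    one repeated amount sent at near-constant intervals: the cadence of a
    laundering script rather than of a human user."""
    by_sender = {}
    for t in transfers:
        if t.dst in mixer_addrs:
            by_sender.setdefault(t.src, []).append(t)
    findings = {}
    for src, deps in by_sender.items():
        if len(deps) < min_count:
            continue
        deps.sort(key=lambda t: t.ts)
        gaps = [b.ts - a.ts for a, b in zip(deps, deps[1:])]
        # coefficient of variation of the inter-deposit gap; ~0 means clockwork timing
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if len({t.eth for t in deps}) == 1 and gap_cv <= max_gap_cv:
            findings[src] = {"deposits": len(deps), "amount_eth": deps[0].eth,
                             "total_eth": sum(t.eth for t in deps),
                             "mean_gap_s": mean(gaps)}
    return findings

def sample_transfers():
    """Constructed sample, not real chain data: one address drains 600 ETH into
    the mixer in six 100 ETH deposits about an hour apart; another deposits
    irregular amounts at irregular times; one transfer goes to a DEX, not a mixer."""
    mixer = "0xMIXER_POOL_PLACEHOLDER"
    scripted = [Transfer(ts, "0xSUSPECT_PLACEHOLDER", mixer, 100.0)
                for ts in (0, 3600, 7190, 10800, 14410, 18000)]
    ordinary = [Transfer(ts, "0xORDINARY_PLACEHOLDER", mixer, amt)
                for ts, amt in ((500, 0.1), (9000, 1.0), (9400, 1.0), (30000, 10.0), (31000, 0.1))]
    unrelated = [Transfer(100, "0xSUSPECT_PLACEHOLDER", "0xDEX_PLACEHOLDER", 5.0)]
    return scripted + ordinary + unrelated

def analyze_sample():
    return flag_scripted_mixer_deposits(sample_transfers(), MIXER_ADDRESSES)
```

Only the address with a single repeated amount and clockwork timing is flagged; the ordinary depositor with mixed denominations and irregular gaps is not.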
What is phishing?
Phishing refers to an attempt by attackers to trick victims into divulging sensitive information or performing actions on their behalf. Phishing attacks are frequently targeted, and cleverly designed to get victims to perform the desired action. Attacks can result in the theft of valuable data or the installation of malware and/or ransomware. Spear phishing specifically refers to sophisticated phishing methods that target specific individuals or groups within an organization. Spear phishing attacks often involve emails with attachments that contain malicious code. The emails themselves are written to encourage the victim to open the attachment, therefore giving the attacker access to their computer.