Original author: Elliptic
Original text compiled by: Babywhale, Foresight News
The North Korean hacker group Lazarus appears to have stepped up its operations recently. Four attacks on cryptocurrency companies since June 3 have been confirmed as its work, and the recent attack on the cryptocurrency exchange CoinEx was most likely carried out by Lazarus as well. CoinEx has responded with multiple tweets indicating that suspicious wallet addresses are still being identified, so the total value of the stolen funds remains unclear but may have reached $54 million.
Over the past 100 days, Lazarus has been confirmed to have stolen nearly $240 million in cryptoassets from Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million) and Stake.com ($41 million).
As the chart above shows, Elliptic's analysis found that some of the funds stolen from CoinEx were sent to an address that the Lazarus Group had used to hold funds stolen from Stake.com, albeit on a different blockchain. The funds were then moved to Ethereum through a cross-chain bridge that Lazarus had used before, and from there sent on to an address known to be controlled by the CoinEx hacker. Elliptic has seen this kind of mixing of proceeds from different hacks in earlier Lazarus incidents, most recently when funds stolen from Stake.com were combined with funds stolen from Atomic Wallet. These instances of funds from different hacks being combined are shown in orange in the image below.
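The commingling pattern described above is what a forward taint trace over a transfer graph surfaces: start from the address that first received each incident's loot, follow every outgoing transfer (including known bridge deposit-to-release pairings, so the trace crosses chains), and flag any address that ends up carrying more than one incident label. The code below is an added illustration and is not Elliptic's tooling; the transfers, bridge pairing and address names are constructed placeholders, not real on-chain data.

```python
from collections import defaultdict, deque

# Constructed sample data for this example. Every address is a placeholder label,
# not a real on-chain address. Each transfer is (chain, sender, receiver, amount).
SAMPLE_TRANSFERS = [
    ("chainA",   "stake_hack_out",  "lz_hub",           4.0),  # Stake.com loot parked in a hub
    ("chainA",   "coinex_hack_out", "lz_hub",           2.0),  # CoinEx loot sent to the same hub
    ("chainA",   "lz_hub",          "bridge_deposit",   6.0),  # hub forwards to a bridge
    ("ethereum", "bridge_release",  "coinex_hacker",    6.0),  # released on the other side
    ("ethereum", "coinex_hacker",   "exchange_deposit", 1.0),  # partial cash-out at a service
    ("ethereum", "unrelated_user",  "exchange_deposit", 0.5),  # clean funds, same destination
    ("ethereum", "exchange_deposit", "exchange_hot",    1.5),  # service sweeps its deposits
]

# Known bridge pairings (assumed, constructed): a deposit address on one chain maps to
# the release address on another, so the trace can hop chains.
SAMPLE_BRIDGES = {("chainA", "bridge_deposit"): ("ethereum", "bridge_release")}

# Seeds: incident label -> the (chain, address) that first received that incident's loot.
SAMPLE_SEEDS = {
    "stake":  ("chainA", "stake_hack_out"),
    "coinex": ("chainA", "coinex_hack_out"),
}

# Known service deposit addresses (assumed): taint stops here because the service,
# not the hacker, controls what happens next, so its internal sweeps are not "the hacker".
SAMPLE_STOP_AT = {("ethereum", "exchange_deposit")}


def build_graph(transfers, bridges):
    """Adjacency list over (chain, address) nodes; bridge pairings become extra edges."""
    graph = defaultdict(set)
    for chain, sender, receiver, _amount in transfers:
        graph[(chain, sender)].add((chain, receiver))
    for deposit, release in bridges.items():
        graph[deposit].add(release)
    return graph


def trace_taint(transfers, bridges, seeds, stop_at=frozenset()):
    """Propagate each incident label forward from its seed along every outgoing edge.

    Returns {(chain, address): set_of_incident_labels} for every node reached.
    Propagation does not continue past nodes in `stop_at` (they are still labelled).
    """
    graph = build_graph(transfers, bridges)
    taint = defaultdict(set)
    for label, seed in seeds.items():
        queue = deque([seed])
        while queue:
            node = queue.popleft()
            if label in taint[node]:
                continue  # already visited for this incident
            taint[node].add(label)
            if node in stop_at:
                continue
            queue.extend(graph[node])
    return dict(taint)


def find_commingling(taint):
    """Addresses that received funds traceable to more than one incident."""
    return {node: sorted(labels) for node, labels in taint.items() if len(labels) > 1}


if __name__ == "__main__":
    result = trace_taint(SAMPLE_TRANSFERS, SAMPLE_BRIDGES, SAMPLE_SEEDS, SAMPLE_STOP_AT)
    for node, labels in find_commingling(result).items():
        print(node, "<-", ", ".join(labels))
```

This is "poison" tainting: any address downstream of a seed inherits the label regardless of amounts, which over-marks addresses that also receive clean funds (the shared `exchange_deposit` above). Production tracing adds amount-aware rules such as FIFO or haircut apportionment and relies on curated labels for bridges and service deposit addresses; without the `stop_at` set the trace would wrongly mark the service's own hot wallet as hacker-controlled.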
Five attacks in just over 100 days
In 2022, several high-profile hacks were attributed to Lazarus, including the attacks on Harmony's Horizon Bridge and Axie Infinity's Ronin Bridge, both of which took place in the first half of that year. From then until June of this year, no major cryptocurrency thefts were publicly attributed to Lazarus. The series of attacks over the past 100 days or so therefore indicates that the North Korean group has become active again.
On June 3, 2023, users of the non-custodial, decentralized cryptocurrency wallet Atomic Wallet lost more than $100 million. Elliptic formally attributed the hack to Lazarus on June 6, 2023, after identifying multiple factors pointing to the North Korean group, and the FBI later confirmed that attribution.
On July 22, 2023, Lazarus gained access to a hot wallet belonging to the crypto payments platform CoinsPaid through a social engineering attack. That access allowed the attacker to create authorization requests that withdrew approximately $37.3 million in cryptoassets from the platform's hot wallet. On July 26, CoinsPaid published a report stating that Lazarus was responsible for the attack, which the FBI confirmed.
On the same day, July 22, Lazarus carried out another attack, this time against the centralized crypto payments provider Alphapo, stealing $60 million in cryptoassets. The attacker may have gained access through a previously leaked private key. The FBI again confirmed Lazarus as the attacker in this incident.
On September 4, 2023, the online cryptocurrency gambling platform Stake.com was attacked and approximately $41 million worth of cryptocurrency was stolen, possibly through the theft of private keys. In an announcement on September 6, the FBI confirmed that the Lazarus Group was behind the attack.
Finally, on September 12, 2023, the centralized cryptocurrency exchange CoinEx was hacked and $54 million was stolen. As noted above, multiple pieces of evidence point to Lazarus being responsible for this attack.
Has Lazarus changed its tactics?
Analysis of Lazarus' latest activity shows that since last year its focus has shifted from decentralized services to centralized ones. Four of the five recent hacks discussed above targeted centralized cryptoasset service providers. Before 2020, prior to the rapid rise of the DeFi ecosystem, centralized exchanges were Lazarus' main target.
There are several possible explanations for why Lazarus is once again turning its attention to centralized services.
More focus on security: Elliptic's earlier research on the 2022 DeFi hacks found that an attack occurred on average every four days in 2022, with an average of $32.6 million stolen per incident. Cross-chain bridges became one of the most frequently hacked types of DeFi protocol in 2022. These trends may have driven improvements in smart contract auditing and development standards, narrowing the room hackers have to find and exploit vulnerabilities.
Susceptibility to social engineering: in many of its hacks, the Lazarus Group's method of choice has been social engineering. For example, the $540 million Ronin Bridge hack was set up through a fake job opportunity advertised on LinkedIn. Decentralized services, however, tend not to have many employees and are, as the name implies, decentralized to varying degrees, so gaining malicious access to a developer does not necessarily translate into administrative access to a smart contract.
Centralized exchanges, by contrast, are likely to employ a relatively larger workforce, which widens the pool of possible targets. They may also run centralized internal IT systems, giving Lazarus malware a greater chance of spreading through the business once a single employee is compromised.
