North Korea’s Lazarus Group Gets $3 Billion From Cryptocurrency Hacks

Nov 30, 2023 | Newsroom | Cryptocurrency / Cyberattacks


Threat actors from the Democratic People’s Republic of Korea (DPRK) have increasingly focused on the cryptocurrency sector as a major revenue generation mechanism since at least 2017 to evade sanctions imposed against the country.

“Although movement in and out of and within the country is strictly restricted, and its general population is isolated from the rest of the world, the regime’s ruling elite and its highly trained cadre of computer science professionals have the privilege of accessing new technologies and information,” the cybersecurity firm Recorded Future said in a report shared with The Hacker News.

“The privileged access to resources, technology, information, and sometimes international travel for a small group of select individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyber attacks against the cryptocurrency industry.”

The disclosure comes as the US Treasury Department imposed sanctions against Sinbad, a virtual currency mixer used by the North Korea-linked Lazarus Group to launder ill-gotten gains.


Threat actors from the country are estimated to have stolen $3 billion worth of crypto assets over the past six years, with about $1.7 billion stolen in 2022 alone. Much of the stolen proceeds was used to directly fund the hermit kingdom’s weapons of mass destruction (WMD) and ballistic missile programs.

“$1.1 billion of that total was stolen by hacks of DeFi protocols, making North Korea one of the driving forces behind the DeFi hacking trend that accelerated in 2022,” Chainalysis said earlier this February.

A report published by the US Department of Homeland Security (DHS) as part of the Analytic Exchange Program (AEP) earlier this September also highlighted Lazarus Group’s exploitation of DeFi protocols.


“DeFi exchange platforms allow users to transfer between cryptocurrencies without the platform holding customer funds to facilitate the transfer,” the report said. “This allows DPRK cyber actors to know when to transfer stolen cryptocurrency from one type of cryptocurrency to another, making it more difficult to identify, detect, or trace.”

The cryptocurrency sector is one of the main targets for state-sponsored North Korean cyber threat actors, as repeatedly evidenced by numerous campaigns carried out in recent months.


DPRK hackers are known for pulling off clever social engineering tricks that target employees of online cryptocurrency exchanges, luring their victims with the promise of lucrative jobs in order to distribute malware that provides remote access to the company’s network. That access ultimately allows them to drain all available assets and transfer them to various wallets controlled by the DPRK.

Other campaigns use similar phishing tactics to trick users into downloading trojanized cryptocurrency apps that steal their assets, as well as watering hole attacks (aka strategic web compromises) as an initial access vector, alongside airdrop scams and rug pulls.

Another well-known tactic adopted by the group is the use of mixing services to obscure the financial trail and cloud attribution efforts. Such services are typically offered by cryptocurrency exchange platforms that do not enforce know your customer (KYC) policies or anti-money laundering (AML) regulations.

“Without stronger regulations, cybersecurity requirements, and cybersecurity investments for cryptocurrency companies, we assess that in the near term, North Korea will almost certainly continue to target the cryptocurrency industry because of its past success in mining it as a source of additional income to support the regime,” Recorded Future concluded.
