A notorious hacking collective known as Lazarus Group, linked to the North Korean government and believed to be behind a slew of brazen hacks, including the 2014 hack of Sony Pictures and the 2017 WannaCry ransomware attacks, as well as a number of cryptocurrency exchange attacks, has advanced its hacking tactics and money laundering strategies, according to blockchain analysis company Chainalysis.
Typically, Lazarus Group relies on social engineering to attack exchanges, tricking employees into downloading malware that gives the hackers access to users’ funds, but in one of the exchange hacks last year the group took a more advanced approach, executing one of the most elaborate phishing schemes seen to date.
In March of 2019, the hackers stole approximately $7 million in various cryptocurrencies (including Bitcoin, Ripple, and Litecoin) from the Singapore-based DragonEx exchange. While in terms of financial gain the DragonEx hack was relatively small, it was notable for the lengths the hackers went to in order to obtain the funds.
The hack involved a sophisticated phishing attack in which the hackers established a fake company with a realistic website and social media presence. The company claimed to be selling an automated cryptocurrency trading bot called Worldbit-bot. That supposed bot was then offered to DragonEx employees for a free trial. Though the software allegedly resembled an actual trading bot, it contained malware that could hijack the computer it infected. Eventually, the malicious software landed on the DragonEx computer containing the private keys for the exchange’s wallets, thus allowing the hackers to steal the funds.
“Whereas most phishing attempts rely on little more than an email or small-scale website, Lazarus Group’s fabricated Worldbit-bot company is on another level of sophistication. It reveals the time and resources Lazarus has at its disposal, as well as the deep knowledge of the cryptocurrency ecosystem necessary to successfully impersonate legitimate participants,” Chainalysis noted in the report.