A recent analysis of the $7 million cyber theft from Singapore exchange DragonEx, which took place last March, appears to have found the sticky fingerprints of a North Korea based hacker network all over it. That isn’t to say the hackers’ methods are sloppy, quite the opposite in fact. The levels of care, effort, and sophistication that went into the DragonEx heist are impressive and more than a little worrying.
Spear phishing has been very much part of these hackers’ approach for some time. Still, this heist involved the setting up of an entire fake company (based around the supposed cryptocurrency trading bot they had invented, Worldbit-bot) including fake website, employees (each of whom even social media presence) and a free trial period too good to resist. The free software sample was, of course, malware, which then accessed the private keys DragonEx’s wallets. And the rest was cybercrime.
Experts have already had their eye on this particular gang of hackers, dubbed the Lazarus Group, and they have been implicated in crypto exchange cybercrimes going back to 2017. But their reputation stretches back further.
Perhaps readers may remember the 2014 takedown of Sony Pictures associated with their upcoming release of not-terribly-funny Kim Jong-un related movie The Interview? You know, unprecedented and powerfully unsettling attack on a huge movie studio purely on the basis that one of its films might make the North Korean President look silly? Yeah. That was these guys.
Also known as APT 38, Hidden Cobra (US Homeland Security’s codename for them), Whois Team, Zinc (Microsoft’s codename for them), Gods Apostles and Guardians of Peace, the same team were almost certainly behind the crippling Wannacry ransomware as well as the extraordinary Bangladesh Bank cyber heist and the Sharpshooter Malware targeting vital NATO country infrastructure, with their first attributable public appearance very much in the spirit of state-sponsored cyber espionage, unleashing crippling attacks on media and commerce in neighboring South Korea.
But now financial crime is their primary modus operandi, likely due in no small part to just how cash strapped the North Korean regime is starting to get in the face of international sanctions (they also targeted SWIFT monetary transfer system immediately after North Korea’s access to it was restricted). Cryptocurrency exchanges are now their ATM of choice.
This is partly simply because cryptocurrency is an easy target for these experiences hackers, given the sheer laxity of security arrangements throughout the industry.
For the Lazarus group’s more recent targets, similar fake companies have been used to entice cryptocurrency exchange employees to download malware, most often using Telegram, the messaging app that dominates the market in Asia.
A cryptocurrency (in spite of the supposed anonymity of the blockchain) is not as easy to launder as one might expect, and this has been the Lazarus Group’s weak point until recently.
Traditionally they have let the funds sit for a year or more for the heat to die down before cashing out their crypto coins, making sure to use only exchanges that don’t track customer ID to do so.
However, the DragonEx heist was followed by a flurry of activity using digital wallets and intermediary exchanges to eventually bring funds into a privacy technology called CoinJoin, which, by merging different transactions from different sources, makes it very difficult to follow who sent what to who. These extra steps allowed the Lazarus Group to go from heist to hard cash within about 60 days.
As sophisticated, methodical, and hardworking as the Lazarus Group may be, the real issue here may be less about North Korea’s mastery of cybercrime and more about the sheer weakness of cryptocurrency security. Fixing this may be one of the last plugs to finally seal North Korea’s wall of sanctions and, although this might be too much to hope for, the fate of the Pyongyang regime.
Sign up for our newsletter to get the best of The Sized delivered to your inbox daily.