Lazarus Group Transfers $64M ETH From Harmony Bridge Hack

During the weekend, the notorious North Korean hacking gang Lazarus Group started transferring money stolen in the Harmony Bridge attack. Notably, the organization moved over $63.5 million, or approximately 41,000 ETH.

On January 16, blockchain detective ZachXBT published information about the transfer of a significant amount of Ethereum. The cryptocurrency assets which originated from Tornado Cash were transferred via Railgun. Railgun is a private smart contract platform that uses zero-knowledge proofs to hide financial transactions.

According to the analyst who followed the trail of more than 350 addresses, some 41,000 ETH worth about $63.5 million were sent through Railgun and deposited on three different exchanges.

Funds Frozen By Binance And Huobi

Binance’s CEO, CZ, tweeted that the exchange had previously uncovered suspicious money transfers from the Harmony One hackers when they attempted to launder money through Binance. As a result, the accounts were frozen by the exchange. 

The Group had been keeping its money in Tornado Cash, a service that helps keep people’s identities secret and is used by criminals to launder money in the crypto industry.

The analyst followed the funds through more than three hundred addresses and concluded that Railgun had spread around 41,000 ETH among multiple receivers before the cryptocurrencies were deposited at various exchanges. He did not name the exchanges, but he did say that the Lazarus Group routinely makes rapid withdrawals from such platforms.

Connections Between Lazarus And Harmony’s Attack

Lazarus is now quite skilled at hiding their movements from law enforcement agencies while transferring illegal cryptocurrencies. For example, they were suspected of being behind the attack on Harmony Bridge in June 2022. In-depth information about the attack was published by Elliptic, a blockchain analytics service, at the time it occurred.

Multiple large crypto heists, totaling over $2 billion, have been linked to the Lazarus Group. DeFi and cross-chain bridges became a new target in 2022, and the group was also suspected of being behind the $600 million Ronin Bridge attack.

According to a recent report by cybersecurity firm Kaspersky, another North Korean hacker group, BlueNoroff, has expanded its illegal activities by posing as venture capitalists looking to invest in cryptocurrency startups.

Kaspersky’s report shows that BlueNoroff’s global attacks against cryptocurrency businesses were uncovered in January 2022, after which activity slowed down until the fall.

Theft of cryptocurrency has become a profitable business for North Korean hackers. Based on what is known about their operations, South Korean intelligence services estimate that over $1.2 billion in cryptocurrency has been stolen from the global community since 2017. In 2022, numerous companies, including FTX, were victims of cyberattacks.

At the time of writing, Bitcoin is trading around $20,800, up 21% in the last week. It is currently trading above its 50-day Simple Moving Average (SMA), which indicates that the price will remain bullish in the short term.

Featured image from Euronews, Chart from Tradingview.com.

Are A Fake Job Offer And A .Pdf Responsible For The Axie Infinity/ Ronin Hack?

The latest report on the Axie Infinity/ Ronin bridge hack is too good to be true, especially considering the FBI claims a North Korea-sponsored hacking group is responsible for it. “A senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist,” The Block reports. That’s not all: apparently, the hackers’ spyware got into the system through a simple .pdf file. Unbelievable that a $622M hack started that way.

The Ronin Network is an Ethereum sidechain that exclusively serves Axie Infinity. Both a billion-dollar business and a fun app with a thriving internal economy and an international audience, the play-to-earn game was one of the bull market’s biggest success stories. Sky Mavis is the studio behind Axie Infinity. And one of its programmers apparently fell victim to the simplest social engineering trick in the book.

Is North Korea To Blame?

According to surveillance firm Chainalysis, North Korea-sponsored hackers stole over $400M in 2021 alone. And according to the FBI, they’re responsible for the Axie Infinity/ Ronin hack. The alphabet agency traced the funds to wallets associated with North Korean hacking group Lazarus. Does The Block’s article complete or negate this version of the story? It’s hard to see North Koreans pulling a stunt quite like this.

In any case, at the time the FBI was extremely clear in a statement quoted here: 

“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th.”

If true, they broke their 2021 record with just one operation.  

How Did The Axie Infinity/ Ronin Hack Happen?

The hack’s supposed story is hilarious, to say the least. According to The Block: 

“Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter.”

After several rounds of interviews, one of Sky Mavis’ developers got an extremely generous offer. He opened up Pandora’s box and all hell broke loose.

“The fake “offer” was delivered in the form of a PDF document, which the engineer downloaded — allowing spyware to infiltrate Ronin’s systems. From there, hackers were able to attack and take over four out of nine validators on the Ronin network — leaving them just one validator short of total control.”

To complete the attack, they took control of another entity. Once upon a time, “the Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf.” The permissions were still valid and the hackers took advantage of them. The Ronin bridge’s operators’ post-mortem on the attack describes the fallout.

“The attacker managed to get control over five of the nine validator private keys — 4 Sky Mavis validators and 1 Axie DAO — in order to forge fake withdrawals. This resulted in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions.”

Did Lazarus’ operators orchestrate such a Hollywoodesque attack? Or does the comedic modus operandi implicate other perpetrators?

AXS price chart on FTX | Source: AXS/USD on TradingView.com

Previous Coverage Of The Axie Infinity/ Ronin Hack

Let’s turn to archival material to complete the story and add extra detail. After the breach happened, NewsBTC reported on Axie Infinity and Sky Mavis’ first solution to the problem:

“The latest move announced is a $1 million bug bounty program that invites white hat hackers to stress test the blockchain.

Co-Founder and COO of Sky Mavis and Axie announced: “Calling all whitehats in the blockchain space. The Sky Mavis Bug Bounty program is here. Help us keep the Ronin Network secure while earning a bounty up to $1,000,000 in bounty for fatal bugs.”

And then, when operators reopened the new and improved Ronin bridge, our sister site Bitcoinist reviewed its characteristics:

“In addition to the two independent audits on its smart contracts, the Ronin Bridge’s new design has implemented a new “circuit-breaker” feature. This was directly added to prevent a bad actor from replicating the previous attack or exploiting any potential new attack vector.”
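The post-mortem above describes the two ingredients of the drain (four stolen validator keys plus a never-revoked Axie DAO allowlist entry that let a Sky Mavis key count as a fifth signer), and the redesign adds a circuit breaker. The following toy model, added here and not code from Ronin, Sky Mavis or the audits, shows how a 5-of-9 quorum check behaves with a stale delegation, after the delegation is revoked, and with a withdrawal limit; the validator names, the choice of which key held the delegation, and the limit value are assumptions.

```python
# Toy bridge withdrawal verifier (added example, not Ronin's contract code).
# Models: 5-of-9 validator quorum, a delegation allowlist (Axie DAO -> Sky Mavis),
# and a per-day withdrawal limit acting as a circuit breaker.
QUORUM = 5  # post-mortem: five of nine validator keys can authorise a withdrawal
VALIDATORS = ({f"sky_mavis_{i}" for i in range(1, 5)} | {"axie_dao"}
              | {f"other_{i}" for i in range(1, 5)})  # 9 validators (names assumed)


class Bridge:
    def __init__(self, delegations, daily_limit=None):
        # delegations: {principal: delegate}; a signature by `delegate` also
        # counts for `principal` (the allowlist the Axie DAO granted Sky Mavis).
        self.delegations = dict(delegations)
        self.daily_limit = daily_limit  # None = no circuit breaker (pre-hack design)
        self.withdrawn_today = 0

    def revoke(self, principal):
        # The hygiene step that was missing: drop a delegation once it is no longer needed.
        self.delegations.pop(principal, None)

    def effective_signers(self, signers):
        eff = {s for s in signers if s in VALIDATORS}
        for principal, delegate in self.delegations.items():
            if delegate in signers:
                eff.add(principal)  # a stale delegation silently adds a vote
        return eff

    def withdraw(self, signers, amount):
        if len(self.effective_signers(signers)) < QUORUM:
            return "rejected: quorum not met"
        if self.daily_limit is not None and self.withdrawn_today + amount > self.daily_limit:
            return "halted: circuit breaker"  # large drain stops here for review
        self.withdrawn_today += amount
        return "approved"


STOLEN_KEYS = {"sky_mavis_1", "sky_mavis_2", "sky_mavis_3", "sky_mavis_4"}  # 4 of 9


def scenario():
    """Replays the three configurations; returns the verifier's verdict for each."""
    stale = Bridge({"axie_dao": "sky_mavis_1"})  # delegation never revoked (assumed key)
    forged = stale.withdraw(STOLEN_KEYS, 173_600)  # 4 keys + delegation = 5 = quorum
    stale.revoke("axie_dao")
    after_revoke = stale.withdraw(STOLEN_KEYS, 173_600)  # back to 4 signers
    limited = Bridge({"axie_dao": "sky_mavis_1"}, daily_limit=10_000)  # assumed limit
    halted = limited.withdraw(STOLEN_KEYS, 173_600)  # quorum met, but the breaker trips
    return forged, after_revoke, halted
```

The point for defenders is that the quorum arithmetic alone was satisfied; only the unused delegation and the absence of a rate limit turned four compromised keys into a complete drain.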

So, the Ronin bridge seems to be safe to use at the moment. It also seemed to be safe to use before the hack, though. Do your own research and be safe out there.

Featured Image by Niek Verlaan from Pixabay | Charts by TradingView