As cryptocurrencies have risen over the past 10 years, so too we have seen increasing headlines about hackers getting involved. One of the most notable hacking groups is the Lazarus Group based in North Korea (aka Democratic People’s Republic of Korea – DPRK).

Behind most hacking groups sits a ringleader, an ideology or moral code, or some kind of organizational structure. This is how we’ve come to think of hackers, driven typically by personal gain, and sometimes by the direction of others.

Lazarus Group is the Biggest Crypto Thief

Identified by numerous sources as a key unit attached to North Korean intelligence unit 121, the Lazarus Group has reportedly been responsible for the theft of some $571 million in digital currency assets between March 2017 and October 2018. While many countries have been targeted by Lazarus, South Korea has born the main brunt, taking 80% of all attacks. During that period, a total of $882 million dollars in assets was stolen, most by Lazarus and some by unknown groups.

Kaspersky-Lazarus-infographocs
Infographic by Kaspersky Lab

Lazarus first appeared during “Operation Troy” in 2009, where a series of attacks were committed against South Korean (aka Republic of Korea – ROK) government websites and banks. Though South Korea is a known Internet and technological powerhouse, it seemed at the time that the government had greatly downplayed the potential threat of Lazarus. In 2013, the core servers of three television networks were attacked. An investigation revealed the hack even reached into banks and companies too. Lazarus had just made itself officially South Korea’s “public enemy no.1”

After South Korea took strong steps and put up its defenses, the number of attacks showed a marked decrease, but another reason for that was Lazarus found a new enemy – Japan. In 2014, Sony Pictures was promoting the release of controversial comedy, “The Interview” which depicts the assassination of their current leader, Kim Jong Un. A $44 million investment on the part of Sony was rocked by major hacks and subsequent threats against personnel, and even terror threats against theatres that dared show the film. Lazarus promised that it would be similar to or worse than 9-11.

the-interview-notrh-korea
“The Interview” movie poster – The Time

In February 2016 the group was blamed for the infamous robbing of Bangladesh Bank’s Federal Reserve Bank account in New York. The target was $1 billion, but in the end, only $81 million was stolen. The group also hit ATMs in the US, as well as other banks in Poland, India and South Korea. Sanctions against the DPRK continued to grow fiercer, but the response of Lazarus seemed to match that ferocity. As the financial pinch became sharper, they turned their attention to cryptocurrency, by then an established and increasingly valuable resource.

Besides attacking the exchanges mentioned above, they also hit personal computers with trojans designed to extract Bitcoin and other personal information through phishing. The group perpetrated the Wannacry virus, which infested around 20,000 computers.

park-jin-hyok-bitcoin-hacker
Park Jin Hyok, a 34-year-old North Korean, confirmed by the US atrocities as a part of Lazarus Group

Far from just stealing the cryptocurrency, the group has now been accused of creating its own “Air Coins” as part of the scam. Identified projects linked to DPRK crypto scams include Marine Chain running out of Singapore, and Binary Tilt which has already been confirmed by the Ontario Provincial Government. These have been linked to four IP addresses, some of which have been known to host scams previously.

wannacry-virus-bitcoin
Wannacry virus window

The Lazarus Group – also known as “Cobra”, “Guardians of Peace” and “Zinc,” represent a new challenge for the crypto world. We can use technology to identify and locate them, but when they are based in the DPRK and protected by the North Korean state, it is impossible to physically act against them. Group-IB has done an extensive tracing of Lazarus, and found that their activities can be traced back to two locations in Pyongyang – the first is the DPRK Defence Commission, and the second is the incomplete 105-story Ryugyong Hotel, which has long since been taken over and used by the military.

The most pernicious thing about the group is that unlike most hackers they don’t just work for personal gain, but also for a nationalist cause. That makes them all the more potent, and a great enemy of the stable development of the cryptocurrency sector.