
290M of cryptocurrencies stolen in 2 months: what are the techniques of North Korean hackers?

by Thomas

Over the past 2 months, the North Korean hacker group Lazarus has stolen more than $290 million worth of cryptocurrencies. DefiLlama has investigated the methods the thieves used to achieve their ends.

Lazarus steals over $290 million in cryptocurrencies in 2 months

So far, 2023 appears to be a quieter year than previous ones in terms of hacks in the ecosystem, with total losses currently standing at $635 million. However, there have still been some significant attacks in recent months: the North Korean group Lazarus alone is reported to have stolen more than $290 million worth of cryptocurrencies over the past 2 months.

Given these figures, DefiLlama’s analysts have conducted an investigation into the techniques used by these thieves, focusing in particular on the recent case of CoinsPaid, the victim of a $37 million attack a few weeks ago.

Links to the Lazarus group have been confirmed, since the attackers used wallets that were also involved in the Harmony bridge and Atomic Wallet hacks.

6 months of preparation and various attacks

Prior to the 22 July attack, Lazarus hackers spent more than 6 months preparing, using a variety of methods to compromise CoinsPaid’s security.

On 7 July, for example, a massive DDoS attack targeted the platform, involving traffic from around 150,000 IP addresses.

Between June and July, reports also cite attempted bribes, as well as fake job offers sent to the platform's engineers, with salaries of between $16,000 and $24,000 a month.

The breach was ultimately made possible by an employee who downloaded malicious software while believing he was taking part in a job interview with Crypto.com. The malware gave the attackers a foothold in CoinsPaid's systems, from which they went on to exploit a vulnerability.

The CoinsPaid teams told DefiLlama about the Lazarus group’s social engineering skills:

“While you might think that such an attempt to install malware on an employee’s computer would be obvious, the hackers spent 6 months learning every possible detail about CoinsPaid, our team members, the structure of our company, etc. High-level hacker groups have been able to exploit this vulnerability to their advantage. High-level hacker groups like Lazarus are able to create a completely believable story to take advantage of potential targets.”

While the most spectacular hacks usually exploit flaws in the source code of decentralised finance (DeFi) applications, this case shows that the human factor should not be underestimated. With good reason: it is often easier for a malicious actor to exploit people than to hunt for technical vulnerabilities.
