
65% of hacked crypto ends up in N.Korea

New report shows cryptocurrency hacks continue to be lucrative for North Korea, with over half a billion stolen since January 2017.

After successful attacks on Sony and several international banks, North Korean hacking outfit Lazarus has turned its attention to cryptocurrency.

The cyber-criminal gang, which media reports claim is state-sponsored, have reaped half a billion dollars in cryptocurrency from hacking in less than 20 months, according to a report from Group-IB.

Subject to increasingly severe international sanctions, North Korea is one of several countries, like Russia and Venezuela, that are using cryptocurrency as a way to counter economic pressure from the U.S.

Bolstering state income

FireEye — a cybersecurity company — have monitored Lazarus for several years on behalf of the FBI. They claim the group was initially conceived to perform cyber espionage on rival South Korea, but have since been stealing funds rather than state secrets — conducting large scale cyber attacks on prestigious organizations around the world.

Over the last year, this focus has shifted from banks, governments and multinational companies, to crypto exchanges, whose security loopholes make them lucrative targets. In total, the report finds 14 different attacks have been made on cryptocurrency exchanges since January 2017, of which the Lazarus group have been linked to five.

Most of these are in neighbouring South Korea — conveniently a crypto hub — and Japan, another trading hotspot. These attacks are thought to have netted the group $571 million in funds (just under 5 percent of North Korea’s gross domestic product), which amounts to almost 65 percent of the $882 million in cryptocurrency stolen from online exchanges since 2017.

$7 million of this is from Bithumb, a South Korean exchange attacked in February 2017, and $5.6 million from YouBit, which suffered two hacks just a few months apart and was forced to file for bankruptcy. As the biggest exchange in what is the world’s third-largest market for trading bitcoin, the breach of Bithumb alone sent ripples through the crypto ecosystem.

The hackers' toolbox

According to the report, the hackers have taken the same tactics used to breach big banks and businesses, and transferred them to the world of cryptocurrency; using a variety of methods to extract funds from exchanges.

This toolset will be familiar to many, as the attacks bear technical similarities to methods employed in previous attacks, like WannaCry, which demanded Bitcoin as ransom, and that on Sony Pictures, which stole and published secret executive correspondence after the company satirised the country in the comedy film The Interview.

Though its earliest attacks are thought to have begun in 2009, it was its 2014 attack on Sony Pictures that put the Lazarus Group on the world stage.

Spear phishing, fraudulent websites, and malware, are the top 3 tools used by Lazarus to extract funds from unwitting organizations.

Spear-phishing emails were sent by Lazarus to users of South Korean crypto exchanges like Coinlink, asking them to download a package which would covertly retrieve their usernames and passwords: "Spear phishing remains the major vector of attack on corporate networks. For instance, fraudsters deliver malware under the cover of CV spam [with an attachment] that has a malware embedded in the document," the report summary explains.

Fake websites and other phishing techniques have helped the hackers make off with 10 percent of the funds raised by ICO platforms since early 2017, according to the report. These carefully crafted ICO website replicas, like those that plagued the highly anticipated Telegram ICO in March, deceive investors into thinking they are funding a real project.

Malware for illicit mining, otherwise known as cryptojacking, is not mentioned in the report summary, but it is an activity that has long been linked to North Korea. AlienVault, a U.S. cybersecurity firm, claimed earlier this year to have found mining applications hiding on computers that sent funds to Kim Il Sung University in Pyongyang, an institution which is reported to have invited cryptocurrency experts to give lectures.

Moving targets

In the ever-changing world of cryptocurrency, new developments continue to provide fruitful opportunities for hackers. According to the report, we are likely to see more complex phishing methods, and more 51 percent attacks, an activity that the report suggests is made easier for cybercriminals by the ready availability of rentable hashpower: "In 2017, no successful 51-percent attacks were detected, but they are now [happening] more often. In the first half of 2018, five successful attacks were registered with direct financial losses ranging from $0.55 million to $18 million," warns Group-IB. "Fraudulent phishing-schemes involving crypto-brands will only get more complex as well as cybercriminals’ level of preparation for phishing attacks."

