Lazarus Group’s Favorite Exploit Revealed – Crypto Hacks Analysis


More than 70% of the crypto lost in North Korea-related hacks since 2020 has been stolen through private key exploits, according to the magazine's analysis of data from the United Nations Security Council (UNSC) and DefiLlama.

The combined figures show that North Korea was responsible for $2.4 billion in crypto heists since 2020, of which $1.69 billion was stolen through compromised private keys.

These cyber heists are often linked to the Lazarus Group, the notorious North Korean state-sponsored hacking group, and to the funding of the Hermit Kingdom's alleged weapons of mass destruction program.

A 615-page report published by the UNSC last month details investigations into 58 crypto heists suspected of North Korean involvement since 2017. The hacks have generated an estimated $3 billion in revenue, including $700 million in 2023 alone.


But getting a clear overview of each attack is difficult. Slava Demchuk, founder of blockchain intelligence platform AMLBot, told the magazine that not all victims report their losses, so the actual amount stolen can only be estimated.

Blockchain forensics firm Chainalysis has a higher estimate than the UNSC, saying in January that North Korea-linked hacks accounted for $1 billion of the $1.7 billion stolen last year.

In 2020, North Korea denied responsibility for any “cyber threat”, lumping the accusation together with other US criticisms over “human rights”, “sponsoring terrorism” and “money laundering”.

Few outside North Korea, however, dispute that the on-chain evidence points to hackers linked to North Korea.

A table from the UNSC detailing cryptocurrency hacks attributed to North Korea in 2023. (UNSC)

Lazarus Group uses phishing and exploits software flaws

NeurochainAI founder Julius Serenas told the magazine that the hackers choose their targets carefully and only bother with high-value hacks.

“As far as I know, North Korea is the only country that conducts hacking for financial gain, so it's not surprising that they target groups with such a high success rate,” he says.

“The code information is available on-chain for everyone to read, which gives hackers more information and time to execute more strategies to exploit any vulnerability,” he added.

According to the UNSC report, North Korean hackers often use phishing techniques and exploit software flaws to steal cryptocurrency, which is then laundered through thousands of addresses.

Screenshot from ZachXBT's Twitter claiming the Munchables hacker has ties to North Korea. (Munchables, ZachXBT)

They use crypto mixers and privacy tools to hide their tracks and often cash out on the TRON blockchain in Tether (USDT).

Their activities are increasingly directed at services in Russia and China, the UNSC added.

The exploits are characterized by their sophistication, the resources behind them and their long time frames.

“[North Korean hackers] focus on a small number of high-value targets and combine detailed technical knowledge with social engineering and war-mongering skills to play a very long game,” Immunefi's head of security, Gonçalo Magalhães, told the magazine.

The most recent attack linked to North Korea was the theft of $62.5 million from Munchables late last month by a member of the project's own team who is suspected of having ties to North Korea.

Even after the funds were returned, it was recorded as the largest heist of the year, representing 44.5% of the $140 million total.

The importance of high security around private keys

Private key exploits are not only among the most frequent attacks but also typically result in the biggest losses, Magalhães says. That generally holds for the major attacks.

Since 2020, there have been at least 41 major private key breaches, including attacks by North Korea, resulting in $2.9 billion in losses, according to UNSC and DefiLlama data. That is about 38% of the $7.74 billion stolen in total so far this decade.


“A bug in a smart contract could allow an attacker to steal a portion of the users' funds, [but] a stolen private key allows the hacker to withdraw the entire amount or breach the vault,” Magalhães said.

Threats related to private keys can target both individuals and protocols. Security experts recommend that investors move their assets off centralized exchanges, which are themselves vulnerable to hacks and losses.

A bar chart showing total crypto heists since 2020 and North Korea's share.

However, security concerns extend into the decentralized sphere.

Kieran Mesquita, a developer for the privacy protocol Railgun, says many decentralized projects exhibit centralized tendencies because of how they manage administrator keys. While still in the building phase, most DeFi projects hold admin keys so they can recover from serious bugs or glitches. But those same keys make the protocols vulnerable to attack.

“Private key hacks are often caused by careless actions on DeFi protocols where mechanisms around upgrades are added as an afterthought because they are not part of the core protocol functionality,” Mesquita told the magazine.

The primary focus of DeFi protocols is on building the core features that define the project's service, such as swaps or loans. As Mesquita points out, when upgradeable features are added later, they can open security holes.
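The contrast Mesquita draws, modelled in plain Python as an added example (this is not Railgun's code or any real protocol's; the signer names, block numbers, delay and implementation labels are constructed for illustration): an upgrade path bolted on as a single admin key versus one designed in with a signer threshold and a timelock.

```python
"""Two ways to gate a proxy's upgrade path, modelled in plain Python.

Added example, not Railgun's code or any real protocol's. Signer names,
block numbers, the delay and the implementation labels are constructed.
"""
from dataclasses import dataclass, field


class UpgradeRejected(Exception):
    pass


@dataclass
class NaiveProxy:
    """Upgradeability added as an afterthought: one admin key, immediate
    effect. Whoever holds (or phishes) that key can swap in a malicious
    implementation and drain the vault in the same block."""
    admin: str
    implementation: str

    def upgrade(self, caller: str, new_impl: str) -> None:
        if caller != self.admin:
            raise UpgradeRejected("caller is not admin")
        self.implementation = new_impl  # live immediately, no review window


@dataclass
class GuardedProxy:
    """Upgrade path designed in from the start: k-of-n signer approval plus a
    timelock, so one stolen key is not enough and users get a window to
    inspect the new code (or withdraw) before it goes live."""
    signers: frozenset
    threshold: int
    delay_blocks: int
    implementation: str
    pending: dict = field(default_factory=dict)  # new_impl -> [approvals, eta]

    def propose(self, caller: str, new_impl: str, block: int) -> None:
        if caller not in self.signers:
            raise UpgradeRejected("caller is not a signer")
        self.pending[new_impl] = [{caller}, block + self.delay_blocks]

    def approve(self, caller: str, new_impl: str) -> None:
        if caller not in self.signers or new_impl not in self.pending:
            raise UpgradeRejected("bad signer or unknown proposal")
        self.pending[new_impl][0].add(caller)

    def execute(self, new_impl: str, block: int) -> None:
        approvals, eta = self.pending.get(new_impl, (set(), None))
        if len(approvals) < self.threshold:
            raise UpgradeRejected(f"{len(approvals)}/{self.threshold} approvals")
        if block < eta:
            raise UpgradeRejected(f"timelock: {eta - block} blocks remaining")
        self.implementation = new_impl
        del self.pending[new_impl]


def single_key_compromise() -> tuple:
    """Attacker steals exactly one key ('alice') and tries to install a
    drainer at block 100. Returns (naive_drained, guarded_drained)."""
    naive = NaiveProxy(admin="alice", implementation="Vault_v1")
    naive.upgrade("alice", "Drainer")

    guarded = GuardedProxy(signers=frozenset({"alice", "bob", "carol"}),
                           threshold=2, delay_blocks=7200,  # ~1 day at 12 s blocks
                           implementation="Vault_v1")
    guarded.propose("alice", "Drainer", block=100)
    try:
        guarded.execute("Drainer", block=100)  # 1 of 2 approvals, 0 blocks waited
    except UpgradeRejected:
        pass
    return naive.implementation == "Drainer", guarded.implementation == "Drainer"


def legitimate_upgrade() -> str:
    """Two honest signers approve and wait out the delay."""
    guarded = GuardedProxy(signers=frozenset({"alice", "bob", "carol"}),
                           threshold=2, delay_blocks=7200, implementation="Vault_v1")
    guarded.propose("alice", "Vault_v2", block=100)
    guarded.approve("bob", "Vault_v2")
    try:
        guarded.execute("Vault_v2", block=100)  # approvals met, but too early
    except UpgradeRejected:
        pass
    guarded.execute("Vault_v2", block=100 + 7200)  # delay elapsed
    return guarded.implementation


if __name__ == "__main__":
    print("single key compromise (naive, guarded):", single_key_compromise())
    print("legitimate upgrade lands on:", legitimate_upgrade())
```

The point of the timelock is not that it stops a determined attacker on its own, but that a pending malicious upgrade becomes visible on-chain for a day before it can take effect, long enough for monitoring to alert and for users to withdraw.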

Lazarus Group, Railgun and Vitalik Buterin

The US Federal Bureau of Investigation alleged in January that North Korean cybercriminals used Railgun, a privacy protocol backed by Ethereum co-founder Vitalik Buterin, to launder stolen funds.

Railgun denied the claims and said the group had been blocked from using its system.

Railgun has denied that North Korean hackers used its privacy protocol, saying the allegations are false. (Railgun)

Data from the UNSC and DefiLlama shows that private key hacks, which accounted for the $2.9 billion stolen, were the second most frequent form of exploit, with 41 incidents since 2020. Flash loan attacks rank first in frequency, hitting 64 protocols.

Flash loan attacks let malicious actors borrow large amounts of cryptocurrency from DeFi protocols without collateral, on the condition that the loan is repaid within the same transaction.

This sudden access to capital opens the door to market manipulation.

For example, attackers can exploit price differences between trading platforms, using the borrowed funds to buy an asset where it is cheaper and sell it where it is more expensive. Trades of that size, however, also move prices sharply within a single block.

Pushing the market price of an asset around in this way affects smart contract functions that rely on price feeds for their decisions, such as lending, swaps or liquidity pools.
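How that manipulation plays out against a lender that reads a pool's spot price, and why reading a time-weighted average instead defuses it, as an added example (not code from Euler Finance, Chainalysis or any real protocol; the token names, reserve sizes, the 75% loan-to-value ratio and the attack sizes are constructed for illustration):

```python
"""Flash-loan price manipulation against a constant-product pool.

Added example, not code from any real protocol. Token names, reserves, the
75% LTV and the attack sizes are constructed for illustration.
"""


class ConstantProductPool:
    """Uniswap-v2-style x*y=k pool holding tokens A and B with a 0.3% fee."""

    def __init__(self, reserve_a: float, reserve_b: float, fee: float = 0.003):
        self.a, self.b, self.fee = reserve_a, reserve_b, fee

    def spot_price(self) -> float:
        """Marginal price of 1 A in units of B, read straight from reserves."""
        return self.b / self.a

    def _out(self, amount_in: float, r_in: float, r_out: float) -> float:
        effective = amount_in * (1 - self.fee)
        return r_out * effective / (r_in + effective)

    def swap_b_for_a(self, b_in: float) -> float:
        a_out = self._out(b_in, self.b, self.a)
        self.b += b_in
        self.a -= a_out
        return a_out

    def swap_a_for_b(self, a_in: float) -> float:
        b_out = self._out(a_in, self.a, self.b)
        self.a += a_in
        self.b -= b_out
        return b_out


class Lender:
    """Lends token B against token A collateral at a fixed LTV. price_fn is
    the oracle: the pool's spot price (vulnerable) or a TWAP (hardened)."""

    def __init__(self, liquidity_b: float, price_fn, ltv: float = 0.75):
        self.liquidity_b, self.price_fn, self.ltv = liquidity_b, price_fn, ltv
        self.collateral_a = 0.0

    def borrow(self, collateral_a: float) -> float:
        loan = min(collateral_a * self.price_fn() * self.ltv, self.liquidity_b)
        self.collateral_a += collateral_a
        self.liquidity_b -= loan
        return loan


def flash_loan_attack(pool: ConstantProductPool, lender: Lender,
                      loan_b: float, collateral_a: float) -> tuple:
    """Every step runs inside one transaction; the flash loan is repaid at
    the end or everything reverts. Returns (attacker profit in B, peak price)."""
    # 1. Flash-borrow loan_b of token B, uncollateralised, repaid in step 5.
    a_received = pool.swap_b_for_a(loan_b)         # 2. dump B into the pool: A's spot price spikes
    peak_price = pool.spot_price()
    borrowed = lender.borrow(collateral_a)         # 3. borrow B against A at the inflated price
    b_back = pool.swap_a_for_b(a_received - collateral_a)  # 4. unwind: sell the remaining A
    return borrowed + b_back - loan_b, peak_price  # 5. repay loan_b; the rest is profit


def run_scenario(use_twap: bool) -> dict:
    pool = ConstantProductPool(reserve_a=1_000, reserve_b=1_000_000)  # fair price: 1,000 B per A
    fair_price = pool.spot_price()
    # A real TWAP accumulates prices over earlier blocks; a same-block flash
    # loan cannot reach back into that history, modelled here as fixed snapshots.
    history = [fair_price] * 30
    price_fn = (lambda: sum(history) / len(history)) if use_twap else pool.spot_price
    lender = Lender(liquidity_b=500_000, price_fn=price_fn)

    profit, peak = flash_loan_attack(pool, lender, loan_b=1_000_000, collateral_a=100)
    debt = 500_000 - lender.liquidity_b
    bad_debt = debt - lender.collateral_a * fair_price  # collateral valued at the real price
    return {"attacker_profit_b": profit, "peak_spot_price": peak,
            "lender_bad_debt_b": max(bad_debt, 0.0)}


if __name__ == "__main__":
    for label, twap in (("spot-price oracle", False), ("TWAP oracle", True)):
        print(label, run_scenario(twap))
```

With the constructed numbers the dump quadruples A's spot price for the duration of the transaction; the spot-price lender hands out roughly 300,000 B against collateral worth 100,000 B and is left with about 200,000 B of bad debt, while the attacker nets around 185,000 B after repaying the flash loan and eating the swap fees. Against the TWAP lender the same sequence loses money, because the only price the attacker can move is the one the oracle does not read.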


Since 2020, flash loan attacks have caused total losses of $1.16 billion.

“Flash loan attacks, while common in the DeFi sector, exhibit certain characteristics that make them both relatively easy to exploit, especially when compared to security breaches such as access control or private key hacking,” Demchuk said.

Although there are a few suspected cases, the UNSC report does not attribute any flash loan attack on a DeFi protocol to North Korean hackers.

Last year, a $200 million flash loan attack on the DeFi lending protocol Euler Finance saw the hacker send a portion of the funds to a Lazarus Group wallet, according to Chainalysis. However, after a North Korean syndicate made a phishing attempt against the Euler Finance hacker, the stolen funds were returned, suggesting that the transfer had been misdirected.

“With flash loans, anyone with as much money as a government-sponsored hacker can launch an attack,” says Magalhães.

In 2023, hacks linked to the Lazarus Group increased but were less profitable

According to Chainalysis, North Korean hackers were more active in 2023 but stole $700 million less than the year before.

The total amount of crypto stolen from protocols also dropped to $1.53 billion last year from $3.28 billion in 2022, according to the magazine's analysis of DefiLlama and UNSC data. The 2023 figure is also $2.34 billion less than in 2021. This may indicate that projects are getting smarter about security, that the market's overall value has fallen, or a combination of the two.

DeFi platforms accounted for the majority of hacks, and Demchuk said the overall drop in losses could indicate improvements in DeFi security. However, he cautions investors that the rate of hacking will keep rising because of market conditions and the growing DeFi sector.

Chainalysis chart showing the total value of cryptocurrency stolen each year since 2016. (Chainalysis)

Individual users are at risk from phishing attacks

Meanwhile, Tim Zinin, chief marketing officer of 1inch Hardware Wallet, told the magazine that individual investors are also vulnerable to exploits.


“The growth in phishing attacks targeting individuals is alarming and likely reflects attackers adapting as more retail users enter DeFi,” Zinin said.

Investors lost $71 million to phishing scams in March, a 50% increase from February, according to Scam Sniffer.

Losses to phishing attacks in March. (Scam Sniffer)

Railgun's Mesquita advises users to go a step further and cut down on “blind signing” from their wallets when interacting with DeFi protocols.

Because many transaction requests appear as hard-to-read encoded data, reducing blind signing can be challenging for everyday users. Serenas of NeurochainAI believes artificial intelligence can help bridge this gap.

“[Blockchain projects] Serenas says.

“AI doesn't sleep, it doesn't eat, and it can easily learn new attack methods.”
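What “blind signing” hides, shown as an added example rather than any wallet's or project's code: a decoder that turns the raw calldata a dApp asks a user to sign into the function being called and flags the patterns behind most wallet-drainer phishing. The selector table holds the standard 4-byte selectors of common ERC-20/ERC-721 functions (the first four bytes of keccak256 of the signature); the sample calldata, the router and drainer addresses and the flag names are constructed for this illustration, not taken from a real transaction.

```python
"""Decode the calldata a wallet asks you to sign and flag dangerous patterns.

Added example, not a wallet's or any project's code. The selector table lists
standard ERC-20/ERC-721 selectors; the sample calldata and addresses below are
constructed, not taken from a real attack.
"""

UINT256_MAX = 2**256 - 1

# selector -> (function name, argument types). Only common token calls are
# listed; anything else is reported as unknown rather than guessed at.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}


def decode_calldata(calldata: str) -> dict:
    """Parse 0x-prefixed hex calldata into {selector, function, args}.
    ABI arguments are 32-byte words; an address is right-aligned in its word."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    name, types = SELECTORS.get(selector, ("unknown", ()))
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 4 + 32 * (i + 1)]
        if len(word) != 32:
            raise ValueError("truncated calldata")
        if t == "address":
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif t == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif t == "bool":
            args.append(int.from_bytes(word, "big") == 1)
    return {"selector": selector, "function": name, "args": args}


def risk_flags(decoded: dict, expected_spender=None) -> list:
    """Warnings a user should see before signing. expected_spender is the
    contract the dApp claims to be (hypothetical check, e.g. from its UI)."""
    flags = []
    fn, args = decoded["function"], decoded["args"]
    if fn == "unknown":
        flags.append("UNKNOWN_FUNCTION")          # wallet cannot explain it: do not sign blind
    if fn == "approve" and args[1] == UINT256_MAX:
        flags.append("UNLIMITED_APPROVAL")        # lets the spender take every token, forever
    if fn == "setApprovalForAll" and args[1]:
        flags.append("APPROVE_ALL_NFTS")          # same, for an entire NFT collection
    if fn in ("approve", "setApprovalForAll") and expected_spender \
            and args[0].lower() != expected_spender.lower():
        flags.append("SPENDER_MISMATCH")          # approval goes to someone other than the dApp
    return flags


def encode_word(value) -> str:
    """Hex-encode one 32-byte ABI word (used here only to build samples)."""
    if isinstance(value, str):                    # address
        return value[2:].lower().rjust(64, "0")
    return format(int(value), "064x")             # uint256 / bool


# Constructed samples, not real transactions.
ROUTER = "0x" + "11" * 20    # the contract the user believes they are interacting with
DRAINER = "0x" + "de" * 20   # the address actually written into the signing request
UNLIMITED_APPROVE_TO_DRAINER = "0x095ea7b3" + encode_word(DRAINER) + encode_word(UINT256_MAX)
PLAIN_TRANSFER = "0xa9059cbb" + encode_word(ROUTER) + encode_word(5 * 10**18)

if __name__ == "__main__":
    for sample in (UNLIMITED_APPROVE_TO_DRAINER, PLAIN_TRANSFER, "0xdeadbeef"):
        d = decode_calldata(sample)
        print(d["function"], d["args"], risk_flags(d, expected_spender=ROUTER))
```

The first sample is the shape of a typical drainer request: the user expects to interact with the router, but the bytes actually grant an unlimited `approve` to an unrelated address. Simulating the transaction before signing, as hardware wallets and some browser wallets can do, adds the further check of what balances would change.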

Yohan Yun

Yohan Yun is a multimedia journalist who has been reporting on blockchain since 2017. He has contributed as an editor to crypto media outlet Forkast and covered Asian technology stories as an assistant reporter for Bloomberg BNA and Forbes. He spends his free time cooking and experimenting with new recipes.
