The Lazarus Job ⛓💀
Who is behind the largest crypto thefts in history? From Sony Pictures to CoinEx: decoding the tactics, motives, and impact of the Lazarus Group's grand digital heists across the crypto space.
Hello, y'all. What’s Sunday feelin like, eh? Find out here 👇🏻
👉 ImFeeling - A platform that understands your emotions and crafts the perfect soundtrack for them. Let music be your companion 🙌
What’s Sunday like? We feel a lil golden👇🏻
This is The Token Dispatch, you can hit us on telegram 🤟
The North Korean Ocean's Eleven of the crypto world since 2007.
Stolen at least $3.4 billion in crypto since emerging in 2007.
And $250 million in just the last 104 days.
Origins and Background
The Lazarus Group's operations can be traced back to 2007. With links to the North Korean government's Reconnaissance General Bureau, this group serves as a key tool for the regime's cyber endeavors.
Their rise to international infamy began with a series of attacks between 2009 and 2013, targeting the South Korean government, media outlets, and infrastructure. These were largely distributed denial-of-service (DDoS) attacks and wiper attacks, resulting in significant digital chaos.
Stepping Onto the Global Stage
The Lazarus Group truly announced its presence on the world stage with the notorious 2014 hack of Sony Pictures Entertainment. This audacious move, seemingly in retaliation for the film "The Interview" (which satirised North Korean leader Kim Jong-Un), resulted in the leak of unreleased films, sensitive personal emails, and even scripts. It was a watershed moment in cyber warfare, showing the world the lengths to which North Korea was willing to go.
Malware Development: Lazarus is known for crafting customised malware, often used in tailored attacks. Their malware toolkit includes destructive payloads, backdoors, and financial theft tools.
Spear Phishing: The group often employs spear-phishing emails laced with malicious attachments or links. They carefully select their targets, tailoring emails to lure victims effectively.
Cryptocurrency Heists: With North Korea facing heavy international sanctions, stealing cryptocurrency offers an untraceable avenue to secure funds. Lazarus is believed to be behind multiple attacks on cryptocurrency exchanges.
Watering Hole Attacks: Lazarus also employs watering hole attacks where they compromise a website often visited by their target audience, ensuring that visitors are infected with malicious software.
Lazarus and North Korea's Nuclear Ambitions
It's widely speculated that the proceeds from Lazarus Group's heists go into financing North Korea's nuclear weapons program. The group's cyber heists seem to correlate with periods when North Korea has been under increased economic sanctions, hinting at a strategic approach to acquiring funds for the nation's objectives.
Here's a timeline of some of the most notable operations:
March: Novetta documents the development of Lazarus's first-generation malware, which would later play a role in several cyberattacks.
Operation Troy: This long-term campaign targeted South Korean military institutions, utilising malware for espionage purposes.
Ten Days of Rain: DDoS attacks targeted South Korean media, financial, and critical infrastructure.
Operation DarkSeoul: Attacks on South Korea's financial sector, media houses, and broadcasting companies were seen, causing widespread damage and chaos.
Sony Pictures Entertainment Hack: In retaliation for the film "The Interview," this massive breach led to the leak of unreleased films, sensitive emails, and other private data. It was one of the most publicised cyberattacks to date.
Bangladesh Bank Heist: Attackers tried to steal $1 billion from the Central Bank of Bangladesh's account at the Federal Reserve Bank of New York and successfully got away with $81 million.
WannaCry Ransomware Attack: This global cyberattack affected organisations in over 150 countries, including the UK's NHS, causing disruptions and financial damages.
Various Crypto Heists: Lazarus shifted its attention to cryptocurrency exchanges and has been implicated in multiple crypto thefts, helping North Korea amass digital currency.
Lazarus pilfers $73 million from the Bitcoin exchange Youbit, and the crypto marketplace NiceHash is plundered of over $60 million.
FASTCash Campaign: Lazarus targeted ATMs across Asia and Africa, manipulating transactions and withdrawing vast sums of money.
Chilean interbank network (Redbanc) Attack: Malware called PowerRatankba was used to gain access to the bank's interconnectivity system.
Operation AppleJeus: Lazarus created fake cryptocurrency companies and used them to deliver malware, targeting macOS users with a trojanised cryptocurrency app.
A suspicious transaction amounting to about $19 million against the Upbit exchange is linked to Lazarus.
COVID-19 related attacks: Lazarus was reported to be targeting various organisations involved in the research and development of COVID-19 treatments.
MT103 SWIFT System Attack: Lazarus targeted the system banks use for large-value money transfers.
South Korean cyber heist: Lazarus was implicated in a series of attacks targeting South Korean users, leveraging a new backdoor method.
The most recent years have been a blast!
March 23: The colossal Ronin Bridge exploit, worth $625 million, is carried out, marking it as the most significant DeFi exploit to date. The FBI attributes this attack to Lazarus; it impacted the sidechain of the widely played web3 game Axie Infinity.
June 24: Harmony's "Horizon Bridge" becomes the latest casualty, with Lazarus siphoning off $99.6 million. Elliptic, a crypto investigation agency, is the first to associate the hack with Lazarus, later corroborated by the FBI.
August 16: ESET Research unveils "Operation In(ter)ception," a deeply entrenched operation by Lazarus. Their modus operandi involves luring macOS users with bogus job vacancies at Coinbase. SentinelOne also discovers an escalation in Lazarus's spear-phishing campaigns, this time targeting Crypto.com.
Lazarus sets a new personal record, having misappropriated $1.7 billion in crypto throughout 2022, dwarfing North Korea's 2020 export revenue by over twelve-fold.
June 3: Atomic, a non-custodial crypto wallet, alerts its user base about potential vulnerabilities after many reported unauthorised withdrawals. The theft, estimated at roughly $100 million, was attributed to Lazarus by the analytics firm Elliptic.
July 23: Alphapo, a centralised crypto payment platform, experiences a breach, leading to a nearly $60 million loss. Lazarus is believed to be behind the attack.
August 22: The FBI reveals that Lazarus is gearing up to liquidate around $41 million in ill-gotten crypto, amalgamated from various heists.
September 4: Stake.com faces a security lapse suspected to arise from a compromised hot wallet key, leading to a $41 million exfiltration. The FBI subsequently ties Lazarus to the breach.
September 12: The crypto exchange CoinEx falls victim to a cyber intrusion. ZachXBT, a crypto Twitter detective, proposes a potential connection between Lazarus and the CoinEx breach. SlowMist, a blockchain research entity, later substantiates this claim. The theft is estimated at approximately $54 million.
Why Cyber? The North Korean Perspective
Given its global diplomatic isolation and stringent sanctions, North Korea has turned to unconventional avenues to project power, procure funds, and gather intelligence. The digital realm is the perfect playground. Not only does it provide a platform for North Korea to engage in espionage and wage asymmetric warfare against its adversaries, but the decentralized world of cryptocurrencies also offers an avenue to bypass global financial restrictions.
TTD Week That Was 📆
The week of Binance, SBF and the underlying volatility.
Saturday: How much BTC does Coinbase have?
Friday: Namaste India 🙏 🇮🇳
Thursday: Memecoin Mayhem 🌬️🔥
Wednesday: Family matters... 👨👩👧
Tuesday: America's wallet hole🕳️
Monday: Vitalik vs. who? ⚔️
TTD Week in Funding 💰
Proof of Play. $33 million. A game studio & technology company aims to create uncompromisingly fun, accessible on-chain games.
CoinScan. $6.3 million. A new crypto analytics platform aiming to tackle the massive sums being lost in crypto exploits, hacks and scams.
Essential. $5.15 million. Intent-based infrastructure & tooling to accelerate the transition from value extraction to intent satisfaction.
If you like us, or if you don't, either way do tell us ✌️
So long. OKAY? ✋
The Token Dispatch is a daily newsletter that takes you on a 4-5 minute drive through the wild west of the Crypto World. Daily in your email inbox @13:00 GMT. Almost always.