Study Shows One Hacker Group Is Responsible For More Than Half of Crypto
The cryptocurrency industry has been likened to the Wild West, when bandits robbed banks, taverns, and coaches for gold, silver, and greenbacks. However, in the digital age, bandits don’t wield pistols and ride horseback. Rather, they are armed with lines of code, and they commit cybercrime through orchestrated digital hacking attacks.
A report published on March 26 from Kaspersky Lab, a cybersecurity and anti-virus company, reveals that cybercrime group, allegedly sponsored by North Korea, called Lazarus is responsible for more than half of all crypto hacks since 2017, and continue to target cryptocurrencies and adopt new tactics.
Who Is Lazarus?
Lazarus is the cybercrime group purportedly responsible for stealing $571 million of the $882 million in cryptocurrency stolen from online crypto exchanges from 2017-2018. This staggering amount accounts for nearly 65% of crypto stolen from exchanges during this time period.
Further data from the Group-IB annual report on cybercrime trends reveals that out of 14 separate exchange hacks, 5 of them were attributed to the Lazarus group. Among these exchanges was the record-breaking $532 million NEM (XEM) hack from Japan’s Coincheck crypto exchange.
As previously reported by IIB, the UN Security Council revealed that North Korea is responsible for Asian crypto exchange hacks totaling an estimated $571 million in stolen crypto funds. While it’s not clear which groups facilitated these attacks, it’s likely the Lazarus cybercrime group played a large role.
Lazarus Active With New Operations
According to the report published by Kaspersky Lab, the alleged state-sponsored hacking group has been active with a new type of hacking operation since last November.
Their new operation involves the use of PowerShell, a task automation and configuration management framework which allows the hackers to control Windows and macOS malware.
Per the report, the hackers have developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server scripts are disguised as popular open-source projects such as WordPress files and others.
Once the malware control session is established with the server, the malware functionality includes:
- Set sleep time (delay between C2 interactions)
- Exit malware
- Collect basic host information
- Check malware status
- Show current malware configuration
- Update malware configuration
- Execute system shell command
- Download & Upload files
Kaspersky Lab advises participants involved in the cryptocurrency and fintech sector to remain cautious and exercise best practices to prevent malicious software from being downloaded.
Per the report, they said:
“If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems… And never ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources.”
All in all, the cryptocurrency and fintech industry still has a ways to go before the proper infrastructure is built to prevent digital hacking groups like Lazarus from stealing cryptocurrency. However, just like the Wild West was eventually tamed, the crypto industry will be as well.