North Korean Hackers Have Crypto In Their Crosshairs

(Bloomberg Opinion) -- The world of crypto isn’t just suffering from a market malaise that has seen the price of Bitcoin drop from $69,000 to around $20,000 today — it also faces a troubling number of security risks.

There have been dozens of breaches in the past few years showing that cybercriminals are gravitating toward the world of cryptocurrencies. In many cases, we don’t know who the attackers are, but one culprit that keeps coming up is the band of state-backed hackers from North Korea known as the Lazarus Group.

According to a new book by Geoff White, “The Lazarus Heist,” the regime’s hackers have been become increasingly sophisticated over the past decade, managing to steal an estimated $2 billion worth of cryptocurrency to date. Crypto investors should expect the gang to continue exploiting blockchain targets, or the “the soft underbelly of the financial system,” according to White, who believes the $2 billion figure is a “vast underestimate.”

It stands to reason the hacker group would target crypto networks: Lazarus’s modus operandi for years has been to generate as much cash as it could to help prop up the North Korean regime and its nuclear weapons program. In the past decade, its schemes have included sophisticated ATM hacks and ransomware, including the infamous WannaCry cyber attack.

Now decentralized finance, or DeFi, has become a more lucrative target than banks, thanks to the billions of dollars locked up in its various applications. But the move-fast-and-break-things culture still prevalent in web3 development hasn’t helped the security of those networks. Neither does the fact that building web3 apps is unusually hard for programmers, who can create gaping financial vulnerabilities with simple coding errors.

Across the board, the amount of money lost through hacks of DeFi projects more than doubled in 2021, with security website CrytpoSec listing 102 reported breaches between Jan. 2020 and June 2022, totaling $3.4 billion lost.

Lazarus has gone after several crypto networks, including a Slovakian crypto exchange in 2020 from which it stole virtual currency worth $5.4 million. The hackers went on to launder the funds through the cryptocurrency exchange Binance, according a Reuters investigation. They were also behind the more-than-$600 million hack on play-to-earn-game Axie Infinity, which when measured by money stolen could be one of the biggest single hacks of all time. (The U.S. Treasury Department blamed Lazarus as being behind the attack.)    

I spoke to White in a Twitter Spaces discussion this past week about the group, and some of its strategies for targeting DeFi networks in the future. Below is an edited excerpt from that discussion:    

Parmy: Do we have any idea of how many people are in the Lazarus group? How are its members selected and trained?

Geoff: In terms of how many there are, there’s a publicly quoted figure, which is 6,000, which has come from analysis of testimony from defectors who’ve come out of North Korea. To train these people, the North Korean government can’t rely on hackers in hoodies in bedrooms, kids who just go on YouTube, because in North Korea you can’t just pick up a laptop and go on the Internet. All the computer hackers in North Korea have come up through the school system. They've been spotted and groomed by the regime to go into elite universities, to hone their skills. A lot will go into either the nuclear program or government hacking.

Parmy: North Korean hackers went after Axie Infinity in March. It seems that unlike other state-backed hackers they’re not targeting any particular country. Who or what do you expect them to go after in the future?

Geoff: Cryptocurrency is absolutely the direction of travel. If you’re looking at how much was stolen in one fell swoop, I think the $625 million stolen from Axie Infinity may be the biggest single hack of any amount of money from one company, in one hit, ever … If you look at the banks that they’ve hacked into, you’re talking Vietnam, the Philippines, Chile, Bangladesh. They will go anywhere where the security is weakest.

Parmy: They seem opportunistic in terms of scope. Given that blockchain networks have experienced a number of breaches and vulnerabilities, thanks in part to their difficult coding environment, do you expect blockchain to become an attractive target to North Korean hackers in the next few years?

Geoff: I think so. There have been reports coming out from alleged North Korean hackers advertising jobs and targeting cryptocurrency workers and saying, “Hey, I’ve got a great job for you. A perfect job.” And then tricking cryptocurrency workers into downloading malware and getting into the cryptocurrencies that way.

Bizarrely, it also seems that North Korea’s hackers are trying to get jobs at cryptocurrency companies. There’s been an alert put out by the US Treasury warning cryptocurrency firms about North Korean hackers turning up and applying for jobs. We’ve interviewed somebody who claims he actually interviewed a North Korean hacker who applied for a job at his company and realized halfway through the interview what was afoot. But when you think about it, it makes a lot of sense. If you’re inside a cryptocurrency company, you might be able to steal money from them directly.

You might be able to get the passwords, and even if you don’t, you might be able to introduce a flaw or vulnerability into that company’s code, which allows you to extricate money later on. And even if none of that works, if you’ve got a company email address, you can email other people in the crypto industry and say, “Hey, I just started work for company X. Have you seen this exciting news? See attachment to the email.” And that’s how you get your viruses out.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Parmy Olson is a Bloomberg Opinion columnist covering technology. A former reporter for the Wall Street Journal and Forbes, she is author of “We Are Anonymous.”

More stories like this are available on bloomberg.com/opinion

©2022 Bloomberg L.P.