North Korean hackers found to have stolen about 40 billion yen worth of cryptocurrency in 2021.

North Korean government hackers are believed to have stolen about $400 million worth of cryptocurrency from seven companies they hacked during 2021, up from $300 million stolen from four companies the year before, according to a new report.

North Korean cybercriminals had a very successful year in 2021, carrying out at least seven attacks against cryptocurrency platforms and extracting about $400 million worth of digital assets. These attacks primarily targeted investment firms and centralized exchanges, using phishing lures, code exploits, malware, and sophisticated social engineering to siphon funds from the organizations’ Internet-connected “hot” wallets to North Korean-controlled addresses. Once North Korea took custody of the funds, it began a careful laundering process to conceal and cash them out.

A report by Chainalysis, a company that tracks illegal blockchain transactions, said that 58% of the stolen funds were in Ether (ETH), while Bitcoin (BTC) accounted for only 20%.

Researchers say North Korean hackers used cryptocurrency mixers and Asia-based crypto-to-fiat exchanges to launder and cash out most of the money.

However, the hackers did not cash out all of the stolen funds. According to Chainalysis, more than $170 million in cryptocurrency stolen from 49 crypto exchanges between 2017 and 2021 is sitting in what appear to be “holding accounts”: funds that, since the group’s initial theft, have not yet been moved or laundered.

Whatever the reason, the length of time that the DPRK is willing to hold these funds suggests that it is acting not out of desperation or haste, but according to a deliberate plan.

Chainalysis attributed all of these attacks to the Lazarus Group, an umbrella term often used to describe multiple North Korean threat groups.

The reality, however, is that North Korean hackers operate in distinct units focused on specific areas, including politically-focused cyber-espionage, tracking dissidents, economic espionage, and financial theft.

The Lazarus division most often associated with banking and cryptocurrency hacking is the group tracked as BlueNoroff; in 2019 the US Treasury Department described the group as a money-making machine for North Korea’s nuclear weapons and ballistic missile programs.

In a separate report, Russian security firm Kaspersky announced that after several years of research, it has finally succeeded in linking BlueNoroff to numerous hacks of cryptocurrency companies around the world, in Russia, Poland, Slovenia, Ukraine, Czech Republic, China, India, the United States, Hong Kong, Singapore, UAE, and Vietnam.

The campaign, which Kaspersky had been tracking internally as SnatchCrypto since 2017, used malicious documents sent via email and LinkedIn messages to individuals working for cryptocurrency companies.

When a victim opens and interacts with these files, the machine is infected with a backdoor that allows the hackers to search through the computer and monitor what the individual is doing.

There were also less sophisticated attacks that used LNK (Windows shortcut) files, but the end result was the same: the BlueNoroff crew gained access to the victim’s device.

In some cases, when attackers decided they had found a prime target, they would closely monitor the user for weeks or months. They would collect keystrokes and monitor the user’s daily operations while formulating strategies for financial theft.

Replacing a victim’s Chrome extension to steal funds

According to Kaspersky, as a testament to their skill, the BlueNoroff hackers developed a malicious version of the official Metamask Chrome extension, which they later installed locally on the victim’s device, replacing the original one installed from the Chrome Web Store.

The extension was modified to detect transactions as the victim initiates them, hijack the transaction parameters, and send most of the victim’s funds to a BlueNoroff-controlled account.

It all sounds like an easy task, but it actually requires a thorough analysis of the Metamask Chrome extension, which is over 6MB of JavaScript code (about 170,000 lines).

Such an injection is very difficult to find manually unless you are very familiar with the Metamask codebase.

Kaspersky points out that for the attack to have been carried out, the developer mode option in Chrome’s Extensions section would have had to be turned on, and the source of the Metamask extension would have changed from the Play Store to a local address.
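Those two indicators (developer mode switched on, and a wallet extension whose install source is a local path rather than the store) can be checked from Chrome’s profile data without touching the extension code itself. The script below is an added example written for this article, not code from Kaspersky or from the MetaMask project. It assumes the layout of Chrome’s `Preferences` JSON file (the `extensions.ui.developer_mode` flag and, per extension under `extensions.settings`, the `location`, `from_webstore`, `path` and `manifest` fields) and assumes Chromium’s manifest-location value 4 for extensions loaded unpacked; the extension IDs and paths in the embedded sample are constructed.

```python
import json
import sys
from pathlib import Path, PurePosixPath, PureWindowsPath

# Chromium's ManifestLocation value for "Load unpacked" installs
# (assumption: matches the enum used by Chrome's Preferences file).
LOCATION_UNPACKED = 4

# Extension names that deserve extra scrutiny when sideloaded
# (assumption: a plain substring match on the manifest name is enough here).
WALLET_NAMES = ("metamask",)

# Constructed sample of the relevant slice of a Chrome "Preferences" file:
# one copy of the wallet installed from the store, and one loaded from disk.
SAMPLE_PREFS = {
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            # constructed ID: store install, relative path inside the profile
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/10.8.1_0",
                "manifest": {"name": "MetaMask", "version": "10.8.1"},
            },
            # constructed ID: unpacked install from an absolute local path
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\metamask",
                "manifest": {"name": "MetaMask", "version": "10.8.1"},
            },
        },
    }
}


def looks_absolute(path):
    """True if the path is absolute on either Windows or POSIX conventions.

    Store-installed extensions live at a path relative to the profile
    directory; unpacked extensions are recorded by their absolute location.
    """
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def developer_mode_enabled(prefs):
    """Report whether the profile has developer mode switched on."""
    return bool(prefs.get("extensions", {}).get("ui", {}).get("developer_mode", False))


def find_sideloaded_extensions(prefs):
    """Return one finding per extension that was not installed from the store.

    Each finding records the reasons it was flagged and whether the
    extension name matches a known wallet, which is the case that matters
    for the attack described in the article.
    """
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked (requires developer mode)")
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the Chrome Web Store")
        if looks_absolute(entry.get("path", "")):
            reasons.append("installed from an absolute local path")
        if not reasons:
            continue
        name = entry.get("manifest", {}).get("name", "")
        findings.append({
            "id": ext_id,
            "name": name,
            "path": entry.get("path", ""),
            "wallet": any(w in name.lower() for w in WALLET_NAMES),
            "reasons": reasons,
        })
    return findings


def load_prefs(path):
    """Read a real Chrome Preferences file (plain JSON)."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Pass a Preferences file path to scan a real profile; otherwise use the sample.
    prefs = load_prefs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    print("developer mode:", developer_mode_enabled(prefs))
    for f in find_sideloaded_extensions(prefs):
        tag = "WALLET" if f["wallet"] else "other"
        print(f"[{tag}] {f['name']} ({f['id']}) at {f['path']}: {', '.join(f['reasons'])}")
```

On Windows the file is under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Preferences`; note that some Chrome builds keep the extension settings in the sibling `Secure Preferences` file instead, so a scan of a real profile should read whichever of the two carries the `extensions.settings` block. A wallet extension flagged as unpacked, with developer mode enabled on a machine whose user never develops extensions, is exactly the combination the article describes.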
