CYFIRMA, a cyber threat security firm has finally revealed that North Korean hacker group Lazarus was behind the WazirX hack which caused the $235 Million theft.
As per CYFIRMA’s report, Lazarus Group is linked to North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). The RGB group has two subgroups, APT38 and BlueNoroff, which specifically target financial institutions and cryptocurrency exchanges worldwide.
WazirX’s crypto assets theft included $96.7 million in Shiba Inu, $52.6 million in Ether, $11 million in Matic and $7.6 million in Pepe.
CYFIRMA’s report further claimed that the attackers have already started laundering these crypto assets by swapping them for Ether through various decentralized services.
Kumar Ritesh, CEO & Founder, Cyfirma, stated, “Heists have been ongoing for several years, with notable attacks occurring since at least 2017. Significant heists have occurred in various countries, including South Korea, Japan, the United States, and others. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime. The stolen cryptocurrency is used to fund the country’s weapons programs and to evade international sanctions.”
The Lazarus Group has an infamous history of attacks on Asian cryptocurrency exchanges including multiple hacks on South Korea's largest exchanges, Bithumb , both in 2017 and 2018. The group was also the mastermind of the infamous Coincheck attack in Japan, which drained over $530 million worth of NEM tokens.
The group often carries out phishing attacks by sending targeted emails to employees that contain malicious attachments or links. On opening these mails, malware is installed on the victim's computer, thus breaching the system.
The group also makes use of social engineering tactics to trick employees into revealing confidential data. Lazarus Group might impersonate trusted individuals or create fake profiles and companies to gain trust and access.
Another approach this group uses is exploiting software vulnerabilities. The hackers look for weaknesses in the software used by crypto exchanges, including web applications, servers, and employee workstations. Upon finding the vulnerability, they use it to gain unauthorized access.
After pervading within the network, Lazarus deploys malware like remote access Trojans (RATs) and keyloggers. This malware assists the group in maintaining persistent access and monitoring activities to capture valuable information such as passwords and private keys.
With the initial access, they move within the network to gain higher levels of access and control, and target the servers that manage cryptocurrency wallets. Finally, they move the stolen cryptocurrency to wallets controlled by them. To hide the origin of the stolen funds, Lazarus Group laundered them using various methods, including mixing services, converting to different cryptos, and making multiple transactions across different exchanges.
WazirX is yet to respond on the matter.