North Korean Lazarus Group heads $900m crypto hacking campaign

October 18, 2018
Chris Wheal

Group-IB, a Russian cyber security firm, estimates that cryptocurrency exchanges suffered losses of $882m through targeted attacks in 2017 and the first three quarters of 2018.


At least 14 crypto exchanges were hacked, five of which have been linked to the North Korean state-sponsored Lazarus Group, the Russian company said in its annual Hi-Tech Crime Trends report.

Lazarus Group

Lazarus – also known as Hidden Cobra – is a cybercrime group consisting of an unknown number of hackers and malware developers, whose earliest known attack was “Operation Troy”, a cyber-espionage campaign that targeted the South Korean government between 2009 and 2012.

The group, allegedly sanctioned by North Korean leader Kim Jong-un, has also targeted banks and was reported to have stolen $12m from Banco del Austro in Ecuador in 2015.

Lazarus’ biggest hack on a cryptocurrency exchange occurred in January when $534m was stolen from Tokyo-based Coincheck, mainly in NEM tokens. The group also attacked Yapizon, Coinis, YouBit and Bithumb.

Hacking techniques

Group-IB said in its report that hackers use tools and methods such as spear phishing, social engineering and malware distribution. Spear phishing involves the deployment of malware under the cover of spam emails.

“Last year we warned that hackers competent enough to carry out a targeted attack might have a new target – cryptocurrency exchanges, and at the beginning of 2018 hackers’ interest in crypto exchanges ramped up,” said Group-IB chief technology officer Dmitry Volkov.

Initial coin offerings (ICOs)

Hackers have also caused serious damage to ICOs, the report said. They attack founders, community members and platforms, and in 2017 more than 10% of funds raised through ICOs were stolen.

Phishing is a popular technique, and in 2018 cybercriminals targeted the TON project and stole $35,000 in ether tokens.


Group-IB’s report made a number of forecasts for the coming months and years:

  • Attacks on ICOs will remain a threat for every project potentially able to attract investors
  • Phishing and malware will remain the most tangible threats for private crypto investors
  • In 2019 cryptocurrency exchanges will be a new target for the most aggressive hacker groups that usually target banks
  • Fraudulent phishing-schemes involving crypto-brands will get more complex
  • Automated phishing and the use of so-called “phishing-kits” will become more widespread
  • The world’s largest mining pools may become the target not only for financially-motivated cybercriminals, but also for state-sponsored hackers
Post written by Chris Wheal
Chris Wheal is editor of OpenLedger's news and features service. An award-winning business journalist himself, he runs a team of freelance journalists from across the UK and North America.
