TL;DR

Since the $650 million exploit of the Ronin bridge in 2022, attention has firmly been on North Korea’s Lazarus Group—the culprits behind the operation. Following this heist, the group has been linked to multiple exploits, cumulatively costing the Web3 community at least $291.3 million across five distinct incidents in 2023. CertiK has identified transactions connecting the Atomic Wallet, Alphapo, CoinsPaid, Stake.com, and CoinEx breaches, serving as on-chain evidence of Lazarus Group’s involvement in all exploits.

Introduction

In recent years, the North Korean-backed Lazarus group has been one of the most prolific Advanced Persistent Threats (APTs) facing the Web3 community. In 2022, the group was responsible for a total of at least $750 million lost, representing approximately 20% of the overall value stolen from the industry that year. The current year paints a similarly grim picture, with the group behind some of 2023’s biggest exploits. As of now September, CertiK has recorded losses amounting to $291.3 million across five major incidents. A common thread weaving these attacks together is the compromise of private keys, indicating potential prior breaches at the affected companies.

A report by Mandiant unveils a software supply chain attack on 3CX, likely orchestrated by North Korean hackers. Lazarus spread malware by corrupting a legitimate version of 3CX's software. In another concerning development, JumpCloud suffered a data breach, impacting numerous Web3 firms. This intrusion has been traced back to a Lazarus subgroup, named Labyrinth Chollima. Acting promptly, JumpCloud informed its user base, invalidating all existing API keys in the aftermath.

In a post mortem of the incident from CoinsPaid, the company uncovered a well-coordinated scheme. Phony recruiters on LinkedIn targeted CoinsPaid employees, dangling lucrative job offers that ranged from $16,000 to $24,000 monthly. These employees were then lured into installing a JumpCloud Agent, under the guise of a technical task. However, this "technical task" was a ruse—loaded with malicious code designed to exfiltrate sensitive data. For a comprehensive breakdown, refer to CoinsPaid's post mortem.

The breaches at 3CX and JumpCloud underscore a concerning trend: hackers supported by North Korea have shifted their focus to Web3 entities. Their method? Exploiting vulnerabilities in the Web2 infrastructures that these Web3 companies depend on. Given the intricacies of these breaches, there's substantial evidence to suggest that the JumpCloud incident played a role in enabling the CoinsPaid exploit. This pattern may also extend to the attacks on Atomic Wallet, Alphapo, Stake.com, and CoinEx.

On-Chain Connections Between Lazarus Group Private Key Compromises

2023 has witnessed five major private key compromises, with a collective impact of $291.3 million. This accounts for an alarming 77.7% of total losses attributed to such breaches. According to FBI findings, the malicious operations on Stake: Crypto Casino & Sports Betting - BTC Casino Online can be traced back to the Lazarus Group. Further corroborating this, CertiK's investigations have unearthed on-chain correlations between the exploits on Atomic Wallet, Alphapo, CoinsPaid, Stake.com, and CoinEx.

Diving deeper into the on-chain movements associated with the Stake.com breach, a pattern emerges. This breach appears to be intertwined with private key compromises at Atomic Wallet, Alphapo, Stake and CoinEx. Presented below is a simplified transaction flow highlighting these connections.

The Stake.com breach revealed a distinct trail: funds were moved to Ethereum wallet address 0x9D5, which subsequently transferred them to 0x22b. This Ethereum wallet, 0x22b, had previously received funds from the Alphapo exploit on the Tron network. Notably, the exploiters swapped TRX for ETH using Transit Swap, while the culprits behind the Atomic Wallet breach transferred funds directly to the same address, 0x22b.

Alphapo & CoinsPaid

On the 22nd of July, CoinsPaid and Alphapo fell victim to security breaches resulting in losses of $37m and $23m, respectively, with compromised private keys as the root cause. In the process of extracting assets from CoinsPaid, the assailants moved funds from Tron EOA TUGFXf to externally-owned account (EOA) TGGMvM, via intermediate EOAs TJ6k7a and TNMW5i.

Funds from the Alphapo exploit were also sent to EOA TGGMvM via TJF7md.

TNNW5i, while being connected to Alphapo, was also involved in transferring a substantial volume of TRX to EOA TJXXme, which had previously been active in the Atomic Wallet breach on June 2. This interconnected web of transactions draws a clear line connecting all these breaches to the Lazarus Group.

Conclusion

Some of the largest security incidents during this ongoing crypto winter have been due to private key incidents. Incidents like the Ronin Bridge exploit and the FTX hack saw staggering losses exceeding $500 million apiece. Fast forward to today, and approximately $291.3 million has vanished due to private key breaches. 77.7% originates from the five major incidents dissected in this analysis. September alone saw losses upwards of $120 million. The Stake.com and CoinEx exploits account for 78% of September's total.

Historical data, including the Ronin Bridge and CoinsPaid exploits, pinpoints the Lazarus Group's modus operandi: spear-phishing targeting Web3 company personnel to hijack sensitive credentials. Employees in the Web3 sphere need to be acutely vigilant of unsolicited job pitches, especially those boasting overly lucrative compensation packages. For investors, the emphasis on self-custody of funds becomes paramount, offering a buffer against the domino effect of such breaches, while also requiring strict management of personal private keys.