Back to all stories
Reports
Incident Analysis
Lazarus Group's Web3 Rampage
9/13/2023
Lazarus Group's Web3 Rampage

TL;DR

Since the $650 million exploit of the Ronin bridge in 2022, attention has been on North Korea’s Lazarus Group. The group has been linked to multiple exploits, cumulatively costing the Web3 community at least $291.3 million across five distinct incidents in 2023. CertiK has identified transactions connecting the Atomic Wallet, Alphapo, CoinsPaid, Stake.com, and CoinEx breaches, serving as on-chain evidence of Lazarus Group’s involvement in all exploits.

Introduction

The North Korean-backed Lazarus group has been one of the most prolific Advanced Persistent Threats (APTs) facing the Web3 community. In 2022, the group was responsible for a total of at least $750 million lost, representing approximately 20% of the overall value stolen from the industry that year. The group has continued its activities and is behind some of 2023’s biggest exploits. As of September 2023, CertiK has recorded losses amounting to $291.3 million across five incidents. A common thread between these attacks is the compromise of private keys, which are likely to be the result of prior breaches at the affected companies.

A report by Mandiant unveils a software supply chain attack on 3CX - the developer of a business communication system linking multiple media - likely orchestrated by North Korean hackers. JumpCloud suffered a data breach in June, which impacted numerous Web3 firms. This intrusion has also been traced back to a Lazarus subgroup, named Labyrinth Chollima.

36b29866-1896-4c38-95c0-98a5ab122b3e

In a post mortem of the incident published by CoinsPaid, the company detailed the scheme. Fake recruiters on LinkedIn targeted CoinsPaid employees with offers ranging from $16,000 to $24,000 monthly. These employees were then asked to install a JumpCloud Agent, ostensibly to complete a technical task. However, this "technical task" contained malware that granted access to the interviewee's systems.

The breaches at 3CX and JumpCloud highlight North Korea's strategy of exploiting vulnerabilities in the Web 2.0 infrastructure that these Web3 companies depend on. There is substantial evidence to suggest that the JumpCloud incident played a role in enabling the CoinsPaid exploit. This pattern may also extend to the attacks on Atomic Wallet, Alphapo, Stake.com, and CoinEx.

On-Chain Connections Between Lazarus Group Private Key Compromises

2023 has witnessed five major private key compromises, with a collective impact of $291.3 million. This accounts for 77.7% of total losses attributed to such breaches. The FBI findings indictate that the malicious operations on Stake: Crypto Casino & Sports Betting - BTC Casino Online can also be traced back to the Lazarus Group. Our investigations have uncovered on-chain links between the exploits on Atomic Wallet, Alphapo, CoinsPaid, Stake.com, and CoinEx.

The Stake.com breach appears to be related with private key compromises at Atomic Wallet, Alphapo, Stake and CoinEx. Presented below is a simplified transaction flow highlighting these connections.

2b843259-e308-496b-93c4-57ab28d6508a

Funds were moved to Ethereum wallet address 0x9D5, which subsequently transferred them to 0x22b. This Ethereum wallet, 0x22b, had previously received funds from the Alphapo exploit on the Tron network. The exploiters swapped TRX for ETH using Transit Swap, while the culprits behind the Atomic Wallet breach transferred funds directly to the same address: 0x22b.

Alphapo & CoinsPaid

On the 22nd of July, CoinsPaid and Alphapo both fell victim to security breaches resulting in losses of $37m and $23m, respectively, with compromised private keys as the root cause. In the process of removing assets from CoinsPaid, the attackers moved funds from Tron EOA TUGFXf to EOA TGGMvM, via intermediate EOAs TJ6k7a and TNMW5i.

1cd918f9-85d5-44d8-ab9a-3f57ce947c8a

Funds from the Alphapo exploit were also sent to EOA TGGMvM via TJF7md.

35519336-89e3-4ee7-80c6-47b82d25bd78

TNNW5i, connected to Alphapo, was also involved in transferring a substantial volume of TRX to EOA TJXXme, which had previously been active in the Atomic Wallet breach on June 2. This interconnected web of transactions draws a clear line connecting all these breaches to the Lazarus Group.

2b36a2bd-c9fb-4090-b4f2-4ff6a41b9832

Conclusion

Some of the largest security incidents during this ongoing crypto winter have been due to private key compromises. Incidents like the Ronin Bridge exploit and the FTX hack saw losses exceeding $500 million apiece. Fast forward to today, and approximately $291.3 million has been stolen due to private key breaches. 77.7% originates from the five major incidents dissected in this analysis. September alone saw losses upwards of $120 million. The Stake.com and CoinEx exploits account for 78% of September's total.

Historical data, including the Ronin Bridge and CoinsPaid exploits, reveals the Lazarus Group's mode of attack: spear-phishing targeting Web3 company personnel to hijack sensitive credentials. Employees in the Web3 world need to be highly careful with unsolicited job pitches offering overly lucrative compensation packages.