Paradigm: Unraveling the Mystery of the North Korean Hacker Group Lazarus Group

Original Article Title: "Demystifying the North Korean Threat"

Original Article Author: samczsun, Research Partner at Paradigm

Original Article Translation: Bright, Foresight News

One morning in February, the SEAL 911 team's alarm bells went off as we watched in confusion as Bybit moved over $1 billion worth of tokens from their cold wallet to a brand-new address and promptly initiated the liquidation of over $200 million worth of LST. Within minutes, through confirmations from the Bybit team and independent analysis (multi-signature, previously using a publicly verifiable Safe Wallet implementation, now deploying a newly deployed unverified contract), it became clear that this was not a routine maintenance. Someone had orchestrated the largest hack in cryptocurrency history, and we were sitting in the front row of this historical spectacle.

While some team members (and the broader intelligence community) began tracing the funds and notifying cooperating exchanges, other team members were trying to figure out what exactly had happened and whether other funds were at risk. Luckily, identifying the culprit was straightforward. Only one known actor had successfully stolen billions of dollars from cryptocurrency exchanges over the past few years: North Korea, also known as the DPRK.

However, beyond that, we had little to go on. Due to the cunning nature of North Korean hackers and their adeptness at self-obliteration, not only was it hard to pinpoint the root cause of the breach, but it was also challenging to determine which specific DPRK unit internally was responsible for this. Our only recourse was existing intelligence, which suggested that North Korea indeed favored infiltrating cryptocurrency exchanges through social engineering. Therefore, we speculated that North Korea likely compromised Bybit's signers and then deployed some malware to interfere with the signing process.

As it turned out, this speculation was entirely baseless. Days later, we discovered that North Korea had actually compromised the infrastructure of the Safe Wallet itself and launched a targeted malicious overload against Bybit. This level of sophistication was something no one had ever considered or prepared for, posing a significant challenge to many security models in the market.

North Korean hackers pose an increasingly serious threat to our industry, and we cannot defeat an enemy we do not know or understand. While there are numerous documented incidents and articles about various aspects of North Korean cyber operations, piecing them together has proven difficult. I hope this overview helps shed light on how North Korea operates and their tactics and procedures, making it easier for us to implement the right mitigation strategies.

Organizational Structure

Perhaps the most significant misconception to address is how to categorize and name the extensive network activities of North Korea. While using the term "Lazarus Group" informally to refer to them is acceptable, employing more precise terminology can be helpful when discussing North Korea's systemic cyber threats in detail.

Firstly, understanding North Korea's "organizational chart" can be helpful. At the top of the hierarchy is North Korea's ruling party (also the only ruling party) — the Workers' Party of Korea (WPK), which leads all of North Korea's governmental entities. This includes the Korean People's Army (KPA) and the Central Committee. Within the People's Army is the General Staff Department (GSD), with the Reconnaissance General Bureau (RGB) housed within. Under the Central Committee is the Ministry of Military Affairs (MID).

The RGB is responsible for nearly all of North Korea's cyber warfare activities, including almost all the activities related to the cryptocurrency industry. Apart from the notorious Lazarus Group, other threat actors that have emerged from the RGB include AppleJeus, APT38, DangerousPassword, and TraderTraitor. On the other hand, the MID oversees North Korea's nuclear missile program, serving as a primary source of North Korean IT workers, known in the intelligence community as Contagious Interview and Wagemole.

Lazarus Group

The Lazarus Group is a highly sophisticated hacking organization, with cybersecurity experts believing that some of the largest and most destructive cyberattacks in history have been attributed to this group. In 2016, Novetta first identified the Lazarus Group while analyzing the Sony Pictures Entertainment hack.

In 2014, Sony was producing the action comedy film "The Interview," with a major plot point involving the embarrassing and subsequent assassination of Kim Jong-un. Understandably, this did not sit well with the North Korean regime, which retaliated by breaching Sony's network, exfiltrating terabytes of data, leaking hundreds of gigabytes of confidential or otherwise sensitive information, and deleting originals. As then-CEO Michael Lynton put it, "The people who did this are criminals. They destroyed a company." Ultimately, the cost of investigation and remediation for Sony in this attack was at least $15 million, with potentially more losses incurred.

Subsequently, in 2016, a hacker group bearing a striking resemblance to the Lazarus Group infiltrated the Bangladesh Bank with the intention of stealing nearly $1 billion. Over the course of a year, the hackers diligently engaged in social engineering attacks on Bangladesh Bank employees, eventually gaining remote access and moving laterally within the bank's internal network until reaching the computer responsible for interfacing with the SWIFT network. From then on, they waited for the perfect moment to strike: the Bangladesh Bank observed a Thursday holiday, while the Federal Reserve Bank of New York had a Friday holiday.

On Thursday night local time in Bangladesh, threat actors utilized their access to the SWIFT network to send 36 separate transfer requests to the Federal Reserve Bank of New York, which was Thursday morning local time. Over the next 24 hours, the Federal Reserve Bank of New York forwarded these transfers to the Rizal Commercial Banking Corporation (RCBC) in the Philippines, which took action. Subsequently, when the Bangladesh Bank resumed business hours, they discovered the hack and attempted to notify RCBC to halt the transactions in progress, only to find that RCBC was closed for the Lunar New Year.

Finally, in 2017, a large-scale WannaCry 2.0 ransomware attack crippled industries worldwide, partly attributed to the Lazarus Group. WannaCry is estimated to have caused billions of dollars in damages, exploiting an NSA-developed Microsoft Windows 0day, encrypting local devices and spreading to other accessible devices, eventually infecting hundreds of thousands of devices globally. Fortunately, security researcher Marcus Hutchins discovered and activated a kill switch within eight hours, limiting the ultimate damage.

Throughout the evolution of the Lazarus Group, they have demonstrated high technical capabilities and operational sophistication, with one of their goals being revenue generation for the North Korean regime. Therefore, their shift of focus to the cryptocurrency industry was only a matter of time.

Derivatives

Over time, as the Lazarus Group has become the catch-all term the media likes to use when describing North Korean cyber activity, the cybersecurity industry has coined more precise names for the specific activities of the Lazarus Group and North Korea. One example is APT38, which split from the Lazarus Group around 2016, focusing on financial crime, initially targeting banks (such as the Bangladesh Bank) and later moving on to cryptocurrency. In 2018, a new threat named AppleJeus was discovered spreading malware targeting cryptocurrency users. Finally, as early as 2018, when OFAC first announced sanctions against two front companies used by North Koreans, North Korean actors posing as IT professionals had already infiltrated the tech industry.

North Korean IT Workers

Although the earliest records mentioning North Korean IT workers date back to OFAC sanctions in 2018, a Unit 42 report in 2023 provided a more detailed account, identifying two distinct threat actors: Contagious Interview and Wagemole.

It has been reported that the Contagious Interview scam involves impersonating recruiters from well-known companies to deceive developers into participating in a fake interview process. Subsequently, the prospective candidates are instructed to clone a repository for local debugging, presented as a coding challenge on the surface, but the repository actually contains a backdoor. Executing the backdoor grants the attacker control of the affected machine. This activity has been ongoing, with the most recent recorded instance on August 11, 2024.

On the other hand, Wagemole operatives' primary objective is not to hire potential victims but to be hired by companies, where they simply work like regular engineers, albeit potentially less efficiently. Nevertheless, there are records of IT workers leveraging their access for attacks, such as in the Munchables incident, where an employee associated with North Korean activities used their privileged access to smart contracts to steal all assets.

The complexity of Wagemole operatives varies, from generic resume templates and reluctance to engage in video calls, to highly customized resumes, deeply faked video interviews, and identity documents like driver's licenses and utility bills. In some cases, operatives have infiltrated victim organizations for up to a year, then used their access to breach other systems and/or cash out completely.

AppleJeus

AppleJeus primarily focuses on spreading malware and excels in sophisticated supply chain attacks. In 2023, the 3CX supply chain attack enabled attackers to potentially infect over 12 million users of 3CX VoIP software, but it was later discovered that 3CX itself was also compromised due to an attack on one of its upstream suppliers, Trading Technologies.

In the cryptocurrency industry, AppleJeus initially distributed malware disguised as legitimate software (such as trading apps or cryptocurrency wallets). However, over time, their strategy evolved. In October 2024, Radiant Capital was compromised by a threat actor who posed as a trusted contractor and sent malicious software via Telegram. Mandiant attributed this incident to AppleJeus.

Dangerous Password

Dangerous Password is responsible for conducting low-complexity, social engineering-based attacks on the cryptocurrency industry. As early as 2019, JPCERT/CC documented that Dangerous Password would send phishing emails with enticing attachments for users to download. In the earlier years, Dangerous Password was known for impersonating industry figures to send phishing emails with subjects like "Stablecoin and Cryptocurrency Risk Assessment."

Today, Dangerous Password is still sending phishing emails, but has also expanded to other platforms. For example, Radiant Capital reports that they received a phishing message via Telegram from someone impersonating a security researcher, who distributed a file named "Penpie_Hacking_Analysis_Report.zip." Furthermore, users reported that someone impersonating journalists and investors contacted them, requesting a call using an inconspicuous video conferencing app. Similar to Zoom, these apps would download a one-time installation program that would, when run, install malware on the device.

TraderTraitor

TraderTraitor is the most seasoned North Korean hacker targeting the cryptocurrency industry, initiating hacks on platforms such as Axie Infinity and Rain.com. TraderTraitor primarily targets exchanges and other companies with significant reserves, opting not to deploy zero-day vulnerabilities against its targets but instead using highly sophisticated spear-phishing techniques to attack victims. In the Axie Infinity hack case, TraderTraitor reached out to a senior engineer via LinkedIn, successfully convincing them to undergo a series of interviews and then sending a "proposal," which delivered malware.

Subsequently, in the WazirX hack, TraderTraitor operatives disrupted an as-yet-unidentified component in the signing pipeline and drained the exchange's hot wallet through repeated deposits and withdrawals, forcing WazirX engineers to rebalance from cold to hot wallet. When the WazirX engineers attempted to sign transactions to transfer funds, they were tricked into signing a transaction handing control of the cold wallet to TraderTraitor. This incident was very similar to the attack on Bybit in February 2025, where TraderTraitor first compromised the Safe{Wallet} infrastructure through social engineering attacks and then deployed malicious JavaScript to the Safe Wallet frontend specifically targeting Bybit's cold wallet. When Bybit attempted to rebalance their wallets, the malicious code was triggered, leading Bybit engineers to sign a transaction handing control of the cold wallet to TraderTraitor.

Stay Safe

North Korea has demonstrated the ability to exploit zero-day vulnerabilities against adversaries, but currently has no recorded incidents or known events of North Korea deploying zero-day vulnerabilities against the cryptocurrency industry. Therefore, typical security recommendations apply to almost all North Korean hacker threats.

For individuals, it is important to use common sense and be cautious of social engineering tactics. For example, if someone claims to have highly confidential information and is willing to share it with you, proceed with caution. Or if someone is exerting time pressure on you to download and run certain software, consider if they are trying to push you into a situation where rational thinking may be compromised.

For organizations, applying the principle of least privilege is crucial. Minimize the number of people with access to sensitive systems as much as possible, and ensure they use password managers and 2FA. Keep personal devices separate from work devices, and install Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) software on work devices to ensure security pre-breach and visibility post-breach.

Unfortunately, for large exchanges or other high-value targets, TraderTraitor can cause more damage than expected even without the need for zero-day vulnerabilities. Therefore, additional preventive measures must be taken to eliminate single points of failure and prevent total loss of funds from a single intrusion.

However, even if all else fails, there is still hope. The FBI has a dedicated division to track and prevent North Korean intrusions, which has been conducting victim notifications for years, and recently I was pleased to assist agents from that division in reaching out to potential North Korean targets. Therefore, to be prepared for the worst-case scenario, ensure you have public contact information available, or that you are connected with a sufficient number of people in the ecosystem (e.g., SEAL 911), so that messages traversing the social graph can reach you at the fastest pace.

Original Article Link