The story behind the mastermind of the largest heist in Web3 history, the Lazarus Group.

17 hours ago

On February 21, at 23:20 Beijing time, Bybit was hacked, resulting in the theft of approximately $1.5 billion in on-chain assets. Four hours after the incident, on-chain detective ZachXBT submitted conclusive evidence confirming that the attack on Bybit was carried out by the North Korean hacker organization Lazarus Group. This notorious hacking team has left a significant mark in the history of cryptocurrency and the entire financial market.

Source: Wikipedia

Translation: Yobo, Foresight News

The following content is translated from the Wikipedia entry "Lazarus Group":

Lazarus Group (also known as "Guardians of Peace" or "Whois Team") is a hacker organization composed of an unknown number of individuals, allegedly controlled by the North Korean government. Although little is known about the organization, researchers have attributed multiple cyberattacks to them since 2010.

The group initially started as a criminal gang but has since been identified as an advanced persistent threat organization due to their attack intentions, the threats they pose, and the various means they employ during operations. Cybersecurity agencies have given them several nicknames, such as "Hidden Cobra" (a term used by the U.S. Department of Homeland Security to refer to malicious cyber activities initiated by the North Korean government), as well as "ZINC" or "Diamond Sleet" (Microsoft's terminology). According to North Korean defector Kim Kuk-song, the organization is known domestically as the "414 Office."

Lazarus Group is closely linked to North Korea. The U.S. Department of Justice claims that the organization is part of the North Korean government's strategy to "disrupt global cybersecurity… and generate illegal income in violation of sanctions." North Korea can gain numerous benefits from conducting cyber operations, requiring only a very lean team to pose a "global" asymmetric threat (especially against South Korea).

Development History

The earliest known attack by the organization was the "Operation Troy" from 2009 to 2012. This was a cyber espionage campaign that targeted the South Korean government in Seoul using relatively simple distributed denial-of-service (DDoS) attack techniques. They also launched attacks in 2011 and 2013. Although it cannot be confirmed, an attack against South Korea in 2007 may also have been their doing. A notable attack by the organization occurred in 2014, targeting Sony Pictures. This attack employed more sophisticated techniques and demonstrated that the organization had become increasingly mature over time.

In 2015, it was reported that Lazarus Group stole $12 million from Ecuador's Banco del Austro and $1 million from Vietnam's VietinBank. They also targeted banks in Poland and Mexico. The 2016 bank heist, in which $81 million was successfully stolen, is also believed to be the work of the organization. In 2017, reports indicated that Lazarus Group stole $60 million from Taiwan's Far Eastern International Bank, although the actual amount stolen is unclear, and most of the funds have been recovered.

It remains unclear who the true masterminds behind the organization are, but media reports indicate a close association with North Korea. In 2017, Kaspersky Lab reported that Lazarus Group tends to focus on espionage and infiltration-type cyberattacks, while a subgroup referred to as "Bluenoroff" by Kaspersky specializes in financial cyberattacks. Kaspersky discovered multiple attack incidents globally and found direct IP address associations between Bluenoroff and the country.

However, Kaspersky also acknowledged that the reuse of code could be a "false flag operation" intended to mislead investigators and frame North Korea, as the globally recognized "WannaCry" worm attack copied techniques from the U.S. National Security Agency. This ransomware exploited the "EternalBlue" vulnerability developed by the NSA, which was publicly disclosed in April 2017 by a hacker group called "Shadow Brokers." In 2017, Symantec reported that the "WannaCry" attack was highly likely to have been carried out by Lazarus Group.

2009 "Operation Troy"

Lazarus Group's first major hacking incident occurred on July 4, 2009, marking the beginning of "Operation Troy." This attack utilized the "MyDoom" and "Pushdo" malware to launch large-scale but relatively unsophisticated DDoS attacks against websites in the U.S. and South Korea. This wave of attacks targeted approximately 36 websites and embedded the phrase "Independence Day Memorial" in the master boot record (MBR).

2013 South Korea Cyber Attack ("Operation 1" / "Dark Seoul" Operation)

Over time, the organization's attack methods became increasingly sophisticated; their techniques and tools also became more mature and effective. The "Ten-Day Rain" attack in March 2011 targeted South Korean media, finance, and critical infrastructure, employing more complex DDoS attacks sourced from compromised computers within South Korea. On March 20, 2013, the "Dark Seoul" operation was launched, which was a data-wiping attack targeting three South Korean broadcasting companies, financial institutions, and an internet service provider. At the time, two other groups claiming to be responsible for the attack, "New Roman Cyber Army" and "WhoIs Team," were not known to be associated with Lazarus Group. Researchers now recognize Lazarus Group as the main perpetrator of these destructive attacks.

Late 2014: Sony Pictures Hacked

On November 24, 2014, the attacks by Lazarus Group reached a climax. On that day, a post appeared on Reddit claiming that Sony Pictures had been hacked by unknown means, with the attackers calling themselves "Guardians of Peace." A large amount of data was stolen and gradually leaked in the days following the attack. A person claiming to be a member of the organization stated in an interview that they had been stealing data from Sony for over a year.

The hackers gained access to unreleased films, some movie scripts, future film plans, executive salary information, emails, and personal information of approximately 4,000 employees.

Early 2016 Investigation: "Operation Blockbuster"

Codenamed "Operation Blockbuster," an alliance of several security companies led by Novetta analyzed malware samples found in various cybersecurity incidents. Using this data, the team analyzed the hackers' methods. They linked Lazarus Group to multiple attacks through code reuse patterns. For example, they used a little-known encryption algorithm called "Caracas."

2016 Bank Cyber Heist

In February 2016, a bank heist occurred. The attackers issued 35 fraudulent instructions through the SWIFT network, attempting to illegally transfer nearly $1 billion from a country's central bank account at the New York Federal Reserve Bank. Of the 35 fraudulent instructions, 5 successfully transferred $101 million, with $20 million going to Sri Lanka and $81 million to the Philippines. The New York Federal Reserve Bank became suspicious due to a spelling error in one instruction, preventing the remaining 30 transactions, which involved $850 million. Cybersecurity experts attributed the attack to Lazarus Group from a certain country.

May 2017 "WannaCry" Ransomware Attack

The "WannaCry" attack of May 12, 2017 was a large-scale ransomware cyberattack that affected numerous institutions worldwide, from the UK's National Health Service (NHS) to Boeing and even some universities in China. The attack lasted for 7 hours and 19 minutes. Europol estimated that the attack affected nearly 200,000 computers in 150 countries, with the most impacted regions including Russia, India, Ukraine, and Taiwan. This was one of the earliest examples of a cryptoworm attack. Cryptoworms are a type of malware that can spread between computers over a network without direct user action; this attack exploited TCP port 445. Computers could be infected by the virus without clicking on malicious links, as the malware could automatically spread from one computer to connected printers and then to other computers connected to the same wireless network. The vulnerability reachable through port 445 allowed the malware to spread freely within internal networks, rapidly infecting thousands of computers. The "WannaCry" attack was one of the first large-scale uses of a cryptoworm.

Attack method: The virus exploited vulnerabilities in the Windows operating system, encrypting computer data and demanding payment of approximately $300 in Bitcoin for the decryption key. To pressure victims into paying, the ransom doubled after three days, and if it was not paid within a week, the malware would delete the encrypted data files. The malware used legitimate software developed by Microsoft called "Windows Crypto" to encrypt files. Once encryption was complete, the file names were appended with the "Wincry" suffix, which is the origin of the name "WannaCry." "Wincry" is the basis of the encryption, but the malware also exploited two further vulnerabilities, "EternalBlue" and "DoublePulsar," which is what made it a cryptoworm. "EternalBlue" allowed the virus to spread automatically over the network, while "DoublePulsar" triggered the virus to activate on the victim's computer. In other words, "EternalBlue" delivered the infected link to your computer, and "DoublePulsar" clicked it for you.

Security researcher Marcus Hutchins received a sample of the virus from a friend at a security research company and discovered that the virus contained a hard-coded "kill switch" that halted the attack. The malware would periodically check whether a specific domain name had been registered, and it would only continue encrypting if that domain did not exist. Hutchins discovered this check mechanism and registered the relevant domain at 3:03 PM UTC. The malware immediately stopped spreading and infecting new devices. This outcome was unusual and provided clues for tracking the virus's creators. Typically, stopping malware requires months of back-and-forth between hackers and security experts, so such an easy win was unexpected. Another unusual aspect of this attack was that even after paying the ransom, files could not be recovered: the hackers only received $160,000 in ransom, leading many to believe their motive was not financial gain but rather chaos.

The ease with which the "kill switch" could be triggered and the meager ransom earnings led many to believe that this attack was state-sponsored; its motive was not economic gain but rather to create disorder. After the attack, security experts traced the "DoublePulsar" vulnerability back to the U.S. National Security Agency, which had initially developed it as a cyber weapon. Later, the hacker group "Shadow Brokers" stole this vulnerability, initially attempting to auction it but failing, and ultimately released it for free. The NSA subsequently informed Microsoft about the vulnerability, and Microsoft released an update on March 14, 2017, less than a month before the attack occurred. However, this was not enough, as the update was not mandatory, and by May 12, most computers with the vulnerability had not been patched, leading to the attack's astonishing damage.
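The two behaviours described above, worm-like spreading over TCP port 445 and the periodic kill-switch domain lookup, are both visible in ordinary network logs. The following is an added detection example, not code from the original article: it runs over constructed firewall and DNS log lines and flags hosts that fan out to many port-445 peers in a short window or that query the kill-switch domain. The actual kill-switch domain is not given in the article, so `KILL_SWITCH_DOMAIN` is a placeholder, and the thresholds are assumptions.

```python
"""Added example (not from the original article): flag hosts showing the two
WannaCry behaviours described in the text, using constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch.placeholder.example"  # placeholder, not the real domain
SMB_PORT = 445
FANOUT_THRESHOLD = 5           # distinct port-445 destinations from one source ...
WINDOW = timedelta(minutes=2)  # ... within this window counts as worm-like spreading

# Constructed sample logs, one event per line:
#   "<ISO time> conn <src> <dst> <dst-port>"  or  "<ISO time> dns <src> <queried-name>"
SAMPLE_LOGS = """\
2017-05-12T10:00:01 conn 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:02 conn 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:02 conn 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:03 conn 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:03 conn 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:04 conn 10.0.0.5 10.0.0.25 445
2017-05-12T10:00:05 dns 10.0.0.5 killswitch.placeholder.example
2017-05-12T10:00:07 conn 10.0.0.9 10.0.0.20 445
2017-05-12T10:30:00 conn 10.0.0.9 10.0.0.21 445
2017-05-12T10:31:00 dns 10.0.0.9 updates.example.com
2017-05-12T11:00:00 conn 10.0.0.7 10.0.0.40 443
"""


def parse(line):
    """Turn one log line into a dict; normalises DNS names for comparison."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    if parts[1] == "conn":
        return {"ts": ts, "kind": "conn", "src": parts[2],
                "dst": parts[3], "port": int(parts[4])}
    return {"ts": ts, "kind": "dns", "src": parts[2],
            "qname": parts[3].rstrip(".").lower()}


def detect(log_text):
    """Return {host: [reasons]} for hosts showing either WannaCry-like behaviour."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = defaultdict(list)
    smb = defaultdict(list)  # src -> [(timestamp, dst)] for port-445 connections
    for ev in events:
        if ev["kind"] == "dns" and ev["qname"] == KILL_SWITCH_DOMAIN:
            findings[ev["src"]].append("kill-switch domain lookup")
        elif ev["kind"] == "conn" and ev["port"] == SMB_PORT:
            smb[ev["src"]].append((ev["ts"], ev["dst"]))
    for src, conns in smb.items():
        conns.sort()
        # Slide a time window over the ordered connections, counting distinct peers.
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= WINDOW}
            if len(peers) >= FANOUT_THRESHOLD:
                findings[src].append(
                    f"{len(peers)} distinct TCP/445 peers within {WINDOW}")
                break
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```

In the sample, only 10.0.0.5 is flagged (six port-445 peers in four seconds plus the kill-switch lookup); 10.0.0.9 touches only two peers half an hour apart and stays quiet.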

Subsequent impact: The U.S. Department of Justice and British authorities later determined that the "WannaCry" attack was carried out by the North Korean hacker organization Lazarus Group.

2017 Cryptocurrency Attack Incident

In 2018, Recorded Future released a report stating that Lazarus Group was involved in attacks targeting cryptocurrency users of Bitcoin and Monero, primarily aimed at South Korean users. These attacks were reportedly technically similar to previous attacks using the "WannaCry" ransomware and the attack on Sony Pictures. One of the methods used by Lazarus Group hackers was exploiting vulnerabilities in the Hangul word processing software (developed by Hancom). Another method involved sending spear-phishing bait containing malware, targeting South Korean students and users of cryptocurrency trading platforms like Coinlink.

If users opened the malware, their email addresses and passwords would be stolen. Coinlink denied that its website or users' email addresses and passwords were hacked. The report concluded: "This series of attacks at the end of 2017 indicates that a certain country has an increasing interest in cryptocurrencies, which we now know encompasses a wide range of activities including mining, ransomware attacks, and direct theft…" The report also noted that this country was using these cryptocurrency attacks to evade international financial sanctions.

In February 2017, hackers from a certain country stole $7 million from the South Korean cryptocurrency exchange Bithumb. Another South Korean Bitcoin exchange, Youbit, suffered an attack in April 2017 and had to file for bankruptcy in December of the same year after 17% of its assets were stolen. Lazarus Group and hackers from a certain country were identified as the masterminds behind these attacks. In December 2017, the cryptocurrency cloud mining market Nicehash lost over 4,500 Bitcoins. An investigation update indicated that this attack was related to Lazarus Group.

September 2019 Attack Incident

In mid-September 2019, the U.S. issued a public alert about a new type of malware called "ElectricFish." Since early 2019, agents from a certain country had carried out five major cyber thefts globally, including successfully stealing $49 million from an institution in Kuwait.

Late 2020 Pharmaceutical Company Attack Incident

Due to the ongoing COVID-19 pandemic, pharmaceutical companies became a primary target for Lazarus Group. Members of Lazarus Group used spear-phishing techniques, posing as health officials, to send malicious links to pharmaceutical company employees. It is believed that several large pharmaceutical companies were targeted, but only the British-Swedish company AstraZeneca has been confirmed so far. According to Reuters, numerous employees were targeted, many of whom were involved in the development of the COVID-19 vaccine. It remains unclear what Lazarus Group's motives for these attacks were, but they may include: stealing sensitive information for profit, implementing extortion schemes, and allowing foreign regimes to obtain proprietary research related to the coronavirus. AstraZeneca has not commented on the incident, and experts believe that no sensitive data has been leaked so far.

January 2021 Attack Incident Targeting Cybersecurity Researchers

In January 2021, both Google and Microsoft publicly reported that a group of hackers from a certain country had launched attacks against cybersecurity researchers using social engineering techniques, with Microsoft explicitly stating that the attack was carried out by Lazarus Group.

The hackers created multiple profiles on platforms like Twitter, GitHub, and LinkedIn, posing as legitimate software vulnerability researchers, interacting with posts and content published by others in the security research community. They then directly contacted specific security researchers, luring victims into downloading files containing malware or visiting blog posts on websites controlled by the hackers under the pretense of collaborative research.

Some victims who accessed the blog posts reported that despite using a fully patched Google Chrome browser, their computers were still compromised, indicating that the hackers may have exploited a previously unknown Chrome zero-day vulnerability; however, Google stated at the time of the report that it could not determine the specific method of intrusion.

March 2022 Axie Infinity Attack Incident

In March 2022, Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. The FBI stated: "Through investigation, we confirm that Lazarus Group and APT38 (a cyber actor associated with North Korea) are the masterminds behind this theft."

June 2022 Horizon Bridge Attack Incident

The FBI confirmed that the North Korean malicious cyber actor organization Lazarus Group (also known as APT38) was behind the theft of $100 million in virtual currency reported on June 24, 2022, from Harmony's Horizon Bridge.

Other Related Cryptocurrency Attack Incidents in 2023

A report released by blockchain security platform Immunefi stated that Lazarus Group was responsible for over $300 million in losses from cryptocurrency hacking incidents in 2023, accounting for 17.6% of the total losses that year.

June 2023 Atomic Wallet Attack Incident: In June 2023, users of the Atomic Wallet service had over $100 million worth of cryptocurrency stolen, which the FBI subsequently confirmed.

September 2023 Stake.com Hacker Attack Incident: In September 2023, the FBI confirmed that $41 million worth of cryptocurrency was stolen from the online casino and betting platform Stake.com, with the perpetrators being Lazarus Group.

U.S. Sanctions Measures

On April 14, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) added Lazarus Group to the Specially Designated Nationals List (SDN List) under the sanctions regulations of a certain country.

2024 Cryptocurrency Attack Incident

According to Indian media reports, a local cryptocurrency exchange named WazirX was attacked by the organization, resulting in the theft of $234.9 million in cryptocurrency assets.

Personnel Training

It is rumored that some North Korean hackers are sent to Shenyang, China, for specialized training on how to implant various types of malware into computers, computer networks, and servers. Within North Korea, Kim Chaek University of Technology, Kim Il Sung University, and Mangyongdae Revolutionary School are responsible for related educational tasks, selecting the best students from across the country to receive six years of special education. In addition to university education, "some of the best programmers… are sent to Mangyongdae Revolutionary School or Mirim College for further study."

Organizational Branches

Lazarus Group is believed to have two branches.

BlueNorOff

BlueNorOff (also known as APT38, "Star Chollima," "BeagleBoyz," "NICKEL GLADSTONE") is an organization driven by economic interests, engaging in illegal fund transfers through forged SWIFT instructions. Mandiant refers to it as APT38, while Crowdstrike calls it "Star Chollima."

According to a 2020 report by the U.S. Army, BlueNorOff has approximately 1,700 members who focus on long-term assessments and exploitation of enemy network vulnerabilities and systems, engaging in financial cybercrime activities to obtain economic benefits or control related systems for the regime. Between 2014 and 2021, their targets included 16 institutions across at least 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. It is believed that these illegal proceeds were used for the development of the country's missile and nuclear technology.

The most notorious attack by BlueNorOff was a bank heist in 2016, where they attempted to illegally transfer nearly $1 billion from a certain country's central bank account at the New York Federal Reserve Bank via the SWIFT network. After some transactions were successfully completed ($20 million went to Sri Lanka, $81 million went to the Philippines), the New York Federal Reserve Bank became suspicious due to a spelling error in one instruction, preventing the remaining transactions.

Malware associated with BlueNorOff includes: "DarkComet," "Mimikatz," "Nestegg," "Macktruck," "WannaCry," "Whiteout," "Quickcafe," "Rawhide," "Smoothride," "TightVNC," "Sorrybrute," "Keylime," "Snapshot," "Mapmaker," "net.exe," "sysmon," "Bootwreck," "Cleantoad," "Closeshave," "Dyepack," "Hermes," "Twopence," "Electricfish," "Powerratankba," and "Powerspritz," among others.

Common tactics used by BlueNorOff include: phishing, setting up backdoors, exploiting vulnerabilities, watering hole attacks, executing code on systems using outdated and insecure versions of Apache Struts 2, strategically compromising websites, and accessing Linux servers. Reports indicate that they sometimes collaborate with criminal hackers.

AndAriel

AndAriel, also spelled Andarial, has other aliases: Silent Chollima, Dark Seoul, Rifle, and Wassonite. As several of these names suggest, it is characterized by its targeting of South Korea. The alias "Silent Chollima" derives from the organization's secretive nature. Any institution in South Korea could be a target of AndAriel, including government departments, defense agencies, and various economic entities.

According to a 2020 report by the U.S. Army, the AndAriel organization has about 1,600 members whose mission is to conduct reconnaissance, assess network vulnerabilities, and map enemy networks for potential attacks. Besides South Korea, they also target governments, infrastructure, and businesses in other countries. Attack methods include exploiting ActiveX controls, vulnerabilities in South Korean software, watering hole attacks, spear-phishing (macro virus methods), targeting IT management products (such as antivirus software and project management software), and launching attacks through supply chains (installers and updates). The malware used includes Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.

Related Personnel Prosecution Status

In February 2021, the U.S. Department of Justice indicted three members of North Korea's military intelligence agency, the Reconnaissance General Bureau—Park Jin Hyok, Jon Chang Hyok, and Kim Il Park—accusing them of participating in multiple hacking activities of Lazarus Group. Park Jin Hyok had already been indicted in September 2018. These suspects are currently not in U.S. custody. Additionally, a Canadian and two Chinese individuals have also been accused of acting as fund transporters and money launderers for Lazarus Group.
