
The enigmatic Lazarus Group, although largely shrouded in secrecy, has been connected to a long list of cyberattacks over the past decade, and recent on-chain evidence links its money laundering to Russian cryptocurrency exchanges.

A Glimpse into Lazarus Group’s Infamous Actions

Lazarus Group, sometimes referred to as the Guardians of Peace or the Whois Team, is a shadowy collective of cybercriminals.

Their activity can be traced back to “Operation Troy”, a campaign against South Korean targets between 2009 and 2012. By 2014, they gained notoriety for hacking Sony Pictures Entertainment and leaking over 276,000 internal files, which eventually surfaced on WikiLeaks. The leak exposed Sony’s strategic plans, payment structures for actors, working conditions, and its political lobbying.

A 2017 report by Kaspersky Lab indicated that Lazarus primarily engaged in cyber espionage, with a subgroup named Bluenoroff specializing in financially motivated attacks.

2017 saw Lazarus-linked North Korean hackers pilfering $7 million from South Korea’s Bithumb. That year, another attack led the South Korean crypto platform, Youbit, to declare bankruptcy after a significant cyber heist.

Their activities surged in 2021, when the group targeted cybersecurity researchers and showed increased involvement in the decentralized finance space. In 2022, the Ronin bridge, the sidechain serving the crypto game Axie Infinity, was drained of roughly $620 million in a theft the FBI attributed to Lazarus.

Other crypto targets attributed to the group include Atomic Wallet, the Alphapo payment platform, and Harmony’s Horizon cross-chain bridge.

Estimating Lazarus Group’s Crypto Holdings

Analysts from 21.co estimate the group’s cryptocurrency holdings at roughly $45 million. The figure is derived from the 295 addresses that the FBI and the Office of Foreign Assets Control (OFAC) have linked to the hackers. Because it counts only balances still sitting at publicly designated addresses, it is a lower bound on what the group controls and says nothing about funds already laundered. Notably, rather than privacy coins such as Monero, Dash, and Zcash, roughly 90% of the holdings are in Bitcoin. The remainder is held in Ether (ETH), Binance Coin (BNB), Binance USD (BUSD), staked Ether (stETH), and Aave (AAVE).

Ties to Russia?

Lazarus was first observed targeting Russian organizations in early 2019, after which that activity went quiet. Kaspersky Lab cites instances in which Lazarus went after cryptocurrency traders with malware, while other efforts focused on harvesting data from Russian research and manufacturing organizations.

Chainalysis’ 2023 report highlighted North Korean hacker groups’ growing dependence on Russian cryptocurrency exchanges for money laundering. Recent on-chain data shows that nearly $21.9 million stolen from Harmony’s Horizon bridge was funneled to a Russia-based exchange known for processing illicit transactions. That exchange and others like it have been implicated in laundering operations since 2021.
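The two analytical steps the text describes, adding up what sits at designated addresses and following outflows until they land at a labelled exchange deposit address, are shown below as an added example; it is not code from 21.co, Chainalysis or the original article. All addresses, labels and transactions are constructed for the demonstration and stand in for an FBI/OFAC designation list and an analytics vendor’s exchange attribution.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical identifiers, not real chain data).
# DESIGNATED stands in for the FBI/OFAC-listed address set the text refers to.
DESIGNATED = {"addrLAZ1", "addrLAZ2"}

# LABELS stands in for an analytics attribution of exchange deposit addresses.
LABELS = {"addrEXCH_RU": "RU-exchange (hypothetical)"}

# Transactions as (txid, sender, receiver, asset, amount).
# Sender "external" marks inflows whose origin is outside this data set.
TXS = [
    ("tx1", "external", "addrLAZ1", "ETH", 1000.0),   # bridge-drain proceeds land here
    ("tx2", "addrLAZ1", "addrLAZ2", "ETH", 400.0),    # shuffle inside the designated cluster
    ("tx3", "addrLAZ2", "addrHOP1", "ETH", 300.0),    # first laundering hop
    ("tx4", "addrHOP1", "addrEXCH_RU", "ETH", 250.0), # deposit at the labelled exchange
    ("tx5", "external", "addrLAZ2", "BTC", 50.0),     # separate asset held by the cluster
    ("tx6", "addrHOP1", "addrHOP2", "ETH", 50.0),     # remainder never reaches an exchange
]


def balances(txs):
    """Net balance per (address, asset) over the transaction list."""
    bal = defaultdict(float)
    for _, src, dst, asset, amt in txs:
        if src != "external":
            bal[(src, asset)] -= amt
        bal[(dst, asset)] += amt
    return bal


def cluster_holdings(txs, designated):
    """Sum, per asset, what the designated addresses still hold.

    This is the kind of figure behind a 'holdings' estimate: it counts only
    balances at listed addresses, so it is a floor, not total stolen value.
    """
    holdings = defaultdict(float)
    for (addr, asset), amt in balances(txs).items():
        if addr in designated and amt > 0:
            holdings[asset] += amt
    return dict(holdings)


def trace_to_labelled(txs, designated, labels, max_hops=4):
    """Breadth-first walk of outflows from the designated set.

    Returns one record per transfer that lands at a labelled address within
    max_hops, with the path taken. Transfers between designated addresses are
    not counted as hops, since they stay inside the cluster.
    """
    outgoing = defaultdict(list)
    for txid, src, dst, asset, amt in txs:
        outgoing[src].append((txid, dst, asset, amt))

    hits = []
    seen = set(designated)
    queue = deque((addr, 0, [addr]) for addr in sorted(designated))
    while queue:
        addr, hops, path = queue.popleft()
        if hops == max_hops:
            continue
        for txid, dst, asset, amt in outgoing[addr]:
            if dst in labels:
                hits.append({
                    "txid": txid, "label": labels[dst], "asset": asset,
                    "amount": amt, "hops": hops + 1, "path": path + [dst],
                })
            elif dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + 1, path + [dst]))
    return hits


if __name__ == "__main__":
    print("holdings at designated addresses:", cluster_holdings(TXS, DESIGNATED))
    for hit in trace_to_labelled(TXS, DESIGNATED, LABELS):
        print(f"{hit['amount']} {hit['asset']} reached {hit['label']} "
              f"after {hit['hops']} hops via {' -> '.join(hit['path'])}")
```

The tracer reports the face value of each transfer that reaches a labelled address rather than apportioning tainted value when funds are mixed with clean ones along the way; a production fund-flow analysis would apply a taint rule (such as first-in-first-out or proportional attribution) at every intermediate address, and the hop limit exists because unbounded walks through exchange hot wallets quickly implicate unrelated users.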

Cooperation between North Korean and Russian cybercriminals poses an intricate challenge. Russia’s long-standing reluctance to cooperate with international law enforcement dims the hopes of recovering assets sent to its exchanges. Unlike many major exchanges, which often freeze funds and assist investigators in such cases, Russian platforms tend to be uncooperative.

The Puppet Masters

While the true puppeteers behind Lazarus have never been officially acknowledged, many analysts and media outlets hold that the North Korean government is behind the group, and the U.S. government has formally attributed it to Pyongyang in indictments and sanctions designations. They posit that these cyber thefts fund weapons development, resource procurement, and sanctions evasion.

North Korea: A Cyber Haven with Minimal Internet

Martin Williams of the Stimson think tank likens North Korea’s cultivation of hackers to the grooming of elite athletes. Handpicked students who show exceptional skill and ideological alignment ascend through the nation’s educational hierarchy, and upon graduating some receive offers from state agencies that are hard to refuse.

The New Yorker reports that North Korea’s government has informally backed criminal rings involved in smuggling, counterfeiting, and drug trafficking since the 1970s. The shift to cybercrime is seen as an evolution of these earlier illicit activities.
