North Korean Hackers are attacking the Cryptocurrency Network

Some cybercriminal groups such as North Korea-affiliated APT38 Groups and Lazarus Group specialize in financial cyberattacks because they are often highly profitable. Cryptocurrency exchange platforms (such as bitcoin) are among the “natural” targets with high potential for attackers: they focus significant financial flows that pass through blockchain technologies through many replace while sometimes not very safe. These information storage and transmission technologies are in the form of a distributed (non-centralized) database whose security is based on cryptography.

Platforms for converting cryptocurrencies to dollars or euros remain weak links in the security chain of the crypto financial cycle. Attackers are well aware of this and systematically take advantage of security vulnerabilities that they can discover themselves by studying a platform or buying from other cybercriminal groups in dark web marketplaces. We have entered the era of industrialization of cyberattacks and optimization of achievements for more professional and efficient cybercriminal groups, mafias and cartels. The very nature of cryptocurrencies through their decentralized and anonymous nature, blockchain technologies and the networks that carry them can only attract malicious actors.

Nearly 600 million euros were stolen

The latest cyberattack linked to APT38 and the Lazarus group was reported by the FBI on April 14, 2022. U.S. investigators confirmed that the two groups, acting on behalf of the People’s Republic of North Korea, were responsible for the theft (reported March 29) of $ 620 million (€ 573 million) in Ethereum cryptocurrency.

The “cyberheist” results from the hacking of blockchain-based online video game Axie Infinity. This very popular game was created in 2018 in Vietnam by Sky Mavis and immediately succeeded in the Philippines with several million users. It allows players to earn money in the form of NFTs, digital tokens that can be converted into cryptocurrencies. The game’s creators have set up an initial blockchain, collateral to the official Ethereum blockchain, which simplifies and speeds up internal in-game transactions, but at the expense of overall security. The attackers of APT38 and Lazarus were then very logically detected and then exploited the vulnerabilities of the game infrastructure to then smuggle more than 600 million dollars into cryptocurrencies. The diverted booty certainly feeds into the accounts of the North Korean government, and is specifically used to finance its nuclear armament program.

The APT38 and Lazarus groups rely on sophisticated tools to execute their attacks. The two groups implicated by the FBI have long experience in high-level hacking into targets with very high added value. They have demonstrated their offensive capabilities against systems with a good level of security. The attacks associated with APT38 and Lazarus are often sophisticated. They rely on sneaky malware (malicious software) that is sometimes developed or “customized” depending on financial targets expected. Like their latest attacks on Axie Infinity and the Ronin network (protocol that connects Ethereum to Axie Infinity), the return on investment is significant. The enormous benefit gained makes it possible to buy high-level, and therefore very expensive, “zero-day” vulnerabilities (unpublished vulnerabilities). A zero-day vulnerability is a defect in software that has not been patched.

They also make it possible to recruit talents to the best students or computer science affiliates in North Korea. High-potential hackers will be identified, recruited and trained in state hacking from an early age. This device should be seen as an integral part of the North Korean military-industrial apparatus as demonstrated by the CNAS study, an American analysis center that publishes reports on the cyber group.

A real war effort

The specialization contributes towards the financial targets of the war effort in North Korea. Malware powered by APT38 and Lazarus is often in the state of the art in cyberattacks and requires strong development capabilities.

As with any sophisticated cyberattack, the initial stages of screening potential targets, detecting vulnerabilities in the information system and planning an attack can take a long time.

This part of social engineering consists of a detailed study of the organization to be targeted and its information system. Attackers identify weak infrastructure links at the system level as well as human users. They then look for security vulnerabilities that can be exploited from the malware they have. When there is no effective “off the shelf” software, development teams can form cybercriminal groups to produce specialized malware tailored to the target. The high level of stealthiness of the run malware characterizes the various APT groups. Sometimes attacks are carried out in several stages with one stage focused on identifying the target’s defense systems. The first attack was launched to assess the level of detection and remediation powered by the targeted system. In other cases, a malicious payload is introduced into the system without being activated. It remains dormant until the appropriate moment of the attack, which can occur several weeks after this first stage. Either way, the offensive strategies and tactics fit the target and the complexity of their digital shields.

The morphology of the APT38 and Lazarus groups remains poorly understood. The nature of the targets and the typology of the attacks make it possible to identify them in the global ecosystem of APT groups. Their numbers are not precisely known. We know that the most talented North Korean hackers are constantly being recruited to strengthen operational teams. Active since 2014, the APT38 group targets banks, financial institutions, casinos, cryptocurrency exchanges, Swift system endpoints and ATMs in at least 38 countries around the world.

Multiple targets

The most significant cyber operation related to APT38 was related to the theft of Bangladesh Bank in 2016, in which the group stole $ 81 million. He carried out attacks on Bancomext in 2018 and, in the same year, on Banco de Chile. Cybercriminal groups linked to North Korea are estimated to have stolen more than $ 400 million in cryptocurrencies through cyberattacks in 2021.

The Lazarus Group (also known as Guardians of Peace or Whois Team) is a cybercriminal group operated by the state of North Korea. Between 2010 and 2021, it carried out numerous cyberattacks and is now considered an APT (Advanced Persistent Threat) group due to the intentional nature of the threat and the wide range of techniques used when conducting operations. The ideological impregnation of APT38 and Lazarus is the power of North Korea, in a mode of operation very close to the military unit part of a modern cyberarmy.

It is not possible to accurately assess the breakdown of loot harvested by North Korean APT groups. This data is by definition a military secret. One can only imagine that from the profit of 620 million dollars earned in the last attack, a small portion of the loot was devoted to operating costs and the budget of the APT38 group: salaries of members, recruitment of new members, ongoing training prior to operational integration, malware development costs, purchase of IT and ZeroDay vulnerabilities in international markets, e.g. Zerodium.

Although the operating costs of the APT38 and LAZARUS groups are likely to be relatively high, they remain negligible compared to the amounts stolen that then feed into North Korean power accounts. North Korea’s nuclear program is mobilizing huge budgets in a very poor country. We understand that the financial windfall resulting from cyberattacks on cryptocurrency infrastructures is a very good opportunity to finance expensive …

In general, the global volume and intensity of cyberattacks is systematically increasing everywhere in tandem with the growth of attack surfaces: connected objects, cloud computing, blockchain and cryptocurrency architectures, edge computing, e-commerce, e-banking, telecommuting … So North Korea is no exception to this global trend. Moreover, North Korea’s cyberoffensive infrastructures have proven their effectiveness, a safe bet that groups like APT38 and LAZARUS will continue their prohibited activities and adapt to new cybersecurity challenges: hacking satellites, using artificial intelligence to design future malware, ransomware, spyware, DDoS attacks integrating AI, attacks at the source against cryptocurrency mining farms … As more technology is developed, more systems are developed. deploy and more come out attackers and get opportunities for attackers. North Korea promotes the emergence of talents among hackers, this will continue and intensify the rise of power. In addition, international geopolitical crises (war in Ukraine, Sino-American tensions) have contributed to the escalation of cyberattacks and the emergence of new destructive malware. Russia, Iran, China, Turkey, Syria, Saudi Arabia, but also many other countries have cyberoffensive or cybercriminal groups that work directly with local intelligence services that can use them in outsourced assignments or service. The model of cybermercenary groups meets an operational need and allows countries like Russia to assign certain attacks to Russia’s APT groups. The case of North Korea is particularly the case because the country is subject to international sanctions related to its nuclear weapons program.

APT groups are often affiliated with China, Russia, North Korea, Vietnam, Iran, Syria. There are cybercriminal groups on the American side, but they are not APT: groups associated with Mexican Cartels, Colombian for example.

Payment in cryptocurrencies is becoming prevalent on many digital platforms. Social networks with paid content integrate them by linking them to NFT tokens. Auction houses allow payment in Bitcoins. More and more online games rely on blockchain infrastructures with gains in cryptocurrencies and NFT. Cryptocurrency exchanges and exchange platforms have multiplied with increasingly large flows. New cryptocurrencies supported by raw materials or mining are emerging and evolving in related markets. The deployment of the private and public blockchain opens up new prospects for growth in a decentralized economy, but also offers new attack opportunities and massive “Crypto-Magots” for groups like APT38 and LAZARUS. .


By Thierry BerthierLecturer in mathematics, cybersecurity and cyberdefence, Saint-Cyr cyberdefense chair, University of Limoges.

The original version of this article was published in The Conversation.