North Korean hackers responsible for $235 million theft from Indian crypto exchange WazirX, says Cyfirma

More than a week after $230 million was stolen from the Indian crypto exchange WazirX, it has been identified that the North Korean hacker group Lazarus Group was behind this massive theft. 

According to Cyfirma, the state-sponsored attack is linked to North Korea's Reconnaissance General Bureau (RGB), a primary intelligence service. CYFIRMA’s researchers' analysis revealed that close to $235 million in crypto assets were lost due to the breach.

This included over 200 different assets, such as approximately $96.7 million of Shiba Inu, $52.6 million of Ether, $11 million of Matic, and $7.6 million of Pepe.

The threat actor has already swapped a number of these tokens for Ether using a variety of decentralized services, an expected initial step in a typical laundering process, the firm said.

The attacks were carried out by two subgroups of the Lazarus Group, namely APT38 and Blue Noroff. Lazarus mainly targets crypto exchanges and financial institutions worldwide.

Who are these two groups?

APT38 primarily focuses on financial crimes, including attacks on banks and cryptocurrency exchanges. They are known for orchestrating large-scale heists and have been linked to several high-profile attacks on Asian financial institutions and crypto exchanges.

APT38 uses sophisticated techniques such as custom malware, spear-phishing campaigns, and exploiting software vulnerabilities to infiltrate and steal funds. BlueNoroff is focused on targeting financial institutions and cryptocurrency exchanges.

Cyfirma said the group has been implicated in various attacks on crypto exchanges in Asia, employing tactics such as phishing, malware deployment, and social engineering to compromise their targets.

BlueNoroff has been known to set up fake companies and personas to establish trust and infiltrate the systems of crypto exchanges.

Motive behind attacks

Kumar Ritesh, CEO & Founder, Cyfirma, said, “Heists have been ongoing for several years, with notable attacks  occurring since at least 2017. Significant heists have occurred in various countries, including South Korea, Japan, the United States, and others. The frequency of these attacks can vary, but they often occur in wave."

According to Ritesh, the primary motivation behind the attacks is to generate revenue for the North Korean regime.

The stolen cryptocurrency is used to fund the country's weapons programs and to evade international sanctions, he said.

Notable attacks

In 2017 and 2018, Bithumb, one of South Korea's largest cryptocurrency exchanges, suffered multiple hacks attributed to Lazarus Group, resulting in millions of dollars in stolen cryptocurrency. 

In January 2018, Coincheck, a Japanese cryptocurrency exchange, was hacked, resulting in the theft of over $530 million worth of NEM tokens.

While not definitively attributed to Lazarus, the methods used were consistent with their tactics.

In December 2017, Youbit, a South Korean cryptocurrency exchange, declared bankruptcy after a hack attributed to Lazarus Group resulted in the loss of 17% of its assets.

Methods used by attackers

Lazarus often begins with spear-phishing campaigns, sending targeted emails to employees of crypto exchanges. These emails contain malicious attachments or links that, once opened, install malware on the victim's computer.

Based on the latest learnings, Cyfirma claims that either the Liminal Custody UI was compromised, or WazirX laptops were compromised to phish signatures. This was not an insider attack, and no private keys were compromised, the report said.

The group uses social engineering tactics to gain the trust of employees and trick them into revealing sensitive information or performing actions that compromise the exchange's security.

Lazarus exploits known and zero-day vulnerabilities in the software used by crypto exchanges. This can include vulnerabilities in web applications, servers, or employee workstations.

The group then deploys various types of malware, such as remote access Trojans (RATs) and keyloggers, to gain persistent access to the exchange's network and monitor activities.

Once inside the network, It moves laterally to gain higher levels of access and control, often aiming to reach the servers that manage cryptocurrency wallets.

After gaining access, they transfer the stolen cryptocurrency to wallets they control. These funds are often laundered through various means, including mixing services and multiple transactions across different cryptocurrencies and exchanges to obscure the origin of the funds.

What does Cyfirma do?

CYFIRMA is a Singapore-based external threat landscape management platform company. The company combines cyber intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. 

Notably, the company's cloud-based AI and ML-powered analytics platforms provide the hacker’s view with deep insights into the external cyber landscape, helping clients prepare for impending attacks.

Apart from Singapore, CYFIRMA also has offices in Japan, India, the US, and the EU.