Lazarus Group’s favorite exploit revealed — Crypto hacks analysis

Share via:


More than 70% of the crypto lost to North Korea-linked hacks since 2020 was stolen via private key exploits, according to Magazine’s analysis of data from the United Nations Security Council (UNSC) and DeFiLlama.

The combined figures suggest North Korea was responsible for about $2.4 billion of crypto heists since 2020, of which $1.69 billion was stolen due to compromised private keys.

These cybercrimes are often attributed to the Lazarus Group — a notorious hacking syndicate allegedly backed by the North Korean state — and allegedly support the hermit kingdom’s weapons of mass destruction program.

The UNSC published a 615-page report last month detailing probes into 58 crypto heists with suspected North Korean involvement dating back to 2017. The hacks netted approximately $3 billion, including $700 million during 2023 alone.

Gaining a comprehensive picture of every attack is difficult, however. Slava Demchuk, co-founder of blockchain intelligence platform AMLBot, tells Magazine that not all victims report losses and the true scale of hacks could potentially be underestimated.

Blockchain forensics firm Chainalysis estimates a higher figure than the UNSC, reporting in January that North Korea-linked hacks accounted for $1 billion of the $1.7 billion total stolen last year.



In 2020 North Korea denied being responsible for any “cyber threat,” putting it in the same quotation marks as other U.S. criticisms of the country regarding “human rights,” “sponsoring of terrorism” and “money laundering.”

Few outside of North Korea believe that, however, due to the on-chain evidence pointing back to North Korea-linked hackers.

A table from UNSC detailing cryptocurrency hacks attributed to North Korea.A table from UNSC detailing cryptocurrency hacks attributed to North Korea.
Crypto hacks in 2023 attributed to North Korea (UNSC)

Lazarus Group uses phishing and exploits software flaws

Julius Serenas, the founder of NeurochainAI, tells Magazine that hackers choose their targets wisely and only bother with high-value heists.

“As far as I am aware, North Korea is the only country that executes hacks for monetary gain, so this is no surprise that they are targeting groups where they have higher potential success rate,” he says. 

“The code data is available on-chain for everyone to read which gives hackers a lot of information as well as time to execute multiple tactics to exploit any potential vulnerability,” he adds.

According to the UNSC report, North Korean hackers often use phishing tactics and exploit software flaws to steal cryptocurrency, which is then laundered across thousands of addresses.

Screenshot of tweet from ZachXBT alleging Munchables hacker's connection to North Korea.Screenshot of tweet from ZachXBT alleging Munchables hacker's connection to North Korea.
Online detective ZachXBT claims Munchables hacker has ties to North Korea. (Munchables, ZachXBT)

They utilize crypto mixers and privacy tools to hide their tracks and frequently cash out through the TRON blockchain and Tether (USDT).

Their operations increasingly depend on services from Russia and China, the UNSC adds.

The exploits are notable for their sophistication, resources and time frames.

“[North Korean hackers] focus on a small number of high-value targets and can play a very long game, combining detailed technical knowledge with social engineering and spear-phishing capabilities,” ​​Gonçalo Magalhães, head of security at Immunefi, tells Magazine.

The most recent attack linked to North Korea was the $62.5 million stolen from Munchables late last month by the team’s developer, who has suspected ties to North Korea.

While the funds have since been recovered, it is recorded as the year’s largest heist, representing 44.5% of the total of $140 million.

The importance of high security around private keys

Private key compromises are not only frequent but typically lead to the largest losses, Magalhães says. And that goes for major attacks in general. 

Including North Korean attacks, there have been at least 41 major hacks involving private key exploits since 2020, resulting in $2.9 billion in losses, UNSC and DeFiLlama data shows. That’s about 38% of the $7.74 billion in total value hacked since the new decade began. 

Read also


Features

You Say You Want a Revolution: What Blockchain Can Learn from One Man’s Attempt to Save the World


Features

Are You Independent Yet? Financial Self-Sovereignty and the Decentralized Exchange

“A bug in a smart contract might get an attacker to steal a portion of user funds [but] a stolen private key will allow a hacker to withdraw the entire volume of funds or compromise a treasury,” ​​Magalhães says.

Risks related to private keys can target both individuals and protocols. Security experts often advise investors to keep their assets off of centralized exchanges as they are vulnerable to hacks and insolvencies.

Bar chart displayes total hacks from 2020 and North Korea's share.Bar chart displayes total hacks from 2020 and North Korea's share.

However, security concerns extend to the decentralized sphere as well.

Kieran Mesquita, a contributor to the privacy protocol Railgun, notes that many decentralized projects exhibit centralized tendencies due to the management of admin keys. While in the building phase, most DeFi projects retain admin keys to upgrade and recover from serious bugs or flaws. But these keys also leave the protocols vulnerable to attacks. 

“Private key hacks often occur due to carelessness on the side of DeFi protocols where mechanisms around upgradability are added as an after-thought due to them not being part of the core protocol function,” Mesquita tells Magazine.

DeFi protocols’ primary focus tends to be on establishing the main features that define the project’s utility, like swaps or lending. As Mesquita points out, when upgradability features are added later, they can create security gaps.

Lazarus Group, Railgun and Vitalik Buterin

The U.S. Federal Bureau of Investigation in January alleged that North Korean cyber criminals used Railgun — a privacy protocol favored by Ethereum founder Vitalik Buterin — to launder stolen funds.

Railgun denies the claims and says that the group is blocked from using its system.

Railgun denies that North Korean hackers use its privacy protocol.Railgun denies that North Korean hackers use its privacy protocol.
Railgun claims the allegation is false. (Railgun)

Private key hacks, leading in volume with $2.9 billion stolen, are the second most frequent type of exploit, with 41 incidents since 2020, according to data from the UNSC and DefiLlama. Flash loan attacks rank first in frequency, with 64 incidents against protocols.

Flash loan attacks allow malicious actors to borrow large sums of cryptocurrencies from DeFi protocols without collateral on the condition that it is repaid immediately. 

This sudden access to capital opens doors to market manipulation strategies. 

For instance, attackers might exploit existing price discrepancies across different trading platforms.By using the borrowed funds to buy an asset on one exchange where it’s cheaper and then selling it on another where it’s more expensive, they can profit from the price differential, but such large-scale trades can lead to sudden price drops.

Manipulating the market price of an asset can impact smart contract functions that rely on price feeds for operational decisions, such as those managing loans, swaps, or liquidity pools. 

Read also


Features

How the crypto workforce changed in the pandemic


Features

Tim Draper’s ‘odd’ rules for investing in success

Since 2020, flash loan attacks have resulted in a lower total loss of $1.16 billion.

“Flash loan attacks, while being common in the DeFi sector, exhibit certain characteristics that make them both relatively easy to execute and typically result in lower average losses compared to other types of security breaches like access control or private key hacks,” Demchuk says.

North Korean hackers don’t have a flash loan attack on DefiLlama records and the UNSC’s report, although there are a few suspected cases.

Last year, a $200 million flash loan attack on DeFi lending protocol Euler Finance involved the hacker sending a small portion of the funds to the Lazarus Group’s wallet, according to Chainalysis. However, after a phishing attempt by the North Korean syndicate against the Euler Finance hacker, the stolen funds were returned, suggesting the transaction was intended for misdirection.

“With a flash loan, anyone can perform an attack as if they had as many funds as a state-sponsored hacker,” Magalhães says.

Lazarus Group-linked hacks increased in 2023 but were less profitable

According to Chainalysis, North Korean hackers were more active in 2023 but got away with $700 million less than the year before.

The overall amount of crypto hacked from protocols also dropped to $1.53 billion last year from $3.28 billion in 2022, according to Magazine’s analysis of DefiLlama and UNSC data. The 2023 figure is also lower than 2021’s $2.34 billion. This could indicate that projects are either getting smarter about security, that bear market prices impacted the total or a combination of the two.

DeFi platforms accounted for most of the hacks, and Demchuk says the declining total losses could hint at enhancements in DeFi security. However, he warns investors that hacking volume is expected to increase with favorable market conditions and the growing DeFi sector.

Chainalysis chart shows total cryptocurrencies stolen from 2016.Chainalysis chart shows total cryptocurrencies stolen from 2016.
Total value of cryptocurrencies stolen through the years. (Chainalysis)

Individual users at risk from phishing attacks

Meanwhile, Tim Zinin, chief marketing officer of 1inch Hardware Wallet, tells Magazine that individual investors are also at risk from exploits.

Read also


Features

Real AI use cases in crypto, No. 2: AIs can run DAOs


Features

The value of a legacy: Hunting down Satoshi’s Bitcoin

“The growth in losses from phishing attacks targeting individuals is concerning and likely reflects attackers following the money as more retail users enter DeFi,” Zinin says

Investors lost $71 million to phishing scams in March, which is a 50% increase from February this year, according to Scam Sniffer.

Scam Sniffer March phishing hacksScam Sniffer March phishing hacks
Damage caused by phishing attacks in March. (Scam Sniffer)

Railgun’s Mesquita recommends users take it a step further and reduce “blind signing” transactions from their wallets when interacting with DeFi protocols.

Reducing blind signing of transactions can be challenging for everyday users, as many transaction requests appear in code that is difficult to understand. Serenas from NeurochainAI believes that artificial intelligence can help bridge this gap.

“[Blockchain projects] could easily employ AI solutions to analyze and provide security index of a particular project before the user confirms any transaction,” Serenas says.

“AI does not sleep, does not eat and can learn new threat tactics with ease.”

Yohan YunYohan Yun

Yohan Yun

Yohan Yun is a multimedia journalist covering blockchain since 2017. He has contributed to crypto media outlet Forkast as an editor and has covered Asian tech stories as an assistant reporter for Bloomberg BNA and Forbes. He spends his free time cooking, and experimenting with new recipes.

Read also


Hodler’s Digest

NY sues crypto firms, FTX’s Nishad faces 75 years in jail, and Grayscale’s new BTC filing: Hodler’s Digest, Oct. 15-21

by
Editorial Staff

7 min
October 21, 2023

Nishad Singh testifies in Sam Bankman-Fried’s trial; New York sues Gemini, Genesis and Digital Currency Group; and Grayscale files for new spot Bitcoin ETF.

Read more


Hodler’s Digest

BlockFi settles with the SEC, Russia’s CBDC trials begin and Cointelegraph releases its 2022 Top 100 list: Hodler’s Digest, Feb. 13-19

by
Editorial Staff

7 min
February 19, 2022

The best (and worst) quotes, adoption and regulation highlights, leading coins, predictions and much more — one week on Cointelegraph in one link!

Read more





Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Popular

More Like this

Lazarus Group’s favorite exploit revealed — Crypto hacks analysis


More than 70% of the crypto lost to North Korea-linked hacks since 2020 was stolen via private key exploits, according to Magazine’s analysis of data from the United Nations Security Council (UNSC) and DeFiLlama.

The combined figures suggest North Korea was responsible for about $2.4 billion of crypto heists since 2020, of which $1.69 billion was stolen due to compromised private keys.

These cybercrimes are often attributed to the Lazarus Group — a notorious hacking syndicate allegedly backed by the North Korean state — and allegedly support the hermit kingdom’s weapons of mass destruction program.

The UNSC published a 615-page report last month detailing probes into 58 crypto heists with suspected North Korean involvement dating back to 2017. The hacks netted approximately $3 billion, including $700 million during 2023 alone.

Gaining a comprehensive picture of every attack is difficult, however. Slava Demchuk, co-founder of blockchain intelligence platform AMLBot, tells Magazine that not all victims report losses and the true scale of hacks could potentially be underestimated.

Blockchain forensics firm Chainalysis estimates a higher figure than the UNSC, reporting in January that North Korea-linked hacks accounted for $1 billion of the $1.7 billion total stolen last year.



In 2020 North Korea denied being responsible for any “cyber threat,” putting it in the same quotation marks as other U.S. criticisms of the country regarding “human rights,” “sponsoring of terrorism” and “money laundering.”

Few outside of North Korea believe that, however, due to the on-chain evidence pointing back to North Korea-linked hackers.

A table from UNSC detailing cryptocurrency hacks attributed to North Korea.A table from UNSC detailing cryptocurrency hacks attributed to North Korea.
Crypto hacks in 2023 attributed to North Korea (UNSC)

Lazarus Group uses phishing and exploits software flaws

Julius Serenas, the founder of NeurochainAI, tells Magazine that hackers choose their targets wisely and only bother with high-value heists.

“As far as I am aware, North Korea is the only country that executes hacks for monetary gain, so this is no surprise that they are targeting groups where they have higher potential success rate,” he says. 

“The code data is available on-chain for everyone to read which gives hackers a lot of information as well as time to execute multiple tactics to exploit any potential vulnerability,” he adds.

According to the UNSC report, North Korean hackers often use phishing tactics and exploit software flaws to steal cryptocurrency, which is then laundered across thousands of addresses.

Screenshot of tweet from ZachXBT alleging Munchables hacker's connection to North Korea.Screenshot of tweet from ZachXBT alleging Munchables hacker's connection to North Korea.
Online detective ZachXBT claims Munchables hacker has ties to North Korea. (Munchables, ZachXBT)

They utilize crypto mixers and privacy tools to hide their tracks and frequently cash out through the TRON blockchain and Tether (USDT).

Their operations increasingly depend on services from Russia and China, the UNSC adds.

The exploits are notable for their sophistication, resources and time frames.

“[North Korean hackers] focus on a small number of high-value targets and can play a very long game, combining detailed technical knowledge with social engineering and spear-phishing capabilities,” ​​Gonçalo Magalhães, head of security at Immunefi, tells Magazine.

The most recent attack linked to North Korea was the $62.5 million stolen from Munchables late last month by the team’s developer, who has suspected ties to North Korea.

While the funds have since been recovered, it is recorded as the year’s largest heist, representing 44.5% of the total of $140 million.

The importance of high security around private keys

Private key compromises are not only frequent but typically lead to the largest losses, Magalhães says. And that goes for major attacks in general. 

Including North Korean attacks, there have been at least 41 major hacks involving private key exploits since 2020, resulting in $2.9 billion in losses, UNSC and DeFiLlama data shows. That’s about 38% of the $7.74 billion in total value hacked since the new decade began. 

Read also


Features

You Say You Want a Revolution: What Blockchain Can Learn from One Man’s Attempt to Save the World


Features

Are You Independent Yet? Financial Self-Sovereignty and the Decentralized Exchange

“A bug in a smart contract might get an attacker to steal a portion of user funds [but] a stolen private key will allow a hacker to withdraw the entire volume of funds or compromise a treasury,” ​​Magalhães says.

Risks related to private keys can target both individuals and protocols. Security experts often advise investors to keep their assets off of centralized exchanges as they are vulnerable to hacks and insolvencies.

Bar chart displayes total hacks from 2020 and North Korea's share.Bar chart displayes total hacks from 2020 and North Korea's share.

However, security concerns extend to the decentralized sphere as well.

Kieran Mesquita, a contributor to the privacy protocol Railgun, notes that many decentralized projects exhibit centralized tendencies due to the management of admin keys. While in the building phase, most DeFi projects retain admin keys to upgrade and recover from serious bugs or flaws. But these keys also leave the protocols vulnerable to attacks. 

“Private key hacks often occur due to carelessness on the side of DeFi protocols where mechanisms around upgradability are added as an after-thought due to them not being part of the core protocol function,” Mesquita tells Magazine.

DeFi protocols’ primary focus tends to be on establishing the main features that define the project’s utility, like swaps or lending. As Mesquita points out, when upgradability features are added later, they can create security gaps.

Lazarus Group, Railgun and Vitalik Buterin

The U.S. Federal Bureau of Investigation in January alleged that North Korean cyber criminals used Railgun — a privacy protocol favored by Ethereum founder Vitalik Buterin — to launder stolen funds.

Railgun denies the claims and says that the group is blocked from using its system.

Railgun denies that North Korean hackers use its privacy protocol.Railgun denies that North Korean hackers use its privacy protocol.
Railgun claims the allegation is false. (Railgun)

Private key hacks, leading in volume with $2.9 billion stolen, are the second most frequent type of exploit, with 41 incidents since 2020, according to data from the UNSC and DefiLlama. Flash loan attacks rank first in frequency, with 64 incidents against protocols.

Flash loan attacks allow malicious actors to borrow large sums of cryptocurrencies from DeFi protocols without collateral on the condition that it is repaid immediately. 

This sudden access to capital opens doors to market manipulation strategies. 

For instance, attackers might exploit existing price discrepancies across different trading platforms.By using the borrowed funds to buy an asset on one exchange where it’s cheaper and then selling it on another where it’s more expensive, they can profit from the price differential, but such large-scale trades can lead to sudden price drops.

Manipulating the market price of an asset can impact smart contract functions that rely on price feeds for operational decisions, such as those managing loans, swaps, or liquidity pools. 

Read also


Features

How the crypto workforce changed in the pandemic


Features

Tim Draper’s ‘odd’ rules for investing in success

Since 2020, flash loan attacks have resulted in a lower total loss of $1.16 billion.

“Flash loan attacks, while being common in the DeFi sector, exhibit certain characteristics that make them both relatively easy to execute and typically result in lower average losses compared to other types of security breaches like access control or private key hacks,” Demchuk says.

North Korean hackers don’t have a flash loan attack on DefiLlama records and the UNSC’s report, although there are a few suspected cases.

Last year, a $200 million flash loan attack on DeFi lending protocol Euler Finance involved the hacker sending a small portion of the funds to the Lazarus Group’s wallet, according to Chainalysis. However, after a phishing attempt by the North Korean syndicate against the Euler Finance hacker, the stolen funds were returned, suggesting the transaction was intended for misdirection.

“With a flash loan, anyone can perform an attack as if they had as many funds as a state-sponsored hacker,” Magalhães says.

Lazarus Group-linked hacks increased in 2023 but were less profitable

According to Chainalysis, North Korean hackers were more active in 2023 but got away with $700 million less than the year before.

The overall amount of crypto hacked from protocols also dropped to $1.53 billion last year from $3.28 billion in 2022, according to Magazine’s analysis of DefiLlama and UNSC data. The 2023 figure is also lower than 2021’s $2.34 billion. This could indicate that projects are either getting smarter about security, that bear market prices impacted the total or a combination of the two.

DeFi platforms accounted for most of the hacks, and Demchuk says the declining total losses could hint at enhancements in DeFi security. However, he warns investors that hacking volume is expected to increase with favorable market conditions and the growing DeFi sector.

Chainalysis chart shows total cryptocurrencies stolen from 2016.Chainalysis chart shows total cryptocurrencies stolen from 2016.
Total value of cryptocurrencies stolen through the years. (Chainalysis)

Individual users at risk from phishing attacks

Meanwhile, Tim Zinin, chief marketing officer of 1inch Hardware Wallet, tells Magazine that individual investors are also at risk from exploits.

Read also


Features

Real AI use cases in crypto, No. 2: AIs can run DAOs


Features

The value of a legacy: Hunting down Satoshi’s Bitcoin

“The growth in losses from phishing attacks targeting individuals is concerning and likely reflects attackers following the money as more retail users enter DeFi,” Zinin says

Investors lost $71 million to phishing scams in March, which is a 50% increase from February this year, according to Scam Sniffer.

Scam Sniffer March phishing hacksScam Sniffer March phishing hacks
Damage caused by phishing attacks in March. (Scam Sniffer)

Railgun’s Mesquita recommends users take it a step further and reduce “blind signing” transactions from their wallets when interacting with DeFi protocols.

Reducing blind signing of transactions can be challenging for everyday users, as many transaction requests appear in code that is difficult to understand. Serenas from NeurochainAI believes that artificial intelligence can help bridge this gap.

“[Blockchain projects] could easily employ AI solutions to analyze and provide security index of a particular project before the user confirms any transaction,” Serenas says.

“AI does not sleep, does not eat and can learn new threat tactics with ease.”

Yohan YunYohan Yun

Yohan Yun

Yohan Yun is a multimedia journalist covering blockchain since 2017. He has contributed to crypto media outlet Forkast as an editor and has covered Asian tech stories as an assistant reporter for Bloomberg BNA and Forbes. He spends his free time cooking, and experimenting with new recipes.

Read also


Hodler’s Digest

NY sues crypto firms, FTX’s Nishad faces 75 years in jail, and Grayscale’s new BTC filing: Hodler’s Digest, Oct. 15-21

by
Editorial Staff

7 min
October 21, 2023

Nishad Singh testifies in Sam Bankman-Fried’s trial; New York sues Gemini, Genesis and Digital Currency Group; and Grayscale files for new spot Bitcoin ETF.

Read more


Hodler’s Digest

BlockFi settles with the SEC, Russia’s CBDC trials begin and Cointelegraph releases its 2022 Top 100 list: Hodler’s Digest, Feb. 13-19

by
Editorial Staff

7 min
February 19, 2022

The best (and worst) quotes, adoption and regulation highlights, leading coins, predictions and much more — one week on Cointelegraph in one link!

Read more





Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

More like this

Apple is reportedly building a more conversational Siri powered...

Apple is developing a new version of its...

Future Google supplier Kairos gets approval to build two...

Nuclear startup Kairos Power received approval from the...

The Graph introduces GRC-20 standard for Web3 data structure

The Graph advances from subgraphs to knowledge graphs...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!