The North Korean hacker group Lazarus appears to have stepped up its operations recently, with four confirmed attacks on cryptocurrency entities since June 3. It is now suspected of a fifth, against the exchange CoinEx on September 12. CoinEx has said in a series of tweets that the suspicious wallet addresses are still being confirmed, so the total value of the stolen funds is not yet known; it is currently believed to be around $54 million.

Over the past 104 days, Lazarus has been confirmed to have stolen nearly $240 million in crypto assets from AtomicWallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million).

Latest Lazarus Attack

As shown above, analysis by the blockchain analytics firm Elliptic found that some of the funds stolen from CoinEx were sent to an address that the Lazarus Group had used to launder funds stolen from Stake.com, albeit on a different blockchain. The funds were then bridged to Ethereum through a bridge Lazarus has used before, and sent on to an address known to be controlled by the CoinEx hacker. Elliptic has previously observed Lazarus commingling the proceeds of different hacks, most recently when funds stolen from Stake.com overlapped with funds stolen from AtomicWallet. These points where funds from different hacks are combined are shown in orange in the image below.

Given this on-chain activity, and with no information suggesting that any other threat group carried out the CoinEx hack, Elliptic's assessment is that the Lazarus Group should be suspected of stealing the CoinEx funds.
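The attribution reasoning above rests on two on-chain observations: funds from the new hack reach an address already labelled from an earlier incident, and the traces of two incidents share downstream addresses after a bridge. The script below is an added example, written for this page and not Elliptic's code or tooling, that implements that check as a time-aware forward trace over a transfer log. Every chain name (chain_a, chain_b), address, timestamp and label in it is constructed for illustration; a record whose two nodes sit on different chains stands in for a bridge deposit and its matching withdrawal.

```python
"""Added example (not Elliptic's code): time-aware forward tracing of stolen
funds across chains and a check for overlap with addresses attributed to an
earlier incident. Every chain name, address, timestamp and label below is
constructed for illustration."""
from collections import defaultdict


def build_graph(transfers):
    """Adjacency list keyed by source node ("chain:address"), each entry a
    (time, destination) pair sorted by time. A record whose two nodes sit on
    different chains models a bridge deposit and its matching withdrawal."""
    graph = defaultdict(list)
    for when, src, dst in transfers:
        graph[src].append((when, dst))
    for edges in graph.values():
        edges.sort()
    return graph


def trace(graph, origins, start_time):
    """Forward taint from the origin addresses. A transfer out of a node is
    followed only if it happened at or after the traced funds arrived there,
    so pre-incident outflows are not tainted. Returns {node: earliest_arrival}.
    This is reachability only: it ignores amounts, so once funds commingle at
    an address every later outflow counts as reached by both incidents."""
    arrival = {}
    stack = [(node, start_time) for node in origins]
    while stack:
        node, when = stack.pop()
        if node in arrival and arrival[node] <= when:
            continue
        arrival[node] = when
        for edge_time, nxt in graph.get(node, []):
            if edge_time >= when:
                stack.append((nxt, edge_time))
    return arrival


def attribute(transfers, hacks, known_labels):
    """For each incident, list reached addresses that already carry a label
    and the nodes its trace shares with every other incident's trace."""
    graph = build_graph(transfers)
    traces = {name: trace(graph, origins, when)
              for name, (when, origins) in hacks.items()}
    report = {}
    for name, reached in traces.items():
        hits = {n: known_labels[n] for n in reached if n in known_labels}
        shared = {}
        for other, other_reached in traces.items():
            common = sorted(set(reached) & set(other_reached))
            if other != name and common:
                shared[other] = common
        report[name] = {"labelled_hits": hits, "shared_nodes": shared}
    return report


# Constructed transfer log: (block_time, from_node, to_node).
TRANSFERS = [
    (50,  "chain_a:0xstake_hot",    "chain_a:0xcustomer_payout"),    # legitimate, pre-incident
    (100, "chain_a:0xstake_hot",    "chain_a:0xstake_cons1"),        # Stake.com theft begins
    (101, "chain_a:0xstake_cons1",  "chain_a:0xL_launder"),
    (102, "chain_a:0xL_launder",    "ethereum:0xL_eth1"),            # bridged to Ethereum
    (150, "chain_a:0xmerchant",     "ethereum:0xexchange_deposit"),  # unrelated traffic
    (200, "chain_b:0xcoinex_hot",   "chain_b:0xcoinex_mid"),         # CoinEx theft begins
    (201, "chain_b:0xcoinex_mid",   "chain_a:0xL_launder"),          # bridged; reuses the address
    (202, "chain_a:0xL_launder",    "ethereum:0xL_eth2"),            # bridged to Ethereum again
    (203, "ethereum:0xL_eth2",      "ethereum:0xcoinex_hacker"),     # back to the CoinEx hacker
]

# Labels from earlier investigations (constructed).
KNOWN_LABELS = {
    "chain_a:0xL_launder": "Lazarus laundering address (Stake.com funds)",
    "ethereum:0xcoinex_hacker": "CoinEx hacker",
}

# Incident name -> (time the theft began, hot-wallet addresses drained).
HACKS = {
    "Stake.com": (100, ["chain_a:0xstake_hot"]),
    "CoinEx": (200, ["chain_b:0xcoinex_hot"]),
}

if __name__ == "__main__":
    for incident, findings in attribute(TRANSFERS, HACKS, KNOWN_LABELS).items():
        print(incident, findings)
```

The timestamp check is what keeps the hot wallet's pre-incident payout (t=50) and the earlier bridge transfer (t=102) out of the CoinEx trace, while the reused laundering address still shows up as a labelled hit and as a node shared with the Stake.com trace. Because the trace is pure reachability, anything that leaves the shared address after the CoinEx funds arrive is reported for both incidents; a production analysis would weight flows by amount (FIFO or proportional tainting) to decide how much of each later outflow actually belongs to which theft.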

Five Lazarus attacks in 104 days

In 2022, several high-profile hacks were attributed to Lazarus, including those of Harmony's Horizon bridge and Axie Infinity's Ronin bridge, both in the first half of that year. Between then and June of this year, no major crypto heist was publicly attributed to Lazarus. The string of incidents over the past 104 days therefore marks a clear resurgence in the activity of North Korean threat groups.

On June 3, 2023, users of the non-custodial, decentralized cryptocurrency wallet AtomicWallet lost more than $100 million. On June 6, Elliptic attributed the hack to Lazarus after identifying several indicators that a North Korean threat group was responsible; the FBI later confirmed the attribution.

On July 22, 2023, Lazarus gained access to hot wallets belonging to the cryptocurrency payment platform CoinsPaid through a successful social engineering attack. That access let the attackers create authorization requests to withdraw approximately $37.3 million in crypto assets from the platform's hot wallets. On July 26, CoinsPaid published a report attributing the attack to Lazarus; the FBI later confirmed the attribution.

On the same day, July 22, Lazarus carried out another high-profile attack, this time on the centralized crypto payments provider Alphapo, stealing $60 million in crypto assets. The attackers may have gained access through a previously leaked private key. The FBI later attributed this attack to Lazarus as well.

On September 4, 2023, the online cryptocurrency casino Stake.com was attacked and approximately $41 million in virtual currency was stolen, possibly as a result of stolen private keys. The FBI issued a press release on September 6 confirming that the Lazarus Group was behind the attack.

Finally, on September 12, 2023, the centralized cryptocurrency exchange CoinEx was hacked and an estimated $54 million was stolen. As detailed above, several factors point to Lazarus being responsible.

A change of strategy?

Analysis of Lazarus' latest activity shows that since last year it has shifted its focus from decentralized to centralized services: of the five recent hacks discussed above, four targeted centralized virtual asset service providers. Centralized exchanges were also Lazarus' preferred target before 2020, prior to the rapid rise of the decentralized finance (DeFi) ecosystem.

There are several possible reasons for Lazarus turning its attention back to centralized services.

Greater attention to DeFi security: Elliptic's research on DeFi hacks in 2022 found that an exploit occurred on average every four days, with an average of $32.6 million stolen each time. Cross-chain bridges were a relatively new type of service in early 2022 but have since become one of the most frequently hacked categories of DeFi protocol. These trends have likely driven improvements in smart contract auditing and development standards, narrowing the room hackers have to find and exploit vulnerabilities.

Susceptibility to social engineering: in many of its attacks, the Lazarus Group's method of choice has been social engineering; the $540 million Ronin Bridge hack, for example, began with fake job postings on LinkedIn. However, decentralized services typically have small workforces and are, as the name suggests, decentralized to varying degrees, so compromising a developer does not necessarily translate into administrative control over a smart contract.

Centralized exchanges, by contrast, are likely to have larger headcounts, widening the pool of possible targets. They are also more likely to run on centralized internal IT systems, giving Lazarus' malware more scope to reach the business functions it is after.