Rob Behnke
November 16th, 2023
Hacks of DeFi protocols and other smart contracts are a regular occurrence. Each month, several projects lose millions or hundreds of millions of dollars to smart contract exploits, private key theft, and similar security incidents.
However, while there are a number of threat actors in the crypto space, one stands out from the crowd: the Lazarus Group. Many of the biggest crypto hacks to date have been attributed to or suspected to have been performed by the Lazarus Group. In this article, we’ll reveal more about the Lazarus Group’s background (although for a fuller picture of their history, you can read our prior blog on the Lazarus Group), review some of its biggest hacks and how they’re attributed, as well as provide some tips for organizations on how they can protect their assets from the Lazarus Group’s notorious hackers.
The Lazarus Group is an advanced persistent threat (APT) group associated with the government of North Korea. The group has been in operation since 2009 and has been implicated in a number of high-profile cyberattacks.
The Lazarus Group is a sophisticated cybercrime group that has refined and expanded its capabilities during the years that it has been in operation. However, the group is especially known for its social engineering and malware attacks. Many of the attacks attributed to the Lazarus Group begin as a phishing attack designed to deliver the group’s custom malware to the target or to steal sensitive information — such as login credentials or private keys — that can be used to carry out the later stages of the attack.
The Lazarus Group has a diverse history of cyberattacks performed outside of the Web3 space, including ones with both financial and political motives. However, in recent years, the group has increasingly moved into the crypto space, performing large-scale attacks that have drained hundreds of millions of dollars from blockchain projects.
Attributing a cyberattack is difficult, especially in the blockchain space where accounts are anonymous and tools like Tornado Cash can be used to launder money and obfuscate the trail.
However, many attacks have been linked to the Lazarus Group with a high degree of certainty, including the following:
Ronin Network: The biggest DeFi hack to date, the 2022 Ronin Network hack resulted in the theft of an estimated $624 million from the cross-chain bridge. The Lazarus Group gained access to five of the validators needed to approve cross-chain transactions, enabling them to digitally sign malicious transactions that drained value from the cross-chain bridge.
Horizon Bridge: The Harmony Horizon cross-chain bridge was exploited in June 2022 by the Lazarus Group. This is another high-profile hack of a cross-chain bridge by the Lazarus Group that netted the cybercriminals an estimated $100 million.
Atomic Wallet: In June 2023, the Lazarus Group stole over $100 million from users of Atomic Wallet. The attacker exploited known vulnerabilities in the wallet software to drain value from multiple user accounts across 13 blockchains.
AlphaPo: In July 2023, an estimated $60 million was drained from the wallets of the crypto payments processor across three blockchains. The Lazarus Group is believed to have stolen private keys that allowed them to carry out the attack.
Stake.com: Another private key theft targeted the Stake on-chain casino in September 2023. In this case, the Lazarus Group is believed to have stolen about $41 million from the project’s hot wallets.
CoinEx: CoinEx suffered drained hot wallets across thirteen blockchains in September 2023. In this case, the attacker stole an estimated $54.3 million in total.
This is a list of attacks that have been attributed to the Lazarus Group with a high degree of confidence. However, the group likely performed several other blockchain hacks that were not linked to the group.
Anonymity — or more accurately pseudonymity — is one of the defining attributes of blockchain protocols. Since blockchain addresses are linked to random private rather than real-world identities, it can be difficult to determine who is behind a blockchain hack.
The attributions of blockchain hacks to the Lazarus Group are based on various different factors. Some of the common bases for these attributions include:
Tactics and Techniques: The Lazarus Group is well-known for its social engineering skills, and many of the largest blockchain hacks involved the use of social engineering to steal private keys. As a result, many of these types of attacks are often suspected to be related to the Lazarus Group.
On-Chain Activity: The Lazarus Group also has a standard pattern of on-chain activity as they move stolen funds from a compromised platform to tools such as Tornado Cash used to cover the attacker’s trail. This pattern of activity can also be used to link attacks to the Lazarus Group, especially when the attackers use the same addresses across multiple attacks (as occurred in the case of the Stake.com and CoinEx hacks).
While these are some of the top signs of a Lazarus Group attack, other indicators may be used as well. For example, some attacks may employ custom malware known to have been developed and used by the Lazarus Group.
The Lazarus group has emerged as one of the main threats to crypto projects and their users.
Some best practices that DeFi projects can adopt to help protect against these attacks include the following:
Use Multi-Signature Wallets: Lazarus Group attacks commonly involve the theft of private keys. Multi-signature wallets — which require multiple keys to perform transactions — make these attacks more difficult by requiring attackers to steal multiple keys.
Have Endpoint Security Solutions: The Lazarus Group is also known for using social engineering to deliver malware to target systems. Endpoint security solutions — such as an antivirus — can help to detect and block these attacks.
Offer Employee Security Training: The Lazarus Group specializes in social engineering attacks, Teaching employees to identify these attacks can help prevent them from falling for these deceptions.
The Lazarus Group is one of the most well-known and sophisticated cybercrime groups in operation today. In addition to attacks spanning various industries and geographic regions, the Lazarus Group has also emerged as one of the most effective cyber threat actors in the crypto space.
In general, the Lazarus Group’s attacks have used social engineering to deliver custom malware or steal private keys. Security best practices such as multi-signature wallets, endpoint security solutions, and cybersecurity awareness training can help to protect blockchain projects against these attacks.
For more information about protecting your DeFi project, get in touch with Halborn.