“If the Internet is like a gun, cyberattacks are like atomic bombs.” – Kim Jong Il
“Cyberwarfare is an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.” – Kim Jong-un
"The real purpose of the DPRK’s cyber, military, policy, and political aggressiveness is ultimately to control and subdue its own population and retain power."
- North Korean Cyber Attacks
- Recorded Future: North Korea's Cyber Strategy
- Recorded Future: Crypto Country
- The Incredible Rise of North Korea's Hacking Elite
- Comprehensive timeline of North Korea sanctions with the events that triggered them: 1985-2021
- Why is North Korea so Interested in Bitcoin? (2017)
- Exposing the Financial Footprints of North Korea’s Hackers
- Tracking Internet Use Out of North Korea Reveal The Adaptable and Innovative Ruling Elite
- Organizational Map of DPRK Cyber Operations (2022)
- Update to the Organizational Map of DPRK Cyber Operations (2023)
- Update to the Organizational Map of DPRK Cyber Operations (2024)
- Lazarus Group Deep Dive: 1
- Lazarus Group Deep Dive: 2
- Lazarus: Under The Hood
- Spotlight On Lazarus
- The All-Purpose Sword: North Korea’s Cyber Operations and Strategies (2019)
- US Army's Report on North Korean Tactics (2020)
- CISA's Guidance on the North Korean Cyber Threat (2020)
- North Korea's Military Power
- North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon
- Kim Jong Un is directly handling results of new COVID-19 hacking organization's work
Year | Tay's Totals | Tay's Count | Chain's 2024 Totals | Chain's 2024 Count | Chain's 2023 Totals | Chain's 2023 Count | TRM's Totals | TRM's Counts | UN Totals | UN Counts |
---|---|---|---|---|---|---|---|---|---|---|
2016 | $1,500,000 | 1 | $2,000,000 | 1 | $1,500,000 | 1 | 0 | n/a | 0 | 0 |
2017 | $88,640,000 | 7 | $29,000,000 | 4 | $29,000,000 | 4 | $100,000,000 | n/a | $88,640,000 | 6 |
2018 | $456,265,000 | 17 | $522,000,000 | 10 | $522,000,000 | 10 | $400,000,000 | n/a | $447,600,000 | 11 |
2019 | $207,794,000 | 10 | $271,000,000 | 9 | $271,000,000 | 9 | $200,000,000 | n/a | $209,272,000 | 8 |
2020 | $315,987,000 | 14 | $300,000,000 | 5 | $300,000,000 | 5 | $290,000,000 | n/a | $300,200,000 | 4 |
2021 | $534,200,000 | 18 | $506,000,000 | 11 | $428,800,000 | 9 | $250,000,000 | n/a | $175,600,000 | 6 |
2022 | $755,605,000 | 14 | $1,100,000,000 | 14 | $1,650,000,000 | 15 | $850,000,000 | n/a | $991,700,000 | 5 |
2023 | $646,164,146 | 25 | $660,000,000 | 20 | $1,000,000,000 | 20 | $600,000,000 | n/a | $753,019,000 | 17 |
2024 | $904,770,112 | 41 | $1,300,000,000 | 49 | n/a | n/a | n/a | n/a | n/a | n/a |
Total | $3,910,925,258 | 147 | $4,690,000,000 | | $4,202,300,000 | 73 | $2,690,000,000 | n/a | $2,966,031,000 | 57 |
Type | Date | Incident | Amt Stolen |
---|---|---|---|
👛 | 2016-Oct-13 | Bitcurex | $1,500,000 |
| | 2016 | TOTAL | $1,500,000 |
👛 | 2017 | Youbit aka Yapizon aka Coinbin | $7,450,000 |
👛 | 2017 | Bithumb | $14,000,000 |
👛 | 2017-May-12 | Wannacry | $Unknown |
🔑 | 2017-Jul-?? | Korbit | $Unknown |
👛 | 2017-Jul-15 | 2017 Cryptojacking Incidents | $Unknown |
🔑 | 2017-Sep-23 | Coinis | $2,190,000 |
🔑 | 2017-Dec-06 | NiceHash | $65,000,000 |
| | 2017 | TOTAL | $88,640,000 |
💼 | 2018 | Marine Chain | $Unknown |
🔑 | 2018-Mar-18 | Cypherium | $8,500,000 |
👛 | 2018-Apr-12 | Coinsecure | $3,500,000 |
🔑 | 2018-Apr-19 | E7 Theft | $5,000,000 |
🍎 | 2018-Apr-21 | Gate.io | $234,000,000 |
🔑 | 2018-May-29 | Taylor ICO | $1,700,000 |
👛 | 2018-Jun-?? | Bithumb | $31,500,000 |
👛 | 2018-Jun-09 | Coinrail | $37,000,000 |
🔑 | 2018-Jun-16 | G13 Theft | $275,000 |
🔑 | 2018-Jul-09 | Bancor | $23,500,000 |
| | 2018-Aug-?? | Unidentified Company | $13,000,000 |
🔑 | 2018-Aug-07 | BTC Markets | $3,500,000 |
🔑 | 2018-Aug-09 | Klickl / IDCM | $620,000 |
👛 | 2018-Sep-01 | Indodax | $24,900,000 |
👛 | 2018-Sep-14 | Zaif | $59,000,000 |
🔑 | 2018-Oct-20 | Trade.io | $10,000,000 |
🔑 | 2018-Nov-04 | Kryptono | $270,000 |
| | 2018 | TOTAL | $456,265,000 |
🔑 | 2019-Jan-14 | Cryptopia | $16,000,000 |
👛 | 2019-Mar-?? | Bithumb | $16,000,000 |
👛 | 2019-Mar-23 | Etbox | $132,000 |
🍎 | 2019-Mar-24 | DragonEx | $7,090,000 |
🔑 | 2019-Mar-25 | Coinbene | $105,000,000 |
👛 | 2019-Mar-26 | BiKi | $12,300,000 |
👛 | 2019-Jun-30 | Bitcoin Norway (AlphaPoint) | $500,000 |
🔑 | 2019-Jul-01 | CoinTiger | $272,000 |
🔑 | 2019-Sep-25 | Algo Capital | $2,000,000 |
👛 | 2019-Nov-27 | Upbit | $48,500,000 |
| | 2019 | TOTAL | $207,794,000 |
| | 2020 | BTC Changers | $Unknown |
👛 | 2020-Aug-07 | New York Financial Services Company | $11,800,000 |
🔑 | 2020-Aug-18 | Hobocrypt | $134,000 |
🔑 | 2020-Aug-20 | Fetch.ai (Holder) | $2,600,000 |
🔑 | 2020-Aug-24 | Coinberry | $370,000 |
🔑 | 2020-Aug-29 | Tap Global | $Unknown |
👛 | 2020-Sep-07 | Eterbase | $5,400,000 |
🔑 | 2020-Sep-11 | Unibright | $500,000 |
👛 | 2020-Sep-26 | Kucoin | $275,000,000 |
🔑 | 2020-Oct-06 | CoinMetro | $740,000 |
🔑 | 2020-Oct-16 | LEAD Wallet Token | $50,000 |
🔑 | 2020-Nov-13 | L2 Theft | $893,000 |
🔑 | 2020-Dec-14 | Hugh Karp / Nexus Mutual | $8,000,000 |
👛 | 2020-Dec-21 | Exmo | $10,500,000 |
| | 2020 | TOTAL | $315,987,000 |
🍎 | 2021-Jan-22 | Indodax ATO | $2,830,000 |
💼 | 2021-Mar-05 | Paid Network | $160,000,000 |
🔑 | 2021-Apr-02 | Mudge / Etna / Mokens Deployer | $1,000,000 |
🔑 | 2021-Apr-19 | EasyFi Founder | $81,000,000 |
🍎 | 2021-May-12 | 990.1 BTC | $55,600,000 |
🔑 | 2021-May-17 | FinNexus | $7,000,000 |
🔑 | 2021-Jun-03 | NAOs Finance | $750,000 |
👛 | 2021-Jun-23 | Coinsquare | $22,620,000 |
🍎 | 2021-Jul-13 | Tower Capital | $Unknown |
🍎 | 2021-Jul-13 | Advcash | $14,000,000 |
🔑 | 2021-Jul-14 | Bondly Finance | $8,500,000 |
🔑 | 2021-Aug-01 | Misc August-September 2021 Hacks | $2,000,000 |
💼 | 2021-Aug-12 | DAO Maker | $7,000,000 |
👛 | 2021-Aug-18 | Liquid Global | $91,000,000 |
🔑 | 2021-Oct-08 | MNGR | $24,100,000 |
🔑 | 2021-Oct-28 | Metaplay / Polyplay | $1,600,000 |
🔑 | 2021-Nov-01 | YFETH Admin Key | $200,000 |
🔑 | 2021-Nov-03 | bZx | $55,000,000 |
| | 2021 | TOTAL | $534,200,000 |
🔑 | 2022-Jan-15 | Jan 15 2022 Theft | $555,000 |
🔑 | 2022-Jan-27 | Fantom Allo Receiver / ANKR founder | $1,200,000 |
🔑 | 2022-Feb-10 | Feb 10 2022 Theft | $300,000 |
🔑 | 2022-Mar-22 | Arthur_0x | $1,700,000 |
🔑 | 2022-Apr-07 | Wonderhero | $1,025,000 |
👛 | 2022-Apr-14 | Ronin Bridge | $620,000,000 |
👛 | 2022-Jun-24 | Harmony Horizon Bridge | $100,000,000 |
🔑 | 2022-Aug-05 | deBridge (Attempt) | $0 |
🔑 | 2022-Sep-7 | GERA Coin | $142,000 |
🔑 | 2022-Oct-11 | Algorand | $750,000 |
🔑 | 2022-Oct-17 | Darshan | $1,750,000 |
🔑 | 2022-Oct-31 | Oct 31 2022 Theft | $183,000 |
🍎 | 2022-Nov-02 | Deribit | $28,000,000 |
💼 | 2022 | Pixelcraft Potential IT Worker | $0 |
| | 2022 | TOTAL | $755,605,000 |
💼 | 2023 | Various 2023 Rug Pulls | $350,000 |
💼 | 2023-Apr-10 | Terraport | $3,900,000 |
💼 | 2023-Apr-26 | Merlin DEX | $1,800,000 |
👛 | 2023-Jun-03 | Atomic Wallet | $121,000,000 |
❓ | 2023-Jun-11 | A Large Theft / Investment Platform | $17,600,000 |
🍎 | 2023-Jul-01 | PolyNetwork | $10,000,000 |
👛 | 2023-Jul-22 | Alphapo + Coinspaid | $97,000,000 |
🎙️ | 2024-Aug-07 | Bitgert / BRISE | $437,000 |
🔑 | 2023-Aug-07 | Steadefi | $1,140,000 |
🔑 | 2023-Aug-16 | Coinshift | $2,900,000 |
🎙️ | 2023-Aug-17 | SPooCK | $38,032 |
👛 | 2023-Sep-04 | Stake | $41,000,000 |
👛 | 2023-Sep-12 | CoinEx | $54,000,000 |
❓ | 2023-Sep-24 | HTX Theft Returned | |
❓ | 2023-Sep-28 | Unidentified Company | $3,000,000 |
💼 | 2023-Oct-5 | Blockbusters Tech | |
🔑 | 2023-Oct-17 | Fantom Foundation | $7,624,588 |
🔑 | 2023-Oct-26 | Maverick | $8,300,000 |
👛 | 2023-Nov-10 | Poloniex | $130,000,000 |
🔑 | 2023-Nov-10 | Samudai | $1,100,000 |
🎙️ | 2023-Nov-10 | Waygate | $200,000 |
🔐 | 2023-Nov-19 | Kronos | $26,000,000 |
🎙️ | 2023-Nov-14 | UnoRe DAO | $219,000 |
👛 | 2023-Nov-22 | HTX / Heco | $116,000,000 |
🔑 | 2023-Dec-10 | Degen Reborn | $164,000 |
🎙️ | 2023-Dec-12 | OKX Dex | $2,390,976 |
🎙️ | 2023-Dec-28 | Upwork Developer Jobs Scams | $550 |
| | 2023 | TOTAL | $646,164,146 |
🎙️ | 2024-Jan-22 | ConcentricFi | $1,720,000 |
🎙️ | 2024-Jan-25 | Wall Street Memes | $2,500,000 |
🎙️ | 2024-Feb-01 | Linkedin Job Dev Scam | $200,000 |
🔐 | 2024-Feb-13 | Duelbits | $4,600,000 |
🎙️ | 2024-Feb-27 | Serenity Shield | $586,000 |
🎙️ | 2024-Feb-28 | Braintrust Job Dev Scam | $100,000 |
🎙️ | 2024-Mar-05 | MurAll | $278,000 |
🎙️ | 2024-Mar-13 | CloudAI | $309,400 |
🎙️ | 2024-Mar-16 | Wilder World (Also Apr 2) | $2,314,583 |
🔑 | 2024-Mar-20 | Huge March 2024 Theft | $90,000,000 |
💼 | 2024-Mar-26 | Munchables ($62m, returned) | $62,000,000 |
💼 | 2024-Mar-29 | Solareum ($1.1m, frozen) | $1,114,813 |
🎙️ | 2024-Apr-11 | Endblock | $72,000 |
🔐 | 2024-Apr-29 | Rain | $14,800,000 |
🎙️ | 2024-May-06 | Genius / GNUS Token (Original compromise Jan 25) | $1,262,630 |
🔑 | 2024-May-15 | ALEX Labs | $4,300,000 |
🎙️ | 2024-May-28 | HYVE | |
🎙️ | 2024-May-29 | SpaceCatch | $200,000 |
👛 | 2024-May-31 | Bitcoin DMM | $305,800,000 |
🔑 | 2024-Jun-11 | Theft from Individual C7 | $4,200,000 |
👛 | 2024-Jun-22 | CoinStats | $2,300,000 |
🔑 | 2024-Jun-28 | Theft from Individual C4 | $400,000 |
👛 | 2024-Jul-01 | Kyrrex | $13,500,000 |
👛 | 2024-Jul-18 | Wazirx | $230,000,000 |
🔑 | 2024-Jul-22 | Theft from Individual I4 | $1,500,000 |
🔐 | 2024-Jul-24 | T6 | $400,000 |
🎙️ | 2024-Aug-07 | Nexera | $1,900,000 |
🔑 | 2024-Aug-16 | Theft from Individual A4 | $2,500,000 |
🔑 | 2024-Aug-30 | Metaschool | $212,182 |
👛 | 2024-Sep-10 | Indodax | $20,000,000 |
🔑 | 2024-Sep-13 | Adot | $300,000 |
🎙️ | 2024-Sep-19 | NiiFi | |
👛 | 2024-Sep-19 | BingX | $45,000,000 |
🔑 | 2024-Sep-20 | Dexnet | $459,484 |
🔑 | 2024-Sep-25 | Truflation | $5,000,000 |
🍎 | 2024-Oct-16 | Radiant | $50,000,000 |
🎙️ | 2024-Oct-18 | Tapioca | $4,700,000 |
🔑 | 2024-Oct-18 | Fake Hack VC Thefts | $77,000 |
🔑 | 2024-Jul-06 | Theft from Individual M4 | $1,400,000 |
🎙️ | 2024-Oct-30 | Bitbucket Dev Scam | |
🎙️ | 2024-Oct-31 | Scallop | |
🔐 | 2024-Oct-31 | M2 | $13,000,000 |
🎙️ | 2024-Nov-15 | Nov 15 Contagious Interview | |
👛 | 2024-Nov-28 | XT | $1,700,000 |
🔑 | 2024-Nov-25 | TON Dude | $14,000,000 |
🎙️ | 2024-Dec-12 | Willo Campaign | $64,020 |
🔑 | 2024-Dec-18 | Fake Foresight | $1,600,000 |
| | 2024 | TOTAL | $904,770,112 |
See more at /lazarus-evolution
Note: all my research starts onchain and works backwards from there using victim reports and osint done by those tracking the malware, c2s, etc. I often get it wrong bc the clustering and dynamic nature of DPRK is insane to keep track of. Don't take any of this as gospel. I am always learning.
- aka: CryptoCore, APT38, Bluenoroff, Alluring Pisces, Leery Turtle, SnatchCrypto, CryptoMimic, UNC1069, Black Alicanto, CageyChameleon
- This group has targeted financial institutions, cryptocurrency businesses and ATMs. It has also conducted significant cyber heists.
- Prioritizes revenue generation, like the overarching APT38 subunits, but on a much smaller financial scale.
- 2023/2024 activity usually referred to as SquidSquad by on-chain folks
- Today: VC impersonation, Telegram messages, fake video meeting calls, fake Google Drive links, RustBucket, Mac malware, AppleScript. Tornado Cash, eXch, Noones, Paxful, Instaswappers.
- Before: Google Drive phishing, malicious PDFs, "Fast changes to stablecoin risk.pdf", `Password.txt.lnk`, Tornado Cash, Renbridge, Chipmixer, Noones, Paxful. Dust Collectors!
- May include individuals or units previously tracked as APT38. Has minor overlaps with APT43 but operates distinctly.
- UNC1069 has targeted a variety of financial services firms and cryptocurrency exchanges, commonly employing spear-phishing techniques that result in LONEJOGGER (and other) malware infections
- Past Attacks: A4 (Founder/CEO), I4 (Founder/CEO of DeFi Thing), C4 (defi media person), C7 (CEO of blockchain infra company), ALEX Labs, Samudai Founder, Maverick Founder, Fantom Foundation CEO, Coinshift C-Level, Steadefi, GERA Coin, deBridge (Attempt), Wonderhero, Arthur_0x, bZx, YFETH Admin Key, Metaplay / Polyplay, MNGR, Bondly Finance, Tower Capital, NAOs Finance, FinNexus Admin Key, 990.1 BTC, EasyFi Founder, Mudge / Etna / Mokens Deployer, Indodax ATO, Hugh Karp / Nexus Mutual, L2 Theft (crypto investor), LEAD Wallet Token, CoinMetro, Unibright, Tap Global, Coinberry, Fetch.ai
- On-chain laundry observations: ExpressVPN, occasional leaks of Ryugyong-dong IPs
- Apr 2024 | How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023
- Feb 2024 | Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram
- Dec 2023 | Alex Masmej's Near Miss Story
- Dec 2023 | Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram
- Nov 2023 | Sapphire Sleet, which overlaps with threat actors tracked by other researchers as BlueNoroff, CageyChameleon, and CryptoCore, is a nation-state sponsored threat actor based in North Korea and has targeted organizations in the cryptocurrency sector.
- Nov 2023 | jamf: BlueNoroff strikes again with new macOS malware
- May 2023 | Attack Trends Related to DangerousPassword
- Apr 2023 | BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
- Dec 2022 | BlueNoroff introduces new methods bypassing MoTW
- Jan 2022 | The BlueNoroff cryptocurrency hunt is still on
- Jan 2022 | VBA Downloads, Bypassing MOTW, Bumblebee
- May 2021 | Attributing CryptoCore Attacks Against Crypto Exchanges to Lazarus / North Korea
- May 2021 | Attributing CryptoCore Attacks Against Crypto Exchanges to Lazarus / North Korea (PDF)
- Oct 2020 | Unveiling The Cryptomimic
- Jun 2020 | CryptoCore: A Threat Actor Targeting Crypto Exchanges
- Jun 2019 | JPCert: VBScript, `Password.txt.lnk`
- Jan 2018 | Proofpoint: Analyzing CHM Files, Malicious LNKs, VBScript Macros, Microsoft Office Docs, PowerShell implants, Gh0st RAT
- aka: UNC4899, Slow Pisces
- The big boys, the insane on-chain laundry sessions
- Targets blockchain companies through spear-phishing messages, fake job offers
- It was also involved in a supply chain attack targeting a U.S.-based software platform and is known for distributing a series of malicious applications called TraderTraitor.
- Messages employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies
- Today: Job offers and/or skills tests in Python, SQL, etc. GitHub and malicious npm packages are utilized. Personas on LinkedIn are usually white and impersonate/clone a legitimate profile. GitHub repos may be private. Conversation style usually more casual, conversational, adaptable?
- Before: Same, except ultimately delivered malicious Electron trading apps
- More time passes between compromise and theft (at times 6+ months), making it especially hard to identify the initial social engineering that led to compromise.
- May be the work of operators previously responsible for broader APT38 activity
- On-chain observations: ExpressVPN, occasional leak of Ryugyong-dong IPs
- Example applications (all designed to appear as legitimate cryptocurrency trading or portfolio management tools): TokenAIS, CryptAIS, CreAI Deck, AlticGO, and Esilet
- Past Attacks: WazirX, DMM Bitcoin, Poloniex, HTX/Heco, Stake, CoinEx, Alphapo, Coinspaid, Atomic Wallet, JumpCloud, 3CX, Harmony, Ronin
- Jul 2024 | Recent Social Engineering - Raw Convos, Takeaways
- Jun 2024 | North Korean Government-Backed Groups Targeting Brazil
- Jul 2023 | Social engineering campaign targets technology industry employees
- Jul 2023 | The CoinsPaid Hack Explained: We Know Exactly How Attackers Stole and Laundered $37M USD
- Jul 2023 | North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack
- Jun 2023 | Phylum Discovers Sophisticated Ongoing Attack on NPM
- Apr 2022 | TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)
- Apr 2022 | TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (Web)
- aka: Gleaming Pisces, Labyrinth Chollima, UNC4736, Hidden Cobra, DEV-0139
- A threat group that has been active since at least 2018
- This group performed attacks targeting the cryptocurrency industry and is known for its association with the AppleJeus campaign.
- Primarily targets: financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain.
- The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.
"One of the most successful fake personas used by the Lazarus Group was Waliy Darwish—a man who supposedly worked for a cryptocurrency company, based in Michigan, called Celas L.L.C." —The Incredible Rise of North Korea’s Hacking Army
- Known Attacks:
- 2018 Gate.io Hack (Celas Trade Pro)
- 2019 DragonEx Hack (WorldBit-Bot)
- 2021 990.1 BTC from Deribit Acct
- 2021 Tower Capital
- 2021 Advcash
- 2022 Deribit
- 2023 Polynetwork
- 2024 Radiant
- Aug 2024 | CVE-2024-7971: North Korean threat actor Citrine Sleet exploiting Chromium zero-day
- [Mar 2022 | CVE-2022-1096: Chrome Update Released - type confusion V8]
- Apr 2023 | Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
- Dec 2022 | DEV-0139 launches targeted attacks against the cryptocurrency industry
- Dec 2022 | ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
- Mar 2022 | Countering threats from North Korea
- Oct 2021 | Multi-Universe Of Adversary: Multiple Campaigns Of Lazarus Group
- Apr 2021 | AppleJeus
- Feb 2021 | CISA: AppleJeus: Celas Trade Pro
- Jan 2021 | New campaign targeting security researchers
- Aug 2020 | Operation Dream Job
- Jan 2020 | Operation AppleJeus Sequel
- Oct 2019 | AppleJeus - JMT Trading
- Aug 2018 | Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
- Merlin DEX, Munchables, Solareum, a bunch of unknown others or misidentified shit from Contagious Interview.
- Have resumes. Get hired. Get paid payroll that goes to DPRK.
- Primarily fall under the KWP’s Munitions Industry Department
- Made up of thousands of highly skilled IT workers from North Korea
- Deployed both domestically and abroad to generate revenue and finance the country's weapons of mass destruction and ballistic missile programs
- Acquire freelance contracts from clients around the world and sometimes pretend to be based in the US or other countries to secure employment.
- While they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions.
- Sep 2024 | UNC5267 - Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
- Sep 2024 | Dozens of Fortune 100 companies have unwittingly hired North Korean IT workers, according to report
- Jul 2024 | How a North Korean IT Worker Tried to Infiltrate Us
- May 2024 | Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea
- Mar 2024 | re: DPRK IT Workers I
- Mar 2024 | re: DPRK IT Workers II
- Mar 2024 | re: DPRK IT Workers III
- Nov 2023 | North Koreans use fake names, scripts to land remote IT work for cash
- Oct 2023 | Zero Day: How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs
- Oct 2023 | U.S. DOJ: Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of DPRK IT Workers
- Oct 2023 | U.S. Treasury: Additional Guidance on the DPRK IT Workers
- Apr 2023 | U.S. DOJ: North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies
- May 2022 | U.S. Treasury: Guidance on the DPRK IT Workers
- New onchain cluster / laundry patterns first observed early 2023, fully baked out by late 2023
- This may actually map back to some dudes that originally did TraderTraitor or APT38 type stuff like Nexus Mutual but I dunno yet. On-chain they certainly Dust Collect like Hugh Karp / EasyFi / etc. and they certainly love to compromise private keys and pivot to taking over protocols but most everything else is different.
- UnoReDAO, OKX Dex, ConcentricFi, Serenity Shield, Wilder World, Hyve, on and on and on and on and on. Also the Upwork/Braintrust/Linkedin Job Scams. Flickthebean, etc.
- Connects af onchain. Is a real fucking mess. Stargate / Defiway / RhinoFi / Railgun / Dust Collectors.
- In the cases of protocol exploits, the private keys that have critical access are compromised and used to upgrade the protocol in order to mint an infinite amount of new tokens or drain the protocol of any locked assets. Lots of `transferOwnership` calls.
- On the social engineering side: developers often reach out to the attacker in response to a job or freelance post. The attacker asks them to complete a job interview, skills test, or fix some issues in an existing codebase. Details about the test or code issues are often provided via Google Docs or a similar text document. They have much more information and provide actual requirements, as opposed to some of the conversations seen in TraderTraitor. The code is typically provided via GitHub, Bitbucket, or a zip file hosted on Google Drive. They are JavaScript / Node.js projects and use npm install / run / build. Often the personal addresses that are active in unlocked browser extensions or desktop wallets are drained of all assets nearly immediately. Shortly thereafter, these private keys, or additional private keys stored on the developer's machine, are further drained of assets and/or used to exploit smart contracts or protocols.
- There are also cases where the attacker reaches out to a developer or dev shop asking to hire / contract them to help finish a project. They then grant the dev shop access to a private (malicious) repo. The lead of the dev shop will then run the repo to see what the issue is, what work is required, and provide a quote. That tech lead's device is thus compromised, along with their own wallets/projects and those of previous clients.
- Public reporting and first-hand victim reports often make these incidents sound like a malicious employee, insider, or new hire is responsible, which leads to them being tagged as DPRK IT Workers. However, more often it is simply that an employee's device was compromised and their access was used. The key difference in victim reports is whether they actually hired and paid someone. For IT Workers, the team will often have and mention resumes, payroll, etc.
- 2024 LinkedIn personas from the on-chain cluster of activity include: “Lucas Sousa Santos” “Maria Mercedes Gonzalez” “Juan D Suareza” “Eduardo Morales Cortés”
- Astrill, Russia TTK observed.
- Jul 2024 | Decipher: New Version Of Beavertail Macos Malware Identified
- Jul 2024 | Patrick Wardle: This Meeting Should Have Been an Email - A DPRK stealer, dubbed BeaverTail, targets users via a trojanized meeting app
- Nov 2023 | Palo Alto: Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors
- May 2024 | From Opportunity to Threat: My Encounter with a Blockchain Job Scam
- Apr 2024 | SlowMist's im23pds: "Lazarus group appears to be currently reaching out to targets via LinkedIn and steal employee privileges or assets through malware"
- Mar 2024 | ZachXBT: "Same group just hacked another project one hour ago for $278K"
- Feb 2024 | Fake Developer Jobs Laced With Malware
- Dec 2023 | Seongsu Park: "The actor continues with familiar tactics, incorporating a cleverly obfuscated BeaverTail script. The endgame remains the InvisibleFerret script, with the C2 using IP addresses previously employed by the actor: 147.124.212.89:1244"
- Dec 2023 | /r/hacking: Obfuscated code a "recruiter" sent me
- Dec 2023 | Blockchain dev's wallet emptied in "job interview" using npm package
- May 2024 | 针对区块链从业者的招聘陷阱:疑似Lazarus(APT-Q-1)窃密行动分析
- Aug 2024 | North Korea Still Attacking Developers via npm
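A pre-install audit that a developer or dev shop could run on an untrusted "skills test" or "finish my project" repo before touching `npm install`, written here as an added example (it is not code from the original page or from the research repo it links). It checks the three things the Contagious Interview notes above describe: lifecycle scripts that execute during install, dependencies pulled from git/URL/local sources rather than the registry, and JavaScript that combines `eval`/`Function` with a base64 decode or carries very long encoded literals. The sample project it writes to a temp directory is constructed for the demo (including the `example.invalid` URL), and the heuristics and thresholds are my assumptions, not a published detection rule.

```python
"""Pre-install audit for an untrusted Node.js project.

Added example, not code from the original page or repo. Heuristics only:
a clean report is not proof that a repo is safe, but each finding is a
reason to open the file in an editor instead of running it.
"""
import base64
import json
import pathlib
import re
import tempfile

# npm runs these scripts automatically during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Dependency specs that are not plain registry versions or ranges.
NON_REGISTRY_SPEC = re.compile(
    r"^(git\+|git://|github:|gitlab:|bitbucket:|https?://|file:|\.{0,2}/)"
)
# Indicators assumed for this demo: long encoded blobs and decode-then-eval.
LONG_LITERAL = re.compile(r"""['"`][A-Za-z0-9+/=]{200,}['"`]""")
DYNAMIC_EVAL = re.compile(r"\b(eval|Function)\s*\(")
DECODE_CALL = re.compile(r"\bBuffer\.from\s*\(|\batob\s*\(")


def audit_package_json(pkg: dict) -> list[str]:
    """Return findings for the parsed contents of a package.json."""
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"lifecycle script '{hook}' runs during install: {cmd}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(f"{section}: '{name}' resolves outside the registry: {spec}")
    return findings


def audit_source_file(path: pathlib.Path) -> list[str]:
    """Return loader/obfuscation indicators found in one JavaScript file."""
    text = path.read_text(errors="replace")
    findings = []
    if DYNAMIC_EVAL.search(text) and DECODE_CALL.search(text):
        findings.append(f"{path.name}: eval/Function combined with a decode call (staged loader pattern)")
    if LONG_LITERAL.search(text):
        findings.append(f"{path.name}: string literal of 200+ encoded characters")
    return findings


def audit_project(root) -> dict[str, list[str]]:
    """Audit package.json and every .js file under root (node_modules excluded)."""
    root = pathlib.Path(root)
    report = {}
    pkg_path = root / "package.json"
    if pkg_path.exists():
        report["package.json"] = audit_package_json(json.loads(pkg_path.read_text()))
    for js in sorted(root.rglob("*.js")):
        if "node_modules" in js.parts:
            continue
        findings = audit_source_file(js)
        if findings:
            report[str(js.relative_to(root))] = findings
    return report


def build_sample_project() -> str:
    """Write a constructed 'take-home test' repo to a temp dir and return its path.

    Everything here is made up for the demo: setup.js only decodes and evals a
    console.log, so the loader *shape* is present without any harmful behaviour.
    """
    root = pathlib.Path(tempfile.mkdtemp(prefix="npm-audit-demo-"))
    pkg = {
        "name": "take-home-test",
        "scripts": {"postinstall": "node setup.js", "build": "tsc"},
        "dependencies": {
            "express": "^4.19.2",
            "utils-helper": "git+https://example.invalid/helper.git",  # constructed URL
        },
    }
    (root / "package.json").write_text(json.dumps(pkg, indent=2))
    payload = base64.b64encode(b'console.log("hello")').decode()
    (root / "setup.js").write_text(
        f'const s = "{payload}";\n'
        'eval(Buffer.from(s, "base64").toString());\n'
        f'const pad = "{"A" * 400}";\n'  # padding literal to trigger LONG_LITERAL
    )
    (root / "index.js").write_text('module.exports = () => "ok";\n')  # benign file
    return str(root)


if __name__ == "__main__":
    for file, findings in audit_project(build_sample_project()).items():
        for line in findings:
            print(f"[{file}] {line}")
```

Run it against a real checkout with `audit_project("/path/to/repo")` before installing anything; the point of the `node_modules` exclusion is that the audit is meant to happen while that directory does not exist yet. The `build` script is deliberately not flagged: only hooks npm runs on its own during install matter here, which is the same reason `npm install --ignore-scripts` is a sensible default when evaluating code from a stranger.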
https://github.com/tayvano/lazarus-bluenoroff-research/tree/main/pdfs
Date | Document |
---|---|
2017-03-01 | UN Security Council: 2016 Year End Report |
2018-03-01 | UN Security Council: 2017 Year End Report |
2019-03-01 | UN Security Council: 2018 Year End Report |
2019-09-01 | UN Security Council: 2019 Midterm Report |
2020-03-01 | UN Security Council: 2019 Year End Report |
2020-09-01 | UN Security Council: 2020 Midterm Report |
2021-03-01 | UN Security Council: 2020 Year End Report |
2021-09-01 | UN Security Council: 2021 Midterm Report |
2022-03-01 | UN Security Council: 2021 Year End Report |
2022-09-01 | UN Security Council: 2022 Midterm Report |
2023-03-01 | UN Security Council: 2022 Year End Report |
2023-09-01 | UN Security Council: 2023 Midterm Report |
2024-03-01 | UN Security Council: 2023 Year End Report |
- Also covered by OXT Research (corrections to some of this below)
Identifier | Entity | Date / Defendant Property |
---|---|---|
Exchange 1 | Gate.io Hack (10k BTC, $230m total) | April 21, 2018 |
Exchange 2 | Youbit Hack ("17% Assets") | April 22nd, 2017 |
Exchange 3 | Upbit Hack (342,000 ETH) | November 27, 2019 |
Exchange 4 | Coinrail Hack ($40m) | Summer 2018 |
VCE 1 | HitBTC/Changelly | DP 63-64 |
VCE 2 | KuCoin | DP 112 |
VCE 3 | Bittrex | DP 50-52 |
VCE 4 | Yobit | DP 92-111 |
VCE 5 | Huobi | DP 65-70 |
VCE 6 | CoinCola | DP 55-62 |
VCE 7 | Paxful | DP 83-84 |
VCE 8 | LocalBitcoin | DP 71-80 |
VCE 9 | P2Pb2b | DP 113 |
VCE 10 | Binance | DP 44-49 |
VCE 11 | Poloniex | DP 85-90 |
VCE 12 | Unknown | DP 53-54 |
Identifier | Entity | Quote |
---|---|---|
Exchange 2 | Upbit (Victim) | On November 27, 2019 342,000 ETH was stolen from Exchange 2. |
Exchange 3 | CoinTiger (Victim) | On July 1, 2019, 400m PTT Tokens were stolen |
Exchange 4 | HitBTC (Laundry) | All deposit activity for Target Actor 1’s account at Exchange 4 occurred on or about July 1, 2019, the same day as the theft from Exchange 3. The PXG and IHT deposits (17,829,785 PXG @ 2019-07-01 8:42 + 137,793 IHT @ 2019-07-01 13:22) came directly from the theft at Exchange 3. |
Exchange 5 | BiKi (Laundry) | 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc also received approximately 15 BTC from accounts at Exchange 3 (CoinTiger), Exchange 5 (BiKi), and Exchange 6 (Huobi) |
Exchange 6 | Huobi (Laundry) | The 4,342,294.43 Yee (“YEE”), 171,145.04 All Sports Coin (“SOC”), 71,237.03 StatusNetworks (“SNT”), and 23,300.29 Cortex Coin (“CTXC”) stolen from CoinTiger were deposited to an account at Exchange 6 on or about July 2, 2019 at 10:29, 22:32, 10:42, and 07:13 respectively. - 0x1016b7835d409692e02ed2035e053fbfb4602982 |
Exchange 7 | KuCoin (Laundry) | 0x2dbc0f6b71e341c7eca01c5287eb57af3038a9c5 also received approximately 41,702 USDT from an account at Exchange 7” via 14 transactions between August 12, 2019 and August 14, 2019. - e.g. txn 0xa690bf67b9347ac0ca155a473df26d91b20a62acc63546863dae0b1418c11782 |
Exchange 8 | Switchain (Laundry) | 0x2dbc0f6b71e341c7eca01c5287eb57af3038a9c5 sent the USDT to Exchange 8, converted to BTC, and withdrawn to 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc. On or about December 20, 2019, Exchange 8 received approximately 8.65658 ETH that was converted to 0.15012721 BTC e.g. txn bf4f4c33fb1613524ad72cd082adb42d1816b1aef8907ce30b73bf9b78078c94 |
Exchange 9 | Changelly? (Laundry) | In December 2019, Target Actor 1 attempted to convert ETH to BTC through a cryptocurrency trading platform “Exchange 9” which was designed to enable the transfer of one form of cryptocurrency in exchange for another. The stolen REP in 0x2DBC0f6B71e341C7Eca01c5287Eb57AF3038A9c5 was then sent to Exchange 9, converted to BTC, and also withdrawn to cluster 1BHnp. The funds associated with Order ID 6918d31f-097c-4afe-8d06-054dd38a34ac are currently frozen at Exchange 9, pursuant to their own internal policies. |
Exchange 10 | Algo Capital (Victim) | U.S. Algorand crypto company hacked on September 25, 2019 - Defendant Property 25–130 |
Exchange 11 | Binance (Laundry) | The photos submitted to Exchange 11 were likely stolen during the 2018 hack of a U.S.-based CEX where IDT Victim 1 was a customer. |
Exchange 12 | Unknown | Algo Capital's Binance Account also sent approximately 2.0285 BTC to an account at Exchange 12. |
USA v PARK JIN HYOK (2018)
- Chosun Expo
- Sony Pictures Entertainment
- Mammoth Screen
- AMC Pictures
- WannaCry
- Lockheed Martin
- Bangladesh Bank
- Philippine Bank
Entity | Description |
---|---|
Sony Pictures | Sony Pictures Entertainment Inc. |
AMC Theatres | |
Mammoth Screen | A United Kingdom television production company |
African Bank | A bank headquartered in a country in Africa |
Bangladesh Bank | The central bank of Bangladesh, was headquartered in Dhaka, Bangladesh |
Bancomext aka Banco Nacional De Comercio Exterior | A Mexican state-owned bank headquartered in Mexico City, Mexico |
Maltese Bank | A bank headquartered in Malta |
BankIslami aka BankIslami Pakistan Limited | A bank headquartered in Karachi, Pakistan |
New York Financial Services Company | A financial services company headquartered in New York, New York |
Polish Financial Supervision Authority | The financial regulatory authority for Poland, and was based in Warsaw, Poland |
Philippine Bank | A bank headquartered in Makati, Philippines |
Far Eastern International Bank | A bank headquartered in Taipei, Taiwan |
Vietnamese Bank | A bank headquartered in Hanoi, Vietnam |
Indodax aka Indonesian Cryptocurrency Company | A cryptocurrency exchange based in Jakarta, Indonesia |
South Korean Cryptocurrency Company | A cryptocurrency exchange based in the Republic of Korea |
NiceHash aka Slovenian Cryptocurrency Company | A crypto-mining company headquartered in Ljubljana, Slovenia |
Central American Online Casino 1 | An online casino business headquartered in a Central American country |
Central American Online Casino 2 | An online casino business headquartered in a Central American country |
Date | Location / Bank | Details |
---|---|---|
Dec 2015 | Guatemala | Reported loss of $16M USD |
Dec 2015 | Vietnam Tien Phong Bank | Attempted theft of more than 1 million Euro ($1.1M USD) of funds through fraudulent SWIFT messages, according to a statement Tien Phong Bank later issued |
Feb 2016 | Bangladesh Bangladesh Bank | Attempted theft of $951M USD |
May 2016 | South Africa / Japan Standard Bank | Reported theft of $18M USD from Standard Bank that caused a malfunction of the system shortly before the cash was withdrawn from ATM machines at convenience stores in Tokyo and 16 prefectures across Japan with forged cards made with data stolen from credit cards issued by the bank. A reply from the Government of Japan to the Panel dated 25 July 2019 stated, “As of 9 July 2019, approximately 260 suspects, including organized crime group members, have been arrested, and the total amount of the cash illegally withdrawn from the ATMs across Japan was approximately 1.86 billion yen. The suspects used forged cards with data of roughly 3,000 pieces of customer information stolen from the Standard Bank in the Republic of South Africa, in order to withdraw cash from approximately 1,700 ATMs located in Tokyo and 16 prefectures across Japan. The case is still under investigation.” |
Jul 2016 | India | Attempted theft of $166M USD using tactics and techniques similar to February 2016 attack on Bangladesh Bank. Funds were transferred to the Canadia Bank Plc and RHB IndoChina Bank Ltd in Cambodia, the Siam Commercial Bank in Thailand, Bank Sinopac in Taiwan Province of China, and a bank in Australia (routed by Citibank New York and JP Morgan Chase New York). |
Jul 2016 | Nigeria | Attempted theft of $100M USD |
Oct 2017 | Tunisia | Attempted theft of $60M USD |
Oct 2017 | Taiwan Far Eastern International Bank | Attempted theft of $60M USD from Far Eastern International Bank. All but $500,000 recovered by the bank |
Jan 2018 | Mexico Bancomext | Attempted theft of $110M USD from Bancomext |
Jan 2018 | Costa Rica | Attempted theft of $19M USD. “A private financial institution experienced an alleged cyberattack in Costa Rica in January 2018. An investigation has been launched by the Office of the Public Prosecutor's Division on Fraud. On July 17, 2019, the Division delegated the investigation to the Ministry of Science, Technology and Telecommunication. Because the investigation is still ongoing, it is not possible for the Mission to provide the Panel with any result.” |
Feb 2018 | India City Union Bank | Attempted theft of $16.8M USD from City Union Bank using techniques similar to February 2016 attack on Bangladesh Bank.
Mar 2018 | Malaysia | Attempted theft of $390M USD. 29 March 2018 cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages |
May 2018 | Chile Banco de Chile | Theft of approximately $10M USD from Banco de Chile through unauthorized transactions using SWIFT, mainly to Hong Kong. The hackers distracted bank employees from the theft by using malware to render 9,000 bank-owned computers inoperable.
Jun 2018 | Liberia | Attempted theft of $32M USD |
Aug 2018 | India Cosmos Bank | Reported theft of $13M USD through attack on Cosmos Bank through simultaneous ATM withdrawals across 23 countries in five hours as well as the transfer of 139 million Rupees to a Hong Kong-based company’s account in three unauthorized SWIFT transactions. On 8 October 2018 the United States included this and other similar DPRK attacks in its alert regarding the “FASTCash Campaign”
Oct 2018 | Chile Redbanc | Attack on Redbanc using malware called POWERRATANKBA. Sophisticated social engineering via LinkedIn and Skype.
Feb 2019 | Malta Bank of Valletta | Attempted theft of $14.5M USD from the Bank of Valletta (BOV) on 13 February. Before being reversed, transfers were made to banks located in the UK, the US, Czech Republic, and Hong Kong, China. “Phishing” activity using the same digital fingerprint had been detected since October 2018.
Feb 2019 | Spain | Attempted theft of $10.8M USD. Spain’s National Cryptologic Centre (CCN), under the National Intelligence Centre stated in its 2019 Cyberthreats and Trends report that hackers associated with the DPRK government conducted the largest number of reported cyberattacks against Spain in 2018. |
Mar 2019 | Gambia | Attempted theft of $12.2M USD |
Mar 2019 | Nigeria | Attempted theft of $9.3M USD |
Mar 2019 | Kuwait | Reported theft of $49M USD |
Feb 2017 | Bithumb #1 ROK | Theft of $7M USD in first attack on Bithumb
Apr 2017 | Youbit #1 ROK | Theft of $4.8M USD in first attack on Youbit (3,618 Bitcoin)
May 2017 | WannaCry Global | WannaCry attack; $144,000 USD (52 Bitcoin) of the ransom proceeds was laundered through Monero
Jul 2017 | Bithumb #2 ROK | Reported theft of more than $7M USD in second attack on Bithumb, including $870,000 USD in Bitcoin and $7M USD in Bitcoin and Ethereum. National Intelligence Service attributed the attack to the DPRK.
Summer 2017 | Cryptojacking ROK | $25,000 USD (70 Monero) through Monero cryptojacking / mining via illegal seizure of a Republic of Korea company server. According to a news article, an assessment by Kwak Kyoung-ju at the Republic of Korea Financial Security Institute attributed the seizure of a server at an ROK company to a hacking unit called “Andariel” (Sam Kim, “North Korean Hackers Hijack Computers to Mine Cryptocurrencies”, Bloomberg, 31 December 2017)
May-Sep 2017 | ROK | ROK Police reported attacks on three cryptocurrency exchanges by DPRK actors and detailed that 25 employees at four different exchanges were targeted in 10 separate “spear phishing” attempts since July 2017 |
23 Sep 2017 | Coinis ROK | Theft of undisclosed amount of Bitcoin in attack on Coinis. Possibly $2.19M USD. Total of $6.99M USD reported in losses from this and the April 2017 Youbit attack combined
Dec 2017 | Youbit #2 ROK | Theft of 17% of Youbit assets in second attack on Youbit. Youbit later declared bankruptcy as a result of the hack.
Dec 2017 | NiceHash Slovenia | Reported theft of $70M USD from the bitcoin mining company NiceHash, which reported “a highly professional attack with sophisticated social engineering” that resulted in approximately $63.92M USD of Bitcoin being stolen.
Jun 2018 | Bithumb #3 ROK | Third attack on Bithumb. Bithumb announced in a since-deleted tweet that hackers stole approximately $31 million. Proceeds were laundered through a separate cryptocurrency exchange called YoBit.
Aug 2018 | India | Reported theft of $13M USD |
Oct 2018 | Bangladesh | Attempted theft of $2.6M USD
Mar 2019 | DragonEx Thailand/Singapore/Hong Kong, China | Reported theft of $9M USD from DragonEx. According to the company’s Twitter and LinkedIn accounts, it is based in Singapore. The LinkedIn page states, “Registered in Singapore, Operation Department headquartered in Bangkok.” However, Singapore indicated to the Panel that it does not currently have any registration information for a company under the name of DragonEx. Singapore further stated, “We note that DragonEx’s announcement of 27 March 2019 on its Telegram channel states that the Hong Kong Cyber Security and Technology Crime Investigation Bureau is investigating the incident.” DragonEx stated in its announcement of the cyberattack that it informed the judicial administrations of Estonia, Thailand, Singapore and Hong Kong. For more information on the attack, see http://www.coinwire.com/360-security-warns-about-lazarus-hacker-group and https://www.secrss.com/articles/9511
Mar 2019 | Bithumb #4 ROK | Reported theft of $20M USD in fourth attack on Bithumb (3M EOS and 20 million Ripple coins stolen, worth $13.4M USD and $6M USD, respectively)
May 2019 | UpBit ROK | UpBit attacked. No losses reported.
- https://x.com/tayvano_/status/1668935273047261185
- https://x.com/tayvano_/status/1686916598899281920
- https://x.com/zachxbt/status/1686327312843780097
- https://x.com/zachxbt/status/1683747073227624448
- https://docs.google.com/spreadsheets/d/1n_z0RCCXSfAkhmYAkutqGugUzniLeS7AK_rK3pxS8nc/edit?usp=sharing
- https://docs.google.com/spreadsheets/d/1Uh-kQPRhR0GzDMFhrYtU6rrYBWmcMBcQUDI40CtWcAQ/edit?usp=sharing
- https://docs.google.com/spreadsheets/d/1ZEEAmXjpN8kL9BvITg9GKu-dbeUra6c14YLpLkCp5Zo/edit?usp=sharing
-
no real purpose. i like rabbitholes, i'm weird. i've followed lazarus for a long, long time
-
i had multiple irl friends back in the day who worked at sony. now i have had multiple friends, founders, builders, users who have been rekt by these same fools, grown up
-
if you read about all the hacks and phishing campaigns in crypto, you're basically reading about lazarus, even if you don't know it
-
realizing there's guys on the other side of the world watching you...who likely know your product and codebase better than some of your own team members...guys who come from such a fundamentally different place than you do with regards to experience, ideology, motivation, and desires...and want to steal all your crypto...it's a lot
-
thus, i dive into my rabbithole for comfort. 🕳️🐇
-
gl.