Skip to content

Latest commit

 

History

History
653 lines (545 loc) · 105 KB

README.md

File metadata and controls

653 lines (545 loc) · 105 KB

Lazarus / DPRK / Cryptocurrency / Web3 / Etc

“If the Internet is like a gun, cyberattacks are like atomic bombs.” – Kim Jon Il

“Cyberwarfare is an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.” – Kim Jong-un

"The real purpose of the DPRK’s cyber, military, policy, and political aggressiveness is ultimately to control and subdue its own population and retain power."

Really Good Links: Overview & Background

Background, Malware & Articles, Phishing Samples

Hacks, Thefts, and Total Amounts Stolen

Tay's Totals Tay's Count Chain's 2024 Totals Chain's 2024 Count Chain's 2023 Totals Chain's 2023 Count TRM's Totals TRM's Counts UN Totals UN Counts
2016 $1,500,000 1 $2,000,000 1 $1,500,000 1 0 n/a 0 0
2017 $88,640,000 7 $29,000,000 4 $29,000,000 4 $100,000,000 n/a $88,640,000 6
2018 $456,265,000 17 $522,000,000 10 $522,000,000 10 $400,000,000 n/a $447,600,000 11
2019 $207,794,000 10 $271,000,000 9 $271,000,000 9 $200,000,000 n/a $209,272,000 8
2020 $315,987,000 14 $300,000,000 5 $300,000,000 5 $290,000,000 n/a $300,200,000 4
2021 $534,200,000 18 $506,000,000 11 $428,800,000 9 $250,000,000 n/a $175,600,000 6
2022 $755,605,000 14 $1,100,000,000 14 $1,650,000,000 15 $850,000,000 n/a $991,700,000 5
2023 $646,164,146 25 $660,000,000 20 $1,000,000,000 20 $600,000,000 n/a $753,019,000 17
2024 $904,770,112 41 $1,300,000,000 49 n/a n/a n/a n/a n/a n/a
$3,910,925,258 147 $4,690,000,000 $4,202,300,000 73 $2,690,000,000 n/a $2,966,031,000 57

Chainalysis

TRM

United Nations Security Council

List of Incidents Documented in this Repo

Date Incident Amt Stolen
👛 2016-Oct-13 Bitcurex $1,500,000
2016 TOTAL $1,500,000
👛 2017 Youbit aka Yapizon aka Coinbin $7,450,000
👛 2017 Bithumb $14,000,000
👛 2017-May-12 Wannacry $Unknown
🔑 2017-Jul-?? Korbit $Unknown
👛 2017-Jul-15 2017 Cryptojacking Incidents $Unknown
🔑 2017-Sep-23 Coinis $2,190,000
🔑 2017-Dec-06 NiceHash $65,000,000
2017 TOTAL $88,640,000
💼 2018 Marine Chain $Unknown
🔑 2018-Mar-18 Cypherium $8,500,000
👛 2018-Apr-12 Coinsecure $3,500,000
🔑 2018-Apr-19 E7 Theft $5,000,000
🍎 2018-Apr-21 Gate.io $234,000,000
🔑 2018-May-29 Taylor ICO $1,700,000
👛 2018-Jun-?? Bithumb $31,500,000
👛 2018-Jun-09 Coinrail $37,000,000
🔑 2018-Jun-16 G13 Theft $275,000
🔑 2018-Jul-09 Bancor $23,500,000
2018-Aug-?? Unidentified Company $13,000,000
🔑 2018-Aug-07 BTC Markets $3,500,000
🔑 2018-Aug-09 Klickl / IDCM $620,000
👛 2018-Sep-01 Indodax $24,900,000
👛 2018-Sep-14 Zaif $59,000,000
🔑 2018-Oct-20 Trade.io $10,000,000
🔑 2018-Nov-04 Kryptono $270,000
2018 TOTAL $456,265,000
🔑 2019-Jan-14 Cryptopia $16,000,000
👛 2019-Mar-?? Bithumb $16,000,000
👛 2019-Mar-23 Etbox $132,000
🍎 2019-Mar-24 DragonEx $7,090,000
🔑 2019-Mar-25 Coinbene $105,000,000
👛 2019-Mar-26 BiKi $12,300,000
👛 2019-Jun-30 Bitcoin Norway (AlphaPoint) $500,000
🔑 2019-Jul-01 CoinTiger $272,000
🔑 2019-Sep-25 Algo Capital $2,000,000
👛 2019-Nov-27 Upbit $48,500,000
2019 TOTAL $207,794,000
2020 BTC Changers $Unknown
👛 2020-Aug-07 New York Financial Services Company $11,800,000
🔑 2020-Aug-18 Hobocrypt $134,000
🔑 2020-Aug-20 Fetch.ai (Holder) $2,600,000
🔑 2020-Aug-24 Coinberry $370,000
🔑 2020-Aug-29 Tap Global $Unknown
👛 2020-Sep-07 Eterbase $5,400,000
🔑 2020-Sep-11 Unibright $500,000
👛 2020-Sep-26 Kucoin $275,000,000
🔑 2020-Oct-06 CoinMetro $740,000
🔑 2020-Oct-16 LEAD Wallet Token $50,000
🔑 2020-Nov-13 L2 Theft $893,000
🔑 2020-Dec-14 Hugh Karp / Nexus Mutual $8,000,000
👛 2020-Dec-21 Exmo $10,500,000
2020 TOTAL $315,987,000
🍎 2021-Jan-22 Indodax ATO $2,830,000
💼 2021-Mar-05 Paid Network $160,000,000
🔑 2021-Apr-02 Mudge / Etna / Mokens Deployer $1,000,000
🔑 2021-Apr-19 EasyFi Founder $81,000,000
🍎 2021-May-12 990.1 BTC $55,600,000
🔑 2021-May-17 FinNexus $7,000,000
🔑 2021-Jun-03 NAOs Finance $750,000
👛 2021-Jun-23 Coinsquare $22,620,000
🍎 2021-Jul-13 Tower Capital $Unknown
🍎 2021-Jul-13 Advcash $14,000,000
🔑 2021-Jul-14 Bondly Finance $8,500,000
🔑 2021-Aug-01 Misc August-September 2021 Hacks $2,000,000
💼 2021-Aug-12 DAO Maker $7,000,000
👛 2021-Aug-18 Liquid Global $91,000,000
🔑 2021-Oct-08 MNGR $24,100,000
🔑 2021-Oct-28 Metaplay / Polyplay $1,600,000
🔑 2021-Nov-01 YFETH Admin Key $200,000
🔑 2021-Nov-03 bZx $55,000,000
2021 TOTAL $534,200,000
🔑 2022-Jan-15 Jan 15 2022 Theft $555,000
🔑 2022-Jan-27 Fantom Allo Receiver / ANKR founder $1,200,000
🔑 2022-Feb-10 Feb 10 2022 Theft $300,000
🔑 2022-Mar-22 Arthur_0x $1,700,000
🔑 2022-Apr-07 Wonderhero $1,025,000
👛 2022-Apr-14 Ronin Bridge $620,000,000
👛 2022-Jun-24 Harmony Horizon Bridge $100,000,000
🔑 2022-Aug-05 deBridge (Attempt) $0
🔑 2022-Sep-7 GERA Coin $142,000
🔑 2022-Oct-11 Algorand $750,000
🔑 2022-Oct-17 Darshan $1,750,000
🔑 2022-Oct-31 Oct 31 2022 Theft $183,000
🍎 2022-Nov-02 Deribit $28,000,000
💼 2022 Pixelcraft Potential IT Worker $0
2022 TOTAL $755,605,000
💼 2023 Various 2023 Rug Pulls $350,000
💼 2023-Apr-10 Terraport $3,900,000
💼 2023-Apr-26 Merlin DEX $1,800,000
👛 2023-Jun-03 Atomic Wallet $121,000,000
2023-Jun-11 A Large Theft / Investment Platform $17,600,000
🍎 2023-Jul-01 PolyNetwork $10,000,000
👛 2023-Jul-22 Alphapo + Coinspaid $97,000,000
🎙️ 2024-Aug-07 Bitgert / BRISE $437,000
🔑 2023-Aug-07 Steadefi $1,140,000
🔑 2023-Aug-16 Coinshift $2,900,000
🎙️ 2023-Aug-17 SPooCK $38,032
👛 2023-Sep-04 Stake $41,000,000
👛 2023-Sep-12 CoinEx $54,000,000
2023-Sep-24 HTX Theft Returned
2023-Sep-28 Unidentified Company $3,000,000
💼 2023-Oct-5 Blockbusters Tech
🔑 2023-Oct-17 Fantom Foundation $7,624,588
🔑 2023-Oct-26 Maverick $8,300,000
👛 2023-Nov-10 Poloniex $130,000,000
🔑 2023-Nov-10 Samudai $1,100,000
🎙️ 2023-Nov-10 Waygate $200,000
🔐 2023-Nov-19 Kronos $26,000,000
🎙️ 2023-Nov-14 UnoRe DAO $219,000
👛 2023-Nov-22 HTX / Heco $116,000,000
🔑 2023-Dec-10 Degen Reborn $164,000
🎙️ 2023-Dec-12 OKX Dex $2,390,976
🎙️ 2023-Dec-28 Upwork Developer Jobs Scams $550
2023 TOTAL $646,164,146
🎙️ 2024-Jan-22 ConcentricFi $1,720,000
🎙️ 2024-Jan-25 Wall Street Memes $2,500,000
🎙️ 2024-Feb-01 Linkedin Job Dev Scam $200,000
🔐 2024-Feb-13 Duelbits $4,600,000
🎙️ 2024-Feb-27 Serenity Shield $586,000
🎙️ 2024-Feb-28 Braintrust Job Dev Scam $100,000
🎙️ 2024-Mar-05 MurAll $278,000
🎙️ 2024-Mar-13 CloudAI $309,400
🎙️ 2024-Mar-16 Wilder World (Also Apr 2) $2,314,583
🔑 2024-Mar-20 Huge March 2024 Theft $90,000,000
💼 2024-Mar-26 Munchables ($62m, returned) $62,000,000
💼 2024-Mar-29 Solareum ($1.1m, frozen) $1,114,813
🎙️ 2024-Apr-11 Endblock $72,000
🔐 2024-Apr-29 Rain $14,800,000
🎙️ 2024-May-06 Genius / GNUS Token (Original compromise Jan 25) $1,262,630
🔑 2024-May-15 ALEX Labs $4,300,000
🎙️ 2024-May-28 HYVE
🎙️ 2024-May-29 SpaceCatch $200,000
👛 2024-May-31 Bitcoin DMM $305,800,000
🔑 2024-Jun-11 Theft from Individual C7 $4,200,000
👛 2024-Jun-22 CoinStats $2,300,000
🔑 2024-Jun-28 Theft from Individual C4 $400,000
👛 2024-Jul-01 Kyrrex $13,500,000
👛 2024-Jul-18 Wazirx $230,000,000
🔑 2024-Jul-22 Theft from Individual I4 $1,500,000
🔐 2024-Jul-24 T6 $400,000
🎙️ 2024-Aug-07 Nexera $1,900,000
🔑 2024-Aug-16 Theft from Individual A4 $2,500,000
🔑 2024-Aug-30 Metaschool $212,182
👛 2024-Sep-10 Indodax $20,000,000
🔑 2024-Sep-13 Adot $300,000
🎙️ 2024-Sep-19 NiiFi
👛 2024-Sep-19 BingX $45,000,000
🔑 2024-Sep-20 Dexnet $459,484
🔑 2024-Sep-25 Truflation $5,000,000
🍎 2024-Oct-16 Radiant $50,000,000
🎙️ 2024-Oct-18 Tapioca $4,700,000
🔑 2024-Oct-18 Fake Hack VC Thefts $77,000
🔑 2024-Jul-06 Theft from Individual M4 $1,400,000
🎙️ 2024-Oct-30 Bitbucket Dev Scam
🎙️ 2024-Oct-31 Scallop
🔐 2024-Oct-31 M2 $13,000,000
🎙️ 2024-Nov-15 Nov 15 Contagious Interview
👛 2024-Nov-28 XT $1,700,000
🔑 2024-Nov-25 TON Dude $14,000,000
🎙️ 2024-Dec-12 Willo Campaign $64,020
🔑 2024-Dec-18 Fake Foresight $1,600,000
2024 TOTAL $904,770,112

Breaking Down / Mapping the Clusters

See more at /lazarus-evolution

Note: all my research starts onchain and works backwards from there using victim reports and osint done by those tracking the malware, c2s, etc. I often get it wrong bc the clustering and dynamic nature of DPRK is insane to keep track of. Don't take any of this as gospel. I am always learning.

🔑 SquidSquad / Sapphire Sleet / DangerousPassword

👛 TraderTraitor / Jade Sleet

🍎 Applejeus / Citrine Sleet

  • aka: Gleaming Pisces, Labyrinth Chollima, UNC4736, Hidden Cobra, DEV-0139
  • A threat group that has been active since at least 2018
  • This group performed attacks targeting the cryptocurrency industry and is known for its association with the AppleJeus campaign.
  • Primarily targets: financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain.
  • The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.

"One of the most successful fake personas used by the Lazarus Group was Waliy Darwish—a man who supposedly worked for a cryptocurrency company, based in Michigan, called Celas L.L.C." —The Incredible Rise of North Korea’s Hacking Army

💼 DPRK IT Workers

🎙️ Contagious Interview

PDFs - Indictments & Formal Reports

https://github.com/tayvano/lazarus-bluenoroff-research/tree/main/pdfs

All PDF Reports

Date Document
2007 CHRG 109shrg28241
2019 North Koreas Cyber Threat: The All Purpose Sword
2014-02-01 KEI aps mansourov
2014-12-01 HPSR Security Briefing North Korea
2015-12-16 CSIS North Koreas Cyber Operations
2016-08-09 Korean Special Asymmetric Paramilitary Forces
2017-04-03 Kaspersky: Lazarus Under The Hood PDF final
2017-05-30 GroupIB: Lazarus Arisen
2017-08-01 US Army: North Korean Cyber Support
2018-01-01 CRS R44912
2018-03-01 Fireeye: APT37 The Overlooked North Korean Actor
2018-06-08 ⭐ USA v PARK JIN HYOK
2018-10-01 North Korea CEEW
2019-01-01 How DPRK Created Most Effective Cyber Forces
2019-01-29 ATA SFR SSCI
2020-01-01 Recorded Future: Internet
2020-02-01 North Korea Cyber Operations
2020-02-05 USA v FTB
2020-02-19 Lexfo The Lazarus Constellation
2020-03-02 ⭐ USA v 113 Virtual Currency Accounts - YINYIN Complaint CV-20606
2020-06-01 CryptoCore Group
2020-06-25 USA v Abbas - Complaint
2020-07-01 ATP7 100 2
2020-08-27 ⭐ USA v 280 Virual Currency Accounts - Complaint CV-2396
2020-11-17 USA v Ghaleb Alaumary CR-00576.1
2020-11-17 USA v Ghaleb Alaumary CR-00576.5
2020-12-08 ⭐ USA v JON CHANG HYOK PARK JIN HYOK CR-00614
2021-01-01 North Korea Military Power
2021-03-01 North Korea IB
2021-04-09 ATA 2021 Unclassified Report
2021-09-02 North Korean Cyberattacks
2022-05-16 OFAC: DPRK IT Workers Advisory
2022-12-01 WithSecure: Lazarus No Pineapple Threat Intelligence Report 2023
2022-12-31 DPRK Overseas IT Workers
2023-03-04 Mandiant: APT43 Report
2023-04-18 ⭐ USA v SIM HYON SOP et al Indictment CR-00129
2023-04-18 ⭐ USA v SIM HYON SOP Indictment CR-00128
2023-06-05 SEC v Binance
2023-06-22 Recorded Future: NK Cyber Strategy
2023-10-18 ⭐ USA v DPRK IT Workers 1134350
2023-10-18 USA v DPRK IT Workers 12 Domain Names
2023-10-18 USA v DPRK IT Workers 397674
2023-10-18 USA v DPRK IT Workers 5 Domain Names
2023-11-01 NCSC: 3CX IOCs
2023-11-01 USA v Binance
2023-11-20 FinCEN v Binance Consent Order
2023-11-23 Kim Jong Un's New Maybach
2023-11-30 Recorded Future: Crypto Country
2024-05-16 US v DPRK IT Workers (Chapman et al)

UN Security Council Reports

Date Document
2017-03-01 UN Security Council: 2016 Year End Report
2018-03-01 UN Security Council: 2017 Year End Report
2019-03-01 UN Security Council: 2018 Year End Report
2019-09-01 UN Security Council: 2019 Midterm Report
2020-03-01 UN Security Council: 2019 Year End Report
2020-09-01 UN Security Council: 2020 Midterm Report
2021-03-01 UN Security Council: 2020 Year End Report
2021-09-01 UN Security Council: 2021 Midterm Report
2022-03-01 UN Security Council: 2021 Year End Report
2022-09-01 UN Security Council: 2022 Midterm Report
2023-03-01 UN Security Council: 2022 Year End Report
2023-09-01 UN Security Council: 2023 Midterm Report
2024-03-01 UN Security Council: 2023 Year End Report
  • Also covered by OXT Research (corrections to some of this below)
Identifier Entity Date / Defendant Property
Exchange 1 Gate.io Hack (10k BTC, $230m total) April 21, 2018
Exchange 2 Youbit Hack ("17% Assets") April 22nd, 2017
Exchange 3 Upbit Hack (342,000 ETH) November 27, 2019
Exchange 4 Coinrail Hack ($40m) Summer 2018
VCE 1 HitBTC/Changelly DP 63-64
VCE 2 KuCoin DP 112
VCE 3 Bittrex DP 50-52
VCE 4 Yobit DP 92-111
VCE 5 Huobi DP 65-70
VCE 6 CoinCola DP 55-62
VCE 7 Paxful DP 83-84
VCE 8 LocalBitcoin DP 71-80
VCE 9 P2Pb2b DP 113
VCE 10 Binance DP 44-49
VCE 11 Poloniex DP 85-90
VCE 12 Unknown DP 53-54
Identifier Entity Quote
Exchange 2 Upbit (Victim) On November 27, 2019 342,000 ETH was stolen from Exchange 2.
Exchange 3 CoinTiger (Victim) On July 1, 2019, 400m PTT Tokens were stolen
Exchange 4 HitBTC (Laundry) All deposit activity for Target Actor 1’s account at Exchange 4 occurred on or about July 1, 2019, the same day as the theft from Exchange 3. The PXG and IHT deposits (17,829,785 PXG @ 2019-07-01 8:42 + 137,793 IHT @ 2019-07-01 13:22) came directly from the theft at Exchange 3.
Exchange 5 BiKi (Laundry) 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc also received approximately 15 BTC from accounts at Exchange 3 (CoinTiger), Exchange 5 (BiKi), and Exchange 6 (Huobi)
Exchange 6 Huobi (Laundry) The 4,342,294.43 Yee (“YEE”), 171,145.04 All Sports Coin (“SOC”), 71,237.03 StatusNetworks (“SNT”), and 23,300.29 Cortex Coin (“CTXC”) stolen from CoinTiger were deposited to an account at Exchange 6 on or about July 2, 2019 at 10:29, 22:32, 10:42, and 07:13 respectively. - 0x1016b7835d409692e02ed2035e053fbfb4602982
Exchange 7 KuCoin (Laundry) 0x2dbc0f6b71e341c7eca01c5287eb57af3038a9c5 also received approximately 41,702 USDT from an account at Exchange 7” via 14 transactions between August 12, 2019 and August 14, 2019. - e.g. txn 0xa690bf67b9347ac0ca155a473df26d91b20a62acc63546863dae0b1418c11782
Exchange 8 Switchain (Laundry) 0x2dbc0f6b71e341c7eca01c5287eb57af3038a9c5 sent the USDT to Exchange 8, converted to BTC, and withdrawn to 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc. On or about December 20, 2019, Exchange 8 received approximately 8.65658 ETH that was converted to 0.15012721 BTC e.g. txn bf4f4c33fb1613524ad72cd082adb42d1816b1aef8907ce30b73bf9b78078c94
Exchange 9 Changelly? (Laundry) In December 2019, Target Actor 1 attempted to convert ETH to BTC through a cryptocurrency trading platform “Exchange 9” which was designed to enable the transfer of one form of cryptocurrency in exchange for another. The stolen REP in 0x2DBC0f6B71e341C7Eca01c5287Eb57AF3038A9c5 was then sent to Exchange 9, converted to BTC, and also withdrawn to cluster 1BHnp. The funds associated with Order ID 6918d31f-097c-4afe-8d06-054dd38a34ac are currently frozen at Exchange 9, pursuant to their own internal policies.
Exchange 10 Algo Capital (Victim) U.S. Algorand crypto company hacked on September 25, 2019 - Defendant Property 25–130
Exchange 11 Binance (Laundry) The photos submitted to Exchange 11 were likely stolen during the 2018 hack of a U.S.-based CEX where IDT Victim 1 was a customer.
Exchange 12 Unknown Algo Capital's Binance Account also sent approximately 2.0285 BTC to an account at Exchange 12.
  • Chosun Expo
  • Sony Pictures Entertainmnet
  • Mammoth Screen
  • AMC Pictures
  • WannaCry
  • Lockheed Martin
  • Bangladesh Bank
  • Philippine Bank
Entity Description
Sony Pictures Sony Pictures Entertainment Inc.
AMC Theatres
Mammoth Screen A United Kingdom television production company
African Bank A bank headquartered in a country in Africa
Bangladesh Bank The central bank of Bangladesh, was headquartered in Dhaka, Bangladesh
Bancomext aka Banco Nacional De Comercio Exterior A Mexican state-owned bank headquartered in Mexico City, Mexico
Maltese Bank A bank headquartered in Malta
BankIslami aka BankIslami Pakistan Limited A bank headquartered in Karachi, Pakistan
New York Financial Services Company A financial services company headquartered in New York, New York
Polish Financial Supervision Authority The financial regulatory authority for Poland, and was based in Warsaw, Poland
Philippine Bank A bank headquartered in Makati, Philippines
Far Eastern International Bank A bank headquartered in Taipei, Taiwan
Vietnamese Bank A bank headquartered in Hanoi, Vietnam
Indodax aka Indonesian Cryptocurrency Company A cryptocurrency exchange based in Jakarta, Indonesia
South Korean Cryptocurrency Company A cryptocurrency exchange based in the Republic of Korea
NiceHash aka Slovenian Cryptocurrency Company A crypto-mining company headquartered in Ljubljana, Slovenia
Central American Online Casino 1 An online casino business headquartered in a Central American country
Central American Online Casino 2 An online casino business headquartered in a Central American country
Date Location / Bank Details
Dec 2015 Guatemala Reported loss of $16M USD
Dec 2015 Vietnam
Tien Phong Bank
Attempted theft of more than 1 million Euro ($1.1M USD) of funds through fraudulent SWIFT messages according to statement Tien Phong Bank later issued
Feb 2016 Bangladesh
Bangladesh Bank
Attempted theft of $951M USD
May 2016 South Africa / Japan
Standard Bank
Reported theft of $18M USD from Standard Bank that caused a malfunction of the system shortly before the cash was withdrawn from ATM machines at convenience stores in Tokyo and 16 prefectures across Japan with forged cards made with data stolen from credit cards issued by the bank. A reply from the Government of Japan to the Panel dated 25 July 2019 stated, “As of 9 July 2019, approximately 260 suspects, including organized crime group members, have been arrested, and the total amount of the cash illegally withdrawn from the ATMs across Japan was approximately 1.86 billion yen. The suspects used forged cards with data of roughly 3,000 pieces of customer information stolen from the Standard Bank in the Republic of South Africa, in order to withdraw cash from approximately 1,700 ATMs located in Tokyo and 16 prefectures across Japan. The case is still under investigation.”
Jul 2016 India Attempted theft of $166M USD using tactics and techniques similar to February 2016 attack on Bangladesh Bank. Funds were transferred to the Canadia Bank Plc and RHB IndoChina Bank Ltd in Cambodia, the Siam Commercial Bank in Thailand, Bank Sinopac in Taiwan Province of China, and a bank in Australia (routed by Citibank New York and JP Morgan Chase New York).
Jul 2016 Nigeria Attempted theft of $100M USD
Oct 2017 Tunisia Attempted theft of $60M USD
Oct 2017 Taiwan
Far Eastern International Bank
Attempted theft of $60M USD from Far Eastern International Bank. All but $500,000 recovered by the bank
Jan 2018 Mexico
Bancomext
Attempted theft of $110M USD from Bancomext
Jan 2018 Costa Rica Attempted theft of $19M USD. “A private financial institution experienced an alleged cyberattack in Costa Rica in January 2018. An investigation has been launched by the Offic e of the Public Prosecutor's Division on Fraud. On July 17, 2019, the Division delegated the investigation to the Ministry of Science, Technology and Telecommunication. Because the investigation is still ongoing, it is not possible for the Mission to provide the Panel with any result.”
Feb 2018 India
City Union Bank
Attempted theft of $16.8M USD from City Union Bank using techniques similar to February 2016 attack on Bangladesh Bank.
Mar 2018 Malaysia Attempted theft of $390M USD. 29 March 2018 cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages
May 2018 Chile
Banco de Chile
Theft of approximately $10M USD from Banco de Chile through unauthorized transactions using SWIFT, mainly to Hong Kong. The hackers distracted bank employs from the theft by using malware to render 9000 bank owned computers inoperable.
Jun 2018 Liberia Attempted theft of $32M USD
Aug 2018 India
Cosmos Bank
Reported theft of $13M USD through attack on Cosmos Bank through simultaneous ATM withdrawals across 23 countries in five hours as well as the transfer of 139 million Rupees to a Hong Kong-based company’s account in three unauthorized SWIFT transactions. On 8 October 2018 the United States included this and other similar DPRK attacks in its alert regarding the “FASTCash Campaign
Oct 2018 Chile
Redbanc
Attack on Redbanc using malware called POWERRATANKBA. Sophisticated social engineering via LinkedIn, Skype.
Feb 2019 Malta
Bank of Valletta
Attempted theft of $14.5M USD from the Bank of Valletta (BOV) on 13 February. Before being reversed, transfers were made to banks located in the UK, the US, Czech Republic, and Hong Kong, China. “phishing” activity using the same digital fingerprint had been detected since October 2018.
Feb 2019 Spain Attempted theft of $10.8M USD. Spain’s National Cryptologic Centre (CCN), under the National Intelligence Centre stated in its 2019 Cyberthreats and Trends report that hackers associated with the DPRK government conducted the largest number of reported cyberattacks against Spain in 2018.
Mar 2019 Gambia Attempted theft of $12.2M USD
Mar 2019 Nigeria Attempted theft of $9.3M USD
Mar 2019 Kuwait Reported theft of $49M USD
Feb 2017 Bithumb #1
ROK
Theft of $7M USD in first attack on Bithumb
Apr 2017 Youbit #1
ROK
Theft of $4.8M USD in first attack on Youbit (3618 Bitcoin)
May 2017 WannaCry
Global
WannaCry attack resulted in Bitcoin laundered through Monero 144,000 USD (52 Bitcoin)
Jul 2017 Bithumb #2
ROK
Reported theft of more than $7M USD in second attack on Bithumb including: 870,000 USD in Bitcoin and $7M USD in Bitcoin and Ethereum. National Intelligence Services attributed to the DPRK.
Summer 2017 Cryptojacking
ROK
25,000 USD (70 Monero) through Monero cryptojacking / mining through illegal seizure of a Republic of Korea company server. According to a news article, an assessment by Kwak Kyoung-ju at the Republic of Korea Financial Security Institute attributed the seizure of a server at an ROK to a hacking unit called “Andariel”. Sam Kim, “North Korean Hackers Hijack Computers to Mine Cryptocurrencies” Bloomberg, 31 December 2017
May-Sep 2017 ROK ROK Police reported attacks on three cryptocurrency exchanges by DPRK actors and detailed that 25 employees at four different exchanges were targeted in 10 separate “spear phishing” attempts since July 2017
23 Sep 2017 Coinis
ROK
Theft of undisclosed amount of Bitcoin in attack on Coinis. Possibly $2.19M USD. Total of $6.99M USD reported in losses from this and the April 2017 Youbit attack combined
Dec 2017 Youbit #2
ROK
Theft of 17% of Youbit assets in second attack on Youbit. Youbit later declared bankruptcy as a result of hack.
Dec 2017 NiceHash
Slovenia
Reported theft of $70M USD from the bitcoin mining company, NiceHash, which reported “a highly professional attack with sophisticated social engineering” that resulted in approximately $63.92M USD of Bitcoin being stolen.
Jun 2018 Bithumb #3
ROK
Third attack on Bithumb. Bithumb announced in a since deleted tweet that hackers stole approximately $31 million. Proceeds were laundered through a separate crypto-currency exchange called YoBit.
Aug 2018 India Reported theft of $13M USD
Oct 2018 Bangladesh Attempted theft of 2.6M USD
Mar 2019 DragonEx
Thailand/Singapore/Hong Kong, China
Reported theft of 9M USD from DragonEx. According to the company’s Twitter and LinkedIn accounts, it is based in Singapore. The LinkedIn page states, “Registered in Singapore, Operation Department headquartered in Bangkok.” However, Singapore indicated to the Panel that it does not currently have any registration information for a company under the name of DragonEx. Singapore further stated, “We note that DragonEx’s announcement of 27 March 2019 on its Telegram channel states that the Hong Kong Cyber Security and Technology Crime Investigation Bureau is investigating the incident.” DragonEx stated in its announcement of the cyberattack that it informed the judicial administrations of Estonia, Thailand, Singapore and Hong Kong. For more information on the attack, see http://www.coinwire.com/360-security-warns-about-lazarus-hacker-group and https://www.secrss.com/articles/9511
Mar 2019 Bithumb #4
ROK
Reported theft of 20M USD in fourth attack on Bithumb (3M EOS and 20 million Ripple coins stolen worth $13.4M USD and 6M USD, respectively)
May 2019 UpBit
ROK
UpBit attacked. No losses reported.

More Random Tweets

Spreadsheets

Purpose

  • no real purpose. i like rabbitholes, i'm weird. i've follow lazarus for a long, long time

  • i had multiple irl friends back in the day who worked at sony. now i have had multiple friends, founders, builders, users who have been rekt by these same fools, grown up

  • if you read about all the hacks and phishing campaigns in crypto, youre basically reading about lazarus, even if you dont know it

  • realizing there's guys on the other side of the world watching you...who likely know your product and codebase better than some of your own team members...guys who come from such a fundamentally different place than you do with regards to experience, ideology, motivation, and desires...and want to steal all your crypto...it's a lot

  • thus, i dive into my rabbithole for comfort. 🕳️🐇

  • gl.