There's More to North Korea's Hacking Ops Than Just Lazarus Group: Paradigm

In February, North Korean hackers broke headlines with what is now regarded as the largest single hack in crypto history.

The Lazarus Group stole at least $1.4 billion from Bybit and later funneled those funds to crypto mixers.

"Someone had pulled off the biggest hack in [crypto] history, and we had a front-row seat," Samczsun, Research Partner at Paradigm, recalled in a blog post.

The researcher said they witnessed the theft in real-time and collaborated with Bybit to confirm the unauthorized access.

Samczsun was working with SEAL 911, an emergency response unit affiliated with the Security Alliance, a nonprofit organization dedicated to securing decentralized systems.

But these attacks aren't all just about the Lazarus Group. There's more to North Korea's cyber offensives than previously thought.

There's a misconception about how to "classify and name” the group's operations.

While the term "Lazarus Group" is "colloquially acceptable," discussing how the DPRK (Democratic People's Republic of Korea) runs its cyber operations on the offensive needs more rigor, Samczsun claimed.

Lazarus Group has become the preferred term by the media when describing DPRK cyberactivity. Cybersecurity researchers "created more precise designations" to show which ones are working on specific activities, they added.

A hacking bureau

The DPRK's hacking ecosystem operates under the Reconnaissance General Bureau (RGB), which houses several distinct groups: AppleJeus, APT38, DangerousPassword, and TraderTraito

These groups operate with specific targeting methodologies and technical capabilities.

TraderTraitor, identified as the most sophisticated DPRK actor targeting the crypto industry, focuses on exchanges with large reserves and employs advanced techniques, successfully compromising Axie Infinity through fake job offers and manipulating WazirX.

AppleJeus specializes in complex supply chain attacks, including the 2023 3CX hack that potentially affected 12 million users.

Dangerous Password, meanwhile, conducts lower-end social engineering through phishing emails and malicious messaging on platforms like Telegram.

Another subgroup, APT38, spun out of Lazarus in 2016 and focused on financial crimes. It first targeted traditional banks before shifting attention to crypto platforms.

In 2018, the OFAC first mentioned "North Korean IT workers," which in 2023 were identified by researchers as "Contagious Interview" and "Wagemole," operating through schemes where the threat actors either pose as recruiters or attempt to get hired by target companies.

There's still hope

While the DPRK has shown its ability to deploy zero-day attacks, there have been "no recorded or known incidents" of it deploying directly against the crypto industry, Samczsun said.

The researcher urged crypto companies to implement basic security practices such as least privilege access, two-factor authentication, and device segregation. If preventive measures fail, connecting with security groups like SEAL 911 and the FBI's DPRK unit would also be helpful.

"DPRK hackers are an ever-growing threat against our industry, and we can't defeat an enemy that we don't know or understand," Samczsun wrote.

Edited by Sebastian Sinclair