North Korean hackers stole $400 million in cryptocurrency in 2021

North Korean hackers stole nearly $400 million worth of cryptocurrencies by hacking into seven companies in 2021, according to blockchain analysts at Chainalysis. A year earlier, the amount of stolen funds was estimated at $300 million.

Ethereum (ETH) accounted for 58% of the stolen funds, while Bitcoin (BTC) accounted for only 20% of the stolen funds, according to the study.

The attackers laundered and cashed out most of the funds using special mixer services, as well as Asian crypto-fiat exchangers. But the hackers did not cash out all the stolen funds. Thus, Chainalysis experts discovered a cryptocurrency worth more than $170 million, which was stolen by hackers from 49 cryptocurrency exchanges between 2017 and 2021. And the attackers have clearly put that money aside for long-term storage.

All of the aforementioned attacks are attributed by analysts to the Lazarus hack group, although this name hides several separate North Korean groups at once. Typically, North Korean hackers operate in specific areas, including politically oriented cyber espionage, spying on dissidents, economic espionage, and theft.

It is the Lazarus division that is most often associated with hacking banks and cryptocurrency projects. The group is being tracked by US authorities as BlueNoroff, and the US Treasury Department calls these hackers a money-making machine for North Korea and its nuclear and ballistic programs.

Let me remind you that we wrote that the US authorities indicated two more members of the Lazarus group, and also that the Lazarus Group used ThreatNeedle malware against defense companies.

A recent Kaspersky Lab report published this week states that after years of investigation, BlueNoroff has been linked to multiple attacks targeting crypto companies in Russia, Poland, Slovenia, Ukraine, the Czech Republic, China, India, the US, Hong Kong, Singapore, UAE and Vietnam.

The campaign, which Kaspersky Lab monitors under the name SnatchCrypto, has been active since 2017 and uses malicious documents that are sent by hackers via email or LinkedIn to individuals working in cryptocurrency companies. As soon as the victim views such a file, their system is infected with a backdoor that allows attackers to take control of the machine.

The group’s other campaigns were less sophisticated and used regular LNK (Windows shortcut) files, but the end result was the same: BlueNoroff accessed the victim’s device.

The researchers write that in separate incidents, BlueNoroff went so far as to develop a malicious version of the Metamask extension for Chrome, which hackers installed locally on the victim’s device, replacing the extension with the real one.

The extension has been modified to detect when a victim initiates a transaction and then intercept the parameters of that transaction and send most of the funds to the BlueNoroff account.

It sounds simple, but in fact, this requires careful analysis of the Metamask extension for Chrome, which is more than 6 MB of JavaScript code (about 170,000 lines). The injection is very difficult to detect manually if you are not too familiar with the Metamask codebase. However, extension modifications still leave a mark.the researchers say.
Experts note that during the attack, it was necessary to enable “Developer Mode” in the Chrome extensions section, and the source of the fake Metamask changed from the Play Store to a local address.

Let me remind you that we also wrote about the CryptoCore hacker group have stolen $200 million linked to North Korea.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button