Again, unsurprisingly, the North Korean state-sponsored hacking group Lazarus is rumored to be behind 5 of the 6 private key exploits witnessed in Q3.
Although their exploit techniques seem familiar, North Korea’s threat to the crypto space extends beyond the Lazarus Group. They are now equipped with even more sophisticated tools, allowing them to target a broader range of victim types and sizes, making their activities more widespread and threatening than ever.
That’s what we will discuss in detail in the first part of our three-part series dedicated to the crypto hacks landscape in Q3 2024. We will also address new developments on the front of money laundering, as well as two double hack cases witnessed during this past summer.
Q3 2024 Private Key Exploits: The Summer of CEXecutions
In 2024, the biggest change the Lazarus Group brought to the crypto crime scene was its shift in target. In the early days of the crypto era, centralized exchanges were a security nightmare, making them the perfect target for criminals, as we recount extensively in our report ‘Mt. Gox Unveiled: The Real Story a Decade After the Collapse.’
Since then, much has changed, and CEXes have now taken on the allure of impregnable fortresses.
Naturally, DeFi protocols — too often with minimal security processes — then became the targets of choice. It was there that the Lazarus Group made its biggest coup and, conversely, committed the biggest crypto crime ever, by exploiting the Ronin network for $624 million.
But it appears the Lazarus Group has found the holes in those impregnable fortresses and is actively breaking in.
The Two Biggest CEX Private Key Cases of Q3 2024, Courtesy of the Lazarus Group (Allegedly)
1 — WazirX Private Key Exploit: A $235 Million Heist
On July 18th, 2024, Indian centralized exchange WazirX lost $235 million from a multisig wallet, the biggest hack of the summer of 2024.
In the early hours of that day, WazirX saw a total of $234.9 million siphoned from its Safe multisig wallet to a new address, with each transaction’s caller having been funded by the mixer Tornado Cash.
All the stolen cryptocurrencies were immediately swapped for Ethereum, a signature move of the Lazarus Group.
According to WazirX’s claims, the wallet breach happened because of discrepancies between Liminal’s interface data and actual transaction contents, allowing a hacker to gain control of the multisig wallet and steal funds despite using the Gnosis Safe multisig and a whitelisting policy.
Liminal pushed back against WazirX’s accusation, stating that the “incident originated from an external source” and that the compromised multi-signature smart contract wallet used in the attack was “created independently and later imported onto the Liminal platform.”
While the details of what really happened are still murky, cybersecurity company CYFIRMA identified the North Korean Lazarus Group as the culprit behind this exploit.
As of October 3rd, 2024, the WazirX hacker has laundered almost $230 million through Tornado Cash, most of it during the month of September, leaving barely over $5 million remaining in their main wallet.
2 — The BingX Private Key Exploit: A $52 Million Heist
On September 20th, 2024, Singapore-based CEX BingX suffered a private key exploit amounting to $52 million.
It was a two-fold attack that took place hours apart and targeted one of the exchange’s hot wallets. Cyvers suggested that the post-heist obfuscation technique closely resembled a Lazarus Group pattern.
Lazarus heist aside, the BingX team received heavy criticism for its management of the crisis — from initially hiding the heist behind a ‘temporary wallet maintenance’ notice to downplaying the loss as a ‘minor asset loss’ when it had already been revealed that more than $50 million had been siphoned. In reality, the ‘minor loss’ amounted to more than 1/8 of their funds, if Arkham’s figures are correct!
The post-heist efforts, mounted with blockchain security firms and similar partners, nevertheless succeeded in freezing around $10 million.
As for how both these private key exploits and other attacks occurred, the Lazarus Group has developed a well-oiled social engineering machine over the past few years.
North Korea, Social Engineering and Organized Targeted Operations
With their 2024 crypto heists, the Lazarus Group has reached a mind-blowing record: they successfully stole more than $3.7 billion over the past 3 years, essentially through social engineering techniques.
It was through a simple PDF and a fake job offer that the biggest heist in crypto history took place in 2022 when Ronin Bridge lost an astounding $624 million.
Web3 companies are particularly vulnerable to devastating private key exploits, as a recent report from Web3 firm De.Fi reveals. According to the report, governance framework mispractice poses a threat to 75% of top tokens.
Only 16.6% of the contracts analyzed were managed by multisig wallets, which require up to five different private keys to approve any transaction. Multisig is not even a sophisticated security tool; using it is the most basic security step of any protocol to safeguard against inside jobs, social-engineered or not, scams, and hacks.
Although this report primarily concerns tokens, it accurately represents the lax approach to security practice in the entire Web3 landscape. A lack of security measures proves to be a key factor in most private key exploits through social engineering or otherwise, as only one compromised wallet is needed to compromise a whole protocol or CEX.
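To make two points above concrete, here is an added Python model that is not code from this article, nor from Safe or Liminal. It shows (a) the WazirX-style situation in which an interface displays one transaction while the payload actually handed to the signers contains something else, and why a destination whitelist alone does not catch that, only a signer that re-hashes the real payload does; and (b) why a single compromised key is enough to drain a wallet with no threshold policy but not a 3-of-5 wallet. The `Wallet` and `Tx` classes, owner names, addresses, amounts and the `0xdeadbeef` calldata are constructed assumptions, and signatures are simulated with HMAC-SHA256 so the example runs offline with the standard library; real wallets use ECDSA or EdDSA.

```python
"""Toy threshold (M-of-N) multisig with a "verify what you sign" step.

Added illustration for this article, not code from the article, Safe or Liminal.
Signatures are simulated with HMAC-SHA256 over the transaction hash so the
example runs offline; real wallets use ECDSA/EdDSA. All addresses, keys and
amounts below are constructed sample values.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    to: str       # destination address (constructed)
    value: int    # amount in arbitrary units
    data: str     # hex calldata; "0x" means a plain transfer


def tx_hash(tx: Tx) -> str:
    """Canonical hash of the exact payload that would be executed."""
    payload = json.dumps({"to": tx.to, "value": tx.value, "data": tx.data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def sign(secret: bytes, digest: str) -> str:
    """Toy signature: HMAC of the digest under the owner's secret."""
    return hmac.new(secret, digest.encode(), hashlib.sha256).hexdigest()


class Wallet:
    """M-of-N wallet with an optional destination whitelist (policy layer)."""

    def __init__(self, owners: dict, threshold: int, whitelist=None):
        if not 1 <= threshold <= len(owners):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.owners, self.threshold, self.whitelist = owners, threshold, whitelist

    def approve(self, owner: str, shown: Tx, actual: Tx, independent_check: bool = True):
        """Owner signs. `shown` is what the interface displayed; `actual` is the
        payload handed to the signer. A careful signer re-hashes `actual` itself
        and refuses when it differs from `shown`; a trusting signer signs anyway."""
        if independent_check and tx_hash(shown) != tx_hash(actual):
            return None
        return sign(self.owners[owner], tx_hash(actual))

    def execute(self, tx: Tx, sigs: dict) -> bool:
        """Execute only if the destination passes the whitelist (when one is set)
        and at least `threshold` distinct owners signed this exact payload."""
        if self.whitelist is not None and tx.to not in self.whitelist:
            return False
        digest = tx_hash(tx)
        valid = {o for o, s in sigs.items()
                 if o in self.owners and hmac.compare_digest(sign(self.owners[o], digest), s)}
        return len(valid) >= self.threshold


OWNERS = {f"owner{i}": f"secret-{i}".encode() for i in range(1, 6)}  # constructed keys
TREASURY, ATTACKER = "0xTREASURY", "0xATTACKER"                      # constructed addresses


def interface_mismatch(independent_check: bool) -> bool:
    """Interface shows a plain transfer to the whitelisted treasury, but the
    payload presented for signing carries different calldata to the same
    whitelisted address. The whitelist cannot tell them apart; only a signer
    who hashes the real payload can. Returns whether the payload executed."""
    wallet = Wallet(OWNERS, threshold=3, whitelist={TREASURY})
    shown = Tx(TREASURY, 100, "0x")
    actual = Tx(TREASURY, 100, "0xdeadbeef")  # constructed stand-in for altered contents
    sigs = {}
    for owner in ("owner1", "owner2", "owner3"):
        sig = wallet.approve(owner, shown, actual, independent_check)
        if sig is not None:
            sigs[owner] = sig
    return wallet.execute(actual, sigs)


def one_compromised_key(threshold: int, n_owners: int) -> bool:
    """Attacker holds exactly one owner key on a wallet with no whitelist (a
    typical single-key hot wallet). Returns whether the drain executed."""
    owners = dict(list(OWNERS.items())[:n_owners])
    wallet = Wallet(owners, threshold)
    drain = Tx(ATTACKER, 10_000, "0x")
    sigs = {"owner1": wallet.approve("owner1", drain, drain)}
    return wallet.execute(drain, sigs)


if __name__ == "__main__":
    print("trusting signers, interface mismatch executes:", interface_mismatch(False))
    print("independent hash check, executes:", interface_mismatch(True))
    print("1-of-1 wallet, one stolen key executes:", one_compromised_key(1, 1))
    print("3-of-5 wallet, one stolen key executes:", one_compromised_key(3, 5))
```

The two lessons are in the last four lines: the altered payload executes when signers trust the interface and is blocked when each signer hashes the real payload independently (a hardware signer displaying the hash, or an out-of-band decode of the calldata, plays that role in practice), and one stolen key drains a 1-of-1 wallet while falling short of a 3-of-5 threshold.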
Private key and governance security is so lax that, for instance, FTX faced a $447 million hack in November 2022, where the attackers reportedly simply SIM-swapped one individual to gain access to the private keys and the wallet from which they then withdrew the funds from FTX’s coffers. Later, it would be revealed that FTX stored private keys without encryption.
The lax security practices have become the Achilles’ heel of the crypto space, and North Korea’s state-sponsored crypto hacking group, Lazarus, quickly caught on to this.
Private key exploits through social engineering have become their crypto villain signature.
1. Contagious Interview — The first social engineering technique they developed targets job seekers.
Dubbed “Contagious Interview” by Unit 42 researchers, the first campaign involves attackers posing as employers to trick software developers into installing malware during the interview process, potentially leading to various types of theft. This strategy has been a key element in some of the most significant heists orchestrated by the Lazarus Group, netting them billions.
The compromise of private keys by the Lazarus Group is most often not recognized by the victim parties, especially centralized entities, until the FBI, a security researcher, or a security company comes forward to unveil it. The specific details of how it occurred were never fully disclosed, except in one case: the CoinsPaid hack.
Similar to the Ronin case, the private key exploit was made possible through malware implemented via ingenious social engineering tactics.
On July 22nd, 2023, the Lazarus Group stole $37 million from the Estonia-based cryptocurrency payments firm CoinsPaid via LinkedIn.
According to CoinsPaid’s post-mortem report, the Lazarus Group initially attempted to breach their systems through conventional hacking methods starting in March 2023.
After months without success, they reverted to their successful tactic: the fake job offer route.
They dangled extremely appealing high-salary job offers in front of CoinsPaid’s employees, with compensation ranging from 16,000–24,000 USD a month, and waited for an employee to fall into their trap.
An inattentive employee, perhaps unaware of the risk, took the bait and had a fake job interview with them, during which he was asked to download software to complete a technical task.
Unfortunately, he did not conduct his job interview using his own personal computer but instead used one that provided access to CoinsPaid’s infrastructure.
The “software” was malicious code that allowed the Lazarus Group “to gain remote control of a computer for the purpose of infiltrating and accessing CoinsPaid’s internal systems,” per CoinsPaid.
After gaining access to CoinsPaid’s infrastructure, they were able to successfully open a backdoor that “allowed them to create authorised requests to withdraw funds from CoinsPaid hot wallets.”
That’s how $37 million was lost to the Lazarus Group.
This technique of finding weaknesses in people rather than code has proven to be fruitful.
So much so that, concurrently with their Contagious Interview approach, they launched a new kind of social engineering campaign, this time targeting recruiters.
2. Wagemole — The second social engineering campaign, dubbed “Wagemole” by Unit 42, involves threat actors infiltrating organizations through unauthorized employment, with the dual aims of financial gain and espionage.
Unit 42 has discovered that North Korean moles are using fake resumes to target a wide range of U.S. companies and freelance job marketplaces, utilizing different U.S. VoIP numbers for contact.
Their resumes link to well-maintained GitHub and LinkedIn profiles, making the accounts appear legitimate through frequent updates and interactions. These fraudulent job seekers target on-site jobs but claim to be U.S.-based while temporarily abroad due to COVID, allowing them to ‘work remotely’ for many months — long enough to siphon intelligence and funds.
Their activities extend beyond the U.S., targeting global freelance markets, including Africa. Unit 42 has also identified that they use multiple accounts on various platforms and attempt to buy or borrow high-reputation accounts to conceal their true identities and win job bids.