lazarus

The report "2025 Cyber Threat Trends and 2026 Security Outlook" released by AhnLab shows that the North Korean-backed hacker group Lazarus has been named the most frequently in the past 12 months, primarily using "spear phishing" to carry out attacks, often disguising themselves as seminar invitations, interview requests, and other emails to lure targets into opening attachments. The report states that Lazarus is considered the main suspect in several major attacks, including the Bybit hacking incident on February 21 this year (resulting in a loss of $1.4 billion) and the recent $30 million vulnerability attack on the South Korean exchange Upbit.AhnLab indicates that to enhance security, companies need to establish a multi-layered defense system, including regular security audits, timely patch updates, and strengthening employee education. The company also recommends that individual users employ multi-factor authentication, handle unknown links and attachments with caution, avoid excessive exposure of personal information, and only download content from official channels. AhnLab points out that with the widespread use of AI applications, attackers will find it easier to generate indistinguishable phishing emails, spoofed pages, and deepfake content, and related threats may further complicate in the future. (Cointelegraph)

Regarding Upbit's incident of approximately 44.5 billion KRW (about 36 million USD) in cryptocurrency being stolen, CryptoQuant CEO Ki Young Ju stated today that the attack method disclosed by Upbit is "almost impossible for an ordinary hacker to accomplish."Upbit previously mentioned that the attackers might have "inferred the private keys" by analyzing the patterns of user wallet addresses. Ki Young Ju bluntly remarked that the difficulty of such attack techniques is extremely high, and if this is true, "I suspect that no hacker organization other than North Korea's Lazarus could achieve this."

According to Yonhap News Agency, South Korean virtual asset exchange Upbit has suffered a hacker attack, resulting in the theft of virtual assets worth 44.5 billion won. Currently, the North Korean reconnaissance agency's hacker organization Lazarus Group is highly suspected to be behind this incident.Local time, Yonhap News Agency learned from the information and communication technology (ICT) industry and relevant South Korean government departments that, given the significant suspicion surrounding the hacker organization Lazarus Group under the North Korean reconnaissance agency, authorities are conducting on-site inspections of Upbit. This hacker organization was previously implicated in the theft of 58 billion won worth of Ethereum from Upbit in 2019. A government official stated, "This attack is unlikely to have targeted the server; it is more probable that the administrator account was stolen, or that the attacker disguised themselves as an administrator to transfer funds." He also mentioned, "Based on the information currently available, the hackers used this method six years ago, so it is speculated that the same method was employed this time."

ChainCatcher news, EurekaTrading founder Kuan Sun tweeted a review of how he nearly lost $13 million due to a phishing attack: On September 2, 2025, approximately $13 million in assets in his wallet were almost stolen by the Lazarus hacker group. The security team acted urgently and ultimately recovered the funds.The incident was triggered by what appeared to be a normal Zoom meeting invitation, which was actually a carefully arranged phishing trap. The hackers exploited "acquaintance" relationships, deepfake videos, and a forged Rabby plugin to tailor the attack against the victim, Venus. Under the mistaken belief in the fake plugin, the victim executed a withdraw, putting the assets at risk of being transferred along with liabilities. PeckShield, SlowMist, Venus, and multiple security teams responded quickly, pausing the protocol and investigating risks, ultimately preventing the theft of funds. Hardware wallets are not foolproof; there are still risks of plugin and frontend hijacking; Zoom links, upgrade pop-ups, and acquaintance relationships can all serve as entry points for attacks.

ChainCatcher news, according to The Telegraph, the UK-registered cryptocurrency platform Lykke has been forced to cease operations and liquidate in March this year after being hacked and losing approximately £17 million (about $22.8 million) in Bitcoin and Ethereum. The UK Treasury's OFSI reported that the hackers are from North Korea's Lazarus group, and the funds were used for military and nuclear projects. Lykke founder Richard Olsen has been declared bankrupt, and the case is still under investigation.

ChainCatcher message, according to on-chain detective ZachXBT's monitoring, a user is suspected to have been attacked by the North Korean hacker group Lazarus Group on May 16, resulting in a loss of approximately 3.2 million dollars in assets. The stolen assets were sold on the market, and the stolen funds were subsequently cross-chained from Solana to Ethereum. On June 25, 400 ETH was deposited into Tornado Cash; on June 27, 400 ETH was deposited into Tornado Cash.

ChainCatcher message, the latest intelligence from the SlowMist security team indicates that the North Korean Lazarus hacker group is using a new type of espionage Trojan called OtterCookie to launch targeted attacks against cryptocurrency and financial professionals.The total methods include faking high-paying job interviews/investor meetings, using deepfake videos to impersonate recruiters, and disguising malware as "programming test questions" or "system update packages."The targets for theft include login credentials saved in browsers, passwords and digital certificates in the macOS Keychain, as well as cryptocurrency wallet information and private keys.SlowMist recommends being vigilant about unsolicited job/investment offers, requiring multi-factor authentication for remote interviews, avoiding running executable files from unknown sources, especially so-called "technical test questions" or "update patches," strengthening endpoint protection (EDR), deploying antivirus software, and regularly checking for abnormal processes.

ChainCatcher news, according to Cointelegraph, BitMEX thwarted a cyber attack by the North Korean Lazarus Group hackers, who targeted its employees through fake NFT partnership offers on LinkedIn. BitMEX stated that the hackers' strategy was not complex.It is reported that the Lazarus Group contacted a BitMEX employee on LinkedIn, proposing an NFT partnership, with the real goal of tricking the employee into running malicious code from a GitHub repository. After reviewing the codebase, the employee flagged suspicious code, and BitMEX's security team quickly investigated, identifying obfuscated JavaScript and tracing it back to infrastructure associated with Lazarus.

ChainCatcher news, according to Finance Feeds, the North Korean hacker group Lazarus Group has recently shifted its attack targets to individual investors, stealing over $5.2 million from a merchant through malware on May 24. The stolen funds involve multiple wallet types, including exchange wallets, multi-signature wallets, and external accounts.Blockchain analyst ZackXBT tracked that the hackers have transferred about 1,000 ETH through the mixer Tornado Cash.Security experts recommend that individual investors take protective measures: use hardware wallets to store large assets, enable two-factor authentication, regularly update software patches, be wary of suspicious links, and regularly check transaction records. This attack marks a strategic shift for the organization from targeting institutions to individual investors.

ChainCatcher news, according to Cointelegraph, Manta Network co-founder Kenny Li revealed a highly sophisticated phishing attack. The attackers used video footage of real team members during a Zoom video call, attempting to lure him into downloading malware.Li stated that the other party's camera was on during the video call and the facial footage was real, but there was no sound. The system prompted him to update Zoom and download a script file, which raised his alert. He believes this attack may have been initiated by the North Korean state-sponsored hacker group Lazarus. After being asked to verify identity via Telegram, the attackers immediately deleted all messages and blocked him.

ChainCatcher news, according to Spot On Chain monitoring, today, the Lazarus Group (North Korean hackers) sold 40.78 WBTC (approximately 3.51 million USD), making a profit of 2.51 million USD (+251%) -- which they bought two years ago.They purchased WBTC for approximately 990,000 USD at a price of about 24,521 USD in February 2023, and sold it 12 hours ago for about 86,170 USD at a price of 1,857 ETH. The hackers then distributed these Ethereum across 3 wallets.

ChainCatcher message, according to Arkham data, the North Korean hacker group Lazarus Group transferred 12.929 BTC to an unknown address 27 minutes ago. The latest data shows that the Lazarus Group's BTC holdings have decreased to 13,440, valued at approximately 1.16 billion USD.

ChainCatcher news, Wemade's blockchain subsidiary Wemix Foundation has disclosed a loss of approximately 8.65 million WEMIX tokens (worth about 6.22 million USD) due to a hacker attack. Its CEO Kim Seok-hwan stated that the hacker is unlikely to be the North Korean organization Lazarus Group, but rather a professional who infiltrated the system by stealing the service monitoring authentication keys from the NFT platform Nile. It is reported that the hacker prepared for this attack for two months and then attempted 15 withdrawals through the creation of abnormal transactions, of which 13 were successful.Kim Seok-hwan also revealed plans to reopen all Wemix services on Friday and will upgrade security measures on the new blockchain infrastructure.

According to ChainCatcher news, after the North Korean hacker group Lazarus Group attacked Bybit, they began to exchange some of the stolen assets for Bitcoin. Data shows that the group now holds 13,562 BTC, worth approximately $1.14 billion. This has led to a continuous increase in North Korea's Bitcoin holdings, which have now surpassed those of El Salvador (6,117 BTC) and Bhutan (10,635 BTC), making it the third largest government entity in terms of Bitcoin holdings globally, only behind the United States (198,109 BTC) and the United Kingdom (61,245 BTC).

ChainCatcher news, according to Decrypt, the Socket research team has discovered in a new attack that the North Korean hacker group Lazarus is associated with six new malicious npm packages that attempt to deploy backdoors to steal user credentials.Additionally, this malware can extract cryptocurrency data and steal sensitive information from Solana and Exodus crypto wallets. The attacks primarily target files from Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, specifically tricking developers into inadvertently installing these malicious packages.The six discovered malicious packages include: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They lure developers into installation through "typosquatting" (exploiting misspelled names). The APT group has created and maintained GitHub repositories for five of these packages, disguising them as legitimate open-source projects, increasing the risk of developers using the malicious code. These packages have been downloaded over 330 times. Currently, the Socket team has requested the removal of these packages and reported the related GitHub repositories and user accounts.Lazarus is a notorious North Korean hacker group, linked to the recent $1.4 billion Bybit hack, the $41 million Stake hack, the $27 million CoinEx hack, and countless other attacks in the crypto industry.

ChainCatcher news, according to Bitcoin.com News, North Korea's Lazarus group has accumulated nearly $1 billion in cryptocurrency, including $592 million in ETH, $319 million in BTC, and even $337,000 in BABYDOGE.

ChainCatcher news, "on-chain detective" ZachXBT revealed in a personal channel that an unknown victim was attacked by the North Korean hacker Lazarus Group on February 28 on Tron, resulting in a loss of approximately $3.1 million. The funds were transferred from Tron to Ethereum, and the ETH was split into ten addresses before being deposited into Tornado Cash.

ChainCatcher news, Bybit CEO Ben Zhou disclosed on social media that the platform has processed 2,167 reports since its launch.Ben Zhou stated that the Lazarus bounty platform has released a major update for version 1.1. The new version adds a hacker address analysis feature, allowing bounty hunters to view all stolen assets across chains and gain a comprehensive understanding of fund flows.The platform has also added a Discord channel for hunters to submit bounties, equipped with an automatic blacklist address checking system to avoid duplicate submissions.In addition, the update ranks the balances of hacker wallets and displays the names of bounty hunters in verified reports.

ChainCatcher news, according to Arkham data, as of now, wallets marked as Lazarus Group have transferred over $240 million in ETH through THORChain. These funds have mainly been exchanged for native BTC.In addition, THORChain's chief developer @Pluto9r announced his departure (after 4 years in office). THORChain network core validator TCB (@1984_is_today) revealed that most of THORChain's activities stem from the largest financial heist in human history, involving money laundering activities by North Korean hackers, which will become a national security issue.Previously reported, THORChain is currently facing insolvency, with savings and loan functions suspended, and plans to address a $200 million debt crisis by issuing equity tokens.