This mysterious hacker group has a cool name: Lazarus

The name comes from Lazarus, a character in the Bible: a close friend of Jesus who died of illness and was raised from the dead by him.

Don't be fooled by the literary name. They have far stronger backing than a bible story: the support of a sovereign state's government!

With that backing and strong professional skills, they have pulled off many major heists:

Let's take a closer look at a few cases involving large amounts of money:

  • NiceHash

According to Reuters, in December 2017 NiceHash, at the time the world's largest marketplace for cryptocurrency mining hash power, had its Bitcoin wallet attacked and about 4,700 bitcoins stolen, worth $64 million then and around $280 million at the time of writing!

In 2021 NiceHash published a blog post stating that the United States had confirmed it was North Korean hackers who stole their bitcoin.

The Americans handled the case efficiently and even identified the three hackers who carried out the attack in detail. According to the 2021 indictment filed in the U.S. District Court in Los Angeles:

The 4,700 bitcoins were stolen by Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36, members of the Reconnaissance General Bureau (RGB), the military intelligence agency of the Democratic People's Republic of Korea (DPRK), which is alleged to engage in criminal hacking. These North Korean military hacking units go by several names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park had previously been charged in a criminal complaint unsealed in September 2018.

But the three are presumably in North Korea, beyond the reach of a US court.

  • Kucoin

The Lazarus case best known to us in China is probably the Kucoin theft.

In that case Kucoin lost nearly US$300 million, the largest cryptocurrency theft of 2020 and about half of the total stolen across the whole year.

According to Reuters, a UN investigation found that this case was carried out by North Korean hackers!

The incident hit Kucoin hard enough that deposits and withdrawals stayed suspended for about a week afterwards.

Kucoin’s CEO also made the disclosure in a very open and aboveboard manner during the live broadcast:

According to this official statement, let's sort out the whole story of the incident for everyone:

At 2:51 a.m. Beijing time on September 26, 2020, Kucoin's risk-control system raised an alert for an abnormal Ethereum transfer:

At 3:15 a.m., about 20 minutes after the incident began, Kucoin set up a team to handle it.

At 3:20 a.m., the team urgently shut down the hot-wallet server, but the abnormal transfers continued. Shutting down a server does not stop an attacker who already holds the wallet's private keys.

At 4:20 a.m., the team moved the remaining assets from the hot wallets to cold wallets, which cut off the theft.

At 5 a.m., the team contacted the major exchanges and had the attacker's addresses added to their blacklists.

At 10:41 a.m., Kucoin published an announcement informing users of what had happened.
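As an added illustration of what the kind of "abnormal transfer" alert in the timeline above can look like, here is a small outflow-monitoring rule set written for this article. It is not Kucoin's code (Kucoin has not published its risk-control rules); the policy limits, addresses and transfer records are all constructed for the example.

```python
from datetime import datetime, timedelta

# Hypothetical hot-wallet policy; the limits are made up for this example.
POLICY = {
    "per_tx_limit": 1000.0,                 # largest single outgoing transfer allowed quietly
    "window": timedelta(minutes=10),        # sliding window for outflow velocity
    "window_limit": 2000.0,                 # largest total outflow inside one window
    # destinations seen before: the cold wallet plus previously verified customer addresses
    "known_destinations": {"0xcoldwallet", "0xcustomer01", "0xcustomer02"},
}

# Constructed sample of outgoing transfers from one hot wallet, in time order.
# The addresses and amounts are invented; only the shape mirrors the incident.
TRANSFERS = [
    {"ts": "2020-09-26T02:40:00", "amount": 12.0,    "to": "0xcustomer01"},
    {"ts": "2020-09-26T02:45:00", "amount": 3.5,     "to": "0xcustomer02"},
    {"ts": "2020-09-26T02:51:00", "amount": 11480.0, "to": "0xattacker"},
    {"ts": "2020-09-26T02:52:00", "amount": 9000.0,  "to": "0xattacker"},
    {"ts": "2020-09-26T03:30:00", "amount": 5.0,     "to": "0xcustomer01"},
]


def evaluate_transfers(transfers, policy=POLICY):
    """Return one list per transfer naming the rules it trips (empty = looks normal)."""
    results = []
    recent = []  # (timestamp, amount) pairs still inside the sliding window
    for tx in transfers:
        ts = datetime.fromisoformat(tx["ts"])
        # Forget transfers that have aged out of the window before adding this one.
        recent = [(t, a) for (t, a) in recent if ts - t <= policy["window"]]
        recent.append((ts, tx["amount"]))

        reasons = []
        if tx["amount"] > policy["per_tx_limit"]:
            reasons.append("per_tx_limit")
        if tx["to"] not in policy["known_destinations"]:
            reasons.append("unknown_destination")
        if sum(a for _, a in recent) > policy["window_limit"]:
            reasons.append("window_limit")
        results.append(reasons)
    return results


def first_alert(transfers, policy=POLICY):
    """Index of the first transfer that trips any rule, or None if all look normal."""
    for i, reasons in enumerate(evaluate_transfers(transfers, policy)):
        if reasons:
            return i
    return None


if __name__ == "__main__":
    for tx, reasons in zip(TRANSFERS, evaluate_transfers(TRANSFERS)):
        print(tx["ts"], tx["amount"], tx["to"], "ALERT" if reasons else "ok", reasons)
```

The important design decision is where these rules run. Applied to transactions already on the chain, as here, they only detect: they can trigger the freeze-and-move-to-cold steps in the timeline, but cannot stop a transfer that was signed with stolen keys. Putting the same rules in front of the signing step, so the signer refuses to sign a transfer that trips them, turns detection into prevention.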

Look at the speed and timely response. I guess these North Korean hackers didn’t expect Kucoin to respond so quickly.

While the North Korean hackers were still celebrating and getting ready to cash out, they found that most of the coins were frozen as soon as they reached other exchanges. As a result Kucoin recovered most of its losses.

For Kucoin users, the only impact was that they could not withdraw for about a week, because most assets had been moved into cold wallets for safety.

Kucoin itself bore the small portion that could not be recovered.

In this incident Kucoin performed very professionally, both in response speed and in the final outcome. It is also the case with the highest recovery rate among the many thefts carried out by North Korean hackers.

  • Ronin

In early 2022, Sky Mavis, the development team behind Axie Infinity, was also running the Ronin cross-chain bridge project.

Axie Infinity had just announced US$152 million in funding at the end of 2021 and was preparing another round led by Binance. It was riding high.

What they didn't expect was that they would be remembered not for their products but for the theft of roughly $620 million, at the time the largest theft of crypto assets in history.

According to Chainalysis’ analysis, this theft was also committed by Lazarus Group!

Thanks to this one shocking case, 2022 was the most profitable year for North Korean hackers. North Korea's total export earnings that year were only a little over US$100 million, while its crypto thefts brought in well over a billion.

Let's briefly review the case:

The Ronin cross-chain bridge was secured by 9 validator nodes, and a withdrawal required signatures from 5 of the 9.

On Wednesday, March 23, 2022, the North Korean hackers gained control of 5 of them: the 4 validators run by the development team itself plus the 1 validator run by Axie DAO. The team's 4 validator keys were stolen outright; according to Sky Mavis's own post-mortem, the Axie DAO signature was obtained through a gas-free RPC allowlist that Axie DAO had granted Sky Mavis in late 2021 and that was never revoked.

The attacker then used those five signatures to withdraw 173,600 ETH and 25.5 million USDC from the bridge, approximately US$625 million at the time.

The theft went unnoticed for six days. Only on March 29, when a user could not withdraw 5,000 ETH through the Ronin bridge, did the Ronin team realise that the bridge had been drained the previous week.
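To make the 5-of-9 arithmetic concrete, here is an added Python example of a threshold signature check, written for this article and not Sky Mavis's or Ronin's code. It goes a step beyond the text: alongside the plain k-of-n count it shows a stricter variant that also requires the signers to span several independent operators, so that one compromised team holding a delegated key cannot reach quorum alone. The operators assigned to the validators beyond the four team nodes and the DAO node, the HMAC stand-in for real ECDSA signatures, and the policy numbers are all assumptions for the example.

```python
import hashlib
import hmac

# Hypothetical 5-of-9 validator set modelled on the text: four validators run by the
# bridge's own team, one by a DAO, and (an assumption for this example) four others
# run by independent operators.
THRESHOLD = 5
VALIDATORS = {
    "v1": "bridge_team", "v2": "bridge_team", "v3": "bridge_team", "v4": "bridge_team",
    "v5": "dao",
    "v6": "operator_a", "v7": "operator_b", "v8": "operator_c", "v9": "operator_d",
}

# Toy stand-in for validator signing keys. A real bridge verifies ECDSA signatures
# against validator public keys; HMAC is used here only so the example runs with the
# standard library. Keys are derived deterministically so the run is reproducible.
KEYS = {v: hashlib.sha256(b"toy-key-" + v.encode()).digest() for v in VALIDATORS}


def sign(validator, message):
    """Toy signature: HMAC-SHA256 of the message under the validator's key."""
    return hmac.new(KEYS[validator], message, hashlib.sha256).digest()


def verify(validator, message, signature):
    return hmac.compare_digest(sign(validator, message), signature)


def valid_signers(message, signatures):
    """Set of validators whose submitted signature verifies for this message.
    A set means the same validator submitted twice never inflates the tally."""
    return {v for v, s in signatures.items() if v in VALIDATORS and verify(v, message, s)}


def threshold_ok(message, signatures, threshold=THRESHOLD):
    """Plain k-of-n check: enough distinct valid signatures, nothing else."""
    return len(valid_signers(message, signatures)) >= threshold


def diverse_threshold_ok(message, signatures, threshold=THRESHOLD, min_operators=3):
    """k-of-n plus an operator-diversity rule (hypothetical policy): the valid signers
    must belong to at least `min_operators` independent organisations."""
    signers = valid_signers(message, signatures)
    operators = {VALIDATORS[v] for v in signers}
    return len(signers) >= threshold and len(operators) >= min_operators


# Withdrawal message. The unique id keeps a valid signature set from being replayed.
WITHDRAWAL = b"withdraw|asset=ETH|amount=173600|to=0xattacker|id=0001"

# The compromise described in the text: four team validators plus the DAO validator.
ATTACKER_KEYS = ["v1", "v2", "v3", "v4", "v5"]
# A withdrawal honestly signed by validators from three different operators.
HONEST_KEYS = ["v1", "v2", "v5", "v6", "v7"]


def attacker_signatures():
    return {v: sign(v, WITHDRAWAL) for v in ATTACKER_KEYS}


def honest_signatures():
    return {v: sign(v, WITHDRAWAL) for v in HONEST_KEYS}


if __name__ == "__main__":
    a = attacker_signatures()
    print("attacker passes plain 5-of-9:", threshold_ok(WITHDRAWAL, a))           # True
    print("attacker passes diverse 5-of-9:", diverse_threshold_ok(WITHDRAWAL, a))  # False
    h = honest_signatures()
    print("honest passes diverse 5-of-9:", diverse_threshold_ok(WITHDRAWAL, h))    # True
```

The plain check accepts the attacker's withdrawal because it only counts keys, and five keys were in one pair of hands. The diversity check rejects it because those five keys span only two organisations. Neither check substitutes for keeping the keys and any signing delegation (such as an RPC allowlist) out of a single compromised environment, but the second one at least makes the threshold mean what it appears to mean.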

Compare the response speed: totally different from Kucoin, which needed only a few hours to go from being robbed to counterattacking.

So in terms of efficiency this overseas team really wasn't as dependable as our Chinese team~

After the Kucoin funds were frozen, the North Korean hackers also learned their lesson. Since the end of 2020 they have known that stolen coins must go through a mixer before they can be cashed out.

So despite various efforts, only tokens worth about US$30 million could be recovered.

Judging from the timing, the coins stolen from Ronin went to Tornado Cash.

At that time, almost all currency mixers were used by North Korean hackers to launder money:

Tornado Cash was sanctioned by the US Treasury in August 2022 and one of its developers was arrested in the Netherlands days later, most likely for this reason.

Why is North Korea so keen on stealing cryptocurrency?

Because, according to The Diplomat magazine, the cryptocurrency stolen by North Korea is used to fund its nuclear weapons programme.

Moreover, looking at the trend of North Korea's foreign-exchange income in recent years, it seems to be focused single-mindedly on crypto theft with no interest in any other line of business.


According to Chainalysis data, North Korea's crypto theft business is going very smoothly. As of September 2023, it had stolen a cumulative total of US$3.54 billion in cryptocurrency.

In 2022, the peak year, it took US$1.65 billion in a single year, almost half of all cryptocurrency stolen worldwide that year.