
WazirX was hacked earlier this month, leading to a loss of $235 million in various crypto assets. Consequently, the company had to freeze transactions due to the breach. Following the hack, the company released a bounty program to find the trail behind the lost crypto. Cybersecurity company Cyfirma has now identified a North Korean hacker group as being behind the theft. The stolen assets include $96.7 million in Shiba Inu, $52.6 million in Ether, $11 million in Matic and $7.6 million in Pepe.
The North Korean hacker group known as Lazarus has been said to be responsible for this breach. The report claims that the Lazarus Group is linked to North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). This group has two subgroups, APT38 and BlueNoroff, which specifically target financial institutions and cryptocurrency exchanges worldwide.
History of Lazarus group's activities
APT38 focuses on financial crimes, attacking banks and cryptocurrency exchanges. They use techniques like custom malware, spear-phishing, and exploiting software vulnerabilities.
BlueNoroff targets financial institutions and cryptocurrency exchanges, often setting up fake companies to gain trust and infiltrate systems.
Previous high-profile attacks
Bithumb (South Korea): Suffered multiple hacks in 2017 and 2018, resulting in millions of dollars in stolen cryptocurrency.
Coincheck (Japan): In January 2018, over $530 million worth of NEM tokens were stolen in a hack with methods consistent with Lazarus tactics.
Youbit (South Korea): Declared bankruptcy in December 2017 after a hack attributed to Lazarus, losing 17 per cent of its assets.
How Lazarus group executes attacks
Lazarus Group uses several methods to hack into cryptocurrency exchanges like WazirX. They often start with phishing attacks, sending targeted emails to employees that contain malicious attachments or links. When these are opened, malware is installed on the victim's computer, compromising the system.
The group also employs social engineering tactics to trick employees into revealing sensitive information. They might impersonate trusted individuals or create fake profiles and companies to gain trust and access.
Another method they use is exploiting software vulnerabilities. They look for weaknesses in the software used by crypto exchanges, including web applications, servers, and employee workstations. Once they find a vulnerability, they use it to gain unauthorized access.
Once inside the network, Lazarus deploys malware like remote access Trojans (RATs) and keyloggers. This malware helps them maintain persistent access and monitor activities to capture valuable information such as passwords and private keys.
After gaining initial access, they move within the network to gain higher levels of access and control, often targeting the servers that manage cryptocurrency wallets. Finally, they transfer the stolen cryptocurrency to wallets they control. To hide the origin of the stolen funds, they launder them using various methods, including mixing services, converting to different cryptocurrencies, and making multiple transactions across different exchanges.
Kumar Ritesh, CEO of Cyfirma, mentioned that these attacks have been happening for years across various countries, primarily to fund North Korea's weapons programs and evade international sanctions. He said, "Heists have been ongoing for several years, with notable attacks occurring since at least 2017. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime. The stolen cryptocurrency is used to fund the country's weapons programs and to evade international sanctions."
Copyright©2025 Living Media India Limited. For reprint rights: Syndications Today