
Five recent crypto attacks with links to North Korea


By CNBCTV18.com Mar 20, 2023 4:35:20 PM IST (Published)

Crypto hacks and attacks reached their peak in 2022. Over $3.8 billion was stolen from web3 platforms last year, the highest single-year loot recorded to date. Shockingly, more than $1.2 billion of these ill-gotten funds were tied to hackers sponsored by North Korea, as per findings from the National Intelligence Service (NIS), which is South Korea’s main spy agency.

Most recently, the Euler Protocol was hit by a $200 million hack on March 13. Hackers made use of a flash loan attack to syphon multiple tokens from the DeFi protocol. In all, the hackers made off with $137.1 million in stETH, $34.1 million in USDC, $18.9 million in WBTC and $8.8 million worth of DAI.
After the attack, the miscreants began funnelling their ill-gotten funds through a mixing service called Tornado Cash. This was done to obfuscate the money trail. Tornado Cash is a decentralised coin mixer that was recently sanctioned by the US government after reports that North Korean hackers were using it to channel stolen crypto funds.
A few days later, it was found that the miscreants behind the Euler attack sent $100 million worth of ETH to an address previously flagged for its ties to North Korea. "100 ETH stolen in Monday's #Euler Finance hack have moved to an address associated with a previous hack carried out by #NorthKorea-linked actors," said blockchain security firm Chainalysis. However, the firm also stated that this could be a move to mislead any recovery efforts. "This may mean the Euler hack is the work of #DPRK too, or could be misdirection by hackers," the Chainalysis tweet went on to state.
Toward the end of Jan this year, the FBI also confirmed that North Korean hackers were behind the $100 Harmony Bridge attack, which occurred in June 2022. On Jan 13, more than 6 months after the theft, hackers behind the exploit laundered $63.4 million of the stolen funds using RAILGUN. For the unacquainted, RAILGUN is an Ethereum-based privacy protocol that allows users to hide the nature of their crypto transactions and remove identifying information.
However, despite their efforts to obscure transactions, the FBI was able to track the funds. According to on-chain records, the ill-gotten funds landed on two crypto exchanges, Binance and Huobi. A short while later, Changpeng Zhao, CEO and co-founder of Binance, confirmed that the laundered funds had been frozen and seized on both exchanges.
However, the biggest crypto hack tied to North Korea is the Ronin Bridge exploit from March 2022. The miscreants behind this hack got away with 173,600 ETH, worth around $600 million at the time, and 25.5 million USDC.
A couple of weeks later, on April 14, the U.S. Treasury updated its Specially Designated Nationals and Blocked Persons (SDN) list to include an Ethereum wallet that has allegedly been used by the Lazarus Group, a prominent North Korean hacking outfit. This wallet address was used during the Ronin Bridge exploit. At the time, the wallet was found to contain 148,000 ETH, perhaps from the exploit. The team behind the Ronin Bridge also confirmed that the wallet was tied to the exploit.
In August 2022, DeFi protocol deBridge Finance reported an attempted phishing attack. The company's co-founder, Alex Smirnov, took to Twitter to announce the attack. According to his tweets, the hacking group orchestrated a phishing campaign wherein they sent an infected PDF through an email titled "New Salary Adjustments." One employee ended up downloading the file, which then went about extracting information from their PC.
Fortunately, the scam was discovered in time and any losses were averted. However, through later investigations, Smirnov concluded that the attack was the work of the infamous Lazarus Group.
More recently, in Dec 2022, the blockchain security firm SlowMist reported that North Korean hackers were utilising nearly 700 phishing domains to target nonfungible token (NFT) investors. These domains would impersonate popular NFT marketplaces like OpenSea, Rarible, etc. They would offer malicious minting features that tricked investors into connecting their wallets to the fake website. Of course, once a user did so, the hackers would have control of the assets stored in the wallet.
According to the data uncovered by SlowMist, one of these phishing domains was able to extract more than 1,000 NFTs along with over 300 ETH from several different victims. The ETH alone was worth $367,000 at the time. In all, SlowMist found 2 IPs that were behind 692 such domains. What’s scarier is that this was only the "tip of the iceberg" according to SlowMist.
These 5 incidents prove that North Korea has been behind a large chunk of the crypto hacks in the last few months. There are also multiple reports that North Korea used these funds to further its nuclear missile capabilities. "This is money that can support North Korea and their nuclear weapons programme," said U.S. First State Attorney Marianne Bender in a statement. To avoid falling victim to such scams and attacks, it is advisable to store your crypto in a cold wallet. Further, always cross-check the legitimacy of any links/e-mails that require "urgent action" or ask you to connect/provide details of your crypto wallet.
