Is North Korea’s Hacking Threat Bigger Than Lazarus Group? Paradigm’s Shocking Revelation

    North Korean hackers, beyond Lazarus Group, target crypto exchanges through cyber operations. Researchers stress enhanced security to combat evolving threats from DPRK’s sophisticated hacking ecosystem under the Reconnaissance General Bureau.

    By News Room

    Updated Apr 01, 2025 11:11 AM GMT+0

    In February, North Korean hackers grabbed global attention for pulling off the largest known single cryptocurrency heist. The notorious Lazarus Group made off with more than $1.4 billion from Bybit and subsequently moved the funds through crypto mixers to cover its trail.

    Samczsun, Paradigm’s Research Partner, tracked the attack in real time. In a blog post, he described having a “front-row seat” to one of the biggest cyber heists in history. In cooperation with Bybit, Samczsun and his team confirmed the unauthorized access to the exchange, pointing to the advanced methods employed by North Korean cybercriminals.

    The Role of SEAL 911 in Cybersecurity

    Throughout the attack, Samczsun was working alongside SEAL 911, a security response team linked to the Security Alliance, a non-profit group devoted to protecting decentralized systems. Though the Lazarus Group has long been regarded as the main North Korean cyber threat, new evidence indicates that the nation’s cyber operations go far beyond this single group.

    A Complex and Structured Cyber Operation

    One of the biggest myths about North Korea’s hacking campaigns is the tendency to attribute every cyber attack to the Lazarus Group. Cybersecurity specialists such as Samczsun, however, contend that this is imprecise.

    North Korea’s cyber warfare operations are under the control of the Reconnaissance General Bureau (RGB), which oversees several hacking groups with different methodologies and targets. These include AppleJeus, APT38, DangerousPassword, and TraderTraitor, each focused on different types of cyber espionage and financial theft.

    Specialized Hacking Units

    TraderTraitor is considered the most sophisticated group attacking the crypto sector. The unit skillfully penetrates exchanges holding large reserves using extremely advanced methods. One attack used a fake job-recruitment scheme to compromise Axie Infinity, and the group has also been tied to the WazirX breach.

    AppleJeus specializes in supply-chain attacks, the technique used in the 2023 3CX breach that potentially affected 12 million users. By compromising software supply chains, the group gains access to a vast number of systems.

    DangerousPassword relies on social engineering, using phishing emails and fake messages on platforms such as Telegram to trick users into handing over sensitive data.

    APT38, a branch of Lazarus, emerged in 2016 with a focus on financially motivated cybercrime. The group initially targeted conventional banks before turning to cryptocurrency exchanges, carrying out extensive financial heists.

    The Evolution of North Korean Cyber Threats

    In 2018, the U.S. Office of Foreign Assets Control (OFAC) first identified “North Korean IT workers,” activity subsequently classified as “Contagious Interview” and “Wagemole” in 2023. These actors pose as recruiters or apply for jobs at victim companies to enable cyberespionage and fraud.

    Despite their sophisticated hacking tools, North Korean cyber actors have not been known to use zero-day exploits against the crypto sector, Samczsun says. Still, the threat of future attacks remains high.

    Strengthening Security Measures

    Samczsun urges crypto firms to strengthen their security posture with basic yet effective measures, including least-privilege access, two-factor authentication, and device segregation. Companies should also establish relationships with security organizations such as SEAL 911 and the FBI’s DPRK unit so they can get immediate support if an attack occurs.

    News Room

    Editor

    Newsroom is the editorial team of CoinfoMania, delivering 24/7 crypto news, market insights, and in-depth analysis. With 30+ journalists worldwide, we keep you ahead in the blockchain space.
