The Lazarus group transfers 400 ETH to Tornado Cash and distributes new malware

The Lazarus hacker group, affiliated with North Korea, continues its illicit activities in the cryptocurrency sector. Recently, the collective transferred 400 ETH, equivalent to about 750,000 dollars, through the mixing service Tornado Cash. This method allows for hiding the origin of the funds, making it more difficult to trace the transactions.  

Lazarus launders 400 ETH on Tornado Cash  

The blockchain security company CertiK detected and reported this movement just today. According to experts, the funds have a direct connection to the activities of the Lazarus group on the Bitcoin network.

Lazarus is one of the most dangerous hacking organizations in the crypto sector. The group is responsible for the attack on the Bybit exchange platform, which occurred on February 21, in which $1.4 billion in digital assets was stolen.

It is not the first hit attributed to the group: in January, Lazarus was linked to another attack, on the exchange Phemex, in which 29 million dollars were stolen. Since the early months of 2024, the North Korean hackers have continued to launder capital and develop new tools to attack crypto platforms.

Over the years, Lazarus has been deemed responsible for some of the largest attacks in the history of cryptocurrencies. Among these, the 600 million dollar attack on the Ronin network in 2022 stands out. According to data from the blockchain analysis company Chainalysis, in 2024 North Korean hackers stole over 1.3 billion dollars in cryptocurrencies through 47 cyberattacks, a figure that doubles the value of thefts that occurred in 2023.

New malware to attack developers  

In addition to the continuous attacks on exchanges, the Lazarus group has begun to spread new hacking tools to target developers and cryptocurrency wallets.  

Cybersecurity experts from the company Socket have identified six new malicious packages designed to infiltrate development environments, steal credentials, and extract critical information about cryptocurrencies. These malicious software packages also allow the installation of backdoors in compromised systems, paving the way for further attacks.

The hackers have targeted the Node Package Manager (NPM), one of the most widely used libraries for JavaScript application development. To spread the malware, Lazarus uses a technique known as typosquatting, which involves creating malicious packages with names very similar to those of legitimate libraries.   

One of the identified malware, called “BeaverTail”, was discovered within these counterfeit packages. Once installed, BeaverTail is capable of stealing funds from cryptocurrency wallets, with particular attention to Solana and Exodus wallets.  

Even the most used web browsers, such as Google Chrome, Brave, and Firefox, fall within the attack’s range. Additionally, the malware operates on macOS systems, targeting keychain files to access login credentials and sensitive developer data.  

Techniques attributable to Lazarus  

The definitive attribution of these new attacks to the Lazarus group remains a challenge for cybersecurity experts. However, the methodology adopted shows similarities with the techniques used by the collective in the past.  

The analysts at Socket have pointed out that the methods employed in these cyber attacks coincide with the known strategies of the Lazarus group. The combination of typosquatting, attacks on NPM packages, and targeting of developers indicates an evolution in the group’s operational methods.  

Lazarus continues to destabilize the crypto ecosystem  

The Lazarus group remains one of the most dangerous threats to the cryptocurrency sector. Its ability to adapt and develop increasingly sophisticated techniques represents a serious risk for exchanges, developers, and crypto users.  

The cyber attacks conducted by North Korean hackers not only cause significant economic losses, but they also put the entire digital currency ecosystem at risk. With the use of laundering tools like Tornado Cash and the spread of advanced malware, Lazarus continues to evade the controls of global security authorities.  

Cybersecurity experts recommend adopting effective protection measures to reduce the risk of infections and digital thefts, such as careful monitoring of software packages and the use of advanced security tools.
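The typosquatting technique described above relies on a developer installing a package whose name is one or two characters away from a well-known one. As an added example (not from the article, Socket or CertiK), the following script implements the kind of "careful monitoring of software packages" the last paragraph recommends: it reads a package.json manifest and flags dependencies that sit within a small edit distance of a short allow-list of known package names. The allow-list and the sample manifest, including the lookalike names "expres" and "lodahs", are constructed for illustration.

```javascript
// Added example (not from the article or the vendors it cites): flag npm
// dependencies whose names closely resemble well-known packages, the pattern
// typosquatting relies on. Allow-list and sample manifest are constructed.

const KNOWN_PACKAGES = ["express", "lodash", "react", "axios", "web3", "ethers"];

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns {name, lookalike, distance} for every dependency that is not an
// exact well-known name but lies within maxDistance edits of one.
// A hit means "review before installing", not a verdict: legitimate packages
// with similar names exist, so this is a triage signal, not a blocklist.
function findTyposquatCandidates(pkgJson, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    // Compare the bare name; a scope like @org/ is dropped for the comparison.
    const bare = name.includes("/") ? name.split("/")[1] : name;
    if (KNOWN_PACKAGES.includes(bare)) continue;
    for (const known of KNOWN_PACKAGES) {
      const d = editDistance(bare, known);
      if (d <= maxDistance) findings.push({ name, lookalike: known, distance: d });
    }
  }
  return findings;
}

// Constructed sample manifest: "expres" and "lodahs" are invented lookalikes.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.19.0", expres: "1.0.0", axios: "^1.6.0" },
  devDependencies: { lodahs: "0.0.1" },
};

for (const f of findTyposquatCandidates(SAMPLE_PACKAGE_JSON)) {
  console.log(`review ${f.name}: ${f.distance} edit(s) from ${f.lookalike}`);
}
```

In practice the allow-list would be the organisation's approved dependency set, and the check runs in CI before `npm install` so a lookalike name is caught before any install script executes.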

The Cryptonomist – Read More   
