North Korean Lazarus Group targeting Blockchain Companies

The North Korean (DPRK) state-sponsored hacking group known as Lazarus continues to target blockchain and cryptocurrency organisations. The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the US Treasury Department have warned of “malicious” cyber threats from state-sponsored threat actors, chief among them Lazarus. Their goal is simple: to find vulnerabilities within crypto technology firms, exchanges and gaming companies in order to generate and launder funds.

The latest hack is the Axie Infinity-linked Ronin Bridge. It has been alleged that the Lazarus Group stole more than $600m in cryptocurrency from Ronin Bridge. The US Treasury’s sanctions office has blacklisted an alleged Lazarus-held crypto wallet (“Ronin Bridge Exploiter”).

How did it happen?

According to reports, the theft came as a result of an attacker compromising the “validator nodes” of the Ronin Bridge. Funds within the bridge can be moved if five out of nine validators approve the transfer. The Lazarus Group managed to get hold of five of the private cryptographic keys belonging to the validators, which was enough to meet that threshold.

The Lazarus Group uses social engineering to trick employees of a targeted organisation into downloading and running malicious software, in this case a cryptocurrency app for Windows and macOS systems. Once the software is run, it steals information and private keys, and the group then executes its payload to begin moving the cryptocurrency.
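The 5-of-9 approval rule described above, modelled as an added example that is not part of the original post: HMAC-SHA256 stands in for the validators' real signature scheme, the validator set and operator names are constructed, and the operator-diversity rule is an assumed hardening rather than something the article states. It shows that a plain threshold is satisfied by any five valid keys, however they were obtained, and how a policy that also counts distinct operators rejects a concentrated compromise.

```python
import hashlib
import hmac
import json
from collections import Counter

THRESHOLD = 5  # five of the nine validators must approve a withdrawal

# Constructed validator set: id -> (operating organisation, secret key). HMAC-SHA256
# stands in for the validators' real signature scheme so the example runs offline.
_OPERATORS = ["orgA", "orgA", "orgA", "orgA", "orgB", "orgC", "orgD", "orgE", "orgF"]
VALIDATORS = {
    f"v{i}": (org, hashlib.sha256(f"constructed-secret-{i}".encode()).digest())
    for i, org in enumerate(_OPERATORS, start=1)
}

def _encode(withdrawal):
    return json.dumps(withdrawal, sort_keys=True).encode()

def sign(validator_id, withdrawal):
    """A validator approves a withdrawal by MACing its canonical encoding."""
    return hmac.new(VALIDATORS[validator_id][1], _encode(withdrawal), hashlib.sha256).hexdigest()

def valid_approvers(withdrawal, approvals):
    """Validator ids whose signature over this exact withdrawal verifies."""
    msg = _encode(withdrawal)
    return {
        vid for vid, sig in approvals.items() if vid in VALIDATORS and hmac.compare_digest(
            hmac.new(VALIDATORS[vid][1], msg, hashlib.sha256).hexdigest(), sig)
    }

def bridge_accepts(withdrawal, approvals):
    """Plain m-of-n rule: any five valid validator signatures release the funds."""
    return len(valid_approvers(withdrawal, approvals)) >= THRESHOLD

def bridge_accepts_with_diversity(withdrawal, approvals, min_orgs=3):
    """Assumed hardening (not from the article): the approving validators must also
    span at least min_orgs operators, so keys stolen from one or two organisations
    are not sufficient on their own."""
    approvers = valid_approvers(withdrawal, approvals)
    orgs = Counter(VALIDATORS[v][0] for v in approvers)
    return len(approvers) >= THRESHOLD and len(orgs) >= min_orgs

def approvals_from(validator_ids, withdrawal):
    return {vid: sign(vid, withdrawal) for vid in validator_ids}

if __name__ == "__main__":
    w = {"to": "0xconstructed", "amount": 1000}  # constructed withdrawal request
    stolen = ["v1", "v2", "v3", "v4", "v5"]     # five keys, but only two operators
    print(bridge_accepts(w, approvals_from(stolen, w)))                 # True
    print(bridge_accepts_with_diversity(w, approvals_from(stolen, w)))  # False
```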

DPRK Funding

While the DPRK is largely cut off from the rest of the world, through its own policies and the global sanctions placed against it, its leader Kim Jong-un and the country's elite still manage to enjoy lives full of luxuries and continue to build up their missile programme. Besides money laundering, illegal drug manufacturing, counterfeiting of goods, and some legitimate exports, mainly to China, the main bulk of earnings for the DPRK comes from hacking. As of 2019, a United Nations report found that North Korea had made more than $2b from hacking alone.

Lazarus Group aka Hidden Cobra, APT38

Lazarus, aka Hidden Cobra, is an advanced persistent threat (APT) group linked to North Korea. It is alleged to be part of the Reconnaissance General Bureau, the North Korean intelligence agency that manages the state’s clandestine operations. The Lazarus Group is highly sophisticated, well trained, and highly motivated.

Adversary:

Lazarus (Group) aka APT38, HIDDEN COBRA

Capabilities:

  • Disruption.
  • Theft.
  • Misdirection.

Targeted Industries:

  • Banks.
  • SWIFT.
  • Defence industries.
  • Software Businesses.
  • Cryptocurrencies/Blockchain/Exchange industries.
  • Manufacturing Industries.
  • Pharmaceutical Companies.

Impact:

  • Temporary or permanent loss of sensitive or proprietary information.
  • Disruption to regular operations.
  • Financial losses incurred to restore systems and files.
  • Potential harm to an organisation’s reputation.

Full IOCs can be found here

ITC Recommendations:

  • Do not share private key information with anyone.
  • Be vigilant when clicking on links via email or social media – validate the sender.
  • Patch applications and operating systems.
  • Use application whitelisting.
  • Restrict administrative privileges.
  • Segment networks.
  • Educate employees regarding social engineering.

If in doubt, watch out… there may be a hacker about.


Sources:

  1. https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX
  2. Chainalysis on Twitter: “THREAD: Updates to OFAC’s SDN designation for Lazarus Group confirm that the North Korean cybercriminal group was behind the March hack of Ronin Bridge, in which over $600 million worth of ETH and USDC was stolen.”
  3. TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies – HS Today