FBI Says Lazarus Group Behind $100 Million Harmony Bridge Heist

The FBI is blaming a $100 million cryptocurrency heist last June on the Lazarus Group, a team associated with the North Korean government that is known for stealing cryptocurrency to help support that country's military and weapons programs.

On Tuesday, the FBI released a statement identifying the Lazarus Group, also known as APT38, as the culprit for the June 24 attack on the Harmony Horizon bridge that resulted in the loss of $100 million worth of Ethereum. The Harmony Horizon bridge is a connection between various cryptocurrency systems, specifically Harmony and Ethereum, Bitcoin, and Binance Chain. In June, the attackers were able to gain access to the bridge and seize the Ethereum.

"The Harmony team has identified a theft that occurred this morning on the Horizon Bridge in the amount of approx. $100 million. We have started working with national authorities and forensic specialists to identify the culprit and recover the stolen funds," Harmony said at the time of the incident.

The FBI, along with the Department of Justice's National Crypto Enforcement Team and multiple US attorney's offices, has been investigating the Harmony heist, and on Tuesday said the Lazarus Group was responsible for the attack and had used its malware known as TraderTraitor as part of the operation.

"On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder more than $60 million in ethereum (ETH) stolen during the June 2022 heist. A portion of this ethereum stolen was subsequently sent to various virtual asset service providers and converted into bitcoin (BTC)," the FBI said in its statement.

The Lazarus Group has been in business for many years and is closely associated with the North Korean government and generally operates in support of government interests. The group's best-known operation was an attack on Bangladesh Bank in 2016 that netted it $81 million, and Lazarus has continued to target banks and crypto exchanges in subsequent years.

TraderTraitor is actually a group of tools that the Lazarus Group uses in many of its intrusions into cryptocurrency companies, exchanges, and other targets. Those operations often start when attackers send phishing emails to employees of a targeted company, trying to lure them into downloading a file that includes the malware.

"The messages often mimic a recruitment effort and offer high-paying jobs to lure recipients into downloading malware-laced cryptocurrency apps, which the US government refers to as 'TraderTraitor,'" CISA said in an advisory in April.

"The term TraderTraitor describes a series of malicious applications written with cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious apps are derived from a variety of open source projects and pretend to be cryptocurrency trading or price prediction tools. TraderTraitor's campaigns present websites with a modern design that advertises the supposed features of the apps."

The Lazarus Group has used TraderTraitor in a number of intrusions and has had quite a bit of success with it. It has also used other tools, including an older macOS backdoor called AppleJeus.

"The Lazarus Group used AppleJeus trojanized cryptocurrency apps that targeted individuals and businesses, including cryptocurrency exchanges and financial services companies, through the dissemination of cryptocurrency trading apps that were modified to include malware that facilitates cryptocurrency theft. These actors are likely to continue to exploit vulnerabilities in cryptocurrency technology companies, gaming companies, and exchanges to generate and launder funds to support the North Korean regime," the CISA notice reads.

The FBI said it worked with some of the exchanges to which the Lazarus Group moved the Bitcoin from the Harmony hack to freeze those assets.