How the North Korean hackers behind WannaCry got away with a stunning crypto-heist
27 Jan 2020

Cyberattacks waged against cryptocurrency exchanges are now common, but the theft of just over $7 million from the Singapore-based exchange DragonEx last March stands out for at least three reasons.

First there is the extremely elaborate phishing scheme the attackers used to get in, which involved not only fake websites but also fake crypto-trading bots. Then there’s the slick way they laundered the crypto-cash they stole. Last but not least: they appear to have been working for Kim Jong-un.

The heist, new details of which were recently published by blockchain analytics firm Chainalysis, shows how good today’s digital bank robbers have become. And if this and other reports are correct in fingering North Korean hackers as the perpetrators, it looks to be part of a larger survival strategy by Kim’s regime, which has been cut off from the global financial system by international economic sanctions meant to curtail its nuclear weapons program.

DragonEx was not the first crypto exchange to be victimized by this particular hacker band, which some security analysts call the Lazarus Group. The group has been targeting the industry since at least 2017, as part of a broader campaign focused on financial institutions. In August, a group of independent experts reported to the United Nations that North Korea has generated an estimated $2 billion for its missile program by using “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges. The regime’s use of cryptocurrency to evade sanctions is behind a recent warning from the same group of UN experts not to attend an upcoming blockchain conference in Pyongyang.

The Lazarus Group is widely believed to have been behind several headline-grabbing hacks, including the breach of Sony Pictures in 2014 and the WannaCry ransomware hack in 2017, which affected hundreds of thousands of computers in 150 countries. But it was its theft of $81 million from the central bank of Bangladesh in 2016 that foreshadowed its eventual targeting of crypto exchanges. According to the FBI, the attackers spent more than a year doing reconnaissance before gaining access to the bank’s computer system via an elaborate phishing campaign.

Plagued by lax security, the cryptocurrency ecosystem was “an easy target” for North Korean hackers, who already had experience going after financial institutions, says Priscilla Moriuchi, head of nation-state research at Recorded Future, a cybersecurity company. “They are far more capable than they get credit for, especially on the financial crime side,” Moriuchi says.

To compromise DragonEx, Lazarus created a fake company that advertised an automated cryptocurrency trading bot called Worldbit-bot, says Chainalysis. The invented company had a website, and its made-up employees even had social-media presences. When they pitched a free trial of the trading software to DragonEx employees, someone bit, downloading malware to a computer that held the private keys for the exchange’s wallets.

In research published earlier this month, Kaspersky Labs describes another of the Lazarus Group’s recent schemes, which also apparently targeted cryptocurrency businesses. In this case, the attackers created fake companies and then enticed targets to download malware using the popular messaging app Telegram.

By Mike Orcutt, MIT Technology Review, 24 January 2020

Read more at MIT Technology Review
