Second hack in six months of the same crypto project - increasingly common for thieves to try this re-hacking approach 😬…

CoinsPaid has experienced its second security breach in six months, according to Web3 security firm Cyvers. According to Cyvers’ team on X (formerly Twitter), the attacker swapped around 97 million CPD tokens worth approximately $368,000 for ETH, then moved the funds to externally owned accounts (EOAs) and the crypto exchanges MEXC, WhiteBit, and ChangeNOW. CoinGecko’s data shows CPD trading at $0.0006 at the time of writing, down 39.5% in 24 hours.

CoinsPaid is an Estonian payment processor for digital assets and claims to have processed over 19 billion euros in crypto transactions. The company has not yet commented on the attack.

The platform suffered another security breach in July 2023, resulting in more than $37 million stolen. According to CoinsPaid, hackers used a fake job interview to trick one of its employees. The worker allegedly responded to a job offer and downloaded malicious code, allowing the bad actors to steal information and gain access to CoinsPaid’s infrastructure.

In a post-mortem report of the hack, CoinsPaid blamed the North Korean state-backed Lazarus Group for the incident, noting that the group had attempted to infiltrate the platform several times since March 2023 but switched to “highly sophisticated and vigorous social engineering techniques” after multiple failures - targeting employees rather than the company itself.

The Lazarus Group is believed to be behind several crypto hacks in 2023. Blockchain intelligence firm TRM Labs reported the group stole at least $600 million in crypto last year.

#cryptocurrency #financialcrime #financialcrimecompliance #hack #crypto #northkorea #lazarus #estonia https://lnkd.in/eq3C2Eab
Lazarus Group Cybersecurity Threats
Summary
The Lazarus Group, also known as APT38, is a state-sponsored hacking collective believed to operate out of North Korea. They have been linked to numerous high-profile cyberattacks, particularly targeting cryptocurrency platforms and financial institutions, using methods like social engineering, malware, and money laundering to steal billions of dollars over the years.
- Educate your team: Conduct regular training to help employees recognize phishing attempts, social engineering tactics, and suspicious job offers that hackers often exploit to gain access.
- Secure infrastructure: Regularly update and patch software, monitor for known vulnerabilities such as the Log4j flaw exploited in earlier Lazarus campaigns, and implement robust firewalls and endpoint protections to deter intrusions.
- Monitor and report suspicious activity: Track blockchain transactions and report any interactions with flagged addresses or accounts associated with known threat actors to relevant authorities.
🚨 Moments ago, in the wake of a recent court decision upholding last August’s designation of Tornado Cash, the U.S. Department of the Treasury’s OFAC added Tornado Cash founder Roman Semenov to its sanctions list. The sanctions designation was conducted in coordination with the U.S. Department of Justice (DOJ), which unsealed an indictment against Semenov and a second co-founder of Tornado Cash, Roman Storm, who was arrested today by the Federal Bureau of Investigation and the Internal Revenue Service, Criminal Investigation. The DOJ charged Semenov and Storm with conspiracy to commit money laundering, conspiracy to operate an unlicensed money transmitting business, and conspiracy to commit sanctions violations. According to a release by Treasury, OFAC sanctioned Semenov “for his role in providing material support to Tornado Cash and to the Lazarus Group, a state-sponsored hacking group that is an instrumentality of the Democratic People’s Republic of Korea (DPRK or North Korea).” According to OFAC, “Tornado Cash has been used to launder funds for criminal actors since its creation in 2019, including to obfuscate hundreds of millions of dollars in virtual currency stolen by Lazarus Group hackers.” Treasury’s press release goes into detail on Lazarus Group and Semenov’s role in the development of Tornado Cash. 📑 Treasury release: https://lnkd.in/dHWTYeEQ 📑 DOJ release: https://lnkd.in/d4bJ72PS
One of North Korea’s most prominent cyberespionage groups has been using two new remote access trojans (RATs) in attack campaigns this year, researchers warn. One of the operations targeted internet backbone infrastructure and healthcare organizations from Europe and the United States. “Lazarus Group remains highly active, with this being their third documented campaign in less than a year,” researchers from Cisco Talos said in a new report. “In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada, and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called ‘MagicRAT,’ along with known malware families VSingle, YamaBot, and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.” https://lnkd.in/gHuB33HN