Researcher Warns of North Korea’s Developing Cryptocurrency Tactics
Paradigm security researcher Samczsun has expressed alarm that North Korea’s cyber activities stretch well beyond the infamous Lazarus Group.
These concerns arise as the cryptocurrency sector recovers from the recent Bybit hack, which is said to have involved a sophisticated breach of SafeWallet infrastructure.
This incident represented a shift from previous North Korean hacking attempts. Instead of focusing directly on Bybit, the hackers were able to infiltrate Safe{Wallet}.
This change in strategy underscores the evolving complexity of their tactics and raises significant alarms about the overall security of the cryptocurrency landscape.
Samczsun indicates that North Korean state-sponsored cybercrime is not the work of a single group but of a network of state-supported threat actors operating under different aliases.
The Structure of North Korea’s Cyber Warfare
Having researched North Korea’s cyber threats for years, Samczsun notes that labeling all North Korean cyber operations as the “Lazarus Group” simplifies a much more intricate web.
North Korea’s hacking initiatives are largely managed by the Reconnaissance General Bureau, an intelligence agency that directs several hacking units, which include not only Lazarus Group but also APT38, AppleJeus, and various other specialized teams.
Each of these factions has a unique focus. For instance, the Lazarus Group is infamous for high-stakes cyberattacks, including the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist. APT38, on the other hand, concentrates on financial crimes, such as bank fraud and cryptocurrency theft.
“APT38,” Samczsun explained, “emerged from the Lazarus Group around 2016 to focus specifically on financial crimes, targeting banks (like the Bank of Bangladesh) initially, and then turning to cryptocurrencies.”
Meanwhile, AppleJeus has aimed its efforts at cryptocurrency users, deploying malware disguised as trading applications.
These divisions operate within the same governmental framework, contributing to the funding of North Korea’s weapons programs and attempting to circumvent international sanctions.
Cryptocurrency: A Target for North Korea
North Korea has identified cryptocurrency as a significant source of funding. In contrast to traditional financial systems, crypto transactions are decentralized, which often makes them more challenging to trace or freeze.
North Korean hackers take advantage of this by compromising exchanges, deploying malware, and using fake job offers to gain access to internal systems.
For instance, the term “Wagemole” refers to North Korean IT workers who embed themselves in legitimate tech firms. While appearing to be regular employees, some exploit their access to steal funds or compromise systems.
This approach was evident in the Munchables incident, where an employee with North Korean connections drained assets from the protocol.
Another strategy involves supply chain attacks, in which hackers target software providers serving cryptocurrency companies. In one case, AppleJeus hackers embedded malware in a widely used communication tool, affecting millions of users.
Additionally, North Korean attackers accessed a contractor working with Radiant Capital through social engineering on Telegram, according to Samczsun.
Implications for Cryptocurrency
Samczsun cautioned that North Korea’s cyber operations are evolving. The Bybit breach demonstrates that the hackers now target infrastructure providers, not solely exchanges.
This evolution means that the entire cryptocurrency ecosystem—including wallets and smart contract platforms—now faces potential risks.
For cryptocurrency users and businesses, the essential takeaway is that the North Korean cyber threat extends well beyond the Lazarus Group and basic exchange hacks. The industry must adopt stronger security measures, enhance intelligence sharing, and cultivate a heightened awareness of social engineering threats.