Full Report
The governments said North Korea’s notorious Lazarus Group hackers “continue to demonstrate a pattern of malicious behavior in cyberspace by conducting numerous cybercrime campaigns to steal cryptocurrency and targeting exchanges, digital asset custodians, and individual users.”
Analysis Summary
# Threat Actor: North Korean State-Sponsored Actors (Implied Lazarus Group)
## Attribution & Identity
Attributed by Japan, South Korea, and the U.S. government to the **Democratic People's Republic of Korea (DPRK)**.
Known aliases/associated groups mentioned: **Lazarus Group**.
## Activity Summary
The actors are conducting numerous cybercrime campaigns primarily focused on cryptocurrency theft to fund unlawful weapons of mass destruction and ballistic missile programs. In 2024, they were responsible for siphoning large sums from the blockchain industry, including thefts totaling over $500 million from DMM Bitcoin ($308M) and WazirX ($235M), plus $116 million taken from Upbit, Rain Management, and Radiant Capital. Chainalysis reports that North Korean-tied groups stole $1.34 billion across 47 incidents in 2024. UN experts are investigating cyberattacks potentially netting $3 billion over six years.
A secondary high-priority activity involves illicitly gaining employment as **IT workers** at U.S. companies to steal sensitive data, earn high salaries (up to $10,000+ per month), and facilitate extortion. Recent escalations involve these embedded workers threatening to release confidential data and intellectual property for increased cryptocurrency ransoms.
## Tactics, Techniques & Procedures
- **Cryptocurrency Theft:** Targeting exchanges, digital asset custodians, and individual users.
- **Illicit Employment / Supply Chain Infiltration:** Gaining employment as IT workers at U.S. companies (often requiring laptop farms to mask location).
- **Extortion:** Threatening to leak sensitive data, source code, or company intellectual property if ransoms are not paid, including threats to sell the data to competitors or release it publicly.
- **Escalation:** Increased tempo and monetary demands for extortion following law enforcement disruptions.
- **Malware Deployment in Crypto Attacks:** TraderTraitor and AppleJeus (no associated CVEs or detailed TTPs are provided; the reference to AppleJeus implies a capability to exploit Chromium zero-days).
## Targeting
- **Sectors:** Cryptocurrency exchanges, digital asset custodians, Web3 companies, and general U.S. technology/IT firms (via hiring schemes).
- **Geography:** Targeting global cryptocurrency platforms, with IT worker infiltration specifically targeting U.S. companies.
- **Victims:** DMM Bitcoin, WazirX, Upbit, Rain Management, Radiant Capital, and various unnamed private industry companies infiltrated by fake IT workers.
## Tools & Infrastructure
- **Malware families used:** TraderTraitor, AppleJeus.
- **Infrastructure (C2, domains, IPs):** Not specified, other than the use of illicitly gained employment infrastructure (U.S.-based laptop farms).
## Implications
The DPRK cyber program poses a significant threat to the integrity and stability of the international financial system via massive cryptocurrency theft. The dual focus on direct financial theft and long-term infiltration via employment schemes (often leading to extortion and IP theft) indicates a sophisticated, multi-faceted revenue generation strategy that is actively escalating due to pressure from international disruption efforts.
## Mitigations
- Blockchain companies should be particularly stringent in IT worker hiring and vetting processes, including robust background checks and internal controls to monitor suspicious behavior.
- Organizations employing remote IT workers should verify employment authenticity to prevent infiltration by actors using identity masking schemes (e.g., laptop farms).
- Implement robust data protection and incident response plans capable of handling large-scale IP theft and extortion threats related to compromised employee accounts.