North Korean hackers are using legitimate-looking LinkedIn and Telegram profiles in order to target the cryptocurrency wallets of macOS users, cybersecurity experts at Chainalysis have warned.
A report shown to Forbes ahead of publication on Tuesday revealed previously unknown details on a cryptocurrency exchange attack carried out by the Lazarus Group, a unit that the U.S. government and many cybersecurity researchers have identified as being North Korea-sponsored. It’s the same group blamed for the massive Sony Pictures breach in 2014 and the WannaCry ransomware epidemic of 2017.
Singapore-based cryptocurrency exchange DragonEx lost $7 million in a March 2019 breach after being targeted persistently by the hackers, according to a Chainalysis researcher, who asked not to be named. The hackers started by creating a fake business—WFCWallet—along with an official-looking website and LinkedIn profiles.
WFCWallet did provide software—but it was an infected version of a legitimate Bitcoin trading platform. Once installed in a system, the tool would open up a backdoor on an infected Apple Mac through which they could siphon off private keys to people’s cryptocurrency accounts. The software also had a keylogging feature to potentially filch more data, like user passwords.
The attackers then contacted an unnamed senior executive at the DragonEx exchange over Telegram, asking if she would like to do business with them and if she’d like to download the malicious WFCWallet. Though the executive initially seemed unenthusiastic about the offer of partnership, the hackers persisted over weeks and, for unknown reasons, a DragonEx employee ended up downloading the compromised software onto their Mac. That Mac happened to contain the private keys for customer accounts in what the Chainalysis source said was a weakness on DragonEx’s end. (After the attack, DragonEx said it was going to improve security.)
From there, users’ various cryptocurrency accounts full of Bitcoin, Ripple and Litecoin were stolen, before being laundered through various accounts as the attackers sought to cover their tracks.
North Korea’s use of front companies in cryptocurrency campaigns was first spotted in 2018 and throughout 2019. But the DragonEx breach showed just how persistent and effective those fake businesses can be.
Chainalysis, which was recruited by DragonEx to help it investigate the attack, said it was one of the most elaborate phishing campaigns it had ever witnessed, saying it was “on another level of sophistication.”
“It reveals the time and resources Lazarus has at its disposal, as well as the deep knowledge of the cryptocurrency ecosystem necessary to successfully impersonate legitimate participants,” the company wrote.
DragonEx hadn’t responded to requests for comment at the time of publication.
Earlier this month, researchers from Kaspersky Lab said the Lazarus Group had started delivering their malware directly over Telegram, rather than trying to divert targets to software downloads online.
More hacks, less money
The Chainalysis report also noted that 2019 saw more major cryptocurrency exchange hacks than any year before, with the 11 attacks netting $283 million. But the overall amount stolen in 2019 dipped, following the huge $534 million breach at Coincheck in 2018.
North Korean hackers remain heavily focused on stealing money to support the state’s weapons manufacturing. As the U.S. Treasury noted last year in announcing sanctions on North Korean hackers, Lazarus was one group “perpetrating cyber attacks to support illicit weapon and missile programs.” According to the U.S., Lazarus was formed by the North Korean government as early as 2007 and was part of the state’s Reconnaissance General Bureau.
Despite Lazarus’ apparent hunger for virtual money, in 2019, 50% of funds stolen by the group sat unspent in the hackers’ original wallet, Chainalysis said. It’s likely the U.S. government will know if, and when, North Korea tries to access those stolen funds given that Chainalysis has signed several deals with U.S. government agencies, mostly recently a $380,000 contract with the FBI for cryptocurrency tracing tools.