Five recent crypto attacks with links to North Korea

by Arthur · March 20, 2023

Most recently, the Euler protocol was hit by a $200 million hack on March 13. Hackers used a flash loan attack to extract more tokens from the DeFi protocol. In total, the hackers made off with $137.1 million in stETH, $34.1 million in USDC, $18.9 million in WBTC, and $8.8 million in DAI.

Crypto hacks and attacks peaked in 2022. Over $3.8 billion was stolen from web3 platforms last year, the highest one-year loot recorded to date. Shockingly, more than $1.2 billion of these bad funds were linked to hackers sponsored by North Korea, according to findings by the National Intelligence Service (NIS), which is South Korea’s main spy agency.

Most recently, the Euler protocol was hit by a $200 million hack on March 13. Hackers used a flash loan attack to extract more tokens from the DeFi protocol. In total, the hackers made off with $137.1 million in stETH, $34.1 million in USDC, $18.9 million in WBTC, and $8.8 million in DAI.

After the attack, the crooks began funneling their ill-gotten gains through a mixing service called Tornado Cash. This was done to cover up the money trail. Tornado Cash is a decentralized coin mixer that was recently sanctioned by the US government following reports that North Korean hackers were using it to funnel stolen crypto funds.

A few days later, it was found that the villains behind the Euler attack sent $100 million worth of ETH to an address previously flagged for their ties to North Korea. “100 ETH stolen in Monday’s #Euler Finance hack have moved to an address linked to a previous hack by #North Korea-linked actors,” blockchain security firm Chainalysis said. However, they also stated that this could be a move to mislead any recovery efforts. “This could mean the Euler hack is also the work of #DPRK or could be misdirection by hackers,” the Chainalysis tweet said.

Towards the end of January this year, the FBI also confirmed that North Korean hackers were behind the $100 Harmony Bridge attack, which occurred in June 2022. On January 13, more than 6 months after the theft, hackers behind the exploit laundered $63.4 million of the stolen funds using the RAILGUN. For those unfamiliar, RAILGUN is an Ethereum-based privacy protocol that allows users to hide the nature of crypto transactions and remove identifying information.

Despite their efforts to conceal transactions, the FBI was able to trace the funds. According to on-chain records, the ill-gotten funds landed on two crypto exchanges, Binance and Huobi. A short time later, Changpeng Zhao, CEO and co-founder of Binance, confirmed that the laundered funds had been frozen and seized at both exchanges.

However, the biggest crypto hack linked to North Korea is the Ronin Bridge exploit from March 2022. The crazies behind this hack got away with 173,600 ETH, worth around $600 million at the time, and 25.5 million USDC.

A couple of weeks later, on April 14, the US Treasury updated its list of Specially Designated Nationals and Blocked Persons (SDN) to include an Ethereum wallet allegedly used by the Lazarus Group, a prominent North Korean hacking outfit. This wallet address was used during the Ronin Bridge exploit. At the time, the wallet was found to contain 148,000 ETH, perhaps from the exploit. The team behind the Ronin bridge also confirmed that the wallet was linked to the exploit.

In August 2022, the DeFi protocol, deBridge Finance, reported an attempted phishing attack. The company’s co-founder, Alex Smirnov, took to Twitter to announce the attack. According to his tweets, the hacker group orchestrated a phishing campaign in which they sent an infected PDF via an email titled “New Salary Adjustments.” An employee ended up downloading the file, who then proceeded to extract information from his PC.

Fortunately, the fraud was detected in time and any losses were averted. However, through later investigations, Smirnov concluded that the attack was the work of the notorious Lazarus group.

As recently as December 2022, blockchain security firm SlowMist reported that North Korean hackers used nearly 700 phishing domains to target non-fungible token (NFT) investors. These domains would impersonate popular NFT marketplaces such as OpenSea, Rarible, etc. They would offer malicious coining features that tricked investors into connecting their wallets to the fake website. Of course, once a user did that, the hackers would have control over the assets stored in the wallet.

According to the data uncovered by SlowMist, one of these phishing domains was able to extract more than 1,000 NFTs along with over 300 ETH from several different victims. ETH alone was worth $367,000 at the time. In total, SlowMist found 2 IPs behind 692 such domains. What’s scarier is that this was only the “tip of the iceberg” according to SlowMist.

These 5 incidents prove that North Korea has been behind a large part of the crypto hacks in recent months. There are also several reports that North Korea used these funds to advance its nuclear missile capabilities. – This is money that can support North Korea and its nuclear weapons program, said the US’s first attorney general, Marianne Bender, in a statement. To avoid falling victim to such scams and attacks, it is advisable to store crypto in a cold wallet. Furthermore, always cross-check the legitimacy of any links/emails that require “urgent action” or ask you to connect/provide details of your crypto wallet.