North Korean hackers set sights on cryptocurrency companies

North Korean hackers have deployed a new malware variant dubbed “Durian” against cryptocurrency companies in South Korea. Cybersecurity firm Kaspersky reported on May 9 that the North Korean hacking group Kimsuky used the malware in targeted attacks on at least two cryptocurrency firms. The attacks exploited legitimate security software used exclusively by South Korean crypto companies. The previously undocumented Durian malware acts as an installer, deploying additional tools including a backdoor known as “AppleSeed,” a custom proxy tool called LazyLoad, and legitimate programs such as Chrome Remote Desktop.

Kaspersky stated that Durian has full backdoor functionality, allowing it to execute delivered commands, download additional files and exfiltrate files. The firm also found that LazyLoad had previously been used by Andariel, a sub-group of the infamous North Korean hacking consortium Lazarus Group, suggesting a “tenuous” connection between Kimsuky and the more notorious organization. Lazarus, which emerged in 2009, has become one of the most prolific cryptocurrency hacking groups.

On April 29, independent blockchain investigator ZachXBT revealed that the Lazarus Group successfully laundered over $200 million in illicit cryptocurrency between 2020 and 2023. In May, a report released by the United Nations Security Council highlighted North Korea’s increasing involvement in cyberattacks, which now account for nearly half of its foreign currency earnings. While investigations are ongoing, the Lazarus Group is suspected of stealing more than $3 billion in cryptocurrency assets over the six years ending in 2023.

In 2023, Lazarus was accused of stealing roughly 17% of all funds lost to attacks that year (slightly over $300 million). According to an analysis by Immunefi released on December 28, attacks and exploits resulted in the loss of over $1.8 billion in cryptocurrency in 2023. The Lazarus Group is known to make extensive use of crypto mixers to obfuscate the origin of stolen funds. As concerns about money laundering through privacy protocols persist, Railgun, a popular privacy protocol, has denied allegations that it has been used by North Korean hackers or sanctioned individuals.

The allegations followed an FBI statement in January 2023 suggesting that North Korea’s Lazarus Group had laundered over $60 million in Ether through Railgun following a cyberattack in June 2022. Speculation arose that Railgun was becoming a favored alternative for such operations after U.S. sanctions on the popular crypto mixer Tornado Cash.

For more information, read: Is Lazarus Group the biggest threat to crypto in this bull market?
