“Cold wallets are not safe either… Manipulating the interface to look like a normal transfer”
North Korea’s Reconnaissance General Bureau behind Lazarus… Beware of suspicious transaction apps and attachments

The North Korean hacking group that stole about 2 trillion won (1.46 billion dollars at the time of the theft) worth of Ethereum from Bybit, the world’s third-largest virtual asset exchange, used a method described as signature forgery: the signers approved a transaction whose real content differed from what the signing interface showed them. The Lazarus group, which operates under North Korea’s Reconnaissance General Bureau, is believed to be behind the attack.
The loss occurred in an offline wallet (cold wallet) that had been considered safe, which came as a shock. Individuals must carefully check the transaction (transaction record) they are signing, but strengthening multi-signature (multi-sig) procedures is also urgent.
According to the security industry on the 25th, the theft took place while funds were being moved from a cold wallet to an online wallet (warm wallet).
Bybit announced through X (formerly Twitter) that “the transaction address appeared normal, but in reality the signing interface was forged and the underlying logic of the smart contract was changed.”
Because the multi-sig workflow and the Safe URL used by Bybit were manipulated, the signers failed to notice that the transaction content had been altered. It was also pointed out that they had become accustomed to the routine and did not properly check what they were signing.
On-chain (blockchain data history) analyst ZachXBT concluded that the incident was linked to Lazarus by tracing the hacker’s test transactions and wallet addresses. Blockchain research firm TRM Labs also reported that the hacker’s addresses overlap significantly with those used in past North Korean hacks.
In fact, according to a TRM Labs report, roughly one-third of the virtual assets stolen worldwide last year is estimated to have been taken by North Korean hackers. According to the Korea Development Institute (KDI), North Korea steals cryptocurrency to launder money and secure funds for its activities.
Park Se-jun, CEO of Theori and a well-known white-hat hacker, said, “It is not possible to conclude that this is North Korea’s work merely because the attacker used an address related to North Korea, since that may have been done to disrupt tracking,” but added, “This incident raised awareness of how lax Web 3.0 and infrastructure security is.”
He continued, “Even an approval process involving multiple people can be exploited by hackers, so multi-signature cold wallets are not completely safe,” and urged, “You must carefully check the details when signing a transaction.”
The North Korean Reconnaissance General Bureau also runs hacking groups such as Citrine Sleet and Andariel.
Besides manipulating transaction interfaces, they attempt phishing by distributing fake cryptocurrency platforms and job application forms, and they lure users into downloading cryptocurrency wallets or trading applications (apps) laced with malware.
This is why you should be wary of suspicious compressed files and URLs attached to emails.
Last year, Citrine Sleet also carried out a remote code execution (RCE) attack exploiting a zero-day vulnerability in Google Chrome that had not yet been patched. Microsoft (MS), which analyzed the attack, assessed that its purpose was to steal cryptocurrency.
MS said, “Citrine Sleet infects the target with its own Trojan malware, called ‘AppleJeus’, and then collects the information needed to access and control virtual assets,” and urged, “Users should update to the latest version of Chrome.”