North Korea’s Lazarus Group escalates crypto attacks via Telegram phishing
The attackers impersonate legitimate venture capital firms on Telegram and use meeting and scheduling apps to launch sophisticated phishing attacks.
North Korea-backed hackers Lazarus Group are increasingly targeting the cryptocurrency community through widespread phishing operations on the popular messaging application Telegram, according to a Dec. 6 update from blockchain security firm SlowMist.
The group’s new modus operandi involves impersonating reputable venture capital investment figures from Archax, HashKey, and Gumi Cryptos to lure crypto teams with enticing investment proposals.
In this attack method, the hacker establishes trust with their victims through constant messages and then lures them into unknowingly running malicious scripts for phishing attacks under the guise of attending a meeting.
This corroborates a recent warning by Alexandre Masmejean, the CEO of Showtime, a crypto marketplace for creators. Earlier in the week, Masmejean said he was contacted by FBI agents who told him that Asian cybercriminals, posing as the Head of HashKey Singapore Group, were running malware on his computer.
SlowMist highlighted how the hacker group leverages Calendly’s “Add Custom Link” feature to embed malicious links within event pages for phishing attempts. These well-disguised links, seamlessly integrated into the background, often evade suspicion.
Meanwhile, the security firm further identified a specific IP, 104.168.137.21, linked to various domains impersonating other projects. They caution vigilance and preemptive measures against potential risks associated with this malicious IP.
North Korea Lazarus Group’s notorious streak
Over the past several years, the North Korean Lazarus Group has siphoned approximately $3 billion from the cryptocurrency industry. The Asian country has been accused of sponsoring these hackers to exploit crypto projects to finance its weapons program
The U.S. has traced back several crypto breaches to the North Korea-affiliated hacker-controlled wallets, such as the Ronin bridge exploit, which saw the theft of over $600 million in assets.
The scale of these thefts is substantial, with Chainalysis, a blockchain analytics firm, estimating that over $3 billion has been stolen by North Korean hackers in the past five years. This figure is further corroborated by South Korean intelligence, which reported a theft of $1.2 billion in BTC and ETH by North Korea in 2022 alone.