Lazarus is a hacking group considered to be backed by the State of North Korea. It seems that a series of hacking attempts from 2018 to 2020 targeting digital wallets belonging to exchanges and their employees can be traced backed to Lazarus. Reports compiled by cybersecurity organization ClearSky indicate that the notorious hacking group might be behind these heists.

When ClearSky first started its investigation, it suspected that bad actors that have unleashed a spear-phishing attack on exchanges might be based in East European countries like Russia, Romania, or Ukraine. However, similar hack attempts from regions like Japan, Israel, Europe, and the United States started to raise heads. Soon, other cybersecurity agencies got involved and published their independent reports. 

The cybersecurity firm ClearSky recently took into consideration the findings from the different security organizations. In the same vein, a Finland-based crypto organization called F-secure shared its findings that bad actors contacted the employees of crypto exchanges and convinced them to download files containing malicious ware. Another report by a Japanese cybersecurity agency, JPCERT CC, indicates the employees were contacted in the same manner.

NTT Security is also a Japanese security firm that included in its investigation report that large sums were extracted from digital wallets in the same method. ClearSky examined the nature of the malicious software that the employees were prompted to download. In most of the incidents, the attributes matched with the malware developed by Lazarus. 

ClearSky Claims that Lazarus is Motivated by Financial Gains and is Moving Towards Bigger Targets

As noted by ClearSky, Lazarus hackers are not moving around randomly. The cybersecurity enterprise is 50-75 percent certain that the North Korean hacking group is responsible for all these crypto heists. According to the analysis, the bad actors have been moving from smaller fish to bigger targets inflating their bounty after every successful attack.

The cybersecurity organization also pointed out that the hackers are now targeting crypto exchanges based in Israel. Preening through the technical factors reported by F-Secure, JPCERT CC, and NTT Security, ClearSky found more or less 40 common matches based on the IoCs (Indicators of Compromise). The enterprise also found similarities with the RAT (Remote access Trojan) used in the heist.