The U.S. government is warning that Lazarus, a North Korea state-sponsored hacker group, is targeting blockchain and cryptocurrency companies.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Treasury Department issued the advisory. Lazarus is targeting users in the blockchain, cryptocurrency and NFT space.

The hackers use a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS. The cyber actors then use the applications to gain access to the victim’s computer. They propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps.

These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.

“North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property and gain financial assets,” it said.

The U.S. government recommends implementing mitigations to protect critical infrastructure organizations, and financial sector organizations in blockchain and cryptocurrency.

Last week, the FBI confirmed hackers associated with the North Korean government stole more than $600 million in cryptocurrency reported on March 29.

Attackers Exploiting ‘Thirst for Information’

Hank Schless is Lookout‘s senior manager of security solutions. He said Lazarus has targeted financials for years with a past focus on institutions and online cryptocurrency exchanges.

Lookout’s Hank Schless

“Since cryptocurrency is a rather new technology, it presents an opportunity for threat actors to socially engineer targets,” he said. “Crypto investors are constantly looking for an edge in the market or what the next big currency that’s going to explode in value. Attackers can use this thirst for information to get users to download malicious apps or share login credentials for legitimate trading platforms they use.”

The attacker could then use the malicious app to exfiltrate additional data from the device it’s on, Schless said. They could also take the stolen login credentials and try them across any number of cloud apps.

To increase the likelihood of success, attackers target users across both mobile devices and cloud platforms, Schless said.

“For example, at Lookout, we discovered almost 200 malicious cryptocurrency apps on the Google Play Store,” he said. “Most of these applications advertised themselves as mining services in order to entice users to download them.”

Big Money Draws Threat Actors

Chris Morgan is Digital Shadows‘ senior cyber threat intelligence analyst. He said crypto investors are making big money, but often storing it on insecure locations. Therefore, threat actors will naturally navigate their activities towards targeting such environments.

Digital Shadows’ Chris Morgan

“For consumers, much of the fraudulent activity targeting accounts results from a lack of awareness and ignorance of the risk,” he said. “Many users are continuing to operate in an insecure fashion that can leave them susceptible to attacks. For crypto and NFT platforms, it is imperative the platform’s security maturity can minimize the considerable risk facing users. This includes robust vulnerability assessments to identify bugs and ensuring regular awareness programs for consumers in how to spot suspicious behavior.”

Ensuring that guidance is provided on safe usage will create a safer environment for users, Morgan said.

John Bambenek is Netenrich‘s principal threat hunter.

Netenrich’s John Bambaneck

“The attacks on cryptocurrency will rise and fall based on the number of novice users there,” he said. “Cryptocurrency is such a ripe space for fraud because protecting yourself is complicated and people are still learning how to do it. Your uncle who can’t stop talking about how much he’s made in Doge is also the guy who’s DVD player is flashing 12:00 in front because he can’t set the time on it.”

North Korea to Continue Attacks

North Korea and Lazarus have focused on cryptocurrency threats for years, Bambenek said. That’s because North Korea is a highly-sanctioned country. Therefore, this lets them acquire assets they can use to further their governmental objectives.

“This will continue until North Korea becomes a respectable member of the international community or the sweet meteor of death finally comes and ends all life on earth,” he said. “The latter is the more accurate scenario.”

Coalfire’s Karl Steinkamp

Karl Steinkamp is director of Coalfire. He said bad actors will target any technology and/or platform that is successful in obtaining broad user adoption.

“Application exchanges will continue to build in detective controls on their respective platforms … to help business and users mitigate risks,” he said. “As we have seen with other malware variants, users and businesses need to be aware that crypto asset malware will eventually target every platform and technology means to attempt to lure users into clicking on or downloading something malicious.”