Lazarus, also known as HIDDEN COBRA, a group of attackers purportedly based in North Korea, has been named by AlienVault researchers as the likely party behind the recent hack of South Korea's largest cryptocurrency trading platform, Bithumb. Files created in Hangul Word Processor, a document editor popular in the country, contained malicious code that downloaded the Manuscrypt malware.
According to South Korean reports, the breach began earlier in May, when malware samples were sent to cryptocurrency companies in the form of fake CVs. Although the hack is quite unusual compared with Lazarus's previous attacks, the group is a likely suspect. Together with South Korean researchers, AlienVault experts suggest the attackers were harvesting credentials in addition to delivering malware, which would explain why so many phishing domains were registered in the run-up to the event.
The South Korean Ministry of Science and Technology (MIC) says it investigated the security levels of twenty-one trading platforms between January and March of this year and confirmed that most of them had security weaknesses: insufficient network isolation, no monitoring systems for abnormal or suspicious activity, and inadequate management of cryptographic keys and passwords.
Bithumb is South Korea's number one cryptocurrency exchange based on Ethereum trading. It is the most trusted digital asset market within the country alongside UPbit, Coinone, and Korbit, yet it has now been hacked for the third time in 12 months. Even though the company launched a complimentary 10,000 ETH giveaway campaign for its users right after the attack, mainstream media outlets in South Korea were already claiming that hackers can break into local cryptocurrency exchanges with ease. According to local security experts, attackers need only allocate sufficient resources to the task.
In the case of Bithumb, AlienVault analysts believe that, among other things, the Lazarus Group was aided by knowledge gained from previous hacks against banks. It is worth recalling that the attempted theft of $1 billion from the Bank of Bangladesh, attacks against ATM networks, and the WannaCry and Sony Pictures incidents are all linked to HIDDEN COBRA.
Given the gains available, it is highly unlikely that Lazarus's thefts will stop anytime soon.
Bithumb, the South Korean cryptocurrency exchange now ranked as the sixth-largest trading venue in the world, urgently asked its customers not to deposit any funds into its hot wallets on the night of June 20, and is still asking users to refrain from making deposits until a further announcement is released. In that announcement, the trading platform states that 11 cryptocurrencies were stolen in the hack, including 2,016 Bitcoin and 2,219 Ethereum.