Report: North Korean Hackers Created Realistic Trading Bot to Steal Money

Published at: Feb. 5, 2020

The North Korean hacking team Lazarus Group targeted several crypto exchanges last year, Chainalysis reports. One of the attacks involved the creation of a fake but realistic trading bot website that was offered to employees of the DragonEx exchange.

In March 2019 the hackers stole approximately $7 million in various cryptocurrencies from Singapore-based DragonEx exchange. Though a relatively small sum, the hackers went to great lengths to obtain it.

The group used a sophisticated phishing attack in which they created a realistic website and social media presence for a fake company named WFC Proof. The supposed company had created Worldbit-bot, a trading bot that was then offered to DragonEx employees.

Screenshot of the fake website. Source: Chainalysis

Though the software allegedly resembled an actual trading bot, it contained malware that could hijack the computer it infected. Eventually, the software was installed on a machine that contained the private keys to DragonEx’s hot wallet, allowing the hackers to steal the funds.

The attack is notable for its highly specific target and execution. The hackers appear to be very well versed in cryptocurrencies, even placing an ironic warning on their website to not let anyone access personal private keys.

Quick cash out

The group was previously known for parking the stolen money for up to 18 months and cashing it out once the coast seemed clear.

In 2019 they changed their behavior, choosing to exchange the money as soon as possible. In order to do this, Lazarus began using CoinJoin-enabled wallets to mix their coins.

The hackers cashed out the majority of the money in the 60 days following the attack, as opposed to almost a full year for 2018 attacks.
