North Korean Hackers Now Using Telegram to Steal Crypto: Kaspersky

A cybersecurity firm has warned hacking group Lazarus is developing sophisticated new techniques to steal cryptocurrencies from victims.

AccessTimeIconJan 9, 2020 at 3:00 p.m. UTC
Updated Aug 19, 2021 at 12:10 a.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

A cybersecurity firm has warned cryptocurrency users to expect more attacks from North Korea as its hackers develop "enhanced capabilities" to deliver malware through popular messaging app Telegram.

Moscow-based Kaspersky Labs has been analyzing new attacks from the Lazarus Group, a cybercrime group with links to North Korea, to determine how its techniques have developed since the AppleJesus attack on several cryptocurrency exchanges in 2018.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • In research published Wednessday, the cybersecurity firm said there have been "significant changes to the group's attack methodology."

    One case study involved what appeared to be a software update for a fake cryptocurrency wallet that, once downloaded, began to transmit user data to hackers. Another example involved creating a backdoor for Mac software that bypassed security mechanisms without the computer ever being aware it was under attack.

    A seemingly new attack vector has been to deliver malware via files distributed on the Telegram messaging app. Researchers found computers downloaded manipulated software, which originated from the group's website, with embedded malware that would send sensitive data to hackers without the victim even being aware.

    Many of these channels were for fake cryptocurrency companies, presumably set up by the hackers themselves. One recently detected fake site was for a "smart cryptocurrency arbitrage trading platform." Kaspersky researchers found these websites were often incomplete and filled with broken links, aside from the ones that took visitors to the Telegram channel.

    operation-applejeus-sequel-6

    Kaspersky said it was able to identify "several victims" from Poland, Russia, China and the U.K., most with links to cryptocurrency businesses.

    But Lazarus itself remains a mystery. By running malware through computer memory rather than a hard disk drive, the group generally avoids detection. Although the group is widely believed to be affiliated with North Korea, the secretive regime has repeatedly denied responsibility for its attacks.

    Cybersecurity firm Group-IB estimated the group stole nearly $600 million worth of cryptocurrency in 2017 and most of 2018. Because its attacks are so successful, Kaspersky researchers are convinced the group will continue stealing cryptocurrency. "This kind of attack on cryptocurrency businesses will continue and become more sophisticated," the report reads.

    The U.S. Department for Treasury placed the Lazarus group on the U.S. sanctions list in 2019, meaning that any financial institution found dealing with it faces sanctions. This week, ethereum developer Virgil Griffith was indicted by U.S. authorities for speaking at a conference in North Korea. If found guilty, he faces up to 20 years in prison.

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.