North Korea's Lazarus Group Strikes Again: Cryptocurrency Exchange Heist Unveiled
The North Korean Lazarus Group, a state-sponsored advanced persistent threat (APT) actor, has been identified as the perpetrator of the recent theft from the Bybit cryptocurrency exchange. SlowMist, a blockchain security firm, confirmed the attribution through forensic analysis and correlation tracking, and published the group's attack methods and tactics.
To deploy its malicious code the Lazarus Group used a remote code execution (RCE) technique built on pyyaml, the Python YAML library: a full `yaml.load` honours PyYAML's `!!python/...` tags, so a crafted YAML document can instantiate arbitrary Python objects and call arbitrary functions while it is parsed, giving the attacker control of the target workstations and servers. Because the payload is a text document rather than a binary, it passed most antivirus scans. SlowMist, together with industry partners, obtained multiple similar malicious samples, which points to a coordinated campaign against the infrastructure of cryptocurrency exchanges.
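The following is an added example, not SlowMist's sample or the actual Lazarus payload, showing the mechanism the paragraph describes and the check that stops it. The YAML document is constructed for the demonstration; `os.getcwd` is a harmless stand-in for the command-execution callable (such as `os.system` or `subprocess.Popen`) that a real payload would name. The function names and the `has_python_tags` pre-check are this example's own, not SlowMist's recommendations.

```python
"""Added example: PyYAML deserialization RCE, vulnerable vs hardened loading."""
import os

try:
    import yaml  # PyYAML; optional so the tag detector below still works without it
except ImportError:  # pragma: no cover
    yaml = None

# Constructed sample: looks like an ordinary config file, but the tagged value
# tells an unsafe loader to *call* os.getcwd() while parsing. A real attacker
# would name os.system or subprocess.Popen here instead.
MALICIOUS_YAML = """
listen: 0.0.0.0
marker: !!python/object/apply:os.getcwd []
"""

# Constructed benign config with the same shape and no tags.
BENIGN_YAML = """
listen: 0.0.0.0
marker: just a string
"""


def has_python_tags(text):
    """True if the document carries any PyYAML-specific python/* tag, in the
    short (!!python/...) or long (tag:yaml.org,2002:python/...) form.
    A cheap pre-check for a YAML file before it reaches any loader."""
    return "!!python/" in text or "tag:yaml.org,2002:python/" in text


def load_trusting(text):
    """The vulnerable pattern: yaml.Loader (alias UnsafeLoader in PyYAML >= 5.1)
    honours python/* tags, so parsing the document calls whatever the tag names."""
    return yaml.load(text, Loader=yaml.Loader)


def load_hardened(text):
    """The fix: reject documents with python tags outright, then use safe_load,
    whose SafeLoader knows only plain YAML types and raises on unknown tags."""
    if has_python_tags(text):
        raise ValueError("refusing YAML document with python/* tags")
    return yaml.safe_load(text)


def demo():
    """Returns (unsafe_loader_ran_payload, hardened_loader_ran_payload,
    hardened_loader_accepts_benign), or None if PyYAML is not installed."""
    if yaml is None:
        return None
    # The unsafe loader "parses" the marker by calling os.getcwd().
    unsafe_ran = load_trusting(MALICIOUS_YAML)["marker"] == os.getcwd()
    try:
        load_hardened(MALICIOUS_YAML)
        hardened_ran = True
    except ValueError:
        hardened_ran = False
    benign_ok = load_hardened(BENIGN_YAML)["marker"] == "just a string"
    return unsafe_ran, hardened_ran, benign_ok


if __name__ == "__main__":
    print(demo())
```

In a code base, the practical check is to grep for `yaml.load(` calls that pass no loader or pass `Loader`/`UnsafeLoader`/`FullLoader`, and to replace them with `yaml.safe_load`; the `has_python_tags` pre-check is a belt-and-braces guard for files that arrive from outside (downloaded configs, tooling repositories sent by "recruiters"), which is the delivery route implied by the social engineering described later in this article.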
The group's primary objective was to gain control of exchange hot wallets and drain large amounts of cryptocurrency. SlowMist's analysis breaks the attack chain into social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfer. The firm has also published defensive recommendations against APT attacks to help industry institutions strengthen their security posture and mitigate the threat.