Lazarus Group Targets Crypto Wallets via Chrome Zero-Day Exploit

The North Korean Lazarus Group exploited a zero-day vulnerability in Google Chrome using a fake blockchain game to install spyware.


A series of recent revelations has highlighted the evolving tactics of the North Korean Lazarus Group, a notorious hacking collective responsible for some of the largest cryptocurrency thefts in history. The group has been linked to sophisticated schemes involving a fake blockchain-based game that exploited a vulnerability in Google Chrome, as well as laundering millions of dollars in stolen crypto through a China-based over-the-counter trader.


North Korean Lazarus Group Exploits Chrome Zero-Day Vulnerability with Fake Blockchain Game to Steal Wallet Credentials

In a sophisticated cyberattack, the notorious North Korean hacking group Lazarus has been found using a fake blockchain-based game to exploit a zero-day vulnerability in Google’s Chrome browser. The attack aimed to install spyware on unsuspecting users' devices, allowing hackers to steal cryptocurrency wallet credentials. Security researchers from Kaspersky Labs detected the exploit in May and quickly reported it to Google, which responded by patching the vulnerability.

The hackers lured victims with a play-to-earn multiplayer online battle arena game called DeTankZone, also known as DeTankWar. The game featured non-fungible tokens (NFTs) used as tanks in global competitions, offering the kind of excitement and rewards that attract the cryptocurrency and gaming communities. It was fully functional and actively promoted on social platforms such as LinkedIn and X.

What made this attack particularly dangerous was that users did not need to download the game to become infected. Merely visiting the website was enough for the malicious code to install spyware on their devices. Lazarus modeled the fake game on an existing decentralized finance (DeFi) game called DeFiTankLand, which likely added credibility to the fraudulent platform and helped it gain traction among potential victims.

The Lazarus Group employed a multi-stage malware attack using a combination of a known malware called Manuscrypt and a newly discovered “type confusion bug in the V8 JavaScript engine” of Chrome. The exploit took advantage of a zero-day vulnerability, which refers to a previously unknown security flaw that is actively exploited before a patch can be developed. This was the seventh such zero-day vulnerability discovered in Chrome in 2024, indicating a growing trend of cybercriminals targeting popular browsers to launch sophisticated attacks.

Boris Larin, a principal security expert at Kaspersky Labs, noted, “The significant effort invested in this campaign suggests they had ambitious plans, and the actual impact could be much broader, potentially affecting users and businesses worldwide.”

Interestingly, Microsoft’s security team first detected suspicious activity related to the fake game as early as February. However, by the time Kaspersky Labs began its own analysis, the hackers had removed the exploit from the website, making it more challenging to study the attack in depth. Nevertheless, Kaspersky informed Google about the vulnerability, which led to the company patching Chrome within 12 days.

The hackers' quick removal of the exploit may indicate that they were aware of the increased scrutiny. Despite Kaspersky’s inability to fully analyze the exploit initially, the early warning and subsequent collaboration between security companies and Google helped prevent further damage. The patch effectively closed the vulnerability, thwarting any attempts to reuse it.

Lazarus Group, often associated with the North Korean regime, has a history of targeting cryptocurrency-related entities and exploiting cutting-edge technology to gain financial advantages for the country's sanctioned government.

One of the most notorious incidents attributed to Lazarus occurred in 2022, when the group was accused by the United States Treasury Department of orchestrating the attack on the Ronin Bridge, a platform used for transferring assets between blockchains. The breach resulted in the theft of over $600 million worth of cryptocurrency, marking one of the largest heists in the history of digital assets.

The ongoing focus on cryptocurrency can be seen as part of a broader strategy by North Korea to evade economic sanctions. According to cybersecurity firm Recorded Future, North Korean hacking groups collectively stole more than $3 billion worth of cryptocurrency between 2017 and 2023. The stolen funds are believed to be used for various state-sponsored activities, including financing the country's nuclear weapons program.

Chrome’s Zero-Day Vulnerabilities: A Growing Trend

The recent attack by the Lazarus Group was not an isolated case. Earlier in 2024, another North Korean hacking group exploited a different zero-day vulnerability in Chrome to target cryptocurrency holders. The frequency of these zero-day attacks in Chrome puts a spotlight on a critical security concern: such vulnerabilities leave even fully updated systems open to exploitation until a patch ships.

Zero-day vulnerabilities are especially dangerous because they are unknown to the vendor at the time of exploitation, leaving no existing patches to protect users. The time it takes for a company like Google to develop and distribute a patch is a critical window during which attackers can cause significant harm. In the case of the Lazarus Group's latest exploit, it took Google 12 days to patch the affected software, leaving users exposed during that period.

The Lazarus Group’s use of a blockchain-based game to distribute malware represents a new frontier in crypto-related cybercrime. By combining the excitement of play-to-earn gaming with the promise of earning NFTs, the hackers were able to target a highly engaged audience, many of whom may have had little experience in identifying security threats.

The fact that users could be infected simply by visiting the fake game’s website highlights the need for increased vigilance when interacting with blockchain-based projects and games. As cryptocurrency and gaming continue to converge, such sophisticated social engineering tactics may become more common.

The Lazarus Group’s recent campaign serves as a stark reminder of the evolving threats posed by state-sponsored hackers. Organizations and individuals involved in the cryptocurrency and gaming sectors must be proactive in safeguarding their systems against such attacks. This includes regularly updating software, using security tools to detect potential exploits, and promoting awareness about the risks associated with zero-day vulnerabilities.

Collaborative efforts between companies like Google, Kaspersky, and Microsoft have been crucial in mitigating the impact of these sophisticated attacks. Nevertheless, the constant discovery of new zero-day vulnerabilities suggests that the cybersecurity community must remain on high alert. While the patching of Chrome's V8 engine bug may have prevented this specific attack from escalating, it is likely that Lazarus and other hacking groups will continue to seek out new targets and exploit emerging technologies.


China-Based OTC Trader Allegedly Launders Millions in Stolen Crypto for North Korean Lazarus Group

In related news, a China-based over-the-counter (OTC) cryptocurrency trader has been accused of laundering tens of millions of dollars in stolen digital assets for the notorious North Korean hacking group Lazarus. This group, known for executing some of the largest cryptocurrency heists in history, has been connected to the theft of billions in crypto over the past several years. The revelation of the trader's involvement adds a new dimension to the ongoing efforts to curb Lazarus's laundering operations, which have continued to evolve in complexity and scale.

The accused OTC trader, Yicong Wang, has reportedly been converting stolen cryptocurrencies into cash for the Lazarus Group since at least 2022, facilitating transactions through bank transfers. The allegations surfaced following an investigation by popular onchain analyst ZachXBT, who disclosed details in an Oct. 23 post on X.

The investigation was initially triggered when one of ZachXBT’s followers reported having their account frozen after completing a peer-to-peer transaction with Wang. The follower later reached out to ZachXBT, sharing information about a suspicious deal with Wang involving a significant order on Aug. 13, 2024, where approximately $1.5 million worth of Tether (USDT) was converted to Chinese Yuan (CNY) at a rate considerably below the prevailing market rate. This raised red flags about the legitimacy of Wang's operations.

ZachXBT’s investigation further revealed a wallet associated with Wang, identified as “0x501,” which had consolidated over $17 million in cryptocurrency connected to more than 25 hacks attributed to the Lazarus Group. These funds were traced back to various high-profile breaches carried out by the North Korean hackers. In November 2023, Tether froze $374,000 in USDT held by this wallet, effectively cutting off access to part of the laundered funds.

The wallet’s activities point to a concerted effort by Lazarus to launder large sums of stolen cryptocurrency through OTC traders. By converting digital assets to fiat currency using intermediaries like Wang, Lazarus has been able to obscure the origin of the funds, making it more challenging for authorities to trace the proceeds back to the original cybercrimes.

According to blockchain analytics firm Chainalysis, Lazarus has stolen more than $3 billion in cryptocurrency from 2017 to 2023, with the funds often used to support the North Korean regime’s activities, including its controversial nuclear weapons program. The group’s tactics have evolved over the years, with recent reports indicating a shift towards more sophisticated social engineering schemes.

At the beginning of September 2024, the US Federal Bureau of Investigation (FBI) issued a warning about Lazarus Group’s increasing reliance on social engineering techniques to target decentralized finance (DeFi) and cryptocurrency firms. The FBI’s alert came in response to a series of incidents where North Korean hackers employed elaborate social engineering strategies to gain access to company networks and siphon off digital assets.

The federal agency warned that the scammers had conducted extensive research on firms associated with cryptocurrency exchange-traded funds (ETFs), with a particular focus on exploiting vulnerabilities tied to these investments. Michael Pearl, Vice President of GTM Strategy at the onchain security firm Cyvers, echoed these concerns, stating in an interview, "You can be certain that somebody is already planning and thinking of how they're going to steal it," referring to the potential targeting of US spot Bitcoin ETFs.

The Lazarus Group’s illicit activities extend beyond social engineering and OTC laundering schemes. There are concerns that the group may be setting its sights on the Cosmos ecosystem. It recently emerged that part of Cosmos’ Liquid Staking Module (LSM) might have been developed by North Korean programmers, potentially opening the door for the hackers to exploit hidden vulnerabilities.

Melody Chan, Research Lead at the nonprofit organization Redecentralise, raised alarms about this situation, highlighting the potential risk of backdoors or other hidden weaknesses in the code. "With the current issues in the LSM and the FBI’s warnings, it’s clear that thorough code audits are urgently needed," she stated, pointing out the need for immediate action to protect the integrity of the Cosmos network.

The Challenges of Curbing OTC Laundering Operations

The involvement of OTC traders like Yicong Wang in laundering stolen cryptocurrency for the Lazarus Group shows the ongoing difficulties faced by law enforcement and the cryptocurrency industry in combating money laundering. OTC trading desks, which facilitate large-scale transactions directly between parties, have become a favored method for laundering illicit funds due to the relatively low levels of scrutiny they often receive compared to traditional exchanges.

The anonymity afforded by these OTC operations poses significant challenges for investigators. Transactions are often conducted off the radar, with few records linking buyers and sellers to the illicit activity. While blockchain analytics can trace the flow of funds, the conversion of crypto assets to fiat currency through intermediaries can help obscure the money trail.

The freezing of $374,000 in USDT by Tether is a step in the right direction, but it highlights the limitations of current regulatory measures. As the Lazarus Group continues to refine its laundering techniques, there is an urgent need for enhanced regulation and collaboration across jurisdictions to detect and disrupt such activities more effectively.

The latest revelations about the Lazarus Group’s laundering activities, including its reliance on OTC traders and social engineering tactics, highlight the evolving nature of threats facing the cryptocurrency industry. Companies and investors must remain vigilant against increasingly sophisticated methods employed by hackers to exploit vulnerabilities in the digital asset space.

The growing trend of targeting decentralized finance protocols, coupled with the group’s history of large-scale hacks, points to a pressing need for stronger security measures across the industry. Organizations dealing with cryptocurrency, particularly those managing large reserves or dealing with high-value transactions, should implement rigorous security protocols and conduct regular code audits to safeguard against potential exploits.