On 14th January (local time), three countries, the United States, Japan and South Korea, issued a joint statement warning the global blockchain and cryptocurrency industries of targeted attacks by North Korean government-supported hackers. The statement mentioned India's largest crypto exchange, WazirX, attributing the $235 million hack on the platform to North Korean hackers. The joint statement linked the breach to the state-sponsored hacking organisation Lazarus Group, based in North Korea.
WazirX, which faced severe scrutiny following the breach last year and is currently working with the authorities to recover the funds to pay back the investors, said in a statement that it will not leave any stone unturned to get back its stolen assets.
Nischal Shetty, Founder and CEO of WazirX, took to X and wrote, “Joint statement from the United States, Japan, and South Korea addressing the alarming cyberattacks by DPRK cyber actors, including the WazirX hack. This is a critical moment. We urge swift international action and support to recover the stolen assets. Rest assured, we will leave no stone unturned in our pursuit of justice.”
— Nischal (Shardeum) 🔼 (@NischalShetty) January 14, 2025
Joint statement warns of cyber threats
The three nations have warned the global blockchain and cryptocurrency industries of targeted attacks by North Korea. The statement read, “The Democratic People’s Republic of Korea’s (DPRK) cyber programme threatens our three countries and the broader international community and, in particular, poses a significant threat to the integrity and stability of the international financial system.”
It further outlined the collective efforts of the governments of the three nations to prevent such thefts, recover stolen funds, and deny North Korea illicit revenue. The statement emphasised that these funds are believed to support North Korea’s weapons of mass destruction and ballistic missile programmes.
Widespread cyber-thefts attributed to North Korea
The statement highlighted multiple cyber thefts attributed to North Korea in 2024 alone. It included $308 million from Japan’s DMM Bitcoin, $50 million from South Korea’s Upbit, and $16.13 million from Bahrain-based Rain Management. WazirX, which suffered a breach of nearly 45% of its crypto holdings in July 2024 due to a compromised multisig wallet, was also listed among the victims.
Furthermore, the statement noted a $50-million theft targeting Radiant Capital, further highlighting North Korea’s involvement in a series of high-profile cyberattacks on virtual assets.
Details of the cases mentioned in the joint statement
In December 2024, the Federal Bureau of Investigation (FBI), Japan’s National Police Agency (NPA), and the Department of Defense Cyber Crime Center (DC3) linked North Korean cyber actors to the theft of $308 million from DMM Bitcoin, an incident that took place in May 2024. The attack was attributed to the TraderTraitor group and involved sophisticated social engineering. In March 2024, a North Korean operative posing as a recruiter on LinkedIn lured an employee of Ginco, a Japan-based cryptocurrency wallet software company, into executing malicious Python code. By mid-May, the attackers exploited session cookies to impersonate the compromised employee, gaining access to Ginco’s systems. They later manipulated a legitimate DMM transaction, stealing 4,502.9 BTC. The stolen funds were transferred to wallets controlled by TraderTraitor.
In November 2024, South Korea’s National Police Agency (NPA) identified North Korea as the perpetrator behind a 2019 heist involving 342,000 Ethereum, valued at approximately $435 million at the time. This marked the first instance of South Korean authorities linking a cryptocurrency attack to North Korea. The investigation revealed the involvement of North Korean IP addresses, distinctive virtual asset flow patterns, and specific linguistic traces in communication, all pointing to North Korean actors. Collaborating with the FBI over four years, authorities determined that more than half of the stolen assets had been converted to Bitcoin at discounted rates via suspected North Korean exchange platforms, while the remainder was laundered across 51 foreign exchanges. In October 2024, South Korea successfully reclaimed 4.8 Bitcoin from a Swiss cryptocurrency exchange after demonstrating its connection to the stolen funds. The NPA has pledged to strengthen cybersecurity measures to prevent future attacks.
In September 2024, the FBI warned about North Korea’s aggressive social engineering campaigns targeting employees in cryptocurrency, decentralised finance (DeFi), and related industries. Using sophisticated tactics, North Korean actors impersonated recruiters or technology firms, leveraging fake identities and personal details to lure victims. They often initiated prolonged conversations to build trust and deliver malware, aiming to access cryptocurrency assets. Indicators included requests for code execution, unsolicited links, and suspicious investment offers. The FBI advised stringent identity verification, network safeguards, and prompt reporting of suspected incidents to mitigate risks.
In May 2022, the US Government issued an advisory warning about North Korean IT workers infiltrating international freelance and digital payment platforms. These workers reportedly generate revenue for North Korea’s weapons programmes by misrepresenting their identities, often posing as foreign or US-based developers. They exploit platforms to secure IT contracts and use privileged access for malicious purposes. The advisory outlined red-flag indicators, such as inconsistent profiles, cryptocurrency payments, and frequent logins from varying IP addresses, urging companies to conduct thorough identity verification and background checks to avoid inadvertently hiring them.
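The advisory's "frequent logins from varying IP addresses" red flag is the kind of indicator a platform can check mechanically. The following is an added example, not code from the article or from any of the agencies it cites: it parses constructed login records and flags accounts whose logins within a 24-hour window come from more distinct IP addresses or countries than a chosen threshold allows. Log format, field names, thresholds and the sample records are all assumptions made for the example.

```python
# Added example (not from the article or any agency advisory): detect the
# "frequent logins from varying IP addresses" red flag over constructed
# login records. Thresholds and log format are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp user ip country" (documentation IPs).
SAMPLE_LOG = """\
2024-05-01T08:00:00 dev_a 203.0.113.10 US
2024-05-01T09:30:00 dev_a 203.0.113.10 US
2024-05-01T10:15:00 dev_b 198.51.100.7 DE
2024-05-01T10:20:00 dev_b 192.0.2.44 CN
2024-05-01T11:05:00 dev_b 198.51.100.99 RU
2024-05-01T11:40:00 dev_b 192.0.2.8 CN
2024-05-02T08:00:00 dev_a 203.0.113.11 US
"""


def parse_log(text):
    """Parse whitespace-separated records into (timestamp, user, ip, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, country))
    return events


def flag_varying_ip_logins(events, window=timedelta(hours=24), max_ips=3, max_countries=1):
    """Return {user: (distinct_ips, distinct_countries)} for every user who, in some
    sliding window starting at one of their own logins, exceeds either threshold."""
    by_user = defaultdict(list)
    for ts, user, ip, country in events:
        by_user[user].append((ts, ip, country))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological order so each window starts at a real login
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            ips = {r[1] for r in in_window}
            countries = {r[2] for r in in_window}
            if len(ips) > max_ips or len(countries) > max_countries:
                flagged[user] = (len(ips), len(countries))
                break  # one hit per user is enough to raise the flag
    return flagged


if __name__ == "__main__":
    print(flag_varying_ip_logins(parse_log(SAMPLE_LOG)))
```

A hit is a prompt for identity verification, not proof of fraud: travelling staff and VPN use also produce varied IPs, so thresholds should be tuned per workforce.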
Similar alerts, advisories and warnings were issued in October 2024, August 2024, May 2024, October 2023, and November 2022.
Measures to counter DPRK’s cyber activities
The United States, Japan, and South Korea reaffirmed their commitment to countering North Korea’s malicious cyber activities. They pledged to enhance collaboration through trilateral working groups, impose sanctions on DPRK cyber actors, and strengthen cybersecurity measures across the Indo-Pacific region. The statement read, “The United States, Japan, and the Republic of Korea reaffirm their commitment to combatting cyber threats posed by the DPRK and enhancing their coordination through the trilateral working groups.”
What is Lazarus Group?
Lazarus Group is a North Korean state-sponsored cyber threat group active since at least 2009. It is infamous for high-profile attacks, including the 2014 Sony Pictures Entertainment hack, part of Operation Blockbuster. The group’s activities involve sophisticated malware linked to campaigns like Operation Flame, Operation Troy, DarkSeoul, and Ten Days of Rain. Lazarus Group also used the KillDisk tool in a 2017 attack on a Central American casino. The term often broadly encompasses North Korean cyber activities, although some organisations distinguish subgroups like Bluenoroff, APT37, and APT38.
The Sony Pictures hack in November 2014 was a high-profile cyberattack attributed to a group calling itself the Guardians of Peace which was linked to North Korea. The attackers infiltrated Sony’s corporate network, stealing terabytes of private data, erasing originals, and issuing threats to release the stolen information unless their demands were met. Sony’s operations were disrupted for days, forcing employees to resort to manual methods like using whiteboards.
Over the following months, the hackers leaked unreleased films, private conversations, and sensitive employee data to journalists. The attack escalated when the hackers targeted The Interview, a comedy about journalists plotting to assassinate North Korean leader Kim Jong Un. Threats referencing 9/11 were made, pressuring Sony to halt the film’s release. This led then-President Barack Obama to issue a statement, warning that shelving the film due to terrorists’ demands would set a dangerous precedent.
The same Lazarus Group was also reported to be behind a massive operation to steal $1 billion from Bangladesh Bank, the country’s central bank. The attackers exploited vulnerabilities in the global inter-bank payment system, combined with the weekends and holidays across New York, Bangladesh and Manila, to divert the stolen funds to obscure accounts and entities carefully planted across the world. The group managed to siphon away $81 million before a spelling error in one of the transfer requests halted the operation. The seed for the heist was planted in a similar way: an innocuous email from a job seeker sending his résumé to bank employees, carefully concealing malware.
Much has been said and written about the Lazarus Group. It is believed that talented students who do well in maths are picked up as young as 12 years old in North Korea and are then sent to the capital city of Pyongyang to be trained as hackers. An individual named Park Jin-hyok, alias Park Kwang Jin, a former computer programmer who worked in the Chinese port city of Dalian, is said to be the leader of the group. He faces multiple criminal charges and around 20 years in prison if the FBI ever manages to find him.
The heist had almost succeeded, because the hackers were so careful that there was no way to stop the money transfers from Bangladesh Bank’s reserves in New York to an account set up at RCBC Bank in Manila. It was only a minor coincidence that stopped the transactions. The address of the RCBC Bank branch in Manila contained the word ‘Jupiter’ (Jupiter Street). Jupiter was also the name of a sanctioned Iranian ship that had been red-flagged by the Federal Reserve Bank of New York. So the system in New York halted most of the money transfer requests, saving almost $950 million for the government of Bangladesh. The $81 million that was already lost was never recovered, except for a few million through various lawsuits.