This is Whistle's 14th article, on why and how to guard against state-level hacking groups in a bull market.
Interview | Beichen
Guest | Steven
The Federal Reserve's March meeting statement and press conference, released last night, excited the entire financial market. Of course, the actual rate cut has not yet come, but it is confirmed that monetary policy will be gradually loosened this year, meaning liquidity will flow from the banking system into risk assets.
At this point there are only 30 days left until the Bitcoin halving, and the Bitcoin ETF has opened a channel for liquidity to flow from traditional financial markets into the crypto market. So it is foreseeable that the crypto bull market has already begun, and the only question investors face is whether they make more or make less.
But the "harsh Whistle" is here to blow a piercing whistle: state-level hacker organizations are eyeing the assets in the crypto market. As entrepreneurs and investors, you must protect your wallets!
In this issue, we invite our old friend Steven, a communications technology expert who has long followed the security field, to reveal how the public enemy of the crypto market, the state-sponsored hacker group Lazarus from a mysterious Eastern country, operates, and how we can resist it.
1. Beichen: What is a state-level APT?
Steven: APT stands for Advanced Persistent Threat. In the field of network security, hacker organizations with illicit economic aims are generally called APTs. Legitimate hacker groups that specialize in discovering threats and reporting them for money are called white hats, not APTs.
In daily life, we often come into contact with APTs indirectly through black- and gray-market activities such as telecom fraud. For example, leaked personal information is often compiled by APTs using crawlers, or stolen directly from other databases, but these are only small fry among APTs. Larger APTs such as Golden Eye Dog mainly attack gambling websites, and some target gaming websites.
The highest level of APT is the state-level APT, which usually attacks for political purposes. However, most political hacker organizations in most countries cannot be called APTs, because they are very loosely organized and basically launch attacks at someone's request.
2. Beichen: So only well-organized, politically motivated state hacker organizations count as state-level APTs?
Steven: It can only be said that the vast majority of state-level APTs have no financial demands and mainly carry out espionage missions for political and military purposes. The more powerful ones are Equation Group and Project Sauron, affiliated with the US National Security Agency, which mainly launch advanced attacks against Russia, China and other countries to steal sensitive information. Russia is also relatively strong, for example Fancy Bear, affiliated with the Main Intelligence Directorate of the Russian General Staff, and Cozy Bear, which belongs to the Russian Foreign Intelligence Service.
The state-level APTs that attack my country most frequently are Poison Ivy, BITTER, SideWinder, OceanLotus and Lazarus. Poison Ivy is an APT with an official background in Taiwan, BITTER and SideWinder are from India, and OceanLotus is from Vietnam. They usually have clear political purposes, so it is easy to expose the organization behind them. Only Lazarus attacks for economic purposes; it belongs to a mysterious country in the East and deserves the vigilance of everyone in the crypto industry.
3. Beichen: So what is the difference between Lazarus and other state APTs?
Steven: Lazarus is the cyber warfare unit of the Reconnaissance General Bureau of a mysterious country in the East, and many members of the organization received higher education or training in China, so they are very familiar with China's network environment. The United States has accused the organization of having an operations center in China. In fact, this is unlikely: it is impossible for us to allow another country's intelligence organization to operate in China, not to mention that its size is probably more than 8,000 people.
4. Beichen: What has Lazarus accomplished?
Steven: Lazarus's claim to fame was the intrusion into Sony Pictures in 2014. At the time, a movie spoofing their leader was about to be released, so a large amount of Sony Pictures' unreleased film material, business emails, and employees' private data was leaked. In the end, Sony Pictures announced that it had canceled the movie's release.
Lazarus later carried out attacks more and more frequently, such as stealing the foreign exchange reserves of the Central Bank of Bangladesh, intruding into Indian nuclear power plants, and attacking cryptocurrency exchanges multiple times. The most well-known one is the ransomware that demanded ransom paid in Bitcoin.
5. Beichen: By rights, as long as the central bank's assets are still in the SWIFT system, they will be frozen. How did Lazarus withdraw the money?
Steven: This was not the first time Lazarus attacked a central bank system. They had tried to steal from central banks and commercial banks in many other countries before, but were unsuccessful. In 2016, they attacked the Central Bank of Bangladesh and stole US$101 million in foreign reserves, of which US$20 million went to Sri Lanka and US$81 million to casinos in the Philippines, but most of it was eventually recovered by the United States after being discovered.
6. Beichen: For Lazarus, this money is almost zero cost.
Steven: It's not zero cost. After all, it's stealing money from a country's central bank. They planned it for a long time and used fake accounts, financial intermediaries, casinos, and other accomplices.
7. Beichen: So how is it determined that these attacks come from Lazarus?
Steven: High-level security companies and relevant government intelligence agencies can tell that it is Lazarus, because there are usually traces of network activity, not to mention that their behavior pattern is fairly distinct: a high level of attack, good organization, and most attacks aimed mainly at stealing funds.
8. Beichen: So Lazarus is mainly a revenue-generating unit?
Steven: That's right. U.S. intelligence agencies estimate that Lazarus steals between $300 million and $500 million in assets each year. What's more critical is that in the past five years, more than 90% of this mysterious country's income has come from the crypto circle, and they are more familiar with Chinese people.
9. Beichen: Could you expand on their cases?
Steven: In 2018, US$530 million in cryptocurrency was stolen from the Japanese exchange Coincheck. That was Lazarus's work.
In 2022, approximately US$1.7 billion in cryptocurrency was stolen (US$1.1 billion of it from DeFi protocols), and the money was then laundered using mixers such as Tornado Cash. It is worth mentioning that this mysterious country's total exports in 2022 were only US$159 million.
Since the second half of 2023, the frequency of Lazarus attacks in the crypto circle has clearly accelerated. For example, in June $100 million was stolen from Atomic Wallet; on July 22, two different institutions were attacked on the same day, with nearly $100 million stolen in total; on September 4, $41 million was stolen from an online crypto casino; and on September 12, $54 million was stolen from the exchange CoinEx.
There are countless other smaller attacks, because a large number of attacks still target individual users; these are difficult to count and rarely noticed.
10. Beichen: Does Lazarus succeed so often because they know crypto better, or are traditional attack methods enough?
Steven: Lazarus's attack methods are actually fairly traditional hacker attacks, but at a relatively high level. The most common is the spear-phishing attack, which means sending the target some files (such as emails) with malware embedded in them. Of course, they do know the crypto circle very well, so they can make good use of watering hole attacks and social engineering.
A watering hole attack means attacking along a path you must pass, just as a predator hides near a water source and attacks the animals that come to drink. To carry out a watering hole attack in the crypto circle, you first compromise the project's website and embed specific code in it; users are infected as soon as they interact with it.
Strictly speaking, social engineering cannot be regarded as a technical attack; it uses everyday social behavior and human negligence to obtain private information and access rights. Social engineering in the crypto circle often involves hackers joining the project's social community (such as Telegram or Discord) to monitor it, using transaction data to screen out those who trade actively and in large amounts, and then privately chatting with that person in a targeted manner. For example, they send an airdrop message, and the target is attacked as soon as it is opened.
A more advanced attack method is to directly infiltrate the project as a code contributor and add attack code.
Crypto projects basically work as distributed teams. It is easy for a coder with a high technical level and low salary requirements to join the team. Once he has certain permissions as a developer, it is easy to steal cryptocurrency.
11. Beichen: How do they usually disguise their identities when applying for jobs?
Steven: Lazarus has a clear division of labor. Some are responsible for data monitoring, some specialize in social engineering to find targets, some are dedicated to technical attacks, and some handle money laundering. In short, this is a very large and powerful team dedicated to doing this, and it is very efficient.
12. Beichen: So how can those of us in the crypto circle avoid asset theft?
Steven: Let me give some examples of Lazarus's common attack methods in the crypto circle.
One is that they use the KandyKorn malware to attack traders. It targets macOS. It uses a Python program disguised as an arbitrage bot, and then loads the attack code into the Mac's memory. The attack payload is hidden on Google Drive and loaded from there, and the loading action is very covert (the malware's source code uses reflective binary loading as an obfuscation technique). This renders the two main anti-virus methods ineffective: signature detection cannot detect the attack code, and behavioral detection cannot detect abnormal behavioral characteristics.
The other is implanting the SIGNBT payload at the source of encrypted network communication software. After infection, it is equivalent to injecting a full-featured remote access tool into memory, so they can run other malware, transfer data, even terminate processes, and execute other arbitrary commands, which amounts to the computer being completely controlled by the other party. No matter how well the private key is protected, you only need to sign once and it is exposed.
Another way is to insert code into ordinary applications. For example, they specialize in attacking companies and open source projects and inserting malicious code to obtain full system permissions on the user's machine. Whether it is Mac or Windows, iOS or Android, Lazarus has a corresponding program. Most blockchain projects use ready-made open source code, so Lazarus injects code at the very source, making it easy to obtain the project team's permissions.
There is also tampering with browser extensions. Most people use the MetaMask wallet to receive airdrops or interact with projects. When the project website itself is tampered with, all wallets that have interacted with it are no longer safe.
13. Beichen: How exactly does an attack like the above unfold?
Steven: Take the Ronin sidechain built by Sky Mavis, the developer of Axie Infinity, from which US$620 million was stolen in 2022, as an example.
First, Lazarus learned through social engineering that a Sky Mavis employee was looking for a job, so they set up a fake Web3 job posting, carried out a spear-phishing attack, and sent the offer email to the employee. When the employee opened the PDF file, his computer was infected, and from there they sought to infect other members' computers and servers throughout Sky Mavis.
For the Ronin project's account, the multi-signature wallet required at least 5 signatures out of 9 accounts to transfer money, and from a security standpoint the company itself managed only 4 of the accounts. However, there was a DAO community account that had once authorized the company to manage it, and the authorization had not been revoked in time. The hackers broke into it, and all $620 million in the account was stolen. It took Sky Mavis a week to discover this.
14. Beichen: Didn't you say earlier that when they transfer money, there are traces on the chain and on the Internet?
Steven: First, they convert all the stolen digital currencies into ETH through a DEX, then collect them into multiple disposable wallets created in advance, then run them through a mixer (such as Tornado or Sinbad) to launder the money into newly created wallets, and then transfer it out to dozens or hundreds of wallets.
Therefore, each Lazarus attack is actually very labor-intensive. A large amount of information must be collected in the early stage, then the attack code must be developed separately, the wallet addresses for money laundering must be prepared, and social engineering methods must be used. Maybe some of the particularly enthusiastic coders in the project community who come forward to contribute code are from Lazarus.
15. Beichen: So for individuals in the crypto circle, could you summarize how to avoid this? I feel that as long as you have a lot of on-chain interactions, there is no way to avoid it.
Steven: The first is to use centralized exchanges. Although this is not in line with the spirit of crypto, it is really difficult for most people to manage their own private keys. Many people may not even manage their own bank accounts well, let alone a private key that is impossible to remember, and now everyone often has more than one wallet address.
I think novices with poor computer skills should simply trust centralized exchanges. After all, even if a legal centralized exchange is hacked, most of the assets can be preserved. For example, the stolen assets of Mt. Gox have been preserved until now.
Beichen: On the contrary, they made more money.
Steven: Yes, at that time Bitcoin was only two to three thousand US dollars, and most people would not have been able to hold on until now. It can be regarded as a blessing in disguise.
The second is to pay attention to basic operational hygiene, such as with new-coin airdrops. If on-chain operations must be performed for an interaction, then use iOS as much as possible, and ideally use a dedicated device.
The third is not to click on unknown attachments in emails from unknown senders. Be wary of people who approach you on social platforms, and don't click on links or emails sent by strangers.
Finally, if you really do have a lot of assets and need to perform on-chain operations, it is best to have a hardware wallet, tier your cold and hot wallets and separate them into domains, and prepare multiple devices (PCs, mobile phones) isolated from each other. Put core assets in wallets with a high security level. For assets that require frequent interaction, prepare more hot wallets and put only a small amount in each, so that even if one is stolen, the loss will not hurt.
16. Beichen: Hardware wallets are no longer safe now. For example, Ledger has had malicious code embedded in it.
Steven: Yes, but I still recommend using a hardware wallet from a major brand. The threshold for doing evil is much higher, and even if a vulnerability is discovered, it will be patched in time.
17. Beichen: Do you have any suggestions for project teams?
Steven: The first is to strictly enforce security discipline. You must be security aware, set up a multi-signature wallet, and conscientiously implement all security rules. This raises the cost of an attack.
There is also the need to bring in a security team: for code review, for example, or a blue team (i.e. a defense team) or white-hat hackers, and let them provide address monitoring and security alerts. Doing so is better than not, because even if you are robbed you can find the transfer address as soon as possible (after all, money laundering still takes a certain amount of time). If you find it in time, there is still a good chance of intercepting the funds, rather than discovering a week later that the money in the wallet is missing, by which time it will be difficult to recover.
18. Beichen: How do you intercept assets on the chain?
Steven: Either call the police, or rely on your connections in the circle. This is why a security team is brought in, because security teams often have such connections. However, against a state-level APT like Lazarus it will be difficult.
19. Beichen: Currently, security services in the industry are mainly code auditing, and the willingness to pay for other services is not strong.
Steven: Code review is a very basic requirement, which makes it harder for small hackers acting alone, but it is difficult to stop state APTs like Lazarus. So I suggest you find a professional blue team. There are actually quite abundant domestic resources of skilled red teams and blue teams.
20. Beichen: Like 360?
Steven: To be honest, it is impossible for crypto projects to hire legal domestic companies to provide security services. You can find security companies in the industry such as SlowMist and CertiK. In fact, through the annual network protection exercises, you can find blue teams with high scores to serve as your security team. The strongest in the security field are not the largest network security companies but some small professional teams. You can find them through the annual red-blue competitions.
21. Beichen: Let's summarize at the end.
Steven: The current crypto circle is still a Wild West, with little government control involved, so there are a large number of robbery and theft gangs and scammers. Whether project teams or individuals, the most important thing is that everyone keeps this in mind and builds the fence higher, so that even when facing a large force like Lazarus, some of its attacks can still be prevented.