News - $130 million hack: is North Korea's Lazarus Group behind it?
$130 million was stolen in a cyber attack on the crypto exchange Poloniex. The trail leads to North Korea - to the notorious hacker group Lazarus.
Last Friday, security companies sounded the alarm: the crypto exchange Poloniex had been hit by a cyber attack. According to current estimates, around $130 million worth of cryptocurrencies was stolen. Analyses now point, once again, to the North Korean hacker group Lazarus. The notorious collective has by now stolen digital assets worth several billion US dollars, money that, according to the United Nations, flows into North Korea's nuclear weapons programs.
The crypto sector, and above all trading platforms that manage large amounts of money, is now considered the group's most lucrative target. Cryptoforensics expert Albert Quehenberger of A|Q Forensics has reconstructed the attack, which is symptomatic of the group's methods, for the German outlet BTC Echo. Once again, it is clear that Lazarus is one of the biggest threats to the crypto sector.
Millions in crypto assets suddenly flowed out, and the first commentators on X tried to make sense of the situation. A few days later, the pieces of the puzzle surrounding the Poloniex attack are quietly falling into place. The hack took place via a hot wallet of the exchange and, according to Albert Quehenberger of A|Q Forensics, is likely "due to a leak of the private key." A hot wallet keeps its private key on an internet-connected system so that withdrawals can be signed automatically; whoever obtains that key can sign transfers exactly as the exchange would, which is why a single leaked key can drain the whole wallet. The cryptoforensics expert sees similarities to "a previous hack on Stake.com". The crypto casino platform was hit by a cyber attack in September; the damage amounted to approximately $40 million, and the FBI blamed Lazarus.
The question that now arises: how did the hackers get the private key? The obvious suspicion is a leak, an employee who inadvertently gave Lazarus access. The collective is increasingly using tactics that target a company's employees directly in order to gain access to sensitive information. This method, known as social engineering, is as cunning as it is insidious.
"The Lazarus Group could specifically identify people within the crypto exchange who have access to key systems or information," Quehenberger explains. The focus would be on "high-ranking employees with administrator privileges." The hackers would meticulously conduct "extensive research" to "gather information about employees' personal and professional backgrounds."
Social media play an increasingly important role here as a publicly accessible source of information. Added to this are phishing attacks, in which the hackers plant malware, siphon off data and work their way step by step deeper into the target's systems. Attackers are becoming more cunning in their approach, tailoring fraudulent emails to the "specific interests or activities of the target," Quehenberger explains.
Once the attackers are in the system, it is a matter of "expanding access rights and getting higher authorizations to access critical systems and information," says the blockchain expert. After that, things move quickly: "After a successful infiltration, the group could try to intercept cryptocurrencies, steal or manipulate transactions." On this point, however, one can only speculate for now. Poloniex has not yet commented on how the attackers proceeded.
Meanwhile, Justin Sun, who bought Poloniex in 2019, is trying to limit the damage to the exchange's image. Some of the "assets associated with the hacker addresses" have already been "successfully identified and frozen." According to the Tron founder, the losses were "manageable." Systems have been "restored" and "relevant evidence" is now being secured. After the incident became public, the crypto entrepreneur offered the hackers a share of the stolen funds in return for giving the rest back.
It remains to be seen how high the damage will ultimately be, and also who is behind the attack. But much points to Lazarus. As in the Stake.com attack, "different tokens were stored at different addresses, then transferred to intermediate addresses and finally exchanged for native currency (ETH, TRX)," Quehenberger said.
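Seen from a tracing tool, the laundering pattern Quehenberger describes is a three-stage walk over the transfer graph: one token per staging address, consolidation into a few intermediate addresses, then swaps into the chain's native currency. The following Python is an added illustration and not code from BTC Echo, A|Q Forensics or Poloniex; it runs a forward taint walk from a seed address over a constructed transfer list (the addresses, amounts and the `dex_router` swap contract are made up for the example) and reports which addresses fill each of the three roles.

```python
from collections import defaultdict, deque

# Constructed sample transfers, not real chain data. Each row is
# (tx_hash, from_addr, to_addr, asset, amount, kind); kind is "transfer" for a
# plain token transfer and "swap" for a DEX swap into the native currency.
TRANSFERS = [
    ("0x01", "victim_hot", "drain_usdt", "USDT", 30_000_000, "transfer"),
    ("0x02", "victim_hot", "drain_link", "LINK", 4_000_000, "transfer"),
    ("0x03", "victim_hot", "drain_weth", "WETH", 12_000, "transfer"),
    ("0x04", "drain_usdt", "mid_1", "USDT", 30_000_000, "transfer"),
    ("0x05", "drain_link", "mid_1", "LINK", 4_000_000, "transfer"),
    ("0x06", "drain_weth", "mid_2", "WETH", 12_000, "transfer"),
    ("0x07", "mid_1", "dex_router", "USDT", 30_000_000, "swap"),
    ("0x08", "mid_1", "dex_router", "LINK", 4_000_000, "swap"),
    ("0x09", "mid_2", "dex_router", "WETH", 12_000, "swap"),
    ("0x0a", "alice", "bob", "USDT", 500, "transfer"),  # unrelated traffic
]

# Assumption for this example: swap contracts are recognised by address.
SWAP_CONTRACTS = {"dex_router"}


def forward_taint(seed, transfers):
    """Breadth-first walk along outgoing plain transfers from `seed`.
    Returns {address: hop count at which it first received tainted funds}."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        src = queue.popleft()
        for _, frm, to, _, _, kind in transfers:
            if frm == src and kind == "transfer" and to not in hops:
                hops[to] = hops[src] + 1
                queue.append(to)
    return hops


def assets_received(addr, transfers):
    """Distinct assets that arrived at `addr` by plain transfer."""
    return {asset for _, _, to, asset, _, kind in transfers
            if to == addr and kind == "transfer"}


def senders_to(addr, transfers):
    """Distinct addresses that sent plain transfers to `addr`."""
    return {frm for _, frm, to, _, _, kind in transfers
            if to == addr and kind == "transfer"}


def classify_laundering(seed, transfers, swap_contracts):
    """Split tainted addresses into the three stages described in the article:
    staging (one token per address, fed directly by the seed), intermediate
    (consolidates from staging addresses and swaps), and what each swapped."""
    hops = forward_taint(seed, transfers)
    staging = sorted(a for a, h in hops.items()
                     if h == 1 and len(assets_received(a, transfers)) == 1)
    swapped = defaultdict(set)
    for _, frm, to, asset, _, kind in transfers:
        if kind == "swap" and to in swap_contracts and frm in hops:
            swapped[frm].add(asset)
    intermediate = sorted(a for a in swapped
                          if hops[a] >= 2 and senders_to(a, transfers) & set(staging))
    return {
        "staging": staging,
        "intermediate": intermediate,
        "swapped": {a: sorted(s) for a, s in swapped.items()},
    }


def matches_pattern(report, transfers):
    """True when at least two staging addresses hold different tokens and at
    least one intermediate address consolidates and swaps them."""
    staged_assets = set()
    for a in report["staging"]:
        staged_assets |= assets_received(a, transfers)
    return len(staged_assets) >= 2 and bool(report["intermediate"])


if __name__ == "__main__":
    report = classify_laundering("victim_hot", TRANSFERS, SWAP_CONTRACTS)
    for stage, addrs in report.items():
        print(stage, addrs)
    print("pattern matched:", matches_pattern(report, TRANSFERS))
```

The walk deliberately stops at the swap contract: once tokens become ETH or TRX, the trail continues in the native asset and through the contract's own accounting, which a plain token-transfer graph does not show. A real tracing pass would also bound the walk by time window and amount so that ordinary downstream traffic is not tainted forever.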