
Lazarus Group Suspected in $11M Crypto Heist Targeting Taiwan’s BitoPro Exchange


Taiwanese cryptocurrency platform BitoPro has blamed North Korea’s Lazarus Group for a cyberattack that resulted in $11 million in stolen digital assets. The breach occurred on May 8, 2025, during an upgrade to the exchange’s hot wallet system. 

According to BitoPro, the tactics and methods used by the hackers closely resemble those seen in other global incidents tied to the Lazarus Group, including high-profile thefts via SWIFT banking systems and other major crypto platforms. BitoPro serves a primarily Taiwanese customer base, offering fiat transactions in TWD alongside various cryptocurrencies. 

The exchange currently supports over 800,000 users and processes approximately $30 million in daily trades. The attackers struck while the hot wallet system was being upgraded, making unauthorized withdrawals from a legacy hot wallet whose funds were spread across several blockchain networks, including Ethereum, Tron, Solana, and Polygon. The stolen cryptocurrency was then quickly laundered through decentralized exchanges, the cross-chain swap protocol ThorChain, and mixing services such as Tornado Cash and Wasabi Wallet, making tracing and recovery more difficult. 

Despite the attack taking place in early May, BitoPro only publicly acknowledged the breach on June 2. At that time, the exchange assured users that daily operations remained unaffected and that the compromised hot wallet had been replenished from its reserve funds. Following a thorough investigation, the exchange confirmed that no internal staff were involved. 

Instead, the attackers used social engineering to infect a cloud administrator's device with malware and stole AWS session tokens from it. Because a session token is issued only after the administrator has already satisfied MFA, replaying it does not trigger a second-factor prompt; that is how the attackers sidestepped multi-factor authentication and gained unauthorized access to BitoPro's cloud infrastructure. From there they inserted scripts directly into the hot wallet system and carried out the theft while mimicking legitimate activity to delay detection. 
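A stolen session token carries the MFA-satisfied status of the session it was lifted from, so the one thing that still changes is where the API calls come from. The detection below is an added example written for this page, not BitoPro's or any vendor's logic; the CloudTrail records, principals, access key IDs and IP addresses are constructed sample data, and the field names are the standard CloudTrail ones (`userIdentity.accessKeyId`, `sourceIPAddress`, `userAgent`, `sessionContext.attributes.mfaAuthenticated`). It raises one alert per access key for every source IP / user-agent pair that differs from the key's first observed use, and records whether the session was MFA-authenticated so an analyst can see that the thief inherited that status.

```python
"""Flag an AWS session token being presented from a new network location.

Added example, not BitoPro's or any vendor's detection logic. A stolen STS
session token inherits the mfaAuthenticated status of the session it was taken
from, so MFA never re-prompts; what does change is where the API calls come
from. This walks CloudTrail records and raises one alert per access key for
each source IP / user-agent pair not seen on that key's first use.
"""
from collections import defaultdict


def _ev(time, name, ip, ua, key, arn, mfa):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time, "eventName": name,
        "sourceIPAddress": ip, "userAgent": ua,
        "userIdentity": {
            "accessKeyId": key, "arn": arn,
            "sessionContext": {"attributes": {"mfaAuthenticated": "true" if mfa else "false"}},
        },
    }


# Constructed identities: an admin's STS session (ASIA prefix) and a service user's long-term key.
ADMIN_KEY = "ASIAEXAMPLEADMIN0001"
ADMIN_ARN = "arn:aws:sts::123456789012:assumed-role/CloudAdmin/alice"
SVC_KEY = "AKIAEXAMPLESVC000001"
SVC_ARN = "arn:aws:iam::123456789012:user/deploy-bot"

# Constructed sample CloudTrail records (not real BitoPro data), deliberately out of time order.
SAMPLE_EVENTS = [
    _ev("2025-05-08T01:12:03Z", "DescribeInstances", "203.0.113.10", "aws-cli/2.15.0", ADMIN_KEY, ADMIN_ARN, True),
    _ev("2025-05-08T01:14:40Z", "ListBuckets", "203.0.113.10", "aws-cli/2.15.0", ADMIN_KEY, ADMIN_ARN, True),
    # The same token, now presented from an unfamiliar host with different tooling.
    _ev("2025-05-08T01:31:09Z", "PutObject", "198.51.100.77", "python-requests/2.31.0", ADMIN_KEY, ADMIN_ARN, True),
    _ev("2025-05-08T01:33:52Z", "UpdateFunctionCode", "198.51.100.77", "python-requests/2.31.0", ADMIN_KEY, ADMIN_ARN, True),
    # A long-term key used from two CI runners: ignored unless temporary_only=False.
    _ev("2025-05-08T01:20:00Z", "GetObject", "192.0.2.5", "aws-sdk-go/1.50.0", SVC_KEY, SVC_ARN, False),
    _ev("2025-05-08T01:25:00Z", "GetObject", "192.0.2.9", "aws-sdk-go/1.50.0", SVC_KEY, SVC_ARN, False),
]


def is_temporary_key(access_key_id):
    """STS-issued credentials carry the ASIA prefix; long-term IAM user keys use AKIA."""
    return access_key_id.startswith("ASIA")


def detect_session_reuse(events, temporary_only=True):
    """Return alerts for keys used from a (source IP, user agent) other than their first."""
    alerts = []
    baseline = {}            # access key -> fingerprint of first observed use
    seen = defaultdict(set)  # access key -> fingerprints already observed
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if not key or (temporary_only and not is_temporary_key(key)):
            continue
        fp = (ev.get("sourceIPAddress", "?"), ev.get("userAgent", "?"))
        if key not in baseline:
            baseline[key] = fp
        if fp in seen[key]:
            continue
        seen[key].add(fp)
        if fp == baseline[key]:
            continue
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
        alerts.append({
            "accessKeyId": key,
            "principal": ident.get("arn"),
            "eventTime": ev["eventTime"],
            "eventName": ev["eventName"],
            "baseline": baseline[key],
            "observed": fp,
            # True means the thief rides an MFA-satisfied session: no second factor is asked for.
            "mfa_inherited": mfa,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_EVENTS):
        print(f"{a['eventTime']} {a['principal']} {a['eventName']}: "
              f"{a['baseline'][0]} -> {a['observed'][0]} (MFA inherited: {a['mfa_inherited']})")
```

On the sample data only the admin's session token trips the rule (the service user's long-term key is reported as well if `temporary_only=False`). The same exposure can be narrowed before detection is needed: keep role session durations short and attach an `aws:SourceIp` condition to the admin role so a token lifted from a laptop is useless from outside the expected network range.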

After discovering the breach, BitoPro deactivated the affected wallet system and rotated its cryptographic keys, though the damage had already been done. The company reported the incident to authorities and brought in a third-party cybersecurity firm to conduct an independent review, which concluded on June 11. 

The Lazarus Group has a long history of targeting cryptocurrency and decentralized finance platforms. This attack on BitoPro adds to their growing list of cyber heists, including the recent $1.5 billion digital asset theft from the Bybit exchange.

North Korea’s Lazarus Group Launches Global Supply Chain Attack Targeting Developers


North Korea’s notorious hacking collective, Lazarus Group, has orchestrated a large-scale supply chain attack, compromising hundreds of victims worldwide, according to cybersecurity researchers. The operation, named Phantom Circuit, remains active as of this month.

The group injected malicious backdoors into cloned versions of legitimate open-source software and developer tools, primarily targeting professionals in the cryptocurrency industry. These tampered projects were then distributed via platforms like GitLab, leading unsuspecting developers to download and execute the compromised code, effectively exposing their systems.

According to SecurityScorecard, which uncovered and analyzed the attack, the campaign has unfolded in multiple waves:
  • November 2024: 181 developers, mostly in the European tech sector, were targeted.
  • December 2024: The attack expanded to 1,225 victims, including 284 in India and 21 in Brazil.
  • January 2025: An additional 233 individuals were affected, with 110 in India’s technology sector alone.
The stolen data includes credentials, authentication tokens, passwords, and system information, posing severe security risks for organizations and individuals alike.

The hackers leveraged open-source repositories, particularly forking existing projects to insert malicious code. SecurityScorecard’s senior VP of research and threat intelligence, Ryan Sherstobitoff, noted:

"These are examples of code repos they host on GitLab, for example, which is a clone of legit software and they embed into Node.js obfuscated backdoor. The scary thing is that these developers will clone this code from git directly onto corporate laptops, we have seen this directly with two devs already. Basically, they can do it for almost any package."

Among the compromised repositories were:
  • Codementor
  • CoinProperty
  • Web3 E-Store
  • A Python-based password manager
  • Other cryptocurrency-related applications, authentication tools, and Web3 technologies
Once a developer unknowingly downloads the infected repository, the malware installs a backdoor, granting Lazarus Group remote access to the compromised device. The attackers then exfiltrate sensitive data and route it to North Korean command-and-control (C2) servers. This method of embedding malware into legitimate-looking software marks a tactical shift for Lazarus Group.
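The Phantom Circuit pattern depends on two things: a clone that looks like the real project, and code that runs or decodes itself once the developer installs it. A short pre-install triage catches much of that before `npm install` ever runs. The scanner below is an added example written for this page, not SecurityScorecard's tooling and not indicators from any actual sample; the heuristics (install-time lifecycle hooks in package.json, `eval`/`new Function`, base64 decoding, runs of hex escapes, and `_0x...` identifiers typical of JavaScript obfuscators) are generic, and the sample checkout it scans is constructed inline with an inert payload that only logs a string.

```python
"""Pre-install triage for a cloned Node.js repository.

Added example (not SecurityScorecard's tooling or indicators). Before running
`npm install` on code cloned from an unfamiliar fork, look for the two things
that make a trojanised clone work: lifecycle scripts that execute on install,
and obfuscated or dynamically evaluated JavaScript. The heuristics are generic,
not signatures for any specific sample.
"""
import base64
import json
import os
import re
import tempfile

# npm runs these automatically during `npm install` (prepare also when installing from git).
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Cheap textual indicators of obfuscation or runtime code execution.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    "child_process": re.compile(r"\bchild_process\b"),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
    "obfuscator_identifiers": re.compile(r"\b_0x[0-9a-fA-F]{3,}\b"),
}
JS_EXTENSIONS = (".js", ".cjs", ".mjs", ".ts")


def scan_file(text):
    """Return the sorted names of indicators that fire on one source file."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_package_json(text):
    """Return lifecycle hooks declared in package.json, as 'lifecycle:<hook>'."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (ValueError, AttributeError):
        return ["unparseable_package_json"]
    return [f"lifecycle:{hook}" for hook in LIFECYCLE_SCRIPTS if hook in scripts]


def scan_repo(root):
    """Walk a checkout; map relative path -> findings for files that raise any."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if fn == "package.json":
                hits = scan_package_json(text)
            elif fn.endswith(JS_EXTENSIONS):
                hits = scan_file(text)
            else:
                continue
            if hits:
                findings[rel] = hits
    return findings


# Constructed sample checkout: an inert stand-in for a trojanised clone. The base64
# blob decodes to a harmless console.log, so lib/init.js does nothing if actually run.
_INERT_B64 = base64.b64encode(b'console.log("inert")').decode()
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "example-crypto-app", "version": "1.0.0",
        "scripts": {"test": "jest", "postinstall": "node lib/init.js"},
    }),
    "index.js": "const express = require('express');\nmodule.exports = () => 'ok';\n",
    "lib/init.js": (
        "var _0x4f2a = ['child_process', '\\x68\\x74\\x74\\x70\\x73'];\n"
        "var cp = require(_0x4f2a[0]);\n"
        "eval(Buffer.from('" + _INERT_B64 + "', 'base64').toString());\n"
    ),
}


def build_sample_repo(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Build the sample checkout in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return scan_repo(root)


if __name__ == "__main__":
    for path, hits in sorted(run_demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Point `scan_repo` at a fresh clone before installing anything; a `postinstall` hook that runs a file full of hex escapes and `eval` is exactly the shape to refuse. Obfuscation alone is not proof of malice (minified builds trip some of these), so treat the output as a triage queue and compare the flagged files against the upstream project the repository claims to be a copy of.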

"This approach allows widespread impact and long-term access while evading detection," Sherstobitoff explained.

SecurityScorecard also linked this campaign to an earlier fake job offer scam, Operation 99, through which the group’s C2 servers, active since September 2024, were identified. These same servers were later repurposed for Phantom Circuit, facilitating malware deployment and data theft.

Despite these discoveries, key questions remain about how the stolen data is processed and about the infrastructure supporting these attacks. The investigation is ongoing.