It has been over 50 days since the biggest crypto hack in India, the WazirX exchange hack, which resulted in the theft of over Rs 2000 crores of user funds. According to technical analysts, the cyber attack bears the footprints of the infamous “Lazarus Group”, a state-sponsored cybercrime organization of North Korea that has several similar hacks to its credit.
However, local enforcement agencies and crypto sleuths have made little progress in the case, given that North Korea operates as a hostile hermit kingdom and Indian authorities have a rather apathetic attitude towards crypto markets. In the midst of all this, the unknown WazirX hackers have been laundering the stolen money through the Tornado Cash mixer.
In this exclusive article, we attempt to piece together the sequence of events after the WazirX hack on July 18 and shed light on possible suspects from the Lazarus Group behind the hack. The suspects discussed in this report are among the most wanted men in the world, as declared by the FBI.
What is the Lazarus Group?
The Lazarus Group, also known by other names such as ‘Guardians of Peace’, ‘Hidden Cobra’, ‘Diamond Sleet’ and ‘414 Liaison Office’, is a cybercrime group associated with the Reconnaissance General Bureau (RGB), the state intelligence agency of the Democratic People’s Republic of Korea (DPRK), akin to the CIA in the U.S. and the KGB in Russia.
Lazarus Group first gained attention after they allegedly hacked Sony Pictures in 2014 and leaked large amounts of data including unreleased movies, songs and scripts.
The Lazarus Group was earlier involved in ransomware, DDoS attacks and malicious phishing attempts made to steal data or shut down sophisticated computer servers of rival nations such as South Korea and the US. However, since 2017, the group has targeted cryptocurrency exchanges, stealing huge amounts of crypto funds, which has often resulted in the insolvency of the targeted exchange.
According to data from the United Nations Security Council (UNSC) and DeFiLlama, over 70% of the cryptocurrency lost to North Korean-linked hacks since 2020 was taken through private key exploits. This makes Lazarus Group one of the most dangerous Advanced Persistent Threat (APT) actors globally. The data indicates that North Korea has been responsible for over $2.4 billion in crypto thefts since 2020.
How the Lazarus Group is Involved in the WazirX Hack
A few days after the July 18 WazirX hack, various independent crypto sleuths such as ZachXBT and the cybersecurity firm Cyfirma pointed fingers at the Lazarus Group, given the modus operandi of the attack.
According to these experts, the nature of the attack, including the use of phishing techniques, complex multisig manipulations, and laundering of the stolen money through the Tornado Cash mixer, is consistent with the Lazarus Group’s previous hacks. Blockchain researchers, including ZachXBT, have noted that the WazirX hack shares similarities with past Lazarus Group operations, such as the Harmony Horizon hack and the Atomic Wallet hack.
Blockchain security experts like Mudit Gupta and ZachXBT found that the attackers had begun testing their methods at least eight days before the attack, indicating a well-planned and methodical approach typical of the Lazarus Group.
Nischal Shetty, CEO of WazirX, has also given a crucial statement regarding an attack of this magnitude and its unprecedented nature. As per Shetty, “no one has seen such a sophisticated attack ever on a centralized exchange. It’s not a fly-by-night operator or hacker, it’s really a state actor who has carried out this attack with extreme sophistication. I am not justifying the situation, but if it could happen to us despite the industry’s best practices, it could happen to anyone.”
FBI Most Wanted Hackers Behind the WazirX Hack?
While it is difficult to name a single individual behind the WazirX hack, we have zeroed in on three suspects who are the public face of the Lazarus Group and could be behind this massive attack on WazirX.
1. Kim Il
Kim Il is a state-sponsored hacker from North Korea, reportedly involved in one of the most expensive cybercrime conspiracies in history. The cyber intrusions allegedly led by him have caused damage to computer systems and have resulted in the theft of both traditional and virtual currencies from numerous victims.
Kim Il is accused of being part of a broader criminal conspiracy by hackers associated with North Korea’s Reconnaissance General Bureau (RGB). This includes several North Korean hacking groups, including those referred to by private cybersecurity researchers as the “Lazarus Group” and Advanced Persistent Threat 38 (APT38).
2. Jon Chang Hyok
Jon Chang Hyok is another alleged North Korean state-sponsored hacker linked to some of the most notorious and damaging cyberattacks in recent history. Like Park Jin Hyok, Jon is associated with the Lazarus Group, a hacking group believed to be sponsored by North Korea’s Reconnaissance General Bureau (RGB). He has been accused of developing and deploying malicious software targeting cryptocurrency exchanges and other companies.
He is responsible for clandestine operations, including cyber warfare for North Korea. He has been charged with conspiracy to commit wire fraud, bank fraud, and computer fraud (intrusions) by the United States District Court, Central District of California. A federal arrest warrant was issued for him on December 8, 2020, for his alleged role in these conspiracies.
3. Park Jin Hyok
Park Jin Hyok is a North Korean computer programmer. He is most notably associated with the Lazarus Group, a hacking group believed to be sponsored by North Korea’s Reconnaissance General Bureau (RGB), which is its primary intelligence agency.
He has been charged with conspiracy to commit wire fraud, bank fraud, and computer fraud (intrusions) by the United States District Court, Central District of California.
The 2014 cyberattack on Sony Pictures Entertainment attributed to the group resulted in the theft and public release of confidential data, including unreleased films and private communications. It was allegedly carried out in retaliation for the film “The Interview,” a comedy depicting an assassination attempt on North Korean leader Kim Jong-un.
Conclusion
A lot has happened in the past 50 days. WazirX users have realized that the exchange’s ownership is under dispute between its parent company Zettai and Binance, and neither is willing to take responsibility for the exchange now that users are demanding the return of their funds. Meanwhile, Zettai has approached the Singapore High Court with a moratorium application seeking six months of breathing space while it comes up with a restructuring plan for users, who are expected to lose 43% of their funds to these hackers.
In light of these recent developments, it remains to be seen whether the multiple investigative agencies probing the WazirX hack can bring more conclusive proof to indict the Lazarus Group.