A security researcher from Paradigm, known as Samczsun, is expressing concerns that North Korea’s cyber activities reach well beyond the infamous Lazarus Group.
His alerts come on the heels of the recent Bybit hack, which reportedly involved a complex breach of the SafeWallet infrastructure.
This incident marked a significant shift from prior North Korean hacking efforts. Rather than attacking Bybit directly, the intruders compromised Safe{Wallet}, the wallet infrastructure Bybit relied on.
This change in strategy underscores the increasing sophistication of their tactics, raising serious concerns regarding the security of the larger cryptocurrency ecosystem.
According to Samczsun, the cybercrime attributed to North Korean actors is not confined to one group but is rather a web of state-sponsored threat actors working under a variety of names.
The structure of North Korea’s cyber warfare
Samczsun has dedicated years to examining North Korea’s cyber threats. He emphasizes that labeling all North Korean cyber activities as originating from the “Lazarus Group” fails to capture the complexity of their operation.
The hacking initiatives of North Korea are largely coordinated through the Reconnaissance General Bureau, the intelligence body overseeing various hacking units. These include not just the Lazarus Group but also APT38, AppleJeus, and other specialized teams.
Each group has distinct objectives. For instance, the Lazarus Group is infamous for major cyberattacks, such as the 2014 Sony Pictures incident and the 2016 Bangladesh Bank heist. APT38 is focused on financial crimes, particularly bank fraud and cryptocurrency theft.
“APT38,” wrote Samczsun, “emerged from Lazarus Group around 2016 to concentrate on financial crimes, initially targeting banks (such as the Bank of Bangladesh) and later shifting focus to cryptocurrency.”
Meanwhile, AppleJeus has aimed at cryptocurrency users with malware masquerading as trading applications.
All of these units operate under the same governmental framework, contributing to funding North Korea’s weapons programs and circumventing international sanctions.
Cryptocurrency has become a target for North Korea
North Korea has increasingly relied on cryptocurrency for revenue. The decentralized nature of crypto transactions makes them harder to trace or freeze compared to traditional finance.
North Korean hackers take advantage of this by infiltrating exchanges, distributing malware, and leveraging false job offers to access internal systems.
An example includes “Wagemole” operatives — North Korean IT professionals who penetrate legitimate tech companies. They often pose as regular employees but may misuse their access to pilfer funds or compromise systems.
This strategy was evident in the Munchables exploit, where an employee with connections to North Korea siphoned off assets from the protocol.
Another approach involves supply chain attacks, where hackers compromise software providers catering to cryptocurrency firms. One instance saw AppleJeus hackers embed malware into a widely used communication platform, impacting millions of users.
In a separate incident, North Korean attackers accessed a contractor working with Radiant Capital through social engineering tactics used on Telegram, according to Samczsun.
Implications for the cryptocurrency sector
Samczsun cautioned that North Korea’s cyber operations are advancing. The Bybit attack indicates that hackers are now targeting infrastructure providers in addition to exchanges.
This shift suggests that the entire crypto ecosystem — from wallets to smart contract platforms — may be vulnerable.
For crypto users and businesses, a crucial takeaway is that North Korean cyber threats extend beyond the Lazarus Group and simple exchange hacks. The industry requires stronger security measures, better intelligence sharing, and heightened awareness of social engineering risks.