Lazarus Group, a cybercriminal organization allegedly supported by North Korea, has recently set its sights on LinkedIn users, adding a new weapon to its already extensive arsenal. Reports have emerged revealing a sophisticated phishing operation conducted by the group, where they impersonate a senior executive from Fenbushi Capital, a well-known Chinese blockchain asset management firm. SlowMist, a cybersecurity firm, has shed light on this alarming development by exposing the group’s elaborate scheme to trick unsuspecting users into falling for crypto phishing scams.
Last week, SlowMist disclosed that Lazarus Group has been specifically targeting LinkedIn users within the crypto industry as part of its larger crypto hacking scheme. The hackers create fake profiles on LinkedIn and reach out to HR personnel and hiring managers in blockchain-related organizations. They send links to malware disguised as code samples meant to showcase their coding skills, with the aim of stealing the victim’s data. SlowMist discovered a periodic function called “stealEverything” that is designed to extract as much data as possible and upload it to a server controlled by the attackers.
According to the latest update, SlowMist’s Chief Information Security Officer revealed that Lazarus Group’s latest tactic involves creating fake LinkedIn profiles. One of these profiles impersonates “Nevil Bolson,” who claims to be a founding partner at Fenbushi Capital. The profile picture used by the impostor is sourced from Remington Ong, a legitimate partner at Fenbushi Capital, which adds an additional layer of authenticity to the deception. The hackers use these fake profiles to initiate private conversations with potential targets on LinkedIn, often pretending to discuss investment opportunities or arrange meetings. Once trust is established, they introduce malicious links disguised as meeting invitations or event pages. When clicked, these links trigger phishing attacks aimed at compromising sensitive information or crypto assets.
SlowMist’s investigation into Lazarus Group’s activities has revealed a pattern of targeting prominent DeFi projects, leveraging the guise of members from investment companies to gain the trust of their victims. By carefully comparing IP addresses and analyzing the attack strategy, SlowMist has definitively identified “Nevil Bolson” as a member of Lazarus Group, reaffirming the malicious intentions of the group. Additionally, the scale of crypto-related cybercrime committed by groups like Lazarus is staggering. According to blockchain analytics firm Chainalysis, a total of $1.7 billion worth of funds was stolen from the crypto space through 231 hacks in 2023 alone.
While Lazarus Group’s latest tactics on LinkedIn have attracted attention, their hacking activities extend beyond social media platforms. Recent reports indicate that the group has been involved in numerous exploitation attacks in the past few days. Earlier this year, they orchestrated a significant move by transferring $12 million in Ether using Tornado Cash, a popular coin mixer. Furthermore, Lazarus Group’s activities have had tangible effects on specific cryptocurrencies, such as RAIL. The native token of another coin mixer, Railgun (RAIL), has experienced a decline in price following Lazarus’ illicit activities on the platform.
Amid allegations linking Railgun to the sanctioned North Korean Lazarus Group’s illicit activities, Railgun has vehemently denied any association with the hacker collective. This controversy stemmed from an analysis published by Elliptic, which suggested that Lazarus Group had used Railgun to launder over $60 million worth of stolen Ethereum in June 2022. According to the report, the group shifted its laundering operations to Railgun after the US imposed sanctions on Tornado Cash. Elliptic’s research also indicated that around 70% of the funds passing through Railgun were linked to the Harmony hack. This influx of Ethereum compromised Railgun’s effectiveness as a privacy protocol.
Reports suggest that 40% of North Korea’s weapons of mass destruction are funded through illicit cyber means, with Lazarus Group having stolen over $3 billion worth of digital assets globally to date. The US and its allies view North Korea’s state-sponsored malware initiatives as a threat to national security. Last year, the US sanctioned the crypto mixer Sinbad, known as a “key money-laundering tool,” for the regime’s exploitation of digital assets.