Blockchain and cryptocurrencies are changing the world, but human nature is not subject to the blockchain revolution (like it or not): some people still intentionally harm others, and for them blockchain is just another opportunity to rob or scam someone.

Lazarus

The Chinese company 360 Security reports that the North Korean hacker group Lazarus has become increasingly active. The group recently robbed three crypto exchanges (DragonEx, Etbox, and BiKi) and, according to 360 Security, continues to target other cryptocurrency exchanges.

360 Security reports that on March 24 the large cryptocurrency exchange DragonEx was hacked by the Lazarus group (also known as APT-C-26). The losses are estimated at $7.09 million. The attack was carried out via specialized software called “Worldbit-bot”.

The Lazarus Scheme

According to the investigation by the 360 Advanced Threat Response Team, Lazarus registered two domains in October 2018 in order to carry out the attack: wb-invest.net and wb-bot.org. The next step was to build the malicious “trading software” Worldbit-bot (which did not actually work as a trading tool) on top of the open-source “Qt Bitcoin Trader”. Worldbit-bot carried the malware. Lazarus made the software look like a normal automated cryptocurrency trading platform, and it operated without any apparent trouble for the next six months using the wb-invest.net and wb-bot.org domains.

The attackers targeted the exchanges’ internal staff in order to spread the malicious software. The phishing campaigns ran in January and March of this year.

The investigation of the DragonEx hack conducted by JohnWick Security (China) revealed that DragonEx customer service managers had run an installation package, wbbot.dmg, from an unknown source. This package was used to steal the private keys of DragonEx wallets from staff data.

Precedent

The scheme associated with WorldBit-bot has a lot in common with the case investigated by 360 Security last August, when hackers were using a fake platform called “Celas Trade Pro”. In that case, customers of Bitfinex, Bitstamp, Bitmarket, OKCoin, BTCChina, GOC.io, Indacoin, WEX and YoBit were exposed to the attack. The phases of the attack were as follows:

Step 1: collecting and encrypting process information

Step 2: collecting system information

Step 3: decrypting the malicious code and executing it

How Do We Avoid Such Troubles?

If you are not sure whether a platform is legitimate, keep the following tips in mind:

1. Unusually high advertised exchange returns are not a sign of a legitimate platform.

2. Suspicious wallet addresses are reason enough to stop using a platform.

3. Being forced to log in repeatedly while withdrawing your coins is a warning sign.

4. If you see the exchange processing unusually large transfers, consider leaving it.

It’s important to take care of your security, because Lazarus, and probably similar hacker groups too, are not going to stop. Lazarus has been active for over 10 years, and lately it has shifted from hacking banks to cryptocurrency platforms and individuals. The reason is quite clear: Bitcoin exchanges can be an easy target because many people take security for granted. But we shouldn’t be so carefree.