Who is the Mysterious Entity Behind Backdoor Cryptocurrency Hacks on Investment Firms?

Key Takeaways:

  • The crypto industry has once again become the target of an elaborate hack
  • Microsoft Security Intelligence broke details about the hack, which involved Telegram groups of crypto exchange clients
  • According to cybersecurity firm Volexity, the attacker, DEV-0139, belongs to the notorious North Korean Lazarus Group of hackers
The cryptocurrency industry has suffered another attack by the North Korean Lazarus Group. Image by Gerd Altmann 

YEREVAN (CoinChapter.com) — Microsoft Security Intelligence has uncovered a new attack on cryptocurrency investment companies. According to a recent press release, the hacker, dubbed DEV-0139, used the messaging app Telegram to find and target new victims. 

As per the detailed report, the hacker joined several Telegram groups in October whose members included high-profile clients of crypto startups. They then identified a target among the group members and opened a direct line of communication with them by posing as an employee of a crypto exchange.


After gaining their trust, the hacker invited the victim to another group, where they pretended to solicit feedback on the fee structures of exchanges. Because the hacker was well informed about the market, they came across as a genuine employee, which made it easier to scam investors.

DEV-0139 then sent a malicious Excel file named OKX Binance & Huobi VIP fee comparision.xls. The file allegedly contained several tables comparing fee structures among cryptocurrency exchange companies.

Once the user downloaded and opened the file, it triggered a chain of activity, including dropping more files on the system. The attacker eventually gained remote access to the infected system through a second Excel sheet that ran in the background.

The hacker then used the compromised system to establish backdoor communication with a command-and-control (C2) server.
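One defensive illustration of the chain just described, added here and not part of the original article or of Microsoft's or Volexity's reporting: a small Python detector that correlates constructed Sysmon-like endpoint events and flags an Office process that writes a second document to disk and then launches another Office instance on it. The event shape, file paths and process IDs are invented for the example.

```python
from collections import defaultdict

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample telemetry in a Sysmon-like shape:
# (event_type, pid, parent_pid, image, target). Paths and PIDs are invented.
SAMPLE_EVENTS = [
    # 1. Excel opens the lure attachment received through Telegram
    ("process_create", 4001, 3000, r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     r"C:\Users\vip\Downloads\Telegram Desktop\OKX Binance & Huobi VIP fee comparision.xls"),
    # 2. That Excel process writes a second sheet to disk (constructed path)
    ("file_create", 4001, None, r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     r"C:\Users\vip\AppData\Local\Temp\dropped_sheet.xls"),
    # 3. ...and launches a second Excel instance on the file it just wrote
    ("process_create", 4002, 4001, r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     r"C:\Users\vip\AppData\Local\Temp\dropped_sheet.xls"),
    # Benign: the user opens their own spreadsheet; nothing is dropped or launched
    ("process_create", 5001, 3000, r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     r"C:\Users\vip\Documents\Q3 budget.xls"),
]


def is_office(image):
    """True when the process image is an Office application."""
    return image.rsplit("\\", 1)[-1].lower() in OFFICE_IMAGES


def find_document_chains(events):
    """Return (lure_document, dropped_document) pairs for every Office process
    that both wrote a file and then launched another Office process on it,
    i.e. the document-drops-document pattern described in the article."""
    opened = {}                   # pid -> document the Office process was started with
    written = defaultdict(set)    # pid -> lowercase paths that process created
    launched = defaultdict(list)  # parent pid -> documents its Office children opened
    for etype, pid, ppid, image, target in events:
        if not is_office(image):
            continue
        if etype == "process_create":
            opened[pid] = target
            if ppid in opened:
                launched[ppid].append(target)
        elif etype == "file_create":
            written[pid].add(target.lower())
    return [(doc, child) for pid, doc in opened.items()
            for child in launched[pid] if child.lower() in written[pid]]


if __name__ == "__main__":
    for lure, dropped in find_document_chains(SAMPLE_EVENTS):
        print(f"ALERT: {lure!r} dropped and launched {dropped!r}")
```

In a real deployment the same correlation would run over Sysmon event IDs 1 (process create) and 11 (file create) rather than the constructed tuples, and the benign event shows that a single Excel process opening a user's own document does not trip the rule.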

Microsoft’s security division explained the details of the new hack through a detailed diagram.



North Korean Lazarus Group behind the DEV-0139 hack?

According to cybersecurity firm Volexity, the style of the recent attacks confirms that North Korea’s state-sponsored Lazarus Group is behind them. On closer examination, the firm concluded that the techniques used in the two sets of attacks are similar.

The United States Government has already sanctioned the group. Earlier this year, Lazarus conducted a cyber espionage campaign targeting U.S., Canadian, and Japanese energy providers.

The group is also suspected of being behind the attacks on the Sony Network back in 2014. Following the hack, the network shut down completely the next day, as the hackers had leaked confidential data from the studio.

“Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents,” the security firm announced.

Changpeng Zhao, the CEO of the cryptocurrency exchange Binance, also posted about the incident. He urged people to be cautious and not download compromised files.

The Binance CEO has also warned users against downloading files from Telegram.


As CoinChapter earlier reported, the crypto industry is riddled with hacks. The Decentralized Finance (DeFi) industry in particular has been the target of many cyberattacks.
