Trivial ways you can protect yourself from crypto hackers
Cyber security breaches occur mostly because of the fallibility of people, not software. Defending against cyber attackers can be simple; here's how.
In the TV series Mr. Robot, the anonymous “fsociety” is a small but agile group of vigilante hackers, armed with nothing but their computers and a vast knowledge of cybersecurity vulnerabilities. Their aim is to literally delete debt, by hacking into a conglomerate’s financial data.
Of course, the real-life inspiration for “fsociety” is far more sinister than the fictional group. For 16 years, the Lazarus Group has raked in a total of $3.4 billion in stolen cash and crypto, and they are quite slippery.
What is the Lazarus Group?
The Lazarus Group is responsible for a few high-profile digital thefts. There is overwhelming evidence suggesting that they are sponsored by the North Korean regime, but their exact locations remain unknown. Thus, they are extremely difficult to locate and apprehend.
Their latest heist this month (September 2023) resulted in $41 million in stolen crypto from the casino Stake.com. The Hong-Kong-based centralised crypto exchange CoinEx suffered a loss of $70 million less than 2 weeks later.
The group was also responsible for industry-disrupting attacks in 2017, such as exploiting vulnerabilities in older Windows operating systems that many healthcare institutions were still running at the time. They infected critical systems with the infamous WannaCry ransomware.
Back in the crypto world, the Lazarus Group is also responsible for funnelling $600 million in crypto off the Ronin Bridge. Almost a year later, only $5.9 million had been recovered from the attack, and, quite surprisingly, on the other side of the planet by the Norwegian police.
Many more acts of injustice were committed by the Lazarus Group, but these are among the worst.
What are the attackers targeting?
Blockchain analyst Elliptic studied the behaviour of the Lazarus Group and their attack patterns. Comparing last year’s attacks to this year’s, they’ve suggested that the hackers are shifting their focus from decentralised services to centralised ones, such as centralised exchanges.
They explained that the group’s targeting of DeFi protocols coincided with the DeFi ‘boom’ or ‘DeFi summer’ of 2021. Back then, many developers hastily built DeFi protocols to capture the hype, and some protocols were designed to fail on purpose (as part of a rug pull scam). Among the legitimate projects, cross-chain bridges in particular were new technology, and it was common for hackers to exploit a poorly written smart contract and drain the supposedly locked tokens.
With many security improvements having been implemented on decentralised services, attackers find it more difficult to find vulnerabilities (with the exception of Atomic Wallet, which was allegedly breached by the Lazarus Group a few months ago).
As cybersecurity becomes reinforced on many DeFi platforms, centralised services still have one gaping vulnerability — employees. Decentralised exchanges, for example, often hire a small number of experts, but their centralised counterparts require additional employees to support customers and comply with local regulations.
Cybersecurity company AAG IT published an extensive report on cybercrime statistics in 2023. According to the report “the human element remains a critical vulnerability for both businesses and individuals.” As much as 82% of breaches were caused by social engineering.
Social engineering, in fact, requires far less technical skill than skill at manipulating the psychology of the victims. Phishing is a very common technique used by the Lazarus Group to gather sensitive information and gain unauthorised access to funds.
You don’t need to install more security apps
How do you protect yourself (and your crypto) against hackers like the Lazarus Group? The answer is not, “install more security apps”.
Your devices and commonly used apps, such as web browsers, already ship with software capable of detecting and preventing malware. That is, provided that you keep that software up to date.
A computer’s security system doesn’t work the same way as the human body does. The human body can benefit from having more antibodies and supplements (given the right dosage). However, installing more security apps on top of the default security system could do more harm than good.
Firstly, an add-on security product can interfere with the built-in security protections of your devices and apps. Secondly, a lot of malware actually poses as a so-called security app.
It’s unfortunate that many security apps (even legitimate ones) market themselves through fear-mongering and making people doubt their default system’s capabilities. This often gives the general public the perception that the default security system is not enough.
As we’ve learned from the Lazarus Group, technical security is not where we should be focusing most of our attention, because there is a gaping security hole that needs to be dealt with immediately: our own behaviour.
Trivial ways to fight social engineering
I use the term “trivial” here not to downplay the threat of social engineering. Rather, the techniques and protocols mentioned here are so easy to implement that little technical skill is needed.
1. Go to the official website, and check the URL
Famous pro-crypto TV personality and billionaire Mark Cuban recently had nearly $900,000 of crypto stolen. Further investigation revealed that he had not interacted with a vulnerable smart contract; rather, his crypto was drained directly from his wallet. Apparently, he had downloaded a fake MetaMask app, which gave the attackers his private key.
If you plan to use a software wallet, please download it through the official website. Check the URL and make sure that the domain name is correct. For example, download MetaMask through metamask.io, and not metamask.com.
Even if the app is downloaded through the App Store, you should go to the official website first, as it will lead you to the correct app download page.
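As an added example (not from the original article), here is a small Python check that encodes the rule above: a download link is trusted only when its host is the verified official domain or a subdomain of it, so lookalikes such as metamask.com or metamask.io.example.com are rejected. The allow-list with metamask.io as its only entry is an assumption for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the article names metamask.io as
# MetaMask's official domain. Add only domains you have verified yourself.
OFFICIAL_DOMAINS = {"metamask": "metamask.io"}


def check_download_url(url: str, official: dict = OFFICIAL_DOMAINS) -> str:
    """Classify a wallet download link before trusting it.

    Returns 'official', 'insecure' (right domain, plain http), 'lookalike'
    (brand name or IDN trick in a non-official host) or 'unknown'.
    A host is official only if it equals the allow-listed domain or is a
    subdomain of it, so 'metamask.com' and 'metamask.io.example.com' fail.
    """
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # bare 'metamask.io/download' pasted from a chat
    parts = urlsplit(url)
    # urlsplit().hostname drops any 'user@' prefix, so the
    # 'https://metamask.io@example.com' trick yields 'example.com' here.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unknown"
    try:
        # Convert Unicode hosts to punycode so a homoglyph such as a Cyrillic
        # 'а' in 'metamаsk.io' can never compare equal to the ASCII domain.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "unknown"
    for domain in official.values():
        if host == domain or host.endswith("." + domain):
            return "official" if parts.scheme == "https" else "insecure"
    # Any internationalised label is suspicious: the vendor domains on the
    # allow-list are plain ASCII, so an 'xn--' label is not one of them.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # Brand name inside a host that is not the official one, e.g.
    # metamask.com, metamask-io.app or metamask.io.example.com.
    if any(brand in host for brand in official):
        return "lookalike"
    return "unknown"
```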
2. Know when it’s too good to be true
Ethereum founder Vitalik Buterin’s Twitter account was hacked, resulting in his 5 million followers viewing a false post with a malicious link. Unfortunately, nearly $700,000 was stolen from unsuspecting followers who believed that they were buying valuable NFTs.
The hackers were clever in that they crafted a message that didn’t raise many eyebrows at first. Had the message claimed that you could win “double crypto” by sending crypto to a wallet address, the attempt would have failed.
However, Vitalik’s followers did not think twice about his supposed promotion of an NFT project. Whether a project is legitimate is, of course, difficult to confirm at first glance. However, there are signs that a project could be a scam. For example, if the post urges the user to send crypto to a wallet address before a very short deadline, there’s a good chance that this is a rug pull attempt.
People should stop viewing crypto as a way to get free money. Any real company or honest public figure would craft their message extremely carefully so as to avoid people blindly sending crypto to an address. The promise of receiving free money, crypto, or NFTs is simply too good to be true.
3. Confirm the real identity
Fake job postings and emails that appear to come from higher-ups are opportunities for scammers to obtain sensitive information, handed over freely by employees. Companies should implement a strict protocol for data requests, and leaders should reassure their subordinates that it’s okay to be sceptical about a request.
Implement a culture where requesting sensitive data is not a time-sensitive task, and assign gatekeepers to help make sure that a request is authentic.
4. Have a safe word
A safe word isn’t only useful among family members. It’s also a no-tech solution for confirming the identity of someone with high authority, such as a CEO. A safe word can be implemented in companies where employees work remotely.
A safe word doesn’t have to be a word per se. It could be a fact or a story that can be shared among a limited circle of people. The important thing is that the safe word (or story) has to be shared on a secure video call.
Most video call platforms use end-to-end encryption, which means that not even the Lazarus Group could decode a message intercepted in transit between the two parties.
5. Use a cold wallet
Going back to crypto, and learning from the unfortunate incident experienced by Mark Cuban, we should also use a cold wallet to store any amount of crypto we consider significant.
A cold wallet is manufactured in a physical facility under high security standards. The manufacturer also uses clever ways to prevent tampering, for example by placing tamper-evident stickers over the wallet’s connection port and at various places around the package.
That way, you can be sure that the wallet you’re about to use is a genuine product of the wallet manufacturer that you trust.
The key takeaways
Contrary to popular belief, cyber security breaches occur because of the fallibility of people, not software. Defending against cyber attackers like the Lazarus Group can be as trivial as downloading the correct wallet app and following a strict procedure before sharing anything online.
I hope this has been useful for you. Please share this with someone who will find this useful.
Disclaimer: Information is current as at the date of publication. This is general information only and is not intended to be advice. Crypto is volatile, carries risk and the value can go up and down. Past performance is not an indicator of future returns. Please do your own research.
Last updated September 19, 2023