Lazarus, a well-known hacking group believed to have ties to the North Korean regime, is reportedly using the privacy-centric messaging app Telegram to steal cryptocurrency.

According to Kaspersky’s cybersecurity researchers, evidence suggests Lazarus has been changing its attack methodology by taking “more careful steps” and employing “improved tactics and procedures” to steal Telegram users’ cryptocurrency.

Telegram is one of the most popular messaging platforms in the cryptocurrency community, so much so it’s even launching its own cryptocurrency, Gram, on its own TON blockchain. Lazarus’ attack vector is centered on fake cryptocurrency trading platforms, used to lure in victims.

Kaspersky’s researchers revealed Lazarus has been setting up fake cryptocurrency trading firms with websites that have links to social media platforms, including fake Telegram trading groups. In one instance, a Windows user was infected with malicious files via Telegram, and not via the fake crypto trading platform itself.

The researchers added they found various fake crypto exchanges, and that they believe these were created using free web templates. While Kaspersky only found these groups now, at least one was created back in December 2018.

The malware used on victims gives the North Korean hacking group control of the compromised device. Lazarus is known for going after financial institutions, and in recent years has been targeting cryptocurrency businesses. Identified victims from Poland, the UK, Russia, and China confirmed they were cryptocurrency businesses.

As CryptoGlobe reported, in March 2019 Kaspersky warned that Lazarus’ targets were still businesses dealing with cryptocurrencies, adding that extra caution was necessary when “dealing with new third parties or installing software.”

A UN report from August 2019 revealed it was believed Lazarus managed to net the North Korean government as much as $2 billion through attacks on cryptocurrency exchanges and other financial institutions. South Korea’s largest crypto exchange Bithumb, which was hacked two times in the past, is believed to have been one of their targets.
