The infamous hacking collective Lazarus Group, widely believed to work for the North Korean government, is suspected of being behind the hack of cryptocurrency exchange DragonEx.

As CryptoGlobe reported, DragonEx was hacked in March 2019 and announced via Telegram that hackers had managed to steal cryptocurrency belonging to both the exchange and its users. The exchange quickly published all of the cryptocurrency wallets to which the funds, worth over $7 million at the time, were moved.

A new report released by blockchain analysis firm Chainalysis details that the Lazarus Group was likely behind the attack, in what could be one more cryptocurrency exchange hack helping fund the North Korean government. As reported, North Korean hackers have been hitting cryptocurrency trading platforms and financial institutions to fund North Korea’s weapons programs.

The report details how Lazarus used advanced tactics to hack the cryptocurrency exchange. It reportedly created a fake company and a fake cryptocurrency trading bot to phish DragonEx employees and gain access to the cryptocurrency. The fake company had fake employees who had fake, legitimate-looking social media profiles.

Lazarus pitched the fake cryptocurrency trading bot to the exchange, prompting them to try out the bot, dubbed Worldbit-bot. The file DragonEx employees had to download had malware that gave the hackers access to their devices. They then quickly moved the cryptocurrency to wallets they controlled.

The report reads:

“While the DragonEx hack was relatively small, it was notable for the lengths Lazarus Group went in order to infiltrate the exchange’s systems in a sophisticated phishing attack.”

Chainalysis’ report details that Lazarus revamped its method for cashing out. In its first heists, it held the funds in wallets for 12 to 18 months and then moved them to exchanges that didn’t enforce know-your-customer (KYC) checks, but the growing number of platforms checking users’ identities forced it to change tactics.

Now, Lazarus uses a variety of methods to conceal where the funds came from, including moving the funds to intermediaries and using privacy-centric wallets that use the CoinJoin protocol. The group also started moving quickly, as nearly all of the funds moved to “liquidation services” within two months.

The Lazarus Group is well known for targeting cryptocurrency users and businesses. A report from October 2018 claimed it had stolen over $570 million worth of cryptocurrency, and recently cybersecurity firm Kaspersky warned it was using Telegram to steal from users.
