Receiving spacious apartments and enjoying military exemption privileges... The reality of 'Lazarus' who made North Korean crypto millionaires

Hacker Group Lazarus Steals Billions in Bitcoin
North Korea's Elite Hackers Trained from Age 11
Pyongyang Raises Cyber Warriors for Survival

The reason behind North Korea's Bitcoin holdings rising to third place in the world is the mysterious hacker group Lazarus. Defined by the U.S. Department of Justice as a "hacker group linked to North Korean military organizations," Lazarus has been conducting large-scale cash or cryptocurrency-related hacking crimes on the global stage since the mid-2010s. Although their exact identity remains shrouded in mystery, they are believed to be a world-class cybercrime organization composed of North Korea's elite hackers.

Hacker Group Penetrating from Crypto Exchanges to Banks
Wanted poster by the United States Federal Bureau of Investigation (FBI) in 2018 for North Korean hacker Park Jin-hyuk. Photo by FBI

The group name Lazarus first appeared in a 2014 cyber threat report by a global security company alliance. While investigating the Sony Pictures hacking incident, they detected a hacker group linked to North Korea called "Group A" and named them Lazarus.


Since then, Lazarus has distinguished itself by committing various financial crimes worldwide. Their notorious ransomware "WannaCry" infiltrated networks of public facilities such as hospitals, locking systems and demanding payment in cryptocurrency. It is estimated that Lazarus amassed about $3 billion (approximately 4.4 trillion KRW) in Bitcoin from 2017 to 2023 through such methods.


Last month, they committed a hacking crime at the cryptocurrency exchange Bybit, stealing $1.5 billion (approximately 2.2 trillion KRW), the largest single loss ever recorded. Following the Bybit incident, North Korea's BTC holdings jumped to third place globally. The crypto exchange Binance currently estimates North Korea's Bitcoin holdings at 13,562 BTC (about 1.7 trillion KRW), surpassing El Salvador, which adopted BTC as legal tender.


Lazarus also possesses the ability to infiltrate global payment systems with stringent security frameworks. In 2016, Lazarus sent disguised emails containing malware to employees of Bangladesh's state-owned bank, infiltrating the system. They waited about a year until the surveillance system was at its weakest, then swiftly stole $1 billion (approximately 1.47 trillion KRW). Fortunately, the system was blocked when $81 million (about 119 billion KRW) was being transferred, preventing greater damage.

Mastery of System Understanding and Social Engineering Hacking


Unlike cryptocurrencies, which offer various money laundering channels due to their anonymous nature, interbank transfers make it difficult to evade surveillance. Every transfer triggers a security message through the Society for Worldwide Interbank Financial Telecommunication (SWIFT). At the time of the incident, Lazarus did not tamper with SWIFT but instead conveyed fake instructions to bank employees to steal $1 billion. They also remotely turned off fax machines that recorded SWIFT codes to confuse the bank's computer system.


Hacking is not only about technical methods that infiltrate and paralyze networks. There is also "social engineering" hacking, which deceives or persuades those operating the actual systems to create vulnerabilities. Lazarus is characterized by attempting meticulous social engineering hacking based on a broad understanding of security systems.


British security consulting firm NCC Group released a report in 2022 summarizing Lazarus's decade-long activities, defining Lazarus as "a team composed of top elites with highly skilled operational capabilities, subordinate operators handling actual tasks, and occasionally other hackers acting on their behalf." They emphasized, "While Russia also has top-level hacker teams, Lazarus is distinguished by their lack of fear of arrest."

North Korea Trains Cyber Warriors from Age 11

Bybit Site Suffers $1.5 Billion Hacking Damage in Lazarus Attack. Yonhap News

How did North Korea create a hacker team evaluated as "world-class" in the security industry? There is a clue in North Korean hacker "Park Jin-hyuk," wanted by the FBI. Park Jin-hyuk is the first identified Lazarus-affiliated hacker, caught by the FBI after exchanging information via Google Gmail. According to the FBI, Park Jin-hyuk is one of the planners of Lazarus's hacking operations and is estimated to have been born between 1981 and 1984. He is also a prodigy who majored in computer science at Kim Chaek University of Technology.


North Korea has long been nurturing IT talent. Kim Il-sung University and Kim Chaek University of Technology, the twin pillars of technical talent development, established computer science departments in 1999 to intensively cultivate programming talent.


Both universities are believed to possess skills in networking and hacking comparable to advanced countries. For example, in 2023, the U.S. IT company HackerEarth held an online hacking competition with 1,700 students worldwide participating, and the top five places were swept by students from Kim Chaek University of Technology and Kim Il-sung University. NCC explained, "North Korea selects hackers from the age of 11, and they enjoy privileges such as spacious apartments or military service exemptions. Elite hackers learn how to fight by accessing computers and the internet in countries like China before serving the nation."


Due to North Korea's poor economic conditions, hacker groups like Lazarus are likely to continue thriving. NCC stated, "Hacking in North Korea is an industry to secure government finances," and "North Korean hackers are encouraged to act in the interests of the Kim Jong-un regime."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
