Lazarus Group Attacking Crypto

In a calculated escalation of cyber warfare, the Lazarus Group, a notorious North Korea hacking unit, has pivoted its focus to cryptocurrency projects, employing intricate phishing scams on the widely-used platform Telegram. 

SlowMist, a cybersecurity authority, meticulously monitors and dissects these attacks, unveiling the group’s sophisticated methods aimed at deceiving unsuspecting victims. 


This expose delves deep into the nuanced tactics utilized by Lazarus, shedding light on exploited vulnerabilities and offering imperative security counsel for users navigating the Web3 landscape.

Lazarus Group Strategy

Impersonation Mastery: Lazarus meticulously impersonates reputable investment institutions, establishing fake Telegram accounts under their identities. 

These accounts serve as the linchpin for approaching and targeting unsuspecting victims, demonstrating the group’s methodical approach to deception.

DeFi Team Targeting: The hacking unit strategically zeroes in on high-profile DeFi project teams, leveraging their established credibility to gain trust. 

Posing as potential investors, they initiate deceptive communication, laying the groundwork for their phishing endeavors.

Building Trust: The Craft of Cyber Infiltration

– Script Downloads: The initial gambit involves persuading project teams to download a seemingly innocuous yet malicious script. 

The ruse typically presents itself as necessary for setting up a meeting, emphasizing the importance of heightened security awareness to thwart these attempts and mitigate substantial risks associated with unknown script downloads.

Deceptive Meetings: Once trust is established, Lazarus employs two primary methods to execute their nefarious plans

Malicious Meeting Links: Invitations to join meetings hosted on suspicious domains trigger the download of a “location-modifying” script, providing the hackers remote access to pilfer funds.

Malicious Calendly Links: Infiltrating the project team’s workflow, these links, integrated into Calendly event pages, seamlessly deceive victims into downloading malware, thereby compromising their systems.

SlowMist Alert: On November 30, 2023, SlowMist issued a prescient warning, underlining the looming dangers associated with Lazarus Group’s evolving phishing strategies.

Staying Secure in the Web3 Frontier: SlowMist furnishes indispensable security recommendations for Web3 users:

Thorough Verification: Rigorous identity verification of new Telegram contacts is paramount. Caution is advised against unsolicited messages, particularly from unfamiliar sources.

Two-Factor Authentication (2FA): Elevating account security by enabling 2FA on Telegram acts as an additional bulwark against unauthorized access.

Transaction Vigilance: Diligent scrutiny of transaction details and careful verification of recipient addresses are emphasized before confirming any transfer.

Malware Mitigation: In the event of suspected malware, immediate disconnection from the internet and comprehensive virus scans are crucial. 

Changing passwords for all pertinent accounts, including those stored in web browsers, is imperative. Swiftly transferring funds from compromised digital wallets is recommended.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.