Cybercriminals with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB.
Group-IB’s latest report builds on findings revealed in July 2020 by Dutch security firm Sansec, which reported that the malicious infrastructure and, in many cases, the malware used in Magecart-style attack campaigns had previously been attributed to the Lazarus Group.
Lazarus – aka Hidden Cobra, Dark Seoul, Guardians of Peace, APT38, Bluenoroff, and a host of other names – refers to a group of hackers with apparent ties to the Pyongyang-based government officially known as the Democratic People’s Republic of Korea, led by Kim Jong-Un.
Researchers at Group-IB stated that, after reviewing the attack campaign discovered by Sansec, they also found signs suggesting that the attackers had been experimenting with stealing not just payment card data but also cryptocurrency.
The attackers appear to have stolen relatively little cryptocurrency via the sites’ customers: just $9,000 worth of Ethereum and $8,400 worth of bitcoins, Group-IB reports.
Group-IB says those stolen funds appeared to have been routed to bitcoin cryptocurrency wallets allegedly owned by CoinPayments.net, “a payment gateway that allows users to conduct transactions involving bitcoin, Ethereum, Litecoin, and other cryptocurrencies.”
Lazarus may have used the site to launder the stolen funds by moving them to other cryptocurrency exchanges or wallets.
The cybersecurity firm notes that CoinPayments’ “know your customer” policy could help identify the individuals who initiated the transactions. The service’s user agreement stipulates that individuals attest that they are not operating in, or on behalf of anyone in, a prohibited jurisdiction, which includes North Korea.