According to Debridge Finance co-founder Alex Smirnov, the infamous North Korean hacking syndicate Lazarus Group subjected Debridge to an attempted cyberattack. Smirnov warned Web3 teams that the campaign is likely widespread.
Lazarus Group suspected of attacking Debridge Finance team members with malicious email
There have been a large number of attacks on decentralized finance (defi) protocols, such as cross-chain bridges, in 2022. Although most of the attackers remain unidentified, the North Korean hacking collective Lazarus Group is suspected of being behind several of the most sophisticated heists.
In mid-April 2022, the Federal Bureau of Investigation (FBI), the US Treasury Department, and the Cybersecurity and Infrastructure Security Agency (CISA) declared Lazarus Group to pose a threat to the crypto industry and its participants. A week after the FBI warning, the US Treasury Department’s Office of Foreign Asset Control (OFAC) added three Ethereum-based addresses to the Specially Designated Nationals and Blocked Persons (SDN) list.
OFAC has alleged that the Ethereum address pool is run by members of the cybercrime syndicate Lazarus Group. Additionally, OFAC has connected Ethereum addresses reported with the Ronin Bridge exploit (the $620 million Axie Infinity hack) to the North Korean hacker group. On Friday, Alex Smirnov, the co-founder of Debridge Finance, alerted the crypto and Web3 community to the Lazarus Group’s alleged attempt to attack the project.
“[Debridge Finance] was the subject of an attempted cyberattack, apparently by the Lazarus group. PSA for all Web3 teams, this campaign is probably widespread,” Smirnov stressed in his tweet. “The attack vector was via email, with several members of our team receiving a PDF file named ‘New Salary Adjustments’ from an email address spoofing mine. We have strict internal security policies and are continually working to improve them as well as educate the team on possible attack vectors.” Smirnov went on to add:
Most team members immediately reported the suspicious email, but a colleague downloaded and opened the file. This led us to investigate the attack vector to understand exactly how it was supposed to work and what the consequences would be.
Smirnov insisted that the attack would not infect macOS users, but when Windows users open the password-protected PDF, they are prompted to use the system password. “The attack vector is as follows: the user opens [the] link from email -> download and open archive -> tries to open PDF, but PDF asks for password -> user opens password.txt.lnk and infects whole system,” Smirnov tweeted.
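As an added defender-side example (not code from the article or from Debridge Finance), the following check flags the archive shape Smirnov describes: a PDF bundled with a Windows shortcut disguised as a text file such as `password.txt.lnk`. The archive contents are constructed in the block as dummy test data.

```python
"""Flag email-attached archives matching the lure described above: a PDF
bundled with a shortcut disguised as a text document (password.txt.lnk).
Example code added for this article; the archive built below is dummy data."""
import io
import zipfile

# Extensions Windows Explorer hides by default, so ``password.txt.lnk``
# displays as ``password.txt`` to the recipient.
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd"}
# Shell Link (.lnk) header: size 0x4C little-endian, then the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def suspicious_entries(archive_bytes):
    """Return entry names that look like disguised executables: a double
    extension whose real extension is executable, or content that starts
    with the .lnk header regardless of what the name claims."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            real_ext = "." + parts[-1] if len(parts) > 1 else ""
            double_ext = len(parts) > 2 and real_ext in EXECUTABLE_EXTENSIONS
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if double_ext or head == LNK_MAGIC:
                flagged.append(info.filename)
    return flagged


def matches_lure_pattern(archive_bytes):
    """True when a PDF sits beside a disguised shortcut: the PDF demands a
    password and the .lnk pretends to supply it."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        has_pdf = any(i.filename.lower().endswith(".pdf") for i in zf.infolist())
    return has_pdf and bool(suspicious_entries(archive_bytes))


def build_sample_archive(include_lnk=True):
    """Constructed test archive mirroring the described layout (dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New Salary Adjustments.pdf", b"%PDF-1.7 dummy encrypted document")
        if include_lnk:
            zf.writestr("password.txt.lnk", LNK_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample_archive()))  # ['password.txt.lnk']
    print(matches_lure_pattern(build_sample_archive()))  # True
```

A mail gateway or EDR rule with the same logic would have quarantined the attachment before the colleague could open it, independent of whether the payload targets Windows or macOS.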
Smirnov said that, according to a Twitter thread he referenced, the files used in the attack on the Debridge Finance team had the same names and were “attributed to the Lazarus group”. The leader of Debridge Finance concluded:
Never open email attachments without verifying the sender’s full email address and have an internal protocol for how your team shares attachments. Please stay SAFE and share this thread to let everyone know about potential attacks.
The Lazarus Group and hackers in general have been relentlessly targeting defi projects and the wider cryptocurrency industry. Crypto firms are seen as attractive targets because they handle money, a wide range of digital assets, and investments.