Lazarus Group Sends $750,000 to Tornado Cash, Deploys New Malware Targeting Developers
The Lazarus Group, a North Korean-affiliated hacking collective known for its high-profile hacks and cryptocurrency laundering schemes, has been making waves in the cybersecurity world once again. According to blockchain security firm CertiK, the group recently sent 400 ETH (worth approximately $750,000) to Tornado Cash, a mixing service used to anonymize transactions on the Ethereum network.
The Lazarus Group's activities have been under scrutiny for months, following a string of high-profile hacks that resulted in the theft of millions of dollars' worth of cryptocurrency assets. In February, the group was responsible for a massive Bybit exchange hack that netted them $1.4 billion in stolen crypto assets. They have also been linked to the $29 million Phemex exchange hack in January and the $600 million Ronin network hack in 2022.
But what's even more concerning is the Lazarus Group's latest move: deploying new malware targeting developers. Researchers at cybersecurity firm Socket discovered that the group has created six new malicious packages designed to infiltrate developer environments, steal credentials, extract cryptocurrency data, and install backdoors. The malware, dubbed "BeaverTail," relies on typosquatting: the malicious code is embedded in packages whose names mimic legitimate libraries, so that developers who mistype or misread a name install the malicious package instead.
The malware targets files belonging to the Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, harvesting them from developers who unknowingly install the malicious packages. While attributing this attack definitively to the Lazarus Group remains challenging, the researchers noted that the tactics, techniques, and procedures observed in this npm attack closely align with the group's known operations.
The Node Package Manager (NPM) ecosystem is a large collection of JavaScript packages and libraries, making it an attractive target for the Lazarus Group. By embedding malware in these packages, the group can gain access to sensitive information and compromise the security of developer environments.
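One defensive check that follows from the typosquatting pattern described above, added here as an example (it is not code from the article or from Socket's research): flag dependency names in a manifest that sit one edit away from a well-known package name. The allow-list and the sample manifest are constructed for the demo; a real check would load the top-N registry names instead.

```javascript
// Added example (not Socket's or the article's code): flag npm dependency
// names that look like well-known packages, the pattern typosquatting relies on.
// Constructed short allow-list; a real check would load the top-N registry names.
const KNOWN_PACKAGES = ["express", "lodash", "react", "axios", "chalk"];

// Optimal string alignment distance: edits plus adjacent transpositions,
// so "lodahs" sits one edit from "lodash" instead of two.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Dependencies that are not an exact known name but sit within maxDistance
// edits of one (distance 0 means a known name reused under another scope).
function findLookalikes(deps, known = KNOWN_PACKAGES, maxDistance = 1) {
  const exact = new Set(known);
  const suspects = [];
  for (const name of Object.keys(deps)) {
    if (exact.has(name)) continue;
    const bare = name.replace(/^@[^/]+\//, ""); // compare without the scope
    for (const k of known) {
      const distance = osaDistance(bare, k);
      if (distance <= maxDistance) {
        suspects.push({ name, lookalike: k, distance });
        break;
      }
    }
  }
  return suspects;
}

// Constructed sample manifest: two one-edit lookalikes and one scoped reuse.
const SAMPLE_DEPENDENCIES = {
  express: "^4.18.0", lodahs: "4.17.21", axioss: "1.6.0",
  "@acme/react": "18.2.0", react: "^18.2.0",
};

console.log(findLookalikes(SAMPLE_DEPENDENCIES));
```

The output is a review list, not a verdict: a legitimate package can sit one edit from a popular name, so each hit should be checked against the registry page and the publisher before it is trusted or removed.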
In recent months, North Korean hackers have stolen over $1.3 billion worth of cryptocurrency assets in 47 incidents, more than doubling thefts in 2023, according to Chainalysis data. The Lazarus Group's latest move is one more example of its ongoing campaign to launder crypto assets and steal sensitive information from developers.
As the cybersecurity landscape continues to evolve, it's essential for developers and users to stay vigilant and take proactive measures to protect themselves from these types of attacks. By staying informed and using best practices, we can reduce the risk of falling victim to malware like BeaverTail and the Lazarus Group's nefarious activities.