North Korea’s Lazarus Group Hacks Software Developers to Attack Solana & Exodus Wallets

  • Lazarus Group is targeting Solana and Exodus wallet users.
  • The hacking group is responsible for the Bybit hack and related high-profile crypto thefts.

Lazarus Group, a hacking crew working for the North Korean regime, is back in the news. This time, new research from Socket found the group had planted six malicious packages in npm, targeting software developers and cryptocurrency users.

Lazarus Group Linked to Software Attack

According to the report from Socket Research, the six malicious packages linked to Lazarus were collectively downloaded over 330 times. These packages were designed to steal login credentials, deploy backdoors, and extract sensitive data from Solana-related crypto wallets and the Exodus wallet.

The research pointed out that the techniques and tactics observed in this npm attack closely align with Lazarus’s known operations. In the recent attack, the malware specifically targets browser profiles, scanning files from Chrome, Brave, Firefox, and keychain data on macOS.

The six malicious packages are is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. The researchers said Lazarus used typosquatting, tricking developers into installing packages whose names are misspellings or near-copies of legitimate ones.

For instance, the is-buffer-validator closely resembles the widely used is-buffer module authored by Socket CEO Feross Aboukhadijeh. The legitimate is-buffer package has 33 million weekly downloads and over 134 million total downloads, highlighting its widespread adoption.
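As an added illustration of the typosquatting described above (not code from the article or from Socket), the check below flags dependencies in a package.json whose names sit within a small edit distance of a trusted package, or reuse a trusted name as a prefix the way is-buffer-validator reuses is-buffer. The trusted list and the sample package.json are constructed for the example; a real CI step would use an organisation's own allow-list, and every flag is a review prompt, not proof of malice.

```javascript
// Constructed allow-list of packages the team knows and uses.
const TRUSTED = ["is-buffer", "react", "lodash", "express"];

// Levenshtein edit distance between two strings (standard dynamic programming).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns { resembles, reason } if `name` looks like a trusted package, else null.
// Two heuristics: a typo-sized edit distance (is-bufer -> is-buffer), or a trusted
// name used as a prefix with an added suffix (is-buffer-validator -> is-buffer).
function lookalikeOf(name) {
  if (TRUSTED.includes(name)) return null;
  for (const t of TRUSTED) {
    if (editDistance(name, t) <= 2) return { resembles: t, reason: "edit-distance" };
    if (name.startsWith(t + "-")) return { resembles: t, reason: "prefix" };
  }
  return null;
}

// Parses package.json text and returns one finding per suspicious dependency.
function auditDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const name of Object.keys(pkg[section] || {})) {
      const hit = lookalikeOf(name);
      if (hit) findings.push({ name, section, ...hit });
    }
  }
  return findings;
}

// Constructed sample manifest mixing legitimate packages with two names from
// the campaign described in the article.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { "is-buffer-validator": "^1.0.0", lodash: "^4.17.21", express: "^4.18.2" },
  devDependencies: { "react-event-dependency": "^0.1.0" },
});

console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

The prefix heuristic also matches legitimate scoped or companion packages (an "express-" plugin, for example), which is why the output is meant to gate a human review rather than block installs outright.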

Additionally, Lazarus previously infiltrated networks using supply chain attacks via GitHub, PyPI, and npm. This has contributed to major hacks like the $1.4 billion Bybit exchange heist. As we covered in our latest report, Lazarus stole 401,346 ETH from Bybit, amounting to $1.4 billion. 

The hack stemmed from a masked transaction targeting the exchange’s Ethereum multisig cold wallet. Bybit’s CEO, Ben Zhou, explained that Bybit’s cold wallet executed a transfer to its hot wallet, which initially appeared legitimate. 

However, the attackers masked the transaction, displaying the correct address and a seemingly authentic @safe URL, deceiving all signers. Zhou said that around 20% of the stolen funds had become untraceable due to hackers’ use of mixing services.

Crypto Users Still Losing Money to Hacks

The recent Lazarus attack highlights the crypto sector’s increasing vulnerability, with even cybersecurity experts at risk from these complex schemes. 

In a recent study we reported on, the FBI said North Korean hackers are targeting the crypto industry with well-disguised social engineering attacks. The agency warned that bad actors are focusing on employees of DeFi firms, especially those linked with spot Bitcoin ETF issuers.

These events are a reminder to the market to upgrade systems to more recent, safer versions. As outlined in our recent blog post, hackers exploited a vulnerability in Fusion v1's outdated smart contract, draining over $5 million in assets.

Before this attack, law enforcement authorities in Thailand arrested four Russian nationals on suspicion of participating in a worldwide cyberattack campaign using Phobos ransomware. Across the globe, almost 1,000 victims, including 17 Swiss businesses, are reported to have been hit by the campaign. Collectively, they have lost around $16 million in Bitcoin (BTC).
