Lazarus Group Suspected in Orbit Chain Hack: Blockchain Analysts Uncover Common Tactics in High-Profile Attacks

January 4, 2024

In a recent revelation, blockchain analysts from Match Systems have uncovered striking similarities in the tactics used by the hackers behind the Orbit Chain attack and those in several other high-profile cyber-attacks. This has led to suspicions that a sophisticated cybercrime organization, potentially the notorious Lazarus Group, may be orchestrating these hacks.

Orbit Chain Attack and Common Tactics

The Orbit Chain hack targeted Orbit Bridge, the cross-chain bridging service of the South Korea-based multi-asset Orbit Chain. By exploiting the bridge, the attackers made off with a staggering $82 million as the new year approached.

Match Systems' analysis indicates that the hackers routed the funds through Tornado Cash, a popular crypto mixer, to obscure the trail leading back to the original sources. Using specialized software, the analysts were able to 'de-mix' the funds by examining characteristics and patterns on both sides of the Tornado Cash mixer, including transaction volumes, dates and times, and other specialized methods.

The analysis revealed a group of addresses, one of which utilized the SWFT protocol to transfer funds to other addresses. Interestingly, this protocol was also employed in attacks on DFX Finance, Deribit, and AscendEX. Furthermore, following the Orbit attack, a portion of the funds sent through SWFT moved through various chains, eventually accumulating in a Tron wallet, and then being transferred to an exchange for cashing out.
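The two preceding paragraphs describe a typical blockchain-forensics workflow: first correlating mixer deposits with withdrawals by amount and timing, then following the withdrawn funds hop by hop across services and chains until they settle somewhere that can be reported to an exchange. The following Python is an added example written for this page, not Match Systems' software or any real Orbit Chain data; the ledger, the `mixer_pool` address, the 48-hour matching window and all address names are constructed assumptions.

```python
"""Toy mixer de-mixing plus forward fund tracing over a constructed ledger."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MIXER = "mixer_pool"           # assumption: stand-in for a mixer contract address
WINDOW = timedelta(hours=48)   # assumption: longest deposit->withdrawal delay considered

# Constructed sample ledger (not real chain data).
# Record layout: (tx_id, iso_timestamp, from_addr, to_addr, amount, chain)
LEDGER = [
    # fixed-denomination deposits into the mixer
    ("t1", "2024-01-01T00:10:00", "attacker_A", MIXER, 100.0, "eth"),
    ("t2", "2024-01-01T00:15:00", "user_B",     MIXER, 100.0, "eth"),
    ("t3", "2024-01-01T02:00:00", "attacker_A", MIXER, 100.0, "eth"),
    # withdrawals paid out to fresh addresses
    ("t4", "2024-01-01T01:40:00", MIXER, "fresh_1", 100.0, "eth"),
    ("t5", "2024-01-01T03:05:00", MIXER, "fresh_2", 100.0, "eth"),
    ("t6", "2024-01-03T09:00:00", MIXER, "fresh_3", 100.0, "eth"),  # outside window
    # post-mixer hops: fresh address -> swap service -> Tron wallet -> exchange
    ("t7",  "2024-01-01T02:30:00", "fresh_1",     "swap_svc",         99.5, "eth"),
    ("t8",  "2024-01-01T02:45:00", "swap_svc",    "tron_wallet",      99.0, "tron"),
    ("t9",  "2024-01-01T04:00:00", "fresh_2",     "swap_svc",         99.5, "eth"),
    ("t10", "2024-01-01T04:20:00", "swap_svc",    "tron_wallet",      99.0, "tron"),
    ("t11", "2024-01-02T10:00:00", "tron_wallet", "exchange_deposit", 197.0, "tron"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def demix(ledger, mixer=MIXER, window=WINDOW):
    """Greedily link each withdrawal to the closest earlier, unmatched deposit
    of the same amount inside the window. Returns {withdrawal_id: (deposit_id,
    depositor, candidate_count) or None}. candidate_count > 1 means the link is
    ambiguous and should be treated as low confidence."""
    deposits = sorted((r for r in ledger if r[3] == mixer), key=lambda r: parse(r[1]))
    withdrawals = sorted((r for r in ledger if r[2] == mixer), key=lambda r: parse(r[1]))
    used, links = set(), {}
    for w in withdrawals:
        w_time = parse(w[1])
        candidates = [
            d for d in deposits
            if d[0] not in used and d[4] == w[4]
            and timedelta(0) <= w_time - parse(d[1]) <= window
        ]
        if not candidates:
            links[w[0]] = None          # nothing plausible: leave unattributed
            continue
        best = min(candidates, key=lambda d: w_time - parse(d[1]))
        used.add(best[0])
        links[w[0]] = (best[0], best[2], len(candidates))
    return links


def trace(ledger, start, start_time, max_hops=5):
    """Follow outgoing transfers forward in time from `start`, across chains.
    Returns (hops, terminals): hops as (tx_id, from, to, chain) and terminal
    addresses that received funds but show no further outflow."""
    outgoing = defaultdict(list)
    for r in ledger:
        outgoing[r[2]].append(r)
    seen = {start}
    queue = deque([(start, parse(start_time), 0)])
    hops = []
    while queue:
        addr, since, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for r in outgoing[addr]:
            if parse(r[1]) < since:     # ignore outflows predating our arrival
                continue
            hops.append((r[0], r[2], r[3], r[5]))
            if r[3] not in seen:
                seen.add(r[3])
                queue.append((r[3], parse(r[1]), depth + 1))
    terminals = sorted(a for a in seen if not outgoing[a])
    return hops, terminals


def attacker_exit_points(ledger, attacker, mixer=MIXER):
    """Combine both steps: withdrawals attributed to `attacker` are traced
    forward, and the addresses where the funds come to rest are returned."""
    by_id = {r[0]: r for r in ledger}
    exits = set()
    for w_id, link in demix(ledger, mixer).items():
        if link and link[1] == attacker:
            w = by_id[w_id]
            _, terminals = trace(ledger, w[3], w[1])
            exits.update(terminals)
    return sorted(exits)


if __name__ == "__main__":
    print(demix(LEDGER))
    print(attacker_exit_points(LEDGER, "attacker_A"))
```

Running it shows the weakness of amount-and-timing heuristics as well as their value: withdrawal `t4` has two equally plausible deposits and is greedily linked to the innocent `user_B`, `t6` falls outside the window and stays unattributed, while `t5` is linked to `attacker_A` and traced through the swap service and the Tron wallet to `exchange_deposit`. Real investigations layer further signals (gas price fingerprints, withdrawal relayer choice, address reuse) on top of this before treating a link as evidence.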

Another common factor identified by the analysts was the use of Avalanche Bridge and Sinbad in the Orbit attack, mirroring tools and patterns associated with the Lazarus group.

Lazarus Group's Extensive Track Record

The Lazarus Group, allegedly affiliated with North Korea, has been a significant player in cybercrime. According to Immunefi, between 2021 and 2023, the group stole a staggering $1,903,600,000 across the Web3 ecosystem. In 2023 alone, Lazarus was responsible for $308.6 million in theft, accounting for 17% of total losses for the year.

Immunefi's recent report on the Lazarus Group highlighted their escalating sophistication, with expertise in exploiting infrastructure vulnerabilities and smart contract weaknesses and in running meticulous social engineering operations. The group's actions, including high-profile attacks on Atomic Wallet, CoinEx, Alphapo, Stake, CoinsPaid, and the massive Ronin Network attack, underscore their emergence as a significant threat to Web3.

As the investigation unfolds, concerns are rising about the potential impact of Lazarus Group's continued activities, emphasizing the need for heightened cybersecurity measures in the evolving landscape of digital assets and decentralized technologies.