FBI Warns Against North Korea’s Social Engineering Attacks on DeFi - "The Defiant"

Hacker groups associated with the North Korean government have made decentralized finance (DeFi) teams and users a primary target for exploit attempts. On September 3, the Federal Bureau of Investigation (FBI) published a warning to the DeFi community, claiming that the Democratic People’s Republic of Korea (DPRK/North Korea) is “aggressively targeting the crypto industry with well-disguised social engineering attacks.”

The FBI’s announcement draws attention to the tactics employed by these malicious actors, including their extensive pre-operational research, in which “the actors scout prospective victims by reviewing social media activity, particularly on professional networking or employment-related platforms.”

Analytics firm Chainalysis tied North Korean hackers to $1 billion of crypto heists in 2023 alone. Although the total fiat value of the hacks fell by 41%, 2023 saw more exploits, with 20 hacks compared to 15 in 2022.

Notorious North Korean hacking groups such as the Lazarus Group and Andariel have drained billions of dollars through elaborate schemes over the last decade, including the $100 million Harmony Bridge hack, $81 million from the Central Bank of Bangladesh, $81 million from EasyFi and $55 million from bZx, and have also taken sensitive information held by U.S. government agencies and other defense and technology organizations.

Targeting DeFi

Most of the North Korean hacks within DeFi stem from social engineering attacks, including sophisticated phishing attempts and planting malicious developers within DeFi teams.

More recently, Munchables, a game built on the Ethereum Layer 2 Blast, fell victim to what is presumed to be a North Korean developer hack. Analysts and developers said that the contract was designed with a vulnerability that would allow the malicious developer to seize control of up to 1 million ETH, and that the hole was concealed by a contract upgrade.
The Munchables hacker drained $63 million from the protocol before being persuaded to return the funds, with no ransom required.

Lazarus Group

The Lazarus Group, in particular, has done significant damage to the DeFi community. The cyber-terrorism unit is presumed to have been active since 2009 and is alleged to work directly for the DPRK. In addition to DeFi-based hacks, the group has also infiltrated large central banks and is notorious for its attempted theft of nearly $1 billion from the Central Bank of Bangladesh in February 2016.

Computer security company Kaspersky published a report on the “Lazarus Formula.” The firm states that the group’s modus operandi begins with a single system breach, either through attacks on vulnerable codebases or through watering hole attacks, in which exploits are planted on benign websites. When one of the target’s employees visits the site, their computer becomes infected with malware. After that, the group deploys backdoors throughout the target’s internal systems, guided by extensive research conducted on the network. This allows them to reach additional protected assets, such as backup servers or domain controllers, and quietly take over the environment before actually stealing the funds.

In the Bangladesh Bank hack, Lazarus Group used the SWIFT Network, an international payments messaging service widely used by banks worldwide to facilitate wire transfers, in its attempt to steal $851 million.

A report from onchain sleuth ZachXBT connects the Lazarus Group, also referred to as Bluenoroff, to 25 DeFi hacks worth over $210 million between 2020 and 2023. Notable examples are EasyFi, Bondly, bZx and mngr.io. The exploits often leveraged phishing emails to gain access to a protocol’s private keys, with stolen funds being laundered through mixers such as Tornado Cash or ChipMixer. Using analytics firms such as TRM, analysts connected a web of intertwined wallets that are all involved in similar hacks and exploits.
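The watering hole sequence Kaspersky describes (a trusted site serving an executable to an employee's workstation, followed by a quiet foothold that checks in with its operator) leaves a recognisable shape in web proxy logs. The following is an added example, not code from The Defiant or from Kaspersky's report, showing how a defender can surface that shape: it flags executable downloads from any domain other than an approved installer source, then looks for the same workstation contacting one external domain at near-constant intervals afterwards. The log field layout, the sample lines, the approved-source list and the beaconing thresholds are all constructed assumptions for this example.

```python
"""Watering-hole follow-up detector over proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log sample. Assumed layout:
# "<ISO timestamp> <workstation> <domain> <content-type> <bytes>"
# ws-17 visits a normally benign vendor site, receives a Windows executable from it,
# then starts contacting an unrelated domain every five minutes. ws-22 is a control.
SAMPLE_LOG = """\
2024-09-03T09:00:01 ws-17 intranet.example.test text/html 5120
2024-09-03T09:02:14 ws-17 news.vendor-portal.test text/html 23000
2024-09-03T09:02:16 ws-17 cdn.vendor-portal.test application/x-msdownload 418304
2024-09-03T09:05:00 ws-17 update-check.tld application/octet-stream 212
2024-09-03T09:10:00 ws-17 update-check.tld application/octet-stream 214
2024-09-03T09:15:00 ws-17 update-check.tld application/octet-stream 211
2024-09-03T09:20:00 ws-17 update-check.tld application/octet-stream 213
2024-09-03T09:21:07 ws-22 intranet.example.test text/html 5120
2024-09-03T09:30:12 ws-22 cdn.vendor-portal.test text/css 8000
"""

# Assumed allowlist of places software is expected to come from. A compromised
# "benign" site is by definition not on it, which is the point of the rule.
APPROVED_INSTALLER_SOURCES = {"downloads.example-vendor.test"}
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/x-executable",
}


def parse_log(log_text):
    """Turn the constructed log lines into event dicts with real timestamps."""
    events = []
    for line in log_text.splitlines():
        ts, host, domain, ctype, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "domain": domain,
            "ctype": ctype,
            "bytes": int(size),
        })
    return events


def find_executable_downloads(events, approved=APPROVED_INSTALLER_SOURCES):
    """Rule 1: executable content from any domain not on the approved list,
    trusted-looking sites included."""
    return [e for e in events
            if e["ctype"] in EXECUTABLE_TYPES and e["domain"] not in approved]


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Rule 2: (host, domain) pairs contacted at near-constant intervals.
    Regular check-ins with low jitter are what an implant's command channel
    tends to look like in proxy data; thresholds here are assumptions."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["domain"])].append(e["ts"])
    beacons = []
    for (host, domain), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation: spread of the gaps relative to their mean
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append({"host": host, "domain": domain,
                            "hits": len(stamps), "interval_s": avg,
                            "first": stamps[0]})
    return beacons


def correlate(events):
    """Hosts that fetched an executable and only afterwards began beaconing.
    Returns {host: {"download": domain, "beacon": domain, "interval_s": n}}."""
    downloads = find_executable_downloads(events)
    findings = {}
    for b in find_beacons(events):
        prior = [d for d in downloads
                 if d["host"] == b["host"] and d["ts"] < b["first"]]
        if prior:
            findings[b["host"]] = {"download": prior[0]["domain"],
                                   "beacon": b["domain"],
                                   "interval_s": b["interval_s"]}
    return findings


if __name__ == "__main__":
    for host, f in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: executable from {f['download']}, "
              f"then beaconing to {f['beacon']} every {f['interval_s']:.0f}s")
```

Two design points matter in practice. Rule 1 deliberately does not trust the domain: in a watering hole the serving site is one employees legitimately use, so the signal is the executable content type from a non-approved source, not the site's reputation. Rule 2 is only a candidate generator; the correlation step, which requires the download to precede the regular check-ins on the same workstation, is what turns two noisy rules into something an analyst can act on.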
On August 15, ZachXBT expanded on the DPRK hackers’ infiltration process. He claimed the group would obtain fake IDs and build up decent resumes and GitHub repositories, then refer each other for roles across different teams. Through these efforts, a single entity is “receiving $300K - $500k (per) month from working at 25+ projects at once by using fake identities.”
