North Korean Hackers Behind DeBridge Finance Attack: Co-Founder

Alex Smirnov, co-founder and project lead at DeBridge Finance, took to Twitter on Friday to report that his company was the target of an attempted cyberattack by the infamous North Korean Lazarus Group.

DeBridge provides a cross-chain interoperability and liquidity protocol for transferring data and assets between blockchains.

The attack came via a spoofed email received by several DeBridge team members that contained a PDF file named “New Salary Adjustments,” which appeared to come from Smirnov.

Email spoofing is a form of attack where a malicious email is manipulated to seem as if it originated from a trusted source, in this case, from the firm’s co-founder.

“We have strict internal security policies and continuously work on improving them as well as educating the team about possible attack vectors,” Smirnov wrote.

Even so, Smirnov explained, one person downloaded and opened the file, which triggered an attack on the firm’s internal systems. This prompted an investigation into the attack’s origin, how the hackers intended the attack to work, and any potential consequences.

“Fast analysis showed that received code collects A LOT of information about the PC and exports it to [the attacker’s command center]: username, OS info, CPU info, network adapters, and running processes,” Smirnov said.

Smirnov compared what DeBridge saw with another Twitter post by another user that showed similar characteristics and pointed to the North Korean hacker group.

Smirnov warned his followers to never open email attachments without verifying the sender’s full email address and to have an internal protocol for how their team shares attachments.

The Lazarus Group has allegedly been behind several high-profile crypto hacks, including the $622 million Axie Infinity Ronin Ethereum sidechain hack in March and the Harmony Horizon Bridge hack in June.

¨These types of attacks are fairly common,” notes David Schwed, chief operating officer of blockchain security firm Halborn. “They rely on the inquisitive nature of people by naming the files something that would pique their interest, such as salary information.

“We are seeing more and more of these types of attacks specifically targeting blockchain companies given the heightened stakes due to the immutability of blockchain transactions,” Schwed added.