Hassan Shittu

Last updated:

| 3 min read

Lazarus Group Targets LinkedIn Users, Impersonates Fenbushi Capital Executive: SlowMist

In a relentless pursuit of cyber infiltration, the notorious Lazarus Group, allegedly backed by North Korea, has added a new weapon to its arsenal, which is now targeting LinkedIn users.

Reports surfaced today, April 29, revealing a sophisticated phishing operation orchestrated by the group, posing as a senior executive from Fenbushi Capital, a prominent Chinese blockchain asset management firm. 

SlowMist, a cybersecurity firm, illuminated this alarming development by exposing the group’s elaborate scheme to lure unsuspecting users into crypto phishing scams.

Lazarus Strategy Exposed

Last week, SlowMist revealed that Lazarus Group has been targeting LinkedIn users within the crypto industry as part of a crypto hacking scheme. The hackers create fake profiles on LinkedIn and contact HR personnel and hiring managers in blockchain-related organizations.

They then send links containing malware disguised as code to showcase their coding abilities, aiming to exploit the victim’s data. SlowMist identified a periodic function named “stealEverything.”  This function is designed to extract as much data as possible and upload it to a server controlled by the attackers.

According to today’s update, SlowMist’s Chief Information Security Officer said the Lazarus Group’s latest tactic involves creating fake LinkedIn profiles. One profile masquerades as “Nevil Bolson,” purportedly a founding partner at Fenbushi Capital. 

The profile picture used by the impostor was sourced from Remington Ong, a legitimate partner at Fenbushi Capital. This further adds a layer of authenticity to the deception.

They use fake profiles to initiate private conversations with potential targets on LinkedIn, often under the pretext of discussing investment opportunities or arranging meetings. 

Once trust is established, the hackers introduce malicious links disguised as meeting invitations or event pages, which, when clicked, trigger phishing attacks aimed at compromising sensitive information or crypto assets.

SlowMist’s investigation into the Lazarus Group’s activities revealed a pattern of targeting prominent DeFi projects, leveraging the guise of investment company members to gain the trust of their victims. 

By meticulously comparing IP addresses and analyzing the attack strategy, SlowMist conclusively identified “Nevil Bolson” as part of Lazarus, reaffirming the group’s nefarious intentions.

Furthermore, the scale of crypto-related cybercrime perpetrated by groups like Lazarus is staggering. According to blockchain analytics firm Chainalysis, $1.7 billion worth of funds was stolen from the crypto space across 231 hacks in 2023 alone.

Lazarus Group Keeps Threatening Crypto Security

While Lazarus Group’s latest tactics on LinkedIn have garnered attention, their hacking spree extends beyond social media platforms. Recent reports indicate that the group has been involved in numerous exploitation attacks in the past few days. Early this year, the group orchestrated a significant move, transferring $12 million in Ether using Tornado Cash, a popular coin mixer. 

Furthermore, Lazarus Group’s activities have had tangible effects on specific cryptocurrencies, for example, RAIL. Railgun (RAIL), the native token of another coin mixer, has experienced a decline in price following Lazarus’ illicit activities on the platform. 

In the wake of allegations linking Railgun, a privacy protocol, to the sanctioned North Korean Lazarus Group’s illicit activities, Railgun has vehemently denied any association with the hacker collective.

The controversy stemmed from an analysis published by Elliptic, which suggested that the Lazarus Group had used Railgun to launder over $60 million worth of stolen Ethereum in June 2022. According to the report, the group shifted its laundering operations to Railgun following US sanctions imposed on Tornado Cash.

Elliptic’s research further indicated that a significant portion of the funds passing through Railgun, estimated at around 70%, were linked to the Harmony hack. This influx of Ethereum compromised Railgun’s effectiveness as a privacy protocol.

Reports suggest that 40% of North Korea’s weapons of mass destruction are funded through illicit cyber means, with Lazarus Group having stolen over $3 billion worth of digital assets globally to date.

The U.S. and its allies view North Korea’s state-sponsored malware initiatives as a threat to national security. Last year, the U.S. sanctioned the crypto mixer Sinbad, known as a “key money-laundering tool,” for the regime’s digital asset exploitation efforts.