
The first quarter of 2025 from a cybersecurity perspective: New world record set in crypto theft and HR departments under pressure
North Korean hackers have been targeting cryptocurrencies for several years. Digital currency is easy to move and launder, relatively anonymous and can be used to pay for various services on the darknet. Back in the late 2010s, the Lazarus Group, North Korea's sharpest cyber sword, managed to steal several million US dollars from a South Korean crypto exchange. Lazarus has also held the world record for "crypto stealing" since 2022: in March of that year, the hackers stole 620 million US dollars in cryptocurrencies from the Ronin Network, which was used by the video game "Axie Infinity".
Now Lazarus has broken its own record. At the end of February 2025, Ether worth more than one billion US dollars was successfully exfiltrated from the crypto exchange Bybit. The vulnerability that made this possible lay in Safe's free crypto wallet technology. Bybit used the Safe tool even though several enterprise-grade alternatives with stronger security measures are available.
Lazarus had previously compromised Safe. Using the connection between Safe and Bybit, the hackers were able to present spoofed, i.e. falsely displayed, information to a Bybit manager during a routine transfer. The manager approved the transfer in the belief that everything was above board and thereby handed control of a valuable account to the hackers. The theft was discovered just 30 minutes after the transaction was authorized, but the Ether had already been irretrievably drained. Executives of the crypto exchange assured users that their currency was safe, but within a few hours half of all Bybit wallets had been emptied.
The improvements that have now been promised and the plan to change vendors therefore come too late for Bybit, but they can serve as a warning to other fast-growing companies to adapt their infrastructure as their risk exposure grows.
HR as a focus of phishing operations
However, the first quarter of 2025 not only brought sensational crypto thefts, but also confirmed to security researchers that some trends are here to stay. In 2024, phishers discovered job postings and LinkedIn for themselves.
On the social media platform, developers in particular are contacted by fake recruiters and lured with fictitious job offers. Once initial trust has been established, the conversation is often moved to a messenger app such as WhatsApp. A malicious file is then sent to the unsuspecting victim and their endpoint is infected. The attackers pursue several goals. On the one hand, they hope that the target has a poorly secured crypto wallet connected to the device. On the other hand, infecting developers opens up the prospect of a supply chain compromise by inserting malware into development projects, possibly even projects of the target's current employer. Malicious code in publicly accessible GitHub repositories can then spread passively to further victims - just as the initial phishers intended.
But individual developers are not the only targets. Hacker groups have also turned to job advertisements for software engineering positions. Here, malware is distributed in the attachments of supposed job applications sent to HR personnel - preferably to shared mailboxes (e.g. "applications[at]company.com"). In their latest report, the phishing experts at KnowBe4 found that engineering and finance positions are particularly affected by phishing attempts. Application emails are well suited to phishing: they routinely carry several attachments in various formats (PDF, ZIP archive, Word documents, etc.) without appearing suspicious, and they are often sent to shared mailboxes, which staff sometimes handle less carefully - especially for positions that attract several hundred applications.
It is therefore particularly important to train HR departments as a critical target of phishing operations. Phishing targets the "human" weak point, and hardening this target through increased awareness measures is of the utmost importance.
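As an added example (not code from the original article), the following Python triage check illustrates the risk described above: it parses an incoming message, recognises that it is addressed to a shared application mailbox, and flags attachment types that rarely belong in a genuine application, including files hidden one level down in a ZIP archive. The mailbox addresses, the extension list and the sample message are assumptions constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Shared HR inboxes that receive unsolicited applications (assumed addresses).
SHARED_HR_MAILBOXES = {"applications@company.example", "jobs@company.example"}
# Extensions that almost never belong in a real application but often carry malware.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".lnk", ".hta", ".docm", ".xlsm", ".iso"}


def extension(name: str) -> str:
    # Lowercased final extension of a file name, '' if it has none.
    return "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""


def risky_names(filename: str, payload: bytes) -> list[str]:
    """List risky files in one attachment, looking one level into ZIP archives."""
    if extension(filename) in RISKY_EXTENSIONS:
        return [filename]
    if extension(filename) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [f"{filename}/{m}" for m in zf.namelist() if extension(m) in RISKY_EXTENSIONS]
        except zipfile.BadZipFile:
            return [f"{filename} (unreadable archive)"]
    return []


def triage(raw: bytes) -> dict:
    """Decide whether a raw e-mail bound for a shared HR mailbox should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = {a.addr_spec.lower() for hdr in ("to", "cc") if msg[hdr] for a in msg[hdr].addresses}
    findings = []
    for part in msg.iter_attachments():
        findings += risky_names(part.get_filename() or "", part.get_payload(decode=True) or b"")
    shared = bool(recipients & SHARED_HR_MAILBOXES)
    return {"shared_mailbox": shared, "findings": findings, "quarantine": shared and bool(findings)}


def build_sample() -> bytes:
    """Constructed sample: a harmless PDF plus a ZIP hiding a double-extension file (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CV_Jane_Doe.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("CV_Jane_Doe.pdf.js", b"// placeholder text, not a script")
    msg = EmailMessage()
    msg["From"] = "jane.doe@mail.example"
    msg["To"] = "applications@company.example"
    msg["Subject"] = "Application: Software Engineer"
    msg.set_content("Please find my application attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="cover_letter.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="documents.zip")
    return msg.as_bytes()
```

Running `triage(build_sample())` flags the nested `documents.zip/CV_Jane_Doe.pdf.js` and returns `quarantine=True`, while the plain PDF cover letter passes untouched.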
If you are looking for support with awareness training, please do not hesitate to contact us at mail@complion.de.
Author: Tobias Philipsen