The Lazarus Group, a notorious hacking organization closely linked to the North Korean government, has long focused on attacking the cryptocurrency and NFT sectors. Recently, the group has significantly shifted its focus to members of the cryptocurrency and NFT community on the LinkedIn platform, dramatically increasing cybersecurity risks. Users in these communities should be more vigilant.
The Hacking Background of the Lazarus Group Revealed
Since being exposed in 2017, the Lazarus Group has been active in the cryptocurrency sector, launching multiple attacks on exchanges and related companies. The organization has numerous members, reportedly directly trained by the North Korean government, and has been involved in cyberattacks on companies including Phemex, WazirX, and Stake.
Earlier this year, the Lazarus Group was confirmed to be involved in a data breach at the Bybit exchange, resulting in the theft of over $1.5 billion in crypto assets. The attack began on February 21, 2025, when hackers infiltrated a supplier of Bybit and secretly altered the wallet address of a transfer involving 401,000 Ethereum. Subsequently, the security team launched an urgent tracking effort to prevent the hackers from cashing out the stolen coins.
In this attack, hackers induced an employee of Safe Wallet to run malicious code on their computer, which gave them initial access. Afterwards, a more sophisticated group of hackers intervened, further infiltrating Safe Wallet's AWS account, tampering with the wallet's frontend code, and ultimately stealing funds from the cold wallet.
New Battlefield for the Lazarus Group: NFT Users on LinkedIn
Recently, the Lazarus Group has begun secretly targeting individuals in the NFT and cryptocurrency sectors on LinkedIn, posing as "NFT markets" or Web3 projects seeking collaboration. Last month, an employee at BitMEX received a similar invitation through LinkedIn and promptly reported it to the company's security team out of caution.
The investigation revealed that the attackers attempted to induce the victim to run a Next.js/React project containing malicious code, thereby gaining control of the system. The security team confirmed that this action was related to North Korea's Lazarus hacking group. Such tactics show that the organization's attack strategies are continuously evolving, increasingly targeting professionals and internal corporate staff, using social engineering for covert infiltration.
Security Reminder for the NFT and Crypto Community
As the Lazarus Group targets professionals in the NFT and cryptocurrency sectors, industry experts advise users to remain highly vigilant, not to trust "collaboration invitations" or unknown links on the internet, especially on professional social networking platforms like LinkedIn. Strengthening multi-factor authentication, updating security measures, and promptly reporting suspicious activities are key to protecting assets.
The continued activity of the Lazarus Group indicates that cyberattacks and scams will remain a severe challenge in the cryptocurrency sector. Users and institutions must collectively enhance their security awareness to guard against hackers' combined technical and social engineering attacks.