Lazarus Infiltrated Asian Crypto Exchanges, Track Leads To North Korea

Track Leads To North Korea

The hacker group Lazarus succeeded according to the security researchers of Kaspersky Lab in a new coup. They built an inconspicuous malware into a specially developed client for the trading of cryptocurrencies. The cybercriminals have spared no expense and effort. They had the traders and the acquisition of the wallets of infiltrated crypto exchanges in mind.

The attack, called “AppleJeus” by Kaspersky Lab, is aimed directly at traders and online trading sites for cryptocurrencies. Here, the members of Lazarus managed to penetrate into the infrastructure of an unnamed crypto exchange in Asia. Lazarus has created a fully functional trading program for Windows and Mac OS X specifically for this purpose. Also, a version for Linux distributions was planned, as Kaspersky took from the company website of the manufacturer. The cover company Celas LLC was apparently founded by the Lazarus members for the exclusive purpose of disguising the true nature of their trading program.

Lazarus: Own Cover Company Founded for Trojans?

The client for Mac OS X was even provided with a valid software certificate from Apple. Otherwise, for security reasons, the Crypto-Exchange employee would have had to change their Mac’s settings in order to install programs from unverified developers. He was advised by e-mail to download the trading software. The client “Celas Trade Pro” works in conjunction with various crypto-exchanges. Corresponding with Bitfinex, Bitstamp, Bitmarket, BTC China,, Indacoin, OKCoin, WEX, and YObit. The cybercriminals had provided enough programming interfaces and numerous functions in their software.

When the detection software of the network hit the crypto exchange, the malicious code was found in the updater of the trading client. Lazarus used the backdoor loader Fallchill, which was used earlier.

Crypto Exchanges & Traders Are Worthwhile Goals

According to Kaspersky, Celas LLC’s website should not show any abnormalities from the outside. The pages and are currently not available. They seemed trustworthy even to the security experts. Very noticeable, however, is the effort made by the criminals. In most cases, malware is only programmed for Windows as the most common operating system. Therefore, Trojans distributed cross-platform are a real exception. Creating a cover company to create your own goals, creating a serious-looking website, and the working program itself is a labor-intensive process. But if you look at the goal of the action, it explains itself.

In addition, the case shows that you as a user of a Linux distribution or Mac OS X may never feel completely safe. But the owners of a wallet or a credit card have too much to lose. Anyone interested in the background: A detailed technical analysis is available at Qihoo 360  and

Conspicuously, the alleged attackers had incorporated a header that allowed the acceptance of the North Korean language. An indication that nourishes the suspicion that the attack originated from the North Korean soil. In view of the background of the Lazarus group a thoroughly explosive detail.


Lazarus is said to have attacked several South Korean crypto exchanges like Bithump, YouBit, and Coinlink. The group is also known by the name “Hidden Cobra”. The first attacks that could be clearly attributed to them happened in 2009. In 2014, the group demonstrated their ingenious attack scenarios in the hack of Sony Pictures.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.