
Lazarus, the cybercriminals who steal and extort for the Beloved Leader of North Korea

2022-05-23T12:59:51.907Z


The group of 'hackers' that in 2017 hijacked computers around the world with the WannaCry virus has just stolen 625 million dollars in cryptocurrencies, the largest digital heist in history


Last month saw the biggest cyber heist on record.

Someone stole cryptocurrencies (ethereum, the second most used after bitcoin) worth 625 million dollars (around 600 million euros) from a website related to the Axie Infinity video game.

The United States was quick to link the attack to the Lazarus group, North Korean cybercriminals well known to cybersecurity experts.

Blockchain consultancy Chainalysis estimates that these North Korean hackers could have seized another $400 million in digital assets last year through various attacks targeting cryptocurrency platforms.

Many countries, such as China, Iran or the US, unofficially sponsor hacker teams to carry out sabotage or obtain valuable information.

The case of Pyongyang is different: it uses its group of computer experts to make money.

The Beloved and Respected Leader (that is one of the official ways of referring to Kim Jong Un) sees it as a way to survive the harsh international sanctions to which the regime is subjected.

Calling Lazarus simple digital thieves would be disparaging them.

Their track record is one that very few can match.

The US and the UK, as well as Microsoft, attribute to them the launch in 2017 of WannaCry 2.0, the largest ransomware attack in history, which has just turned five years old.

This type of computer virus hijacks infected computers and releases them only after a ransom is paid.

WannaCry is estimated to have affected some 300,000 computers in 150 countries, including those of the UK health system, which was paralyzed.

A year earlier, in 2016, Lazarus tried to steal $1 billion from the Bangladesh Central Bank with a sophisticated plan that included posing as bank employees and obtaining the authorizations needed to move the money.

The attack was thwarted by a coding error, but not before $81 million had been taken.

The FBI then considered it the biggest cyber heist in history.

There are also suspicions that in 2018 the group stole some 530 million dollars in digital tokens from the Japanese cryptocurrency exchange Coincheck.

Make money for the Leader

All the money that Lazarus earns has the same recipient: the Kim Jong Un regime.

Lazarus is a rarity in the world of Advanced Persistent Threats (APTs), a term used for the most capable organized groups of hackers.

Unofficially run and sponsored by governments, these teams are at the top of the hacker pyramid.

They are very well structured and hierarchical —they have departments and professionals with well-defined roles— and they have economic resources, which allows them to carry out complex, coordinated and fast attacks.

On paper, only the secret services of the great powers (the US, Russia or the UK) have more power than the APTs.

Due to the very nature of the internet, where it is easy to go unnoticed, cyberattacks are very difficult to attribute.

"APTs are basically tracked with clues provided by intelligence services and particularities of the code, but doing a good forensic analysis to determine authorship can take months," explains hacker and cybersecurity analyst Deepak Daswani.

Therefore, governments use APTs to sabotage, spy or carry out intelligence actions without provoking diplomatic incidents.

"Lazarus is a unique case," said Adam Meyers, chief intelligence officer for CrowdStrike and an APT expert.

"Other groups release ransomware, like Russia in Ukraine through Voodoo Bear, but as a cover for other purposes, with no interest in being paid.

And if they make money it is for their own benefit, like the mafias.

Lazarus' goal is to obtain funds to sustain a regime suffocated by international sanctions," adds the Texan analyst.

Still from the video distributed in March this year by Pyongyang in which Kim Jong Un directs the launch of an intercontinental ballistic missile. Photo: 朝鮮通信社 (AP)

Lazarus is in fact the code name given to hackers operating from North Korea.

Meyers' team distinguishes five different factions under that umbrella, each with well-defined objectives and specializations, which nevertheless share a code repository they use to prepare their attacks.

Two of them, Stardust Cholima and Labyrinth Cholima, are exclusively dedicated to monetization.

“We believe that Stardust Cholima belongs to Office 121, one of the departments of the General Reconnaissance Office”, the name by which one of the North Korean espionage agencies is known.

“They are very focused on financial systems, cryptocurrencies and new technologies.”

The Lazarus network also performs sabotage actions, along the lines of APTs from other countries.

North Korean hacker groups were especially active during the months of 2020 when Big Pharma was frantically working to develop a Covid vaccine.

They tried to break into the computers of workers at AstraZeneca, which along with the University of Oxford was in the midst of developing one of the vaccines.

Later they tried to steal information from Pfizer, another of the laboratories involved in the vaccine.

Interestingly, North Korea is one of the few countries in the world where the pandemic was kept at bay (until a few weeks ago), so its intentions could have been simply to torpedo the process or to sell industrial secrets.

Another of the group's most notorious operations was not for economic purposes, but revenge.

It was carried out in 2014 and was the first sign that the North Koreans were not amateurs in the digital field.

The target was Sony Entertainment, the producer of The Interview, a film that fantasizes about the assassination of Kim Jong Un.

A month before the scheduled release date, a group of hackers infected the computers of Sony workers.

They managed to erase sensitive data from the company, published salary details and revealed compromising emails from some of its managers.

They also threatened to attack the movie theaters where the film was to be shown, which led the big distributors to pull it from their listings.

Kim Jong Un's big step forward

No one believed that North Korea would be capable of becoming a cyber power.

Nor that it could develop the atomic bomb.

But it achieved both.

The second was the obsession of three generations of dictators; the first, an express wish of the current one.

Kim Jong Un rules with an iron hand one of the most isolated countries in the world.

Since taking over from his father in 2009, he has been able to see the potential of the digital sphere both to spy on and sabotage his enemies (the US and South Korea) and to earn money that he cannot get through trade.

"The North Korean regime actively empowers elite hackers to incorporate them into Office 121," writes Australian Anna Fifield in her book The Great Successor (Captain Swing, 2021), in which she draws a detailed portrait of the hermetic life and career of Kim Il Sung's grandson.

"Students who show potential aptitude in this regard, some as young as 11, are sent to special schools and then to the Pyongyang University of Automation," where "over the course of five years they are taught how to hack into systems and create computer viruses."

Strikingly, says Fifield, as early as 2018 North Korean students regularly took first place in competitions, or hackathons, organized by the Indian software company CodeChef.

From what the journalist, who knows the country well from her years in Tokyo and Beijing as bureau chief for the Washington Post and in South Korea as a correspondent for the Financial Times, has been able to find out, North Korean hackers enjoy a position of respect and a comfortable life in a country where, until the 1990s, people literally starved to death.

Fifield told EL PAÍS that she has no data suggesting their status has changed in recent years.

Quite the contrary: Kim Jong Un is clear that cybercrime is just another business, a response to international sanctions.

"The regime participates in all kinds of sectors that can bring in foreign exchange, such as pharmaceutical testing, opium cultivation or human trafficking," says Meyers. "Cyber espionage and cybercrime are yet another vector."

If the regime cannot make money through trade, it will steal it.

Source: elparis
