$3B Stolen with Fake Crypto Games in Chrome Exploit – GameFi Still Not Safe?
- Lazarus Group stole $3B with two fake NFT games by exploiting a zero-day vulnerability in the latest version of Google Chrome.
- It took 12 days for Google to patch the exploit after Kaspersky Lab reported it to them.
- A hacker stole $20M in crypto from a US government wallet and then proceeded to launder it in non-custodial wallets.
Lazarus Group (a North Korean hacking group) stole $3B in crypto through a fake crypto game.
They used a zero-day vulnerability in Google Chrome that took Google 12 days to fix. Judging by the effort the hackers put in, this could be part of a larger plan.
Kaspersky Lab found the Chrome exploit and reported it immediately, with Boris Larin (analyst) saying that the attack might have broader implications in the long term.
A US government wallet also lost $20M in crypto in another attack. Arkham Intelligence reported the on-chain movements yesterday, identifying an address used in the 2016 Bitfinex hack.
Let's discuss what's happened.
NFT Games Steal $250M Per Day in Chrome Exploit
The math adds up:
- Google took 12 days to patch the Chrome exploit
- Kaspersky Lab reported a $3B theft by Lazarus Group in that period
Lazarus Group (a notorious North Korean hacker group) created two fake NFT games (DeTankZone and DeTankWar) and used a hidden Chrome exploit loader to siphon crypto from the users' wallets.
Most importantly, the zero-day vulnerability targeted the latest version of Google Chrome, which is more than a bit scary if you ask us.
For the more technically inclined, here's Kaspersky Lab's report on the vulnerability exploited by Lazarus.
In a nutshell, the hackers used the two NFT game websites to inject malicious software called Manuscript into users' devices. The software corrupted Google Chrome's memory and let the hackers steal passwords and authentication tokens.
The two Kaspersky analysts who found this (Boris Larin and Vasily Berdnikov) said Lazarus is already using generative AI to improve its tactics.
Lazarus Group went to great lengths to optimize the social engineering aspect of the scam.
"They focused on building a sense of trust to maximize the campaign's effectiveness [...] to make the promotional activities appear as genuine as possible. The attackers also attempted to engage cryptocurrency influencers [...], leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly."
Larin and Berdnikov, Kaspersky Analysts
This is how Lazarus Group conned crypto users out of $3B, or $250M per day, in one of the largest crypto scams of this type.
US Government Loses $20M in Crypto Exploit
In similar news, the US government lost $20M in another crypto hack. Arkham Intelligence said the funds went to an address (0xc9E) used in the 2016 Bitfinex Hack.
The hackers stole $13.7M $AUSDC, $5.4M $USDC, $1.1M $USDT, and $500K $ETH for a total of $20.7M.
As usual, X users came up with some wild theories and remarks about the hack. Here are some funny ones we found.
After the hack, the thief started laundering the money with non-custodial wallets. ZachXBT corroborated Arkham Intelligence's conclusion.
Crypto Hackers Upping Their Tactics and Turning Gutsy
Hackers using generative AI for social engineering - we all saw this coming, but seeing the aftermath is still depressing and worrying. Phishing scams are getting more and more dangerous.
And stealing from the US government? Gutsy.
But crazy? That remains to be seen. Our bet is that it won't take long before the authorities track down the hackers, with a bit of help from online sleuths.
References
- Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices (The Hacker News)
- The Crypto Game of Lazarus APT: Investors vs. Zero-days (Kaspersky Lab)
- Lazarus Group Exploits Chrome Zero-Day in Latest Campaign (Dark Reading)
- Arkham Intelligence X Post About the US Government Crypto Hack (X)
- ZachXBT X Post About the US Government Crypto Hack (X)
The post $3B Stolen with Fake Crypto Games in Chrome Exploit - GameFi Still Not Safe? appeared first on Techreport.