The North Korean hacking collective Lazarus Group has launched a targeted cyberattack on cryptocurrency investors by exploiting a fake decentralized finance (DeFi) game and leveraging a newly discovered Google Chrome zero-day vulnerability. This scheme, which included the use of malware and advanced browser exploits, allowed Lazarus to infiltrate sensitive user information and posed significant risks for crypto asset holders.
Background on the Attack
In May 2024, cybersecurity researchers at Kaspersky uncovered a novel attack method used by Lazarus when they detected the Manuscrypt backdoor malware being delivered through a Google Chrome vulnerability, CVE-2024-4947. The group created a fraudulent game site, “DeTankZone,” marketed as an NFT-based multiplayer online battle arena game. The fake game was heavily promoted across social media, LinkedIn, and even spear-phishing emails designed to lure cryptocurrency enthusiasts and investors into the trap.
Exploiting the Zero-Day Vulnerability
Lazarus Group’s attack leveraged a type confusion flaw in Chrome’s code, tracked as CVE-2024-4947, which allowed them to corrupt memory and ultimately exfiltrate sensitive data. A hidden script on the game’s website abused this flaw, gaining access to browser histories, cookies, passwords, and authentication tokens. Researchers noted that the exploit allowed attackers to remotely execute malicious code and to fingerprint the victim’s machine, collecting operating system, BIOS, and CPU details.
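The paragraph above describes the flaw only as a "type confusion" bug, so the following added example, written for this article and not taken from Chrome, V8, Kaspersky, or the exploit itself, shows in plain C what that bug class looks like and why a tag check at the point of use defeats it. The tagged-value representation, the function names and the sample strings are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged-value representation, constructed for this example.
   It is not V8's object model and not the CVE-2024-4947 code path. */
typedef enum { TAG_INT = 1, TAG_STR = 2 } tag_t;

typedef struct {
    tag_t tag;
    uint64_t bits;   /* integer payload, or a string pointer stored as uintptr_t */
} value_t;

static value_t make_int(int64_t n) {
    value_t v; v.tag = TAG_INT; v.bits = (uint64_t)n; return v;
}

static value_t make_str(const char *s) {
    value_t v; v.tag = TAG_STR; v.bits = (uint64_t)(uintptr_t)s; return v;
}

/* Buggy fast path: trusts an earlier type assumption and never re-checks the
   tag. Handed a TAG_STR value it returns the string's address as an integer,
   i.e. it leaks a pointer. The symmetric bug, treating an attacker-chosen
   integer as a pointer, is what turns type confusion into memory corruption. */
static int64_t unchecked_as_int(value_t v) {
    return (int64_t)v.bits;
}

/* Hardened accessor: validates the tag at the point of use.
   Returns 0 on success; -1 and leaves *out untouched on a type mismatch. */
static int checked_as_int(value_t v, int64_t *out) {
    if (v.tag != TAG_INT) return -1;
    *out = (int64_t)v.bits;
    return 0;
}

static int checked_as_str(value_t v, const char **out) {
    if (v.tag != TAG_STR) return -1;
    *out = (const char *)(uintptr_t)v.bits;
    return 0;
}

/* 1 if the unchecked path handed back a pointer where an integer was expected. */
static int demo_leaks_pointer(void) {
    static const char secret[] = "session-token";   /* constructed sample */
    int64_t leaked = unchecked_as_int(make_str(secret));
    return leaked == (int64_t)(uintptr_t)secret;
}

/* 1 if both checked accessors reject a mismatched tag without touching *out. */
static int demo_checked_rejects(void) {
    int64_t n = 7; const char *s = NULL;
    int r1 = checked_as_int(make_str("hello"), &n);   /* constructed sample */
    int r2 = checked_as_str(make_int(5), &s);
    return r1 == -1 && n == 7 && r2 == -1 && s == NULL;
}

/* Returns the integer recovered through the checked path, or -1 on rejection. */
static int64_t demo_checked_accepts(int64_t n) {
    int64_t out = -1;
    return checked_as_int(make_int(n), &out) == 0 ? out : -1;
}

int main(void) {
    const char *s = NULL;
    printf("unchecked path leaks a pointer: %d\n", demo_leaks_pointer());
    printf("checked path rejects mismatches: %d\n", demo_checked_rejects());
    printf("checked path returns 42: %lld\n", (long long)demo_checked_accepts(42));
    if (checked_as_str(make_str("abc"), &s) == 0)
        printf("checked_as_str -> %s\n", s);
    return 0;
}
```

The point for defenders is the shape of the fix rather than this toy: a value's type must be re-validated wherever an optimized path relies on it, because a stale assumption about what a slot contains is exactly what an attacker-controlled page manipulates in a browser engine.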
Impact on Crypto Investors
This attack specifically aimed to compromise the wallets and exchanges used by investors. By accessing private user data through the Chrome vulnerability, Lazarus Group managed to exfiltrate crucial information that could be leveraged to access and drain crypto assets. Security experts have raised alarms over Lazarus’s ability to combine social engineering with technical exploits, making it increasingly difficult for individuals and institutions to detect or counteract these attacks effectively.
Response from the Security Community
The CVE-2024-4947 vulnerability has since been patched by Google, following its discovery by Kaspersky’s team. Security experts are advising crypto investors to keep their software up to date and to remain cautious when accessing DeFi or NFT-based applications, especially those promoted through unverified social channels.
Cybersecurity researchers and professionals emphasize the importance of rigorous security practices, including multi-factor authentication and phishing awareness, as essential defenses against the evolving tactics of groups like Lazarus.