
June 10, 2025 36 mins

In December 2014, Sony Pictures announced they were cancelling the release of Seth Rogen's newest venture The Interview due to a large-scale cyberattack. And in February of this year, global cryptocurrency exchange Bybit suffered a massive attack resulting in the theft of $1.5 billion.

These masked actors are still active. But now, they’ve turned their attention to companies like yours...

Join Group-IB's Gary Ruddell and Nick Palmer as they speak with Geoff White, one of the world's leading journalists covering organized crime and tech and the author of The Lazarus Heist – From Hollywood to High Finance: Inside North Korea's Global Cyber War, to explore the infamous Lazarus Group.

In this episode, they delve into the group's latest modus operandi – infiltration campaigns, whereby North Korean hackers pose as remote IT employees to funnel information out through the back door and leave logic bombs in code that they can trigger months or years down the line. They look at how this shifts the responsibility model for cybersecurity, requiring vigilance from across the organisation for unusual behaviour.

By understanding who these actors are and how they operate, you can better anticipate threats and protect yourself in an increasingly hostile digital world.

Subscribe now to meet these Masked Actors — and stay one step ahead in the fight against cybercrime.

Episode links:
Group-IB's Top 10 Masked Actors
Lazarus Arisen: Architecture, Tools and Attribution
Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes
APT Lazarus: Eager Crypto Beavers, Video calls and Games

Meet Group-IB's top 10 Masked Actors here - and stay one step ahead in the fight against cybercrime.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Gary Ruddell (00:00):
In December 2014, Sony Pictures announced that they were cancelling the release of Seth Rogen's newest movie, The Interview, due to a large-scale cyber attack. And in February of this year, global cryptocurrency exchange Bybit suffered a massive attack resulting in the theft of $1.5 billion.

(00:20):
One group pulled off both of these attacks and many more. Today, they're also infiltrating IT roles in the private and public sectors. But what do these attacks have in common? We've got perhaps the biggest cryptocurrency theft ever, plans to put criminals on the insides of organizations around the world, and a film detailing a fictional plot to kill Kim Jong-un.

(00:43):
That last part is the giveaway. The link is North Korea. And the criminals responsible for the attacks are the state-sponsored threat actor codenamed Lazarus Group. We're your hosts, Gary Ruddell and Nick Palmer. Nick, let's get into Lazarus.

Nick Palmer (01:04):
So it would be impossible to discuss Lazarus Group without sitting down with perhaps the best known expert on this topic, Geoff White. He's an investigative journalist who's written numerous books about the intersection of organized crime and technology, including Rinsed and, of course, The Lazarus Heist. Geoff, thanks a lot for joining us.

Thanks. Thanks for having me.

(01:24):
So, Geoff, let's dive right into it. When did you first become aware of Lazarus Group? And what can you tell us about the first moment in the spotlight, that Sony Pictures attack? It's pretty different from their modus operandi of targeting cryptocurrency companies, isn't it?

Geoff White (01:40):
Yes, absolutely. I mean, this goes back, as you said, to December 2014. We knew there was trouble at Sony Pictures Entertainment. We knew the company had been hacked because swathes of its internal emails were being leaked online, some extremely juicy and salacious information. Some movies were leaked online. And then the attribution came from the US government itself that this was the work of North Korea.

(02:02):
At the time, I was working for Channel 4 News in the UK. And I'll be honest, like quite a lot of journalists, I was slightly sceptical as to whether this was the actions of North Korea. I mean, yes, at the heart of it was this film, The Interview, which detailed a plot line involving the assassination of Kim Jong-un. It was quite a grisly assassination, which would be, of course, hugely offensive to North Korea.

(02:23):
So there was a reason why they might do it. But it just seemed very odd. I mean, you've got to realise this was the era of the Anonymous hacking group, you know, the guys in the Guy Fawkes masks breaking into companies, leaking data. It seemed more like something they would do. But as the evidence started to spill out, and that took several years, really, for the evidence to really kind of come to fruition, fingers started pointing at North Korea and it linked back to previous attacks that North Korea had done.

(02:45):
Now, in that case, the Sony break-in, it's attributed to North Korea. And the idea is that North Koreans were so angry at this film, so outraged by what was being depicted of happening to Kim Jong-un, you know, a sitting world leader, that they decided to go and hack Sony.

(03:05):
The subsequent activity, and we've had now five, 10 years more activity after that, has been more focused on stealing money. You know, the North Koreans, that attack on Sony Pictures Entertainment seems to have been a slightly unusual attack. It was a reputational damage issue, certainly reputational damage for Sony.

(03:26):
But the subsequent attacks, it's mostly been, certainly the ones I've covered, about stealing money and vast quantities of it.

Nick Palmer (03:33):
Yeah, it's a super interesting change from their normal modus operandi and definitely one that made the headlines worldwide. So thanks a lot for the breakdown. Let's talk a little bit more about the operations and the timelines around escalating different attacks for Lazarus Group.

Geoff White (03:52):
Yeah, the activity for Lazarus Group, and by the way, the Lazarus Group is the name given to them by security researchers. The North Korean government hackers themselves almost certainly don't call themselves Lazarus Group. From what we know, this is a military unit within the North Korean government. They will be run as a military institution. They will have military ranks and unit numbers and so on. So the Lazarus Group is a convenient sort of shorthand.

(04:15):
First activity starts about 2013. They start looking at attacking South Korea is the accusation, taking down TV stations, banking. It's disrupt North Korea's old enemy, South Korea. But over the years, we start to see North Korea doubling down on hacks to target financial institutions, banks and also cryptocurrency companies.

(04:36):
Now, the backdrop to that is North Korea keeps testing nuclear weapons and keeps launching missiles. Obviously, that's quite a hostile act, certainly in that region of the world. And so the United Nations and others have sanctioned North Korea, turned off the international money taps, the trade taps. So North Korea is pretty much isolated.

(04:56):
Can't bank, can't trade, can't buy, can't sell. How do you survive as a country if that's going on? And of course, that's the idea of sanctions, is North Korea will eventually come back and say, oh, these sanctions are hurting us, let's negotiate. The accusation is that North Korea has responded to those sanctions by putting its hackers on the send for money. They go out, they find financial institutions, they break into them and bring that money back to the North Korean government.

(05:17):
The US government believes that North Korea pays for about half of its missile program through computer hacks. We are talking about multiple billions. I've seen figures up as far as six to seven billion dollars worth of currency stolen, allegedly by North Korea's hackers and taken back for the regime.

Nick Palmer (05:37):
Yeah, very organized operation. And when you're shut off from the international money supply, you have to find unique ways of funding what it is that you want to do as a nation. So, you know, talking about cryptocurrency, why is that such a heavy point of interest for them? You know, we've seen them focus on banks in the past, but, you know, in more recent years, they focused in on cryptocurrency.

(05:59):
Why is that, in your opinion?

Geoff White (06:01):
Yeah, this has been an interesting evolution. So one of the early banking attacks attributed to the North Koreans is the hack on Bangladesh Bank, the famous billion dollar hack, where they went to try and steal a billion dollars from the National Bank of Bangladesh. Didn't get away with the billion, which is a whole story in itself, but they were targeting that bank. Then they start to target other banks, dozens of banks they were targeting around this time, stealing in the sort of hundreds of millions of dollars.

(06:23):
They started going after banks' ATM systems. So they actually managed to work out that once you're inside a bank, you can effectively hijack the ATM system and make ATMs around the world spew out notes, banknotes, which of course means you've got to have somebody on the other side to collect those banknotes.

(06:44):
And you've got to have people in loads of different countries where the ATMs are. So that led the North Koreans into its alleged various interactions and alliances with some quite murky characters and quite bizarre characters who are on the other side of these sort of cash out operations. The problem with all of that is it takes place within the traditional banking system. So Bangladesh Bank, for example, when it was robbed, it could see exactly where the money went.

(07:06):
It could follow the flow all the way through to the Philippines and to casinos, which is where the cash eventually ended up. If you use traditional banking to do hacking, there's going to be a paper trail, these days a digital trail, but it's a trail that investigators can follow. With cryptocurrency, this was the big switch. North Korea starts experimenting with cryptocurrency about 2016, but then there's the big ransomware attack, WannaCry 2017.

(07:31):
Now, the WannaCry ransomware attack, I mean, ransomware has been in the news, certainly in the UK recently. The hackers scramble your files and then charge you a ransom to unscramble them. WannaCry was North Korea's ransomware attack, and it was vast. It went around the world, you know, automatically spreading from computer to computer. It was the single most virulent ransomware attack ever launched, but was also, for a lot of people, a complete dud, because the ransoms that came in as a result were only in the low millions, 10 million-ish, maybe 100 million, depending on how you value the Bitcoin cryptocurrency that the ransoms were paid in.

(07:53):
And so people said, well, what was the point of this ransomware attack? It didn't make so much money. But what it taught the North Koreans, I believe, was crypto money laundering.

(08:16):
Laundering the money from that attack, i.e. taking the cryptocurrency ransoms that were paid and vanishing them, took about 48 hours. And we still have no idea, apparently, where that money went. It's just gone. Compare that to that Bangladesh Bank attack. It took them a month, a solid month, to get the money into the casinos, to gamble it through, to try and wash the money.

(08:36):
They lost 30 million of it to some intermediary who's just never been seen again. So hacking crypto suddenly starts to look like a really good idea because you can move the money instantly. You can launder it so much more quickly. And crucially, cryptocurrency companies are not bound by the kind of laws and regulations that banks are. So as a hacker, you're hacking an easy target, low hanging fruit.

(08:59):
And the North Koreans have made billions upon billions, is the accusation, out of targeting these crypto companies.

Gary Ruddell (09:05):
When you talk about Lazarus Group being a state-sponsored group, elaborate on that. What does that really mean in practical terms?

Geoff White (09:12):
What that means is that the government is actually hiring these people. So in the UK, we have government hackers. They work for GCHQ and MOD Caution and all these places. The US has them. Most countries worth their salt have government hackers, and they are paid a nine-to-five sort of salary. What you've also got, though, in most countries is a sort of, well, a non-government hacker scene.

(09:32):
You've got organised criminals who do hacking. You've also got sort of hacktivists, sometimes teenagers, who just acquire these skills and sit in their bedrooms and carry this out. And you've got this interesting interaction, you know, Russian Federation, for example. We've got stories of the Russian government working with some of those sort of have-a-go cyber criminal hackers. So there's this interesting crossover.

(09:54):
In North Korea, the situation's quite different. In North Korea, if you have a computer and an internet connection, it's because the government has given it to you. You can't go out and buy a laptop and get a SIM card or broadband connection and a Wi-Fi router and off you go. Not in North Korea. And if you're given that, you are very, very closely surveilled. So the vast majority of online computer use in North Korea is government controlled, very certainly government monitored.

(10:19):
So what that means is if you're doing hacking from inside North Korea, you're a North Korean hacker, you are government sanctioned. You're probably government employed and paid. So when we see malicious cyber activity from North Korea, there's no ability for North Korea to turn around and say, oh, well, that must be some teenager in their bedroom that we don't know about, because we know North Korea knows about all of them.

(10:41):
They are all state sponsored. And what this means is you've got all of the resources of the state, all of the time, the money, the organization that goes behind this, and that can be applied to this cyber army. I've heard figures of around 6,000 cyber warriors in North Korea. I suspect the true figure is much higher because there are people who are coders, there are people who are computer hackers, but there are also people who do IT work for the North Korean government, but also for other people, and they interface with the hackers.

(11:03):
So it sort of depends how you define a North Korean government hacker as to how many might be in the pool.
Gary Ruddell (11:17):
You mentioned earlier the casinos and trying to get the money out and the challenges around that. In the cryptocurrency space, can you talk us through how it's done in crypto land, why they can't just trace the money if it's crypto?

Geoff White (11:34):
Well, it's interesting, this, because when people talk about cryptocurrency, as anybody who knows anything about Bitcoin and blockchain will know, all cryptocurrency transactions are sort of logged and tracked. It's a digital currency. But in a way, that's the same with traditional finance. If you spend on your credit card, there's sort of a record of it. The thing with cryptocurrency is the log, the ledger, the register of transactions is public, certainly in the case of Bitcoin.

(11:54):
And so you can use this blockchain to track Bitcoin transactions. And so a lot of people think, well, cryptocurrency must be fantastic for investigators because they can see all the transactions. You can see it move in real time. And that's exactly what happened with that WannaCry ransomware attack I talked about back in 2017. When the money starts to get laundered, you can watch it in real time.

(12:16):
The problem is that it went into an Eastern European cryptocurrency exchange. And from there, we have no idea what happened to it because it drops into this black box. The money just goes in and it's inside this organization, inside this company. It must have got spewed out somewhere, we presume, but we can't track it beyond that. So when people talk about cryptocurrency being traceable, yes, it's traceable, but sometimes only to a certain point.

(12:38):
And even then, yes, the crypto is traceable, but even if you can trace it, can you stop it, freeze it and get it back? If somebody breaks into my house and steals my TV and runs off down the street, it's all very well me being able to watch them as they run down the street with my TV. What I want is my TV back. So traceability of crypto is only one part of the challenge.

(13:02):
Freezing it and recovering it is the issue. And again, for crypto money launderers, that's been the boon as they realize that you can get away with it. You can actually vanish the money if you do it correctly.

Gary Ruddell (13:13):
I guess as well, if you're North Korea and you have their sort of resources and, you know, the money that they have, potentially they could have agents in different countries around the world that just... they create a company that is a crypto company. They could put the money through it and then shut that company down to sort of mask some of this stuff. Is that something that happens?

Geoff White (13:35):
It's a good question. And actually... I've heard tell of North Korea sort of flirting around that, for, you know, for example, setting up crypto companies, crypto enterprises and so on. The problem we've got there is sort of liquidity. It's volume. This is the mad thing about North Korea and some of these financial attacks that they're accused of doing is they're actually sort of the cutting edge of finance and they have to deal with very, very heavy financial issues.

(13:56):
Which, for a country that's the world's oldest communist country, I mean, North Korea predates China as a communist country, the idea that they're involved in this sort of massive financial machinations, I find very ironic. If you're going to set up a crypto exchange or crypto company, as you've described, Gary, what you really need is liquidity. You need a big pool of money so that you can stick your stolen money in and mix it.

(14:18):
If... you or I, or indeed North Korea, just sort of sets one up, you don't really have enough money sloshing around. So what they prefer to do is to use large organizations, large institutions, and try and trick those institutions into accepting the stolen money. So North Korea might take the crypto, run it through a few Bitcoin wallets, maybe hundreds of Bitcoin wallets, and then try and stick it into a big exchange, you know, your Coinbase or Binance or Kraken, all these big exchanges, and try and trick them into saying, hey, this money is actually fine.

(14:41):
You can accept it. It's not stolen money. So that's been the game. They tend to prefer to use these big organizations. The other thing they use is crypto mixers, which, as the name suggests, take incoming crypto, mix it with other people's currency, and then spit it out to a fresh wallet address.

(15:01):
Which, by the way, if you want privacy in crypto, which is quite a challenge, using a crypto mixer makes a lot of sense. If you want to donate to a particular political cause through crypto without being spotted or identified, a crypto mixer helps you. It also helps with money laundering.

(15:24):
And so we know cybercrime groups in general, but the North Koreans particularly, have been using these crypto mixers to wash, you know, millions and millions, probably in the billions of dollars worth of cryptocurrency.

Nick Palmer (15:33):
Yeah, they've certainly become experts at learning how to wash digital currencies around the world. And like you said, Geoff, being ousted from the global financial community, they've certainly still been involved in it to profit. We've talked a lot about large organizations, Bank of Bangladesh and cryptocurrency organizations, but what about small companies?

(15:56):
Do they have to be concerned about North Korean hackers, or is it just large organizations?

Geoff White (16:03):
Before, I would have said, well, frankly, if you're a large organization, the North Koreans are interested in you. If you're a big government organization, of course. All big government organisations, they can't see hacking each other, so they have to be worried about lots of threats, including North Korea. Big financial institution, a big organisation like Sony. Yes, you should be worried about the North Korean threat. But what's been interesting is this recent switch that North Korea's done in terms of moving from hacking to almost an infiltration campaign, if you like.

(16:25):
The backdrop to this is that... North Korea's citizens used to be allowed to work abroad. North Korea could actually get its citizens to work overseas. They would do things like logging in Vladivostok, or there was a North Korean restaurant, I think, in Sweden, in Stockholm, where you could actually go and have North Korean food served by a North Korean.

(16:45):
So they were allowed to work abroad. The problem was that people figured out these employees were just sending money back to North Korea. And so effectively they were sort of funding the regime, and as the regime tested more missiles and nukes, that became an issue.

(17:06):
So the sanction went out from the United Nations: you are not allowed to hire a North Korean, allow a North Korean to work in your country. So North Korea's employees got sent back inside the borders or struggled to go outside the borders. Then COVID happened; again, the country got sort of locked down. So increasingly North Korea's ability to sort of reach out into the world to get its people overseas and working overseas, those routes started to get shut off, not entirely, they can still use diplomatic passports and so on to get people out and about in the world.

(17:28):
But a lot of the time it's quite difficult. So then the challenge became, well, okay, we want to try and hack into these companies. We want to try and get into these companies, but we're not allowed to physically go and be in these places. Our hacking attacks are working, but hacking is difficult.

(17:49):
You have to go into the back door. If you get caught, you're going to get kicked out. Why don't we go into the front door? Why don't we just apply for a job at these companies? Now, obviously, that would normally involve you turning up to an interview and sitting there in your Kim Jong-un badge and your military uniform. Obviously, you wouldn't get the job. But obviously, post-COVID, there's been this huge boom in remote IT working.

(18:10):
So as a software developer, a web developer, an IT person, you can apply for a remote working job, and a lot of companies don't really care so much anymore where you are in the world. They just want employees. The North Koreans have hopped on board this with gusto. They've managed to get jobs at companies around the world, and we're talking, you know, Fortune 500 companies in the US, in Europe, in the UK, applying for these jobs.

(18:31):
Now, the employer obviously doesn't want to hire a North Korean, so what the North Koreans have done is used intermediaries, effectively proxies and accomplices in these different countries, to impersonate a local individual. It might be an identity they've stolen, or it might be a willing individual who's handed over their ID, you know, their bank account, to be used by these North Koreans.

(18:53):
So the North Koreans get a job at the company, the organization. And as far as the organization is concerned, they're hiring John Smith in New York, but actually John Smith in New York turns out to be, you know, Park Jin-hyuk based in Pyongyang, who's dialing in remotely. Now, the company will send a laptop out to John Smith in New York, and the person who's pretending to be John Smith will plug it in, connect to the internet, install remote access software, and Park Jin-hyuk from North Korea can dial in and start work.

(19:15):
It's absolutely incredible. And there are hundreds and hundreds of cases of this. We suspect thousands of North Korean IT workers on the other side of it.

(19:35):
Some of whom, by the way, are just doing the IT work job. They're just getting on with it. And they actually, some of them are quite effective employees. In fact, we got told in the podcast that I made for the BBC, one of the employers we spoke to who almost, almost hired a North Korean had this great story about another company that they spoke to who actually did hire a North Korean, got a call from the FBI saying, we've been tracing this and you hired a North Korean.

(19:55):
The company apparently came... You've got to sack this person. It's in North Korea. You can't keep hiring this person. And the company went back to the FBI and said, well, he's actually one of our best programmers, so we'd rather not let him go.

Gary Ruddell (20:10):
I feel like I need to ask all of us just to sort of pull on our skin to prove that we're not... wearing masks or deep fakes or anything, yeah. You mentioned the laptop case. I think, was that Kraken, if I'm recalling correctly, Geoff?

Geoff White (20:26):
Correct, yes. Kraken is one of the companies that's been targeted in this way, went out, went public. Also, KnowBe4, a company that a lot of your listeners might know, it's an IT security and security culture awareness company. KnowBe4 actually, for a period of, I think it was a couple of hours, did hire a North Korean, sent the laptop to them and have done a whole bunch...

(20:48):
So if you Google Kraken and KnowBe4, KnowBe4 particularly has been putting out advice to people on how they spotted this person, how you can make sure you don't inadvertently hire a North Korean. But those are just the ones that have got the big headlines. Multiple, multiple companies. I mean, I can't name them yet because I haven't given them the right of reply. But I mean, I've been told recently about three of the world's biggest companies who... didn't just almost, actually hired a North Korean and sent a laptop out to a representative.

(21:13):
So it's big. It's big. It's very big.

Nick Palmer (21:18):
Incredible. Incredible. You know, speaking about the hiring process, I imagine, you know, you're living in North Korea, having such a position within, you know, the organized crime group, conducting hacking, et cetera, is probably a pretty prestigious position. Do you have any insights on, like, if I was living there, how would I go about getting that job?

(21:38):
Or how do the local people do that?

Geoff White (21:41):
It's very interesting. I'm not a North Korean expert. There are loads of people who are. My co-host for the podcast, Lazarus Heist, Jean Lee, is a fountain of information about North Korea. But I've read a lot about it and I've obviously spoken to people who've got expertise in this. North Korean society is almost impossible for us outside it to understand.

(22:03):
I mean, from birth, your lot in life is controlled for you. And interestingly, a lot of that's about how close your family or your ancestors were to Kim Il-sung, the founder of North Korea, or his offspring, including Kim Jong-un, the current leader of North Korea. So from birth, almost, your path is sort of set for you.

(22:25):
This is where you're going to be. This is where you fit in the strata. This is how wealthy you're going to be or not. And there are effectively groups in each territory that control all of this. Everything's very tightly managed. Within the apartment block that you live in, there will be a structure and a hierarchy. There will be somebody who effectively runs that apartment block, who makes sure that you don't get above your station, who makes sure that you don't start trying to research news that you shouldn't be hearing or get an illicit radio.

(22:45):
There's all this control that goes on to it. And one of the things about that is your career really is largely structured for you. What North Korea does from quite early on is it tries to spot who's good at different things and effectively channels and streams those people very, very specifically.

(23:10):
If, for example, you're good at mathematics and you show prowess, it's likely that you'll be streamed into, you know, mathematics classes at school, university, you'll study it. And what they'll be looking out for is those people who have computer ability on top of that. If you have that, you'll be put in special programs, special university, and you'll be streamed if you're good, if you're the best, the best into the computer hacking teams, the Lazarus group and the military units behind that, or the nuclear program, which obviously is also a computer heavy kind of career.

(23:32):
So those are your sort of trajectories if you're into computers and you're quite good at them. And what this means for North Koreans is you can potentially escape the sort of fate that's set for you and escalate your career chances.

(23:53):
One of the defectors we interviewed talked about a thing called songbun, which in North Korean society is effectively your place in society. It's kind of logged. It's actually recorded quite carefully as to who you are, what you will do. If you want to escape your songbun, if you want to improve you and your family's chances, one of the ways is to show prowess in a particular skill.

(24:13):
Sports, for example, is one of them. If you're a particularly talented sports person or a musician, you can actually sort of raise your stock, your standing in society. Computer hacking, again, computer skills is another way of doing that. So there's a real incentive for the North Koreans to do this. What this translates to in real life would be perhaps a larger apartment in Pyongyang, perhaps a refrigerator, maybe even a car.

(24:33):
There are perks available for this. It's also worth pointing out that for the North Koreans, they don't often have an option. The government tells you to do something. Now, you might think, well, why don't you just refuse? If you refuse, the consequences for you and your direct family can be extremely severe.

(24:55):
If you do something really wrong, the consequences could be fatal for your family members. When we talk about these hackers, it's worth noting on the other side that their level, the lower levels, they don't have a huge amount of options to what to do. It's just run for them.

Nick Palmer (25:10):
Fascinating. It takes the requirement to excel to the next level if you want to get out of your current caste or situation. Very interesting. Thank you.

Gary Ruddell (25:18):
When companies and people try to protect themselves from these types of threats, what types of things do you see working?

Geoff White (25:27):
Well, at the high level, obviously, you've got all
of the sort of usual stuff oftrying to, you know, segment
your network so you don't getin, get all the crown jewels,
obviously, multi-factorauthentication and so on.
I mean, a lot of the hacks I'velooked into with North Korea,
social engineering is at theheart of this.
I mean, the Bybit hack that youmentioned, this is a

(25:47):
cryptocurrency exchange calledBybit, the target of an alleged
North Korean hack in which $1.5billion worth of cryptocurrency
was stolen.
An absolutely astonishingamount of money.
I have been on record, and I'llgo on record again, saying it's
the biggest single theft everin terms of one theft, one hit,
and one victim in one go, valuedat the time of the theft.

(26:10):
It's the biggest we've everhad.
At one point, there's just nocompetitor for that.
Now, the way they broke intoBybit was really interesting.
They looked at the company.
They worked out how Bybit'scryptocurrency transactions
worked.
They worked out what softwarethey were using to enable those
transactions within Bybit, itsinternal systems.
They then went after Bitcoin.
the software provider.

(26:31):
So it's not quite true to saythey hacked Bybit.
In the end, they hacked Bybit.
What they started doing washacking a company that made
software called Safe, ironicallyenough, that authorised the
transactions.
That's where the North Koreanswent.
And again, it was socialengineering.
They found one of the softwaredevelopers who worked for that
company that made that Safesoftware.

(26:51):
They managed to trick that employee into downloading a sort of share trading, commodity trading type app onto their phone.
And that gave them access to the phone.
So again, it's not, you know, the tactics aren't massively sort of advanced.
And fundamentally at the heart of that is a social engineering attack.
You know, can I convince this person to do something they shouldn't do?
Download a dodgy app onto their, I think their work phone

(27:14):
in this case.
So it's all that usual sort of stuff you do about, you know, segmenting your network, looking after your business processes, looking at your business the way an attacker would and thinking, we're Bybit, we're sitting on a billion and a half.
If I want to steal that, what would I have to actually do?
Well, I'd have to do this, this and this.
That's the process you go through.
And what's great about that is for business, for an organisation, there's no technology involved in that.

(27:36):
You don't have to understand anything about technology.
You just have to look at your business and go, what do we do?
Where's the money?
If I was going to do damage, how would I do that?
What's our processes?
And how would I get into our processes and screw them up, mess them up so that I could do some damage?
You could do that with a paper and pen.
You don't need a computer to do it.
So that's a good place to start.
In terms of the North Koreans applying for these jobs, these

(27:59):
sort of blagging, if you like, exercises, the infiltration exercises, again, you've got to look at the processes by which you're hiring people, particularly if you're hiring people remotely and you're never going to see these people and you send out a laptop.
You've got to do an extra job of diligence around these employees because it's effectively like letting somebody into your network, into your office building at night.

(28:21):
So I'm not going to see them, but I'll just give them a key.
I'm sure they're fine.
No, you would want to know who that person was.
It's the same with remote IT workers.
If you're hiring anybody who works remotely, who's not going to come into the office, you need to really double down on the diligence.
Warning signs are things like they want the laptop sent out, but not to the address that's on the bank account or not to the

(28:41):
address they used on their application form. You know, they have references, but the references' addresses are Gmail addresses or Outlook addresses. So their reference is somebody, I don't know, at the Bank of England, but you're not emailing them at a bankofengland.com address, you're emailing the reference at a Gmail address. So yes, it's, you know, Jane Smith, who works at the Bank of England, but it's janesmith at gmail.com.

(29:02):
It's like, well, hang on.
Why aren't I emailing this person at their Bank of England address?
Loads of little signs like that.
You just have to have your radar up, particularly if you're hiring somebody remotely, for any signs that their story doesn't quite add up, and just doubling down on that diligence.
And I know that's a faff, but the consequences are, if you hire this person, A, you've just hired a North Korean, you're sanctions dodging.
It's a very serious offence.

(29:23):
And B, they just walked into your network.
They've got access to everything.
It's potentially a huge problem for you.

Gary Ruddell (29:29):
What do you think the future holds for North Korea, Lazarus Group, from a hacking perspective?
Given the trajectory they've been on, the 1.5 billion you talked about earlier, what might we see in the future?
I don't know, you don't have a crystal ball, but in your experience.

Geoff White (29:46):
Yes.
I mean, look, what I hope for for North Korea is what I think all people hope for and should hope for, which is peace, some way of this country not being as militarily focused as it is.
That's obviously a political matter, it's a diplomatic matter.
And the issue with these sanctions, and we need to think about this in terms of the Russian Federation as well, is

(30:08):
if you pull every sanctions lever, if you tighten the screws, the country just learns to survive despite the sanctions.
So there's kind of no more screws we can turn on North Korea.
What else could we do?
You know, do we let this country back into the fold?
Do we offer it, well, OK, we'll lift those sanctions if you do X?
What's the diplomatic path?

(30:29):
There's all of that sort of stuff going on.
In terms of North Korea's cyber activity, this whole infiltration campaign thing is a whole new front.
One of the things I do worry about is, if North Korean hackers have blagged their way into jobs at companies, and they've blagged their way into IT jobs at companies, have they left logic bombs, effectively, in the code, security

(30:51):
vulnerabilities in code that they found access to, that they could then trigger months, years down the line and use to either get back into that organization or steal money from it if it's a crypto organization or a bank, for example.
So we may see this sort of second wave happen.
These infiltration campaigns, they might get spotted, but they might have left some sort of vulnerabilities in there.

(31:12):
Cryptocurrency has been a really interesting journey.
As I say, the North Koreans, despite being a communist country, are now involved in financial engineering at the absolute cutting edge of that industry.
Some of the stuff they deal in, we're talking DeFi, Web3, smart contracts.
This is out-there stuff.
I mean, I just about understand it, but, you know, it takes me

(31:33):
a while.
They are absolutely at the cutting edge of finance, as are a lot of cyber criminals, because the cutting edge of finance is where the regulation is limited and weakest and non-existent in some cases.
So of course, as a criminal, that's where you're going to sort of go to.
So as we see cryptocurrency become more embedded in society, and we've already seen, you know, big organizations getting

(31:55):
into crypto, we've seen the thing called the Bitcoin ETF, the exchange traded funds, you know, you can now invest in Bitcoin in the same way you would invest in normal shares in normal companies in the US, for example.
Cryptocurrency is going to become more and more embedded into society.
There's going to be more and more innovation on top of that.
And I suspect the North Koreans are not going to shy away from

(32:15):
targeting that innovation.
Every new wave, every new thing that comes through, every new innovation that's quite cool and groovy and will help us potentially in the future have a new financial world.
North Koreans and other cyber criminals are going to hop on board with it, hop on top of it and see if they can exploit it first.

Gary Ruddell (32:30):
Like you say, Geoff, this probably isn't going to end anytime soon.
And yes, those concerns around, if we did embrace North Korea as a nation again, and embedding things like logic bombs in systems they get access to, that is a real concern, isn't it?
Nick, from a vendor perspective, from our side of

(32:50):
the game, what do good security practices look like for us?

Nick Palmer (32:56):
Well, as Geoff was speaking, I was thinking to myself how thankful I am about the seriousness that Group-IB takes about our hiring process.
So, Geoff, you might not know about this, but we have a fairly in-depth security practice within Group-IB to screen employees and perform different security checks to ensure that

(33:19):
who we are hiring is very important.
So I think you're exactly right.
You know, looking at, how are they doing it today?
How might they do it in the future is an important question to ask as well.
And then make sure that you have the necessary both security checks in place, device checks in place for access to certain data or

(33:42):
modifications to certain programs for certain levels of employees will be absolutely essential.
I love what Geoff was saying about trying to anticipate where this will go in the future from a pure ingenuity perspective.
When you tighten the screws, like Geoff was saying, as hard as they are against North Korea today, they have to be creative

(34:03):
in the way that the target organizations and we as defenders need to think about what that might look like and make sure we have the practices in place.

Gary Ruddell (34:12):
I'm sure if anything does happen, we'll hear about it from Geoff because we're now buddies with the guy who keeps his eye on Lazarus Group for us.
So yeah, I mean, if you haven't heard the Lazarus Heist podcast, I do recommend that you go check it out.
It's a fantastic podcast.
There's another podcast about the, is it the Pong Su?

(34:33):
It's about a shipping vessel.
That was a fantastic podcast as well.
So there's a few North Korea podcasts that just give you great insight that you would otherwise not get.

Geoff White (34:42):
Really good, the Pong Su podcast.
I really enjoyed it.
We were trying to work out, could we somehow integrate that into, or cover that in, the Lazarus Heist podcast?
But it was two sort of separate, but it is really worth listening to.
It's really well put together as well.
So yes, thumbs up for that.

Gary Ruddell (34:55):
Thanks very much for your time today, Geoff.
Been fantastic talking with you.
And I look forward to seeing what you get up to in the very near future.
I'm sure there's going to be some super interesting things on our airwaves, sadly, because it's a whole different, you know, malicious-based stuff.
It's never good news.
It's always bad news.
But thank you very much.
Thanks for having me.

(35:15):
I appreciate it.
Your data is valuable and it's under attack.
Cyberespionage groups, financially motivated threat actors, ransomware attackers, and other criminal enterprises are on the rise.
Working in secrecy to dismantle security perimeters, they spread like a virus through the web, stoking geopolitical

(35:38):
tensions, holding businesses to ransom, and flooding criminal marketplaces with sensitive information.
These groups thrive in secrecy now more than ever.
Knowing who your adversaries are is critical.
So join us as we ask who's behind the world's most prolific cybercriminal groups.

(35:59):
What are their tactics, their motivations, and their impact?
Who are the world's masked actors?
Masked Actors is an independent podcast from Group-IB, a leading voice in the fight against cybercrime.
The threat landscape evolves quickly, but all information was correct at the time of recording and based on Group-IB's

(36:19):
High-Tech Crime Trends Report 2025.
Join in the conversation online using the hashtag #maskedactors.
And don't forget to subscribe so you don't miss an episode.
Thanks for listening.
See you next time as we uncover more of the world's top masked actors.