Fresh off its audacious $1.5B crypto heist from Bybit, the Lazarus Group has been caught setting its sights on a new target: IOHK, the blockchain engineering company based in Hong Kong. Since 2017, the Lazarus Group has siphoned more than $6 billion worth of crypto from exchanges and companies.

The Lazarus Group: Kim’s Cyber Army

Lazarus is Pyongyang’s infamous elite hacking group, working closely with the Reconnaissance General Bureau (RGB), the country’s intelligence agency. The FBI pinned the 2014 Sony Pictures attack on Lazarus Group operative Jin Hyok, while the DOJ charged Chang Hyok and Kim Il in 2021 for fake crypto schemes, distributing malware, and financial theft.

Why We’re Calling It Lazarus

The Lazarus Group’s fingerprints are all over the newly registered domain “assessiohq[.]com”, registered using kathryndavies384@gmail[.]com on 26 February.

Here is why we attributed it to them:

  • IP Overlap: The domain’s IP address 91[.]222[.]173[.]30 previously hosted bybit-assessment[.]com, the phishing hub for the Bybit heist. The same IP was also connected with other hacks on crypto exchanges such as Phemex, BingX and Poloniex.
  • The IP address also has links to Metasploit, a tool commonly used by the Lazarus Group.
  • Both assessiohq[.]com and bybit-assessment[.]com were registered through the same domain registrar, UKRNAMES (Center of Ukrainian Internet Names), which was also used for a January 2025 fake job campaign linked to the Lazarus Group.
  • The use of the word “Assess” is notable, as Lazarus frequently uses this term in its phishing domains.
  • The IP is also connected to cryptocurrency mixers such as chipmixer[.]live and solanatumbler[.]com, which were flagged by the US DOT for money laundering.
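As an added example (not part of the original post), here is a small Python triage script that applies the same pivots analysts use for attribution: it refangs indicators and flags a newly seen domain when it shares a hosting IP, registrar, or naming pattern with known infrastructure. The records are constructed from the indicators listed above plus one benign placeholder; the function names and the match threshold are my own assumptions.

```python
import re

# Constructed known-infrastructure set, built from the overlaps listed in the post (not a live feed).
KNOWN_BAD = {
    "ips": {"91.222.173.30"},
    "registrars": {"UKRNAMES"},
    "keywords": {"assess"},
}

# Constructed sample WHOIS/hosting records: the domain from the post and one benign placeholder
# (203.0.113.7 is a documentation address, chosen so the example runs offline).
NEW_DOMAINS = [
    {"domain": "assessiohq[.]com", "ip": "91[.]222[.]173[.]30",
     "registrar": "UKRNAMES (Center of Ukrainian Internet Names)",
     "registrant_email": "kathryndavies384@gmail[.]com"},
    {"domain": "example-payroll[.]net", "ip": "203[.]0[.]113[.]7",
     "registrar": "ExampleRegistrar", "registrant_email": "admin@example[.]net"},
]


def refang(indicator):
    """Turn a defanged indicator ("[.]", "hxxp") back into a comparable, lower-cased form."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http").lower()


def pivot_matches(record, known):
    """Return the attribution reasons a record shares with known infrastructure."""
    reasons = []
    domain, ip = refang(record["domain"]), refang(record["ip"])
    if ip in known["ips"]:                      # same hosting IP as earlier phishing hubs
        reasons.append("ip_overlap:" + ip)
    registrar = record["registrar"].split()[0].upper()
    if registrar in known["registrars"]:        # same registrar as the earlier campaigns
        reasons.append("registrar_overlap:" + registrar)
    label = domain.split(".")[0]
    for kw in known["keywords"]:                # naming pattern seen in prior lure domains
        if kw in label:
            reasons.append("keyword:" + kw)
    return reasons


def triage(records, known=KNOWN_BAD, threshold=2):
    """Map refanged domain -> reasons, for records with at least `threshold` overlaps."""
    flagged = {}
    for rec in records:
        reasons = pivot_matches(rec, known)
        if len(reasons) >= threshold:
            flagged[refang(rec["domain"])] = reasons
    return flagged
```

A single overlap (for example a shared registrar) is weak evidence on its own, which is why the threshold requires several independent pivots before a domain is escalated.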

Extras

In an unexpected twist, the Lazarus Group’s activities may have triggered a cyberattack from another group, which altered the North Korean WHOIS record of the country’s only ISP, Star JV Co., Ltd., to display a troll face in ASCII art. https://whois.ipip.net/AS131279

The Bottom Line

North Korea has successfully turned crypto heists into a geopolitical weapon to harass Western countries. Their next attack could hit any exchange, protocol, or wallet naive enough to drop its guard like Bybit; the question is when and how hard the next strike will be.

Follow Cybersecurity88 on X and LinkedIn for the latest cybersecurity news.