Cybersecurity specialists say that cybercriminals associated with the notorious North Korean Lazarus Group, also known as Guardians of Peace, Whois Team, or Hidden Cobra, used web skimming to steal Bitcoin in a previously undocumented operation that began last year.

Web skimming is a form of internet or carding fraud in which a payment page on a website is compromised: malware is injected into the page, via a compromised third-party script service, in order to steal payment information.

In other words, hackers break into online stores and steal customers’ card information when they visit the checkout page.

The attacks, known as web skimming or “Magecart attacks”, started two years ago, affected customers of at least three online shops, and relied on the infrastructure used for web skimming operations.

Bitcoin-friendly Shops Targeted

These attacks were first reported by Dutch cyber-security organization Sansec. They stated that digital skimming methods have been growing since 2015, and although they were commonly used by Russian- and Indonesian-speaking cybercriminal groups, government-sponsored North Korean hackers are now intercepting credit card information from online stores.

The malicious JavaScript code (also referred to as a JS-sniffer or web skimmer) used in the attacks collected the payment card information that customers entered on the checkout page.

One of the operations, tracked as “clientToken=” due to a string hidden in the code, began two years ago, in May. The campaign ID and the JS-sniffer used in the attacks led to Lazarus activity aimed at stealing Bitcoin.

Online stores that accepted Bitcoin as payment were also affected by Lazarus Group in the past year, according to specialists at the cybersecurity company Group-IB, who began an investigation following Sansec’s findings.

The threat actors modified the malicious JavaScript from the “clientToken=” campaign so that it replaces the shop’s Bitcoin address with one they control. This way, online buyers’ money would end up in the hackers’ pockets.

Lazarus BTC Changer source code snippet


According to Group-IB researchers, the malicious script, dubbed Lazarus BTC Changer, had the same function names as the skimmer used in the “clientToken=” campaign.

The research showed that the hackers began using the modified script last year, in February, and used the same infrastructure that had supported the previous web skimming campaigns. One such website was luxmodelagency[.]com.

The researchers stated that Lazarus BTC Changer had previously also been present on the site of a third victim, an Italian luxury clothes store, but by the time of the investigation the script had been removed from the site.

Group-IB said:

Like all traditional JS-sniffers, Lazarus BTC Changer detects when users are on the checkout page of an infected website, but instead of collecting bank card details, it replaces the BTC or ETH address owned by the shop with an address used by the hackers.

The method changed last year, in March, when the hackers included a fake payment form in the script that opened in an iframe element on the page, meaning that the shop’s BTC wallet no longer had to be replaced and the customer would send the Bitcoin straight to the hacker’s address.

Lazarus BTC Changer fake pay form
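
A defensive check for the two techniques described above (wallet-address replacement and the injected iframe payment form), added here as an example; it is not code from Group-IB, Sansec or the skimmer itself. The function name `auditCheckout`, the policy object, the `example.test` hosts and the merchant wallet are assumptions made for illustration.

```javascript
// Added example: audit a rendered checkout page (e.g. document.documentElement.outerHTML
// captured by a headless browser) for wallets and iframes the merchant did not place.
// Pattern-only matching, no checksum validation, so hits need manual review.
const WALLET_PATTERNS = {
  BTC: /\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b/g,
  ETH: /\b0x[0-9a-fA-F]{40}\b/g,
};
// ETH addresses are case-insensitive hex; base58 BTC addresses are case-sensitive.
const norm = (a) => (a.startsWith("0x") ? a.toLowerCase() : a);
// Addresses this article lists as extracted from Lazarus BTC Changer samples.
const REPORTED = new Set([
  "1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt",
  "1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he",
  "1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta",
  "0x460ab1c34e4388704c5e56e18D904Ed117D077CC",
].map(norm));

function auditCheckout(html, pageUrl, policy) {
  const findings = [];
  const own = new Set(policy.wallets.map(norm));
  for (const [coin, re] of Object.entries(WALLET_PATTERNS)) {
    for (const [addr] of html.matchAll(re)) {
      if (own.has(norm(addr))) continue; // the shop's own wallet
      const type = REPORTED.has(norm(addr)) ? "reported-wallet" : "unknown-wallet";
      findings.push({ type, coin, value: addr });
    }
  }
  // The fake payment form is loaded in an iframe: flag every unexpected origin.
  const frames = html.matchAll(/<iframe\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi);
  for (const [, src] of frames) {
    let origin;
    try { origin = new URL(src, pageUrl).origin; } catch { origin = "invalid:" + src; }
    if (!policy.frameOrigins.includes(origin)) {
      findings.push({ type: "unexpected-iframe", value: origin });
    }
  }
  return findings;
}

// Constructed sample: tampered checkout DOM; the merchant wallet is made up.
const MERCHANT = "1MerchantShopWa11et" + "A".repeat(12);
const SAMPLE_HTML = `
<div id="pay">Send BTC to <code>1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt</code></div>
<div id="eth">or ETH to 0x460ab1c34e4388704c5e56e18D904Ed117D077CC</div>
<iframe src="https://pay.cdn-example.test/form.html"></iframe>
<iframe src="/static/terms.html"></iframe>
<span class="footer">${MERCHANT}</span>`;
const POLICY = { wallets: [MERCHANT], frameOrigins: ["https://shop.example.test"] };
console.log(auditCheckout(SAMPLE_HTML, "https://shop.example.test/checkout", POLICY));
```

Run it against the rendered DOM rather than the static HTML source, since the skimmer changes the page from script at checkout time.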


When Group-IB specialists examined the code again, they discovered another hint pointing to a Korean actor: the Korean text for Greenwich Mean Time in a comment created by SingleFile when the web page was saved, suggesting the use of a system with a Korean locale.

Apparently, the hackers did not make much money even though the operation started a year ago. Still, a set of four Bitcoin addresses extracted from the malicious script shows some financial gain.

  • 1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt
  • 1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he
  • 1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta
  • 0x460ab1c34e4388704c5e56e18D904Ed117D077CC

Nevertheless, throughout the Lazarus BTC Changer operation, only the first two cryptocurrency wallets were active; the third one had only one transaction, from January. The researchers tracked all outgoing transactions from the BTC addresses found in Lazarus BTC Changer samples and discovered that they all went to a single address.

Previous activity linked to the threat actors’ addresses shows that they used the payment service provider CoinPayments, which integrates with online stores and payment gateways for Bitcoin support.

The good news is that the company’s Know Your Customer (KYC) policy could help determine who organized the attacks, because CoinPayments was used to move money to other Bitcoin addresses.

The bad news is that threat actors have ways to hide their personal information despite KYC guidelines.

The researchers concluded that the web skimming method was only a test run for a new set of tools and strategies that could be used in bigger attacks in the future.
