Crypto Exchange Heist by Lazarus Group (DPRK)
In the shadows of cyberspace, not every heist happens in a vault. Some unfold in lines of code and misconfigured cloud policies.
In this scenario, you join Secure-Corp's elite Red Team to replicate one of the most high-stakes cloud breaches of 2025: a simulation inspired by the notorious Lazarus Group (APT38) and its infiltration of crypto infrastructure, aimed at siphoning millions in digital currency.
Background
Drawing on the actual strategies employed by the state-sponsored North Korean threat actor APT38 (Lazarus Group), this lab replicates a sophisticated cloud exploitation chain in which every action is motivated by financial gain.
In February 2025, a breach involving Bybit's cloud resources enabled threat actors to manipulate website code used in crypto transactions, diverting funds to attacker-controlled wallets by exploiting IAM misconfigurations and S3 buckets.
Attackers allegedly injected malicious logic into the transaction processing layer of the platform's backend, causing crypto transfers to appear legitimate while redirecting funds to attacker-controlled wallets.
Threat Actor Profile: APT38 / Lazarus Group (DPRK)
The North Korean state-sponsored cybercrime group APT38, also known as Lazarus Group, is connected to extensive financial theft schemes intended to support the regime. With a track record of damaging attacks, including intrusions into cryptocurrency exchanges and the SWIFT banking breaches, APT38 combines financial motivation, espionage, and cyberwarfare into a lethal toolkit.
Their attacks are known for:
The Bybit 2025 breach, allegedly attributed to similar tactics, is one of the latest examples of how these actors pivot from cloud to code in order to drain digital assets.
Objectives:
Your mission: Divert crypto assets into an attacker-controlled wallet by:
Attack Chain Breakdown
Step 1: Perform Social Engineering to Get Initial Foothold
The operation kicks off with a targeted social engineering campaign against the Crypto_Developer. As a threat actor, you have several techniques at your disposal to gain initial access, such as:
Once the Crypto_Developer interacts with the malicious component, their temporary AWS credentials are silently exfiltrated to your command-and-control (C2) channel.
These credentials are your golden ticket into the cloud environment.
Step 2: Configuring Temporary AWS Credentials
Export the credentials to your environment: configure them and verify that access works.
Step 3: Enumerate Cloud Resources
Survey the cloud attack surface and gather as much information as possible for use in the later stages of the attack.
Step 4: Modifying Code to Redirect Funds
With access to the website source, locate the transaction logic:
Step 5: Misconfiguring Crypto Transaction
Here the live transaction process is triggered and, thanks to the code modification, funds are redirected to the attacker's wallet.
Each time a transaction is started, the sender believes they are sending cryptocurrency to the correct recipient. Behind the scenes, the attacker's code silently hijacks the process and reroutes the funds straight into the attacker's own wallet, leaving the sender none the wiser. It is a silent heist, masked in plain sight.
Mission Accomplished! The crypto is transferred and received by the attacker.
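From the defender's side, the chain above leaves a footprint in CloudTrail: stolen temporary credentials used from outside the organization, a burst of enumeration calls, then a write to the website's transaction JavaScript in S3. The detection below is an added example and not part of the lab; the bucket name, trusted IP range, access key IDs and the simplified CloudTrail-like records are all constructed.

```python
# Added example, not part of the lab: flag CloudTrail events in which temporary
# credentials (access key IDs starting with "ASIA") write JavaScript objects to
# the website bucket from an untrusted address. Bucket name, trusted IP prefix
# and the sample events are constructed for illustration.
from collections import defaultdict

WEBSITE_BUCKET = "example-crypto-web"     # constructed bucket name
TRUSTED_IP_PREFIXES = ("10.0.",)          # constructed deploy-pipeline range
ENUM_CALLS = {"GetCallerIdentity", "ListBuckets", "ListObjectsV2", "GetBucketPolicy"}

def is_temporary_key(access_key_id):
    # STS temporary credentials have access key IDs that begin with ASIA
    return access_key_id.startswith("ASIA")

def is_untrusted(ip):
    return not ip.startswith(TRUSTED_IP_PREFIXES)

def find_code_tampering(events):
    """One alert per PutObject of a .js file into the website bucket made with a
    temporary key from an untrusted IP, plus that key's earlier enumeration calls."""
    seen_enum = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key_id = ev["accessKeyId"]
        if ev["eventName"] in ENUM_CALLS:
            seen_enum[key_id].append(ev["eventName"])
            continue
        params = ev["requestParameters"]
        if (ev["eventName"] != "PutObject" or params["bucketName"] != WEBSITE_BUCKET
                or not params["key"].endswith(".js")):
            continue
        if is_temporary_key(key_id) and is_untrusted(ev["sourceIPAddress"]):
            alerts.append({"time": ev["eventTime"], "accessKeyId": key_id,
                           "sourceIP": ev["sourceIPAddress"], "object": params["key"],
                           "priorEnumeration": list(seen_enum[key_id])})
    return alerts

def _ev(time, name, key_id, ip, bucket=None, obj=None):
    return {"eventTime": time, "eventName": name, "accessKeyId": key_id,
            "sourceIPAddress": ip, "requestParameters": {"bucketName": bucket, "key": obj}}

SAMPLE_EVENTS = [  # constructed, in the order the attack chain above would produce
    _ev("2025-02-21T10:00:05Z", "GetCallerIdentity", "ASIAEXAMPLESTOLEN", "203.0.113.7"),
    _ev("2025-02-21T10:00:40Z", "ListBuckets", "ASIAEXAMPLESTOLEN", "203.0.113.7"),
    _ev("2025-02-21T10:02:11Z", "PutObject", "ASIAEXAMPLESTOLEN", "203.0.113.7",
        WEBSITE_BUCKET, "js/transaction.js"),
    _ev("2025-02-21T11:00:00Z", "PutObject", "AKIAEXAMPLEPIPELINE", "10.0.4.20",
        WEBSITE_BUCKET, "js/app.js"),  # legitimate deploy: long-lived key, trusted IP
]
```

Running `find_code_tampering(SAMPLE_EVENTS)` returns a single alert for `js/transaction.js` with the two enumeration calls recorded beforehand, while the pipeline's own deploy is left alone.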
Learning Outcome:
You’ve just simulated a real-world crypto heist based on Lazarus Group’s APT tactics:
Play This Attack on Infinity Platform
This scenario is part of the Infinity APT Lab Series, where you get to recreate nation-state attacks in controlled environments.
[Access Lab Here]
Experience the attack firsthand in a guided simulation on the Infinity Platform.