July 24th - Security incident post-mortem
Summary
On July 24, 2025, WOO X experienced a sophisticated security incident that resulted in $14 million in unauthorized withdrawals from 9 user accounts. There is evidence that this attack was perpetrated by UNC4899, a North Korean state-sponsored cyber espionage group aligned with the Reconnaissance General Bureau and known publicly as Lazarus Group, TraderTraitor, and Jade Sleet.
The attack began with social engineering that targeted our development team through what appeared to be a legitimate open-source collaboration request. A team member was approached on an open-source software forum and asked to help debug a development tool. After a brief discussion, the developer downloaded the tool's file on a mobile device and then opened it on their company-issued MacBook. Before it was opened, the file was scanned for malware, and the scan came back clean. Once run, the program downloaded a hidden backdoor disguised as a common backend process. This allowed the exploiter to maintain …
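The backdoor described above survived because it looked like an ordinary backend process. A defender-side check that a blue team can run over an endpoint process inventory is to compare any process carrying a well-known service name against where that service's genuine binary is expected to live, who launched it, and whether it is code-signed. The following is an added example, not code from WOO X or from the post-mortem; the process records, the service-name-to-install-prefix table and the allowed parent names are constructed assumptions for illustration and would be replaced by the organisation's own baseline.

```python
"""Hunt for processes masquerading as common backend services.

Added example, not part of the WOO X post-mortem. It assumes a process
inventory has already been collected (constructed inline below) with the
fields pid, name, executable path, parent process name and code-signing
status. Service names, install prefixes and parent names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str
    exe: str
    parent: str
    signed: bool


# Assumed baseline: backend service names worth watching, mapped to the
# directory prefixes from which the genuine binary is expected to run.
EXPECTED_PREFIXES = {
    "redis-server": ("/opt/homebrew/bin/", "/usr/local/bin/"),
    "nginx": ("/opt/homebrew/bin/", "/usr/local/bin/", "/usr/sbin/"),
    "postgres": ("/opt/homebrew/bin/", "/Library/PostgreSQL/"),
    "node": ("/opt/homebrew/bin/", "/usr/local/bin/"),
}

# Assumed baseline: parents that legitimately start daemons on a developer Mac.
EXPECTED_PARENTS = {"launchd", "zsh", "bash", "docker", "brew"}


def suspicious_reasons(proc: ProcessRecord) -> list[str]:
    """Return the list of baseline deviations for one process (empty = clean)."""
    reasons: list[str] = []
    prefixes = EXPECTED_PREFIXES.get(proc.name)
    if prefixes is None:
        return reasons  # not imitating a watched service name; out of scope
    if not proc.exe.startswith(prefixes):
        reasons.append(f"exe path {proc.exe!r} is outside the expected install prefixes")
    if not proc.signed:
        reasons.append("binary is not code-signed")
    if proc.parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {proc.parent!r}")
    if any(part.startswith(".") for part in proc.exe.split("/") if part):
        reasons.append("exe lives in a hidden (dot-prefixed) directory")
    return reasons


def hunt(records: list[ProcessRecord]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that deviates from the baseline."""
    return {p.pid: r for p in records if (r := suspicious_reasons(p))}


# Constructed sample inventory: three genuine daemons, one impostor, one unrelated app.
SAMPLE_INVENTORY = [
    ProcessRecord(101, "redis-server", "/opt/homebrew/bin/redis-server", "launchd", True),
    ProcessRecord(202, "nginx", "/Users/dev/Library/Caches/.cache/nginx", "DebugTool", False),
    ProcessRecord(303, "postgres", "/Library/PostgreSQL/16/bin/postgres", "launchd", True),
    ProcessRecord(404, "node", "/usr/local/bin/node", "zsh", True),
    ProcessRecord(505, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari", "launchd", True),
]


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_INVENTORY).items():
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On the constructed inventory only pid 202 is flagged, for all four reasons: it runs from a hidden cache directory under the user's home, is unsigned, and was spawned by the downloaded tool rather than by launchd or a shell. Each reason alone is weak evidence; the value of the check is that a genuine backend daemon rarely trips more than one of them, so an alert threshold of two or more keeps noise low while still catching a process that merely borrowed a familiar name.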