North Korean Hackers Behind Magecart Attacks

North Korean hackers appear to have been breaking into US e-commerce stores since May 2019 and planting digital skimming code to make money for the hermit nation.

Researchers at Sansec claimed today that the notorious Lazarus (Hidden Cobra) group was behind attacks on at least several dozen stores, including a recent high-profile raid on US accessories retailer Claire’s.

It’s unclear how the attackers gained access to the victims’ back-end systems, although spear-phishing against retail staff is a distinct possibility.

“To monetize the skimming operations, Hidden Cobra developed a global exfiltration network. This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity,” Sansec continued.

“The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey.”

The researchers linked various elements of the attacks to previous North Korean activity, including domains such as, and where malware and skimmers have been launched from.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” argued Sansec.

“First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors.”

The revelations over Pyongyang-sponsored Magecart attacks mean the despotic regime is using yet another tactic to fill its government coffers.

Previously, groups like Lazarus have been associated mainly with attacks on banks and cryptocurrency exchanges.

A UN report from last year claimed the Kim Jong-un regime had managed to generate $2bn from such attacks.

What’s Hot on Infosecurity Magazine?