North Korean Hackers Used Fake NFT Game to Steal Wallet Credentials: Report
Nov 3, 2024 12:09 PM

Reports have emerged that bad actors allegedly tied to North Korea’s Lazarus Group executed a complex cyberattack that used a fake NFT-based game to exploit a zero-day vulnerability in Google Chrome.

According to the report, the vulnerability ultimately allowed the attackers to access people’s crypto wallets.

Exploiting Chrome’s Zero-Day Flaw

Kaspersky Labs security analysts Boris Larin and Vasily Berdnikov wrote that the perpetrators cloned a blockchain game called DeTankZone and promoted it as a multiplayer online battle arena (MOBA) with play-to-earn (P2E) elements.

Per the experts, they then embedded malicious code within the game’s website, detankzone[.]com, infecting devices that interacted with it, even without any downloads.

The script exploited a critical bug in Chrome’s V8 JavaScript engine, letting it bypass sandbox protections and enabling remote code execution. This vulnerability allowed the suspected North Korean actors to install advanced malware called Manuscrypt, which gave them control over the victims’ systems.

Kaspersky reported the flaw to Google upon discovering it. The tech giant then addressed the issue with a security upgrade days later. However, the hackers had already capitalized on it, suggesting a broader impact on global users and businesses.

What Larin and his security team at Kaspersky found interesting was how the attackers adopted extensive social engineering tactics. They promoted the tainted game on X and LinkedIn by engaging well-known crypto influencers to distribute AI-generated marketing material for it.

The elaborate setup also included professionally done websites and premium LinkedIn accounts, which helped create an illusion of legitimacy that attracted unsuspecting players to the game.

Lazarus Group’s Crypto Pursuits

Surprisingly, the NFT game wasn’t just a shell; it was fully functional, with gameplay elements such as logos, heads-up displays, and 3D models.

However, anyone visiting the P2E title’s malware-ridden website had their sensitive information, including wallet credentials, harvested, enabling Lazarus to execute large-scale crypto thefts.

The group has demonstrated a sustained interest in cryptocurrency over the years. In April, on-chain investigator ZachXBT connected them to more than 25 crypto hacks between 2020 and 2023, which bagged them more than $200 million.

Additionally, the U.S. Treasury Department has linked Lazarus to 2022’s infamous Ronin Bridge hack, in which they reportedly stole over $600 million in ether (ETH) and USD Coin (USDC).

Data collected by 21Shares’ parent company 21.co in September 2023 revealed that the criminal group held more than $47 million in assorted cryptocurrencies, including Bitcoin (BTC), Binance Coin (BNB), Avalanche (AVAX), and Polygon (MATIC).

In total, they are said to have stolen digital assets worth more than $3 billion between 2017 and 2023.

Copyright 2023-2025 - www.financetom.com All Rights Reserved