In July 2020, Sansec published an article
The Group-IB Threat Intelligence team looked deeper into these campaigns and identified another campaign involving the same infrastructure. The threat actor went back to the old habit of stealing crypto using a never-before-seen tool.
Lazarus attacked online stores that accept cryptocurrency payments using crypto skimmers: JS-sniffers modified for the purpose of stealing cryptocurrency. Some of the victims identified by Sansec in fact did not fall prey to the clientToken= campaign, but to a different, previously undocumented Lazarus campaign, codenamed BTC Changer by Group-IB researchers. Group-IB's TI&A team identified the BTC addresses used by Lazarus and analyzed the transactions. Group-IB found additional evidence of Lazarus involvement in the campaigns.
Group-IB researchers analyzed the newly discovered attacks, described the links with the clientToken= campaign, analyzed the transactions associated with the wallets controlled by the gang, and estimated Lazarus' profits from the use of crypto-stealing JS-sniffers at 0.89993859 BTC ($8,446.55 at the moment of the transaction and $52,611 as of April 9, 2021) and 4.384719 ETH ($9,047 as of April 9, 2021).