Cosmos ecosystem rocked by North Korean developer allegations

As a seasoned researcher with over two decades of experience in cybersecurity and blockchain technology, I find myself intrigued by the recent allegations against the Cosmos ecosystem. The prospect of North Korean agents potentially being involved in its development is certainly not something we encounter every day.


An ongoing examination conducted on the blockchain network suggests that certain elements within the Cosmos system might have originated from North Korean developers. This could potentially lead to scrutiny from the FBI in the year 2023.

Part of Cosmos’ Liquid Staking Module (LSM) may have originated from North Korean programmers, according to Jacob Gadikian, a contributor to the Cosmos ecosystem, who disclosed this possibility in a post on October 16.

“It isn’t about their geography or ethnicity. The people who built the LSM are the world’s most skilled and prolific crypto thieves.”

Concerns were raised among investors following the disclosure, as there was apprehension that some of these developers might be linked to the notorious Lazarus Group, a cybercrime organization with suspected ties to the North Korean government. This group is known for being involved in significant cryptocurrency heists, such as the $600 million theft from the Ronin bridge.

As a researcher, I recently became aware, through an Oct. 18 post by Ethan Buchman, co-founder of Cosmos, that the North Korean involvement in the development of the LSM had previously been overlooked.

“Props to the teams coming together to line up these audits quickly. We’re also looking at ways to remove dependence on LSM completely. None of us were aware of the North Korean work on LSM, but working together to deal with it.”

It’s possible that malicious North Korean entities might be associated with the Cosmos LSM code. This could potentially conceal weaknesses or secret entry points within the code itself, similar to having a hidden back door in the ecosystem, as suggested by Melody Chan, the research lead at Redecentralise, an organization promoting the responsible growth of decentralized finance (DeFi).

The research lead told CryptoMoon:

“The big fear is that these developers might add vulnerabilities, like backdoors or ways to hack the system. With the current issues in the LSM and the FBI’s warnings, it’s clear that thorough code audits are urgently needed.”

Lazarus Group, one of the world’s most infamous cybercriminal organizations, made its debut in 2009. Over a period of approximately six years before 2023, they managed to swipe over $3 billion worth of cryptocurrency assets from various victims.

Cosmos LSM’s fate could be decided by incoming security audits

Although the undisclosed link to North Korea raises some worries, it doesn’t automatically mean that the software creators were part of the Lazarus Group from North Korea, suggests Anndy Lian, a writer and international blockchain specialist.

Based on the present data, the links to the Lazarus Group remain unproven claims, Lian told CryptoMoon.

“Should developers with connections to North Korea—especially those linked to military or state operations known for cyberattacks and cryptocurrency theft—be implicated, there is a potential risk of hidden vulnerabilities or backdoors in the code.”

Two separate evaluations, one led by OtterSec and Binary Builders, starting the following week, and another led by Zellic, commencing around mid-November, will be performed concurrently. These audits aim to identify and address any potential weaknesses, as announced by Informal Systems, a significant contributor to the core Cosmos project.

Core Cosmos contributors suggest phased removal of Cosmos LSM

Based on recent reports, Informal Systems has proposed a gradual elimination of the Cosmos LSM, to be subsequently replaced with a novel framework.

In my analysis, I find that the recently proposed framework holds potential advantages for validators, voters, and the overall management of Cosmos governance. This was expressed in a blog post dated October 22nd by a contributing member of the Cosmos community.

“After a community vote to remove the LSM, there would be a 1-2 month grace period for LSM shareholders to un-tokenize and convert their shares to native delegations. The Cosmos Hub will then need to upgrade to remove the LSM, invalidating remaining tokenized shares and automatically converting them back to native delegations.”

In simpler terms, the proposed framework allows users to choose a single validator for block production, while they can distribute their voting rights for governance among various parties.

CryptoMoon has approached Cosmos for comment.

2024-10-23 14:20