Researchers working for the security firm Sansec released a report documenting previously undisclosed evidence that the Advanced Persistent Threat (APT) group known as Lazarus, which is believed to be backed by the government of North Korea, has engaged in the digital theft of credit and debit card account details from online merchants since at least May 2019. Previous reports of threat activity attributed to the group include theft of cryptocurrency, theft of money from banks, and other actions that are more often associated with cyber-criminal groups than with nation-state espionage. Because North Korea operates under international sanctions, it is not surprising that the government continues to resort to theft and the sale of stolen goods as a source of income.

The attacks against online merchants detailed in Sansec's report follow the typical pattern of Magecart attacks: malicious JavaScript is injected into websites to collect the credit card or debit card details entered by clients during the checkout process, and the stolen information is sent to other compromised servers under the control of the threat actors. From there, the card records are organized into batches and sold on underground markets known as "carding shops", where other criminals purchase the card details in bulk and use them to make fraudulent purchases. The researchers were able to link the activity to the Lazarus group because the domain names and other infrastructure used to steal card details overlap with those seen in other attacks attributed to the group.