North Korean hackers are pretending to be crypto VCs in new phishing scheme: Kaspersky

Published at: Dec. 27, 2022

BlueNoroff, part of the North Korean state-sponsored Lazarus Group, has renewed its targeting of venture capital firms, crypto startups and banks. Cybersecurity lab Kaspersky reported that the group has shown a spike in activity after a lull for most of the year, and that it is testing new delivery methods for its malware.

BlueNoroff has created more than 70 fake domains that mimic venture capital firms and banks. Most of the fakes presented themselves as well-known Japanese companies, but some also assumed the identity of United States and Vietnamese companies.

“BlueNoroff introduces new methods bypassing MoTW” https://t.co/C6q0l1mWqo

— Pentesting News (@PentestingN) December 27, 2022

The group has been experimenting with new file types and other malware delivery methods, according to the report. Once in place, its malware evades the Windows Mark-of-the-Web (MoTW) security warnings that normally accompany downloaded content and then goes on to “intercept large cryptocurrency transfers, changing the recipient's address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.”
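Mark-of-the-Web is the marker Windows writes into an NTFS alternate data stream named `Zone.Identifier` when a file arrives from the internet; a `ZoneId` of 3 (Internet) or 4 (Restricted) is what makes SmartScreen and Office Protected View raise the warnings the article says this delivery chain sidesteps. The following script is an added example, not code from Kaspersky or from the article: it parses the INI-style contents of that stream and reports which downloaded artifacts carry no marker at all, which is the condition a defender reviewing a suspicious download should notice. The sample stream contents and file names are constructed; the `read_zone_identifier` helper, which reads the real stream on a Windows host, is assumed to be run on NTFS.

```python
"""Audit downloaded files for a Windows Mark-of-the-Web (MoTW) marker.

Added example (not from the Kaspersky report or the article). Windows
records a download's origin in the NTFS alternate data stream
"<file>:Zone.Identifier", whose contents look like:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://...
    HostUrl=https://...

ZoneId 3 (Internet) or 4 (Restricted) is what triggers the SmartScreen and
Office Protected View prompts. A file with no stream at all produces no
prompt, which is the state a MoTW-bypassing delivery chain aims for.
"""

import configparser
from dataclasses import dataclass
from typing import Dict, Optional

# URLZONE values as Windows stores them in the stream.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

VERDICT_MISSING = "missing"      # no Zone.Identifier stream: no warnings fire
VERDICT_UNTRUSTED = "untrusted"  # zone 3/4: warnings apply as designed
VERDICT_TRUSTED = "trusted"      # zone 0-2: treated as local/intranet


@dataclass
class MotwRecord:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def is_untrusted_origin(self) -> bool:
        return self.zone_id in (3, 4)


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[MotwRecord]:
    """Parse Zone.Identifier text. Returns None when the stream is absent or
    malformed, i.e. when Windows has nothing to base a warning on."""
    if stream_text is None:
        return None
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]  # option names are case-insensitive here
    raw_zone = sec.get("ZoneId")
    try:
        zone_id: Optional[int] = int(raw_zone) if raw_zone is not None else None
    except ValueError:
        zone_id = None
    return MotwRecord(zone_id=zone_id,
                      referrer_url=sec.get("ReferrerUrl"),
                      host_url=sec.get("HostUrl"))


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the real stream from an NTFS file (assumed: run on Windows).
    Any failure to open it is reported as 'no marker' for audit purposes."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as handle:
            return handle.read()
    except OSError:
        return None


def audit_downloads(files: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each file name to a verdict based on its stream contents."""
    verdicts = {}
    for name, stream in files.items():
        rec = parse_zone_identifier(stream)
        if rec is None:
            verdicts[name] = VERDICT_MISSING
        elif rec.is_untrusted_origin:
            verdicts[name] = VERDICT_UNTRUSTED
        else:
            verdicts[name] = VERDICT_TRUSTED
    return verdicts


# Constructed sample: three "downloads" and the stream each one carries.
SAMPLE_DOWNLOADS: Dict[str, Optional[str]] = {
    "invoice.docx": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                     "ReferrerUrl=https://example.invalid/\r\n"
                     "HostUrl=https://example.invalid/invoice.docx\r\n"),
    "term-sheet.pdf": None,                          # no marker at all
    "tool.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",   # intranet origin
}

if __name__ == "__main__":
    for name, verdict in audit_downloads(SAMPLE_DOWNLOADS).items():
        print(f"{name}: {verdict}")
```

In a real triage the dictionary would be built by calling `read_zone_identifier` on each file in a user's Downloads folder; a file that reached the machine from the internet but shows `missing` deserves a closer look at how it was delivered.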


According to Kaspersky, the threat from such actors is worsening. Researcher Seongsu Park said in a statement:

“The coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before. […] On the threshold of new malicious campaigns, businesses must be more secure than ever.”

The BlueNoroff subgroup of Lazarus was first identified after it attacked the Bangladeshi central bank in 2016. It was among a group of North Korean cyber threats the U.S. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation mentioned in an alert issued in April.

North Korean threat actors associated with the Lazarus Group have been spotted attempting to steal nonfungible tokens in recent weeks as well. The group was responsible for the $600-million Ronin Bridge exploit in March.
