North Korean threat actors continue to target cryptocurrency businesses

BlueNoroff, a North Korean professional cybercriminal organization with links to the infamous Lazarus group, is attacking small and mid-sized cryptocurrency businesses in a campaign called “SnatchCrypto,” according to a new report from Kaspersky, a cybersecurity firm. According to the detailed report, state sponsored BlueNoroff was first identified by Kaspersky “while investigating the notorious attack on Bangladesh’s Central Bank back in 2016.” According to Kaspersky, “The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure.” The group has more recently turned its attention from hitting banks to crypto startups. “These attackers even took the long route of building fake cryptocurrency software development companies in order to trick their victims into installing legitimate-looking applications that eventually receive backdoored updates.” The attacks are sophisticated, well planned, and rely on targeted social engineering. The Kaspersky report discusses a number of attacks on crypto businesses and the op sec used.

Reports indicate that BlueNoroff operators are stalking and studying successful cryptocurrency startups to carry out these attacks. The goal of the attacker's infiltration team is to build a map of interactions between individuals and understand possible topics of interest of the victim. This allows attackers to mount high-quality social engineering attacks that look like totally normal interactions to the victim. A document sent from one colleague to another on a topic which was already being discussed is unlikely to trigger any suspicion. BlueNoroff compromises companies through this precise identification of the necessary people and the topics they are discussing at a given time.

North Korea has long been engaged in cyberattacks on cryptocurrency businesses. In fact, they have built several professional teams — known collectively to outside observers as the Lazarus Group — to engage in this activity. North Korea is, in most respects, cut off from the global financial system by a long sanctions campaign by the U.S. and foreign partners. As a result they have taken to the digital battlefield to steal crypto in essentially bank robbery at the speed of the internet to fund weapons programs, nuclear proliferation and other destabilizing activities. The economic incentives are powerful; hundreds of millions of dollars in pure profit represent an enormous share of overall North Korean hard currency earnings, especially in its post-COVID period of heightened trade isolation.

In February of last year, the United States Department of Justice unsealed an indictment against North Korean hackers that, line by line, laid out a highly targeted, sophisticated plan to use social engineering, ICO scams, and other methods to breach cyber security systems, infiltrate cryptocurrency businesses and steal funds at unprecedented speed and scale. TRM provided analysis here.

How Does North Korea do it?

As detailed in some recent reports, North Korean hackers often engage in highly targeted and sophisticated campaigns against potential victims. These operations often take months to play out, with hackers carefully observing a target’s activities and waiting till the opportune moment to strike. From unsealed federal complaints and indictments, we even know the names of some of the architects of these attacks, including Pak Jin-hyok, Jon Chang-hyok, and Kim Il. That said, North Korean hackers face no real threat of extradition so they are able to take risks that other hackers can't. For example, while we see them use mixing services, non-compliant exchanges, and other on-chain obfuscation techniques, often times Lazarus will simply move funds in the open as quickly as possible because the key is speed to an off ramp rather than a concern for hiding the transactions.

How is law enforcement responding to attacks on crypto businesses?

In addition to the indictments against North Korean cybercriminal actors, the administration has made clear that ransomware and malware attacks are a cyber problem, not a crypto problem. That is why the focus has been on working with crypto businesses to harden cyber defenses. Social engineering is the leading cause of malware attacks. The BlueNoroff attacks are a great example of this. The attacks are sophisticated, targeted, and focus on and exploit human vulnerabilities. Educating employees is critical.

Regulators and law enforcement have also pushed out key guidance to the private sector on how to build compliance programs to mitigate the risks of ransomware and illicit finance. For example, OFAC issued comprehensive guidance for the cryptocurrency industry in October. While working with the private sector to harden cyber defenses, law enforcement and regulators have offensively gone after illicit actors that are facilitating ransom payments. For example, OFAC recently brought a sanctions action against non-compliant Russia based crypto exchanges SUEX and Chatex for facilitating ransom payments and the US Department of Justice brought criminal charges against darknet mixing services Helix and Bitcoin Fog. We are likely to see authorities go after this illicit underbelly of the overwhelmingly growing and licit cryptocurrency economy and we should also expect a focus on working with the private sector to harden cyber defenses.

What does the future hold?

The increasing penetration of crypto into mainstream investment circles and the lives of ordinary people present North Korea’s various hacking groups with lucrative and ever-growing target sets. As we see the continued rapid growth of the crypto-economy we are likely to see continued interest by North Korea to target crypto businesses that are young and building out cyber defenses and anti-money laundering controls. We will also see a continued and sustained focus from law enforcement and regulators on mitigating this threat.

‍