In photo: a word cloud featuring "ETF". EpicTop10.com/flickr

KEY POINTS

  • Cyber actors linked to the DPRK conducted research on employees of firms offering crypto ETFs, the FBI said
  • The agency reiterated that North Korea is a threat to organizations with exposure to large quantities of crypto
  • DPRK-linked threat actors use "individualized fake scenarios" and also impersonate individuals as part of their scheme

In the vulnerable world of cryptocurrencies and blockchain, hackers and scammers run amok, and among them are cybercriminals linked to the Democratic People's Republic of Korea (DPRK). These threat actors are known for carrying out some of the biggest security breaches in history, but in recent months they have been shifting their attention to employees of companies offering spot cryptocurrency exchange-traded funds (ETFs).

In a Tuesday notice, the FBI warned the crypto industry about the latest activities of North Korea-linked cyber actors, saying these actors have been conducting "highly tailored, difficult-to-detect social engineering campaigns" that target employees of decentralized finance (DeFi), crypto firms, and similar businesses.

ETF Company Employees at Center of Campaigns

"North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months," the FBI said Tuesday.

Their research included pre-operational preparations that suggest North Korean cybercriminals may be planning to carry out activities against companies associated with Bitcoin and Ethereum ETFs, the agency noted.

The agency went on to reiterate how North Korea makes use of sophisticated tactics to steal crypto assets and continues to be a threat to organizations exposed to large quantities of crypto-related products and services.

Tactics Used by North Korean Threat Actors

Among the strategies used by North Korean cyber actors is coming up with "individualized fake scenarios," the FBI said. In such cases, the actors often offer new employment or corporate investment opportunities to a victim. They initiate prolonged conversations to build trust and familiarity. They are also usually well-versed in crypto topics and can speak nearly fluent English.

North Korea-linked cybercriminals also impersonate various individuals, including people a prospective victim may know personally. They make use of "realistic imagery" to "induce immediate action from intended victims."

Indicators of North Korean Social Engineering

According to the FBI, the following are some potential indicators of social engineering activity by North Korean threat actors:

  • Requests to execute code or download apps on company-owned devices
  • Requests to undergo a "pre-employment test" that involves executing non-standard Node.js packages, etc.
  • Employment offers from prominent crypto firms with unrealistically high compensation
  • Insistence on using non-standard software to complete simple tasks
  • Requests to run a script to enable call or video teleconferencing
  • Requests to move professional exchanges to other messaging platforms
  • Unsolicited contacts with suspicious links or attachments
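The second indicator above, a "pre-employment test" that asks the candidate to install a Node.js project, is one a defender can partly check mechanically before running `npm install`. The following added example (not part of the FBI notice or this article) reviews a package.json for lifecycle scripts that npm executes automatically on install and for dependencies resolved from outside the npm registry; the sample package.json is constructed for illustration.

```python
import json

# Lifecycle hooks that npm runs automatically during `npm install`, i.e. code
# that executes on the candidate's machine before they ever run the project.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def is_non_registry_spec(spec: str) -> bool:
    """True if a dependency spec pulls code from somewhere other than the npm registry."""
    spec = spec.strip()
    if spec.startswith(("git+", "git://", "github:", "file:", "http://", "https://")):
        return True
    if spec.endswith((".tgz", ".tar.gz")):
        return True
    # Shorthand such as "user/repo" (GitHub) rather than a semver range like "^4.18.2".
    return "/" in spec


def review_package_json(text: str) -> list[str]:
    """Return human-readable findings for a package.json document (empty list = nothing flagged)."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"lifecycle script '{hook}' runs on install: {cmd}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if is_non_registry_spec(spec):
                findings.append(f"{section}: '{name}' resolves outside the registry: {spec}")
    return findings


# Constructed sample of a "coding challenge" project sent to a job candidate.
SAMPLE_PACKAGE_JSON = """{
  "name": "coding-challenge",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node ./scripts/setup.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "helper-lib": "git+https://example.invalid/vendor/helper-lib.git"
  }
}"""

if __name__ == "__main__":
    for finding in review_package_json(SAMPLE_PACKAGE_JSON):
        print("FLAG:", finding)
```

A clean result does not prove a project is safe; it only removes the most obvious install-time execution paths from consideration, and the social engineering indicators above still apply.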

The FBI has urged crypto firms or businesses with crypto-related offerings to strengthen their measures against potential attacks by DPRK-linked hackers.

While there are various hacking groups associated with the reclusive country, one of them stands out due to its ability to evolve with the times: Lazarus Group.

North Korea-Linked Lazarus Group

Prominent crypto researcher ZachXBT revealed in April how Lazarus Group, a notorious hacking group linked to North Korea, laundered some $200 million in pilfered digital assets into fiat.

Lazarus Group managed to conduct 25 hacks across the crypto industry over a three-year period, including the exploit of crypto exchange CoinMetro, in which a staggering $750,000 in crypto was lost.

The stolen digital assets from its crypto hacks were consolidated into a single wallet address earlier this year, then moved through the crypto mixing tool Tornado Cash before being sent to various peer-to-peer marketplaces for conversion into fiat.