News: 1725499062

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

North Korean scammers plan wave of stealth attacks on crypto companies, FBI warns

(2024/09/05)


The FBI has warned that North Korean operatives are plotting "complex and elaborate" social engineering attacks against employees of decentralized finance (DeFi) organizations, as part of ongoing efforts to steal cryptocurrency.

State-sponsored crews have [1]researched targets connected to cryptocurrency exchange-traded funds, and conducted other reconnaissance work, we're told. This suggests that North Korea is likely to attempt "highly tailored, difficult-to-detect social engineering campaigns" against cryptocurrency-related businesses in the near future, the US investigative agency [2]wrote on Tuesday.

The scammers display such "sophisticated technical acumen" that victims may not even realize they’ve been attacked until it's too late.

[3]

North Korea has for years tried to steal assets from cryptocurrency outfits because international sanctions designed to stop it developing weapons of mass destruction mean the murderous autocracy is all but excluded from the global financial system. The nation has found cryptocurrency helps it get around those restrictions, so has launched many campaigns to acquire digi-dollars.

[4]

[5]

The FBI is concerned that those efforts have become more refined.

"Given the scale and persistence of this malicious activity, even those well-versed in cyber security practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets," the FBI warned.

[6]

Here's how the social engineering attacks typically go down.

North Korean cyber criminals scout out their targets by stalking would-be victims' social media accounts, "particularly on professional networking or employment-related platforms."

These services and job boards are familiar territory for Pyongyang's hackers. Previously, they've used [7]fake LinkedIn job ads and posed as both [8]jobseekers and/or employers to trick victims into downloading infostealers and other malware from malicious GitHub repos.

[9]

Kim Jong Un's cyber-scourges next initiate conversations with targets they've identified. Correspondence is sent in English and displays strong knowledge of crypto-related industries. Sometimes the crims pose as a mutual professional connection, an employee of a well-known company, or a recruiter. Whatever ruse they use, the goal is delivering malware in a way that "may appear natural and non-alerting."

[10]Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil

[11]US 'laptop farm' man accused of outsourcing his IT jobs to North Korea to fund weapons programs

[12]North Korea likely behind takedown of Indian crypto exchange WazirX

[13]North Korea building cash reserves using ransomware, video games

The scammers aren't afraid to play a long game. "If successful in establishing bidirectional contact, the initial actor, or another member of the actor's team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust," according to the FBI.

The Bureau has also compiled a list of potential indicators that a North Korean social engineer is attempting to scam you:

Requests to execute code or download applications on company-owned devices or other devices with access to a company's internal network;

Asks to conduct a "pre-employment test" or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories;

Employment offers from prominent cryptocurrency or technology firms that are unexpected or involve unrealistically high compensation without negotiation;

Offers of investment from prominent companies or individuals that are unsolicited or have not been proposed or discussed previously;

Insistence of using non-standard or custom software to complete simple tasks easily achievable through the use of common applications (like video conferencing or connecting to a server);

Demands to run a script to enable call or video teleconference functionalities supposedly blocked due to a victim's location;

Proposes to move professional conversations to other messaging platforms or applications;

Unsolicited contacts that contain unexpected links or attachments.

If you experience, or have experienced, any of these things, isolate potentially compromised devices ASAP and [14]contact the FBI's Internet Crime Complaint Center along with local law enforcement agencies.

And as a general rule, don't download documents, GitHub packages, or other files from someone you meet on LinkedIn. Sadly, unsolicited job offers from well-known tech firms that offer compensation packages that seem too good to be true probably always are. ®

Get our [15]Tech Resources



[1] https://www.theregister.com/2024/07/19/wasirx_pauses_trade/

[2] https://www.ic3.gov/Media/Y2024/PSA240903

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Ztks6Gw1q7ksbMC_IZ-FFwAAAc8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Ztks6Gw1q7ksbMC_IZ-FFwAAAc8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Ztks6Gw1q7ksbMC_IZ-FFwAAAc8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Ztks6Gw1q7ksbMC_IZ-FFwAAAc8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2020/08/25/lazarus_group_north_korea_linkedin_lure/

[8] https://www.theregister.com/2023/11/23/north_korea_attacks_job_market/

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Ztks6Gw1q7ksbMC_IZ-FFwAAAc8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[10] https://www.theregister.com/2024/07/24/knowbe4_north_korean/

[11] https://www.theregister.com/2024/08/08/north_korea_laptop_farm_arrest/

[12] https://www.theregister.com/2024/07/19/wasirx_pauses_trade/

[13] https://www.theregister.com/2024/05/29/north_korea_using_ransomware_and/

[14] https://www.ic3.gov/

[15] https://whitepapers.theregister.com/



Crypto scammers

Anonymous Coward

But I repeat myself…

Are you sick of wasting valuable seconds while ingesting caffeine or
eating a cold pizza? Is your programming project running behind because
you keep falling asleep? EyeOpener(tm) brand caffeinated beverages has the
solution. Our new ActiveIV product will provide a 24 hour supply of
caffeine via intravenous tube while you work -- so you can hack without
any interruptions at all (except going to the bathroom -- but our
Port-a-Urinal(tm) can help solve that problem as well).

EyeOpener(tm) beverages contain at least 5,000% of the daily recommended
dose of caffeine, a quantity that will surely keep you wide awake, alert,
and in Deep Hack Mode for weeks at a time. With EyeOpener and ActiveIV,
you won't waste your valuable time at a vendine machine.

EyeOpener(tm): You'll Never Waste Another Millisecond Ever Again.