News: 1736952314

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Crypto klepto North Korea stole $659M over just 5 heists last year

(2025/01/15)


North Korean blockchain bandits stole more than half a billion dollars in cryptocurrency in 2024 alone, the US, Japan, and South Korea say.

The sum of stolen assets totaled a little more than $659 million across five major incidents, although just two contributed a large portion of that.

The [1]BitcoinDMM crypto exchange was raided for $308 million in May 2024 – the biggest haul of the five heists - by a group tracked by law enforcement agencies as TraderTraitor.

[2]

To pull it off, the North Korean attackers upended their usual playbook of seeking employment at Western organizations and assumed the role of recruiter.

[3]

[4]

They reached out to a staffer at Japanese enterprise crypto wallet company Ginco in March with a pre-employment test, which turned out to be a malicious Python script. The job seeker uploaded it to their personal GitHub page, which was then compromised.

TraderTraitor exploited stolen session cookies to impersonate the Ginco employee to gain access to the company's unencrypted comms system in May. From there, the group tampered with a transaction request made by a BitcoinDMM worker to forward the stolen funds to North Korean wallets.

[5]

The attack on Indian crypto exchange WazirX also raked in a pretty penny for Kim's crew – $235 million to be precise.

Mere months after the BitcoinDMM attack, [6]WazirX was hit in July and according to Arkham [7]data , by September North Korea had laundered most of the stolen assets using the [8]Tornado Cash mixer service.

Cyvers Alerts first [9]detected the compromise of the exchange's multi-signature wallet on July 18, claiming the stolen assets comprised around 45 percent of the exchange's total reserves. WazirX halted operations the following day and engaged all the outside expertise it could.

North Korea's Lazarus Group is baa....ack Infosec house Security Scorecard also recently identified a fresh attempt by North Korea’s Lazarus Group to target software devs.

Dubbed Operation 99, the latest Lazarus trick is similar to the one that led to the compromise at Ginco: Target a dev with a new job offer, convince them to load a malicious project that installs malware, and gain access to anything they can.

The researchers said Kim's cronies will take anything they can find, including intellectual property, sensitive configurations, credentials, and of course crypto wallet keys.

However, the latest developments remove self-destruction elements of the malware used to spy on victims, maintaining access for longer periods. They also involve refined obfuscation techniques, such as a 65-layer encoding scheme, and new malware modules to increase the app's capabilities. Think data exfiltration, clipboard monitoring, and process termination all in one module, while others are devoted to functions like pan-OS browser credential theft, and transmitting data over C2 servers.

"The campaign's focus on developers reflects a strategic evolution," said Ryan Sherstobitoff, SVP of threat research and intelligence at Security Scorecard.

"By compromising the creators of technology, the attackers indirectly jeopardize the projects and enterprises these developers support. It's a devastatingly efficient method of supply chain attack."

The exchange's [10]postmortem report revealed that the attackers compromised the transaction authorization processes at both WazirX and Liminal, the two signatories that approve transactions on the affected wallet.

It said four of six signatures are required to authorize a transaction – three from WazirX and one from Liminal. The North Korean attackers obtained all four, but the exchange still found no evidence of compromise on its signers' machines.

[11]

WazirX said one of two possible scenarios could be true, claiming that Liminal's infrastructure was likely breached in both:

Considered by WazirX as the more likely explanation, it involves malicious transactions sent by a potentially compromised Liminal to exchange signers. It believes that because no new connection requests were made to hardware wallets, the request came from an address whitelisted by Liminal, and that expected token names and the destination address were seen on the Liminal interface and email notifications.

All three exchange signers were compromised by malware by unknown means, despite no malware being found. WazirX emphasized that this would also mean a breach at Liminal had to have taken place to obtain the fourth signature.

The other named incidents affected Upbit, Rain Management, and Radiant Capital.

The three countries raising awareness of North Korea's actions said the schemes being concocted to steal these huge sums are sophisticated and well disguised.

[12]Security pros baited with fake Windows LDAP exploit traps

[13]North Korea's fake IT worker scam hauled in at least $88M over six years

[14]Scattered Spider, BlackCat claw their way back from criminal underground

[15]Officials warn of Russia's tech-for-troops deal with North Korea amid Ukraine conflict

The FBI [16]said in September, around the time it started noticing a significant uptick in North Korea's targeting of the crypto industry: "North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen. Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets.

"North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products."

The three said this week they will continue to work together to counter North Korea's attempted attacks, and called for deeper collaboration between the public and private sectors to step up these efforts.

They also once again drew attention to North Korea's ongoing attempts to siphon funds out of enemy economies by securing employment at Western companies, typically in IT roles.

The public communications about these schemes have been coming for a few years now but intensified during 2024. The US government maintains that the money generated from this activity is used to fund North Korea's weapons programs.

High-profile incidents, such as the one involving KnowBe4 in July, alerted the industry that North Korea can even infiltrate major cybersecurity companies.

Kim's spy passed four video interviews after faking a US identity and landed a software engineering job on the vendor's AI team. He wasn't [17]caught until he started loading malware using his company-issued Mac.

Other cases reported by incident responders demonstrated that even after being outed and ousted, North Korean workers [18]demanded six-figure ransoms for data they stole during their undercover work.

The US Department of Justice [19]said last month that in the past six years, these rogue employment schemes have netted North Korea $88 million. ®

Get our [20]Tech Resources



[1] https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z4fpvdJudNbAEDmQc2wsJQAAAAk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4fpvdJudNbAEDmQc2wsJQAAAAk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z4fpvdJudNbAEDmQc2wsJQAAAAk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4fpvdJudNbAEDmQc2wsJQAAAAk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/07/19/wasirx_pauses_trade/

[7] https://intel.arkm.com/explorer/entity/wazirx-hacker

[8] https://www.theregister.com/2023/08/23/tornado_cash_founders_indicted/

[9] https://x.com/CyversAlerts/status/1851239095730602136

[10] https://wazirx.com/blog/wazirx-cyber-attack-key-insights-and-learnings/

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z4fpvdJudNbAEDmQc2wsJQAAAAk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[12] https://www.theregister.com/2025/01/09/security_pros_baited_by_fake/

[13] https://www.theregister.com/2024/12/13/doj_dpkr_fake_tech_worker_indictment/

[14] https://www.theregister.com/2024/11/08/scattered_spider_blackcat_return/

[15] https://www.theregister.com/2024/11/07/russia_tech_transfer_north_korea/

[16] https://www.state.gov/office-of-the-spokesperson/releases/2025/01/joint-statement-on-cryptocurrency-thefts-by-the-democratic-peoples-republic-of-korea-and-public-private-collaboration

[17] https://www.theregister.com/2024/07/24/knowbe4_north_korean/

[18] https://www.theregister.com/2024/10/18/ransom_fake_it_worker_scam/

[19] https://www.theregister.com/2024/12/13/doj_dpkr_fake_tech_worker_indictment/

[20] https://whitepapers.theregister.com/



Anonymous Coward

So, less than honest politicians, $big_corporation and such.

"Maybe we can get together and show off to each other sometimes."