Hackers and cybercriminals, allegedly working for the North Korean state, posing as venture capitalists as well as tech support workers and recruiters, have stolen more than $1 billion in crypto in recent years, according to security researchers who presented their findings at the Washington DC-based Cyberwarcon conference. Here’s what we know.
The $1 Billion Crypto Heist Explained
You might not think that a venture capitalist and big company recruiter have much in common, even less so when you throw a remote IT worker into the mix, but according to Zack Whittaker, reporting for TechCrunch, “all have been caught as imposters secretly working for the North Korean regime, according to security researchers.”
Those security researchers were presenting at the annual Cyberwarcon conference in Washington DC, which takes an analytical look at the threats that are most disruptive in the world of cybersecurity. One presentation, by Microsoft Threat Intelligence, revealed how, across the last decade, the Democratic People’s Republic of Korea has “successfully built computer network exploitation capability” enabling the threat actors involved to “steal billions of dollars in cryptocurrency.” During this time, the threat intelligence analysts said, “North Korean threat actors have developed and used multiple zero-day exploits and have become experts in cryptocurrency, blockchain, and AI technology.”
One North Korea-affiliated threat group in particular, known as Sapphire Sleet, has been observed undertaking crypto theft since 2020, Microsoft said. In one six-month period, for example, the threat intelligence revealed that Sapphire Sleet had stolen more than $10 million from multiple companies. Although the precise methodologies used by the threat actors have changed over time, Microsoft said that the most recent and primary scheme is to “masquerade as a venture capitalist.” The fake VC feigns interest in investing in a target company and schedules an online meeting to discuss the deal. On the day of the meeting, technical issues appear to strike and the victim is directed to a supposed support team. This is where the malicious play begins: the victim is talked into downloading a script that purportedly fixes the issue but in reality delivers malware, which ultimately compromises the cryptocurrency wallet credentials and steals the crypto within.
Microsoft recommended that organizations and individuals follow the guidance from the U.S. Department of State and the Federal Bureau of Investigation on how to spot North Korean fake IT workers and similar imposters. You can also refer to this advice given by the FBI to protect yourself and your business from crypto attackers.