North Korea-Linked Lazarus Group Poses as VC Firms to Spread Malware

Jason Nelson
Jason Nelson December 28, 2022
Updated 2022/12/28 at 7:47 AM
3 Min Read

BlueNoroff—the name given by security researchers to a group linked with North Korean state-sponsored hacking collective Lazarus Group—has expanded its criminal activities to include posing as venture capitalists looking to invest in crypto startups, according to a new report from the Cybersecurity firm Kaspersky.

“BlueNoroff created numerous fake domains impersonating venture capital companies and banks,” Kaspersky says.

In its report, Kaspersky says it detected global attacks by BlueNoroff targeting cryptocurrency startups in January 2022,  but says there was a lull in activity until the fall.

 

According to Kaspersky, BlueNoroff is using malware to attack organizations that deal with smart contracts, DeFi, Blockchain, and the FinTech industry. Kaspersky says BlueNoroff is also using software to bypass Mark-of-the-Web (MOTW) technology, which ensures that a message from Windows pops up to warn users when trying to open a file downloaded from the Internet.

Stealing cryptocurrency has been a profitable business for North Korean hackers. Since 2017, over $1.2 billion in cryptocurrency has been looted, according to data from South Korean spy agencies. In 2022, several high-profile companies, including FTX, were hit by cyber-attacks.

A treacherous fall

In August, the group sent job offers to candidates on LinkedIn for an engineering manager position at cryptocurrency exchange Coinbase.

In September, the Lazarus Group targeted Coinbase and Crypto.com job seekers in two separate phishing attacks. One malware attack encouraged job seekers to download a PDF document showcasing the open vacancies at Crypto.com. Once downloaded, the PDF would install a trojan horse and steal personal and financial information.

In October, cyber criminals used an exploit in the Binance Smart Chain to make off with over $100 million in cryptocurrency.

On November 11, 2022, the day FTX filed for Chapter 11 bankruptcy protection, an unknown actor began siphoning funds from FTX wallets to the tune of $640 million in tokens.

While the story of the fall of Sam Bankman-Fried and FTX has taken over the headlines, the threat posed by cyber criminals has never subsided.

Kaspersky acknowledged a request for comment from Decrypt but was unable to provide a response prior to publication.

 

Stay on top of crypto news, get daily updates in your inbox.

This article was first published on Decrypt.co
Share this Article