North Korean Hackers Impersonate Major Crypto Investment Firm to Scam Startups

The hackers impersonated big names in crypto such as the Digital Currency Group in a months-long and carefully planned campaign.
January 13, 2022, 5:19pm
north-korea
Image: narvikk/GettyImages
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Hackers who are believed to work for the North Korean government have been impersonating venture capitalists and workers at crypto and blockchain-focused companies such as the Digital Currency Group to steal cryptocurrency, according to a new report.

Kaspersky Lab published a report on Thursday that details the months-long hacking campaign. During that time, the hackers broke into several cryptocurrency startups by pretending to work for venture capital firms involved in the industry. The goal was to steal large quantities of cryptocurrency, according to the researchers.

Advertisement

“We have seen BlueNoroff operators stalking and studying successful cryptocurrency startups,” the researchers wrote, using their internal name for the hacking group. “The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.”

The hackers impersonated more than 15 venture businesses, including a person who works in the top management of the Digital Currency Group, according to the report. Digital Currency Group, or DCG, is one of the major firms in the cryptocurrency space with subsidiaries across investing and media. DCG owns Grayscale Investments, which is the world's largest asset manager for cryptocurrencies and manages billions in assets. DCG also owns CoinDesk, which is a leading cryptocurrency trade publication. The company's founder, Barry Silbert, is a celebrity among crypto investors. 

The hackers are exploiting a startup's eagerness to engage with potential investors, especially if they are well-known and influential players such as DCG, the researchers noted. .

Advertisement

“If a venture capital company approaches a startup and sends files that look like an investment contract or some other promising documents, the startup won’t hesitate to open them, even if some risk is involved and Microsoft Office adds warning messages,” the researchers wrote. 

DCG did not immediately respond to a request for comment. 

Do you research vulnerabilities on cryptocurrencies and their networks? Do you track hackers who target cryptocurrencies? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com

Kaspersky Lab researchers believe BlueNoroff is linked to the notorious Lazarus group, a hacking team that is widely believed to be working for the North Korean government. This is the group behind spectacular hacks such as the one against Sony Pictures Entertainment in 2014, or the one against the Bangladesh Bank, where they almost stole $1 billion dollars. 

The group has long been focused on stealing money to fund their government, which is hamstrung by international economic sanctions. 

Advertisement

Researchers noted that they do not believe DCG or the other affected companies were hacked, but simply that the hackers impersonated them or their workers.   

The hackers’ attacks initially rely on phishing and social engineering, but also involve more technical work. For example, one of the ways they stole cryptocurrency, once they hacked into a target’s computer, was to inject their own code whenever the target was moving cryptocurrency to redirect the transaction. This attack involved analyzing the MetaMask Chrome extension and rewriting transaction details in a way that the target doesn’t immediately notice.

“This way, when the compromised user transfers funds to another account, the transaction is signed on the hardware wallet. However, given that the action was initiated by the user at the very right moment, the user doesn’t suspect anything fishy is going on and confirms the transaction on the secure device without paying attention to the transaction details,” the researchers wrote. “The user doesn’t get too worried when the size of the payment he/she inputs is low and the mistake feels insignificant. However, the attackers modify not only the recipient address, but also push the amount of currency to the limit, essentially draining the account in one move.”

Kaspersky Lab’s researcher Seongsu Park said he and his colleagues could not count the exact number of victims, nor they could confirm how much money the hackers stole.

“The obvious thing is this campaign has been targeting the cryptocurrency industry extensively for a long time,” he said in an email to Motherboard. “We can't confirm how much they successfully stole. However, their ongoing attacks for almost 4 years mean a lot of success has been made from this campaign.”

This story has been updated to include Kasperky’s spokesperson’s comments.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.