Secret North Korean Workforce Stealing Corporate Crypto to Fund Nuclear Weapons

By Jody McDonald December 03, 2024 In Cryptocurrency, Hackers, Korea
  • Cybersecurity researchers presenting at the Cyberwarcon conference in Washington DC have detailed how North Korean hackers pose as fake VCs, recruiters and remote workers to gain access to organisations’ computer systems to steal cryptocurrency and corporate secrets.
  • Tactics include having US-based ‘facilitators’ to operate employer-issued laptops and receive income to US bank accounts, while the hacker remains hidden in North Korea.
  • The researchers said hacker groups have stolen over US$1 billion in crypto over the past decade, much of which is funnelled into North Korea’s nuclear weapons program.

The North Koreans are coming for the precious crypto!

Cybersecurity researchers presenting at the Cyberwarcon conference in Washington DC on November 29 have detailed the threat posed by North Korea’s large network of sophisticated hacking groups, as reported by TechCrunch.

These hacker groups are now actively targeting large global organisations and stealing their crypto. And it’s not only the crypto they’re after — the hackers are also posing as recruiters, VCs and fake remote workers to funnel money to the regime and acquire corporate secrets and intellectual property.

The researchers said that over the past decade North Korean hacking groups have pilfered over US$1 billion (AU$1.5b) in crypto, which has largely been used by the regime to fund its nuclear weapons program, allowing it to skirt international sanctions.



How Do These Hackers Steal the Precious Crypto?

During a bull market, a crypto degen’s thoughts tend to turn towards two things: 1) Lambos; 2) How terrible it would be if someone stole their precious crypto, thus depriving them of Lambos.

Artist’s impression of average degen checking their portfolio. 

Given that your mind is lambo-addled right now, your first thought upon learning about these hacking groups is likely “is the average degen at risk from these hacking groups?”

The hackers mainly target large organisations — so, they’re probably not the primary threat faced by the average crypto investor. (Having said that, make sure you store your crypto securely, never share your private keys and stay alert to scams.)

According to the researchers, the hacking groups have been taking advantage of the growth of remote work and online meetings since the rise of COVID in 2020 to allow them to more easily masquerade as venture capitalists, recruiters or remote workers. 

In the venture capitalist and recruiter scenarios, once the hacker has gained the trust of their victim, they’ll set up an online meeting and get the victim to unknowingly install malware — either by pressuring them to download a tool to help resolve technical difficulties during the meeting, or by getting them to download and complete a ‘skills assessment’ which also contains malware. The hackers are then able to use the malware to access the victim’s computer, including their crypto wallets.

But the most common and most persistent threat, according to the researchers, is fake remote workers. These fake workers have really boomed since COVID and have been labelled a ‘triple threat’ by the researchers because they benefit the North Korean regime in three important ways:

  • earning money for the regime directly through their employment as a fake worker; 
  • stealing corporate secrets, intellectual property and crypto; and 
  • extorting the companies with these secrets to get even more out of them.

Microsoft cybersecurity researcher James Elliott said these North Korean IT workers had already infiltrated “hundreds” of organisations around the world by creating false identities. They may rely on ‘facilitators’ based in the US to handle their work-issued laptop and income, in order to get around the sanctions imposed on North Korea and make them seem more legit. The workers then remotely access the work-issued computer from North Korea, so the employer never knows they have a North Korean employee.

One North Korean hacking group using these tactics — known as Sapphire Sleet — has been leading crypto theft since 2020. Microsoft says Sapphire Sleet has stolen at least US$10 million in crypto from several international companies over a single six-month period.

Organisations Told to Be Extra Vigilant Against Threat

While sanctions have been imposed and public warnings have been issued for a while now, the threat posed by North Korean hacking groups has continued to increase. Earlier this year the FBI issued a specific warning alerting companies to the risk of AI deepfakes used in North Korean-based employment scams that have resulted in the theft of crypto assets from US companies:

For companies active in or associated with the cryptocurrency sector, the FBI emphasizes North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products.

FBI crypto theft warning


The US Department of Treasury, Department of State and Department of Justice have also released joint guidance specifically for companies looking to protect themselves from the threat of North Korean fake remote workers.

Jody McDonald, Author

Jody is a Brisbane-based freelance writer who specialises in writing about business, technology, and the future of work.