North Korean Hackers Target Crypto Developers

[pushups44]

In a new malicious campaign that started in 2024, the group has been posing as recruiters on LinkedIn, targeting developers of cryptocurrency projects with malicious coding challenges.

[...]

First, ​​the Slow Pisces hackers impersonate potential recruiters on LinkedIn and engage with likely targets, sending them a benign PDF with a job description. The targets are primarily involved in cryptocurrency projects.

If the targets apply, attackers present them with a coding challenge consisting of several tasks outlined in a question sheet.

These question sheets typically include generic software development tasks and a “real project” coding challenge, which links to a GitHub repository.

[...]

By focusing on individuals contacted via LinkedIn rather than conducting broad phishing campaigns, the group tightly controls later campaign stages to deliver malware solely to intended victims.

https://www.infosecurity-magazine.com/news/north-korea-hackers-linkedin/

[freedomgo]

I keep seeing headlines about these hackers, but I haven’t dug deep into the stories or followed the details. Is there any verified info out there, like official claims or reports confirming that North Korean hackers are actually taking responsibility for these big hacks?

[Ethan_Crypto]

Every crypto developers and enthusiast must take security very seriously in order not to get hacked

[SilverCryptoBullet]

Every crypto developers and enthusiast must take security very seriously in order not to get hacked

Their devices can be hacked but their fund must be safe. Nothing is safe completely but if you are more carefully in practice, and separate your programming works with your project treasury or your own cryptocurrency storage, you will reduce risk of losing your project treasury or your individual capital. Because the compromised device does not help hackers to access your company treasury or your individual capital.

Cryptocurrency security standard for enterprises.

[Queentoshi]

If Crypto developers know that they are the target of hackers especially the ones from North Korea as this post has claimed, is it not possible for them to prevent any such attacks by maybe recruiting one of such hackers to make their system impenetrable by making sure their system is not vulnerable to all the methods that the North Korean hackers will use. I believe that there are hackers whose job is usually to help companies prevent their severs from being hacked. Are Crypto developers and other targets overlooking the threats on their back and waiting for it to happen first before they take action?

[criptoevangelista]

The rocket man nation is already one of the largest holders of bitcoins just by applying scams and hacks, now it remains to be seen what North Korea's plans are with these bitcoins, do they intend to use them as an international exchange currency in some kind of gray market on the deep web, (only for nations)? Because just having bitcoins will not do any good if they cannot spend this wealth... or could it in the future be equivalent to holding nuclear bombs? Bargaining power? Will it?

[examplens]

I only partially went through the text, but can you provide more references on how exactly it is known that it is a North Korean hacker group?
It's a bit strange to me that over the years, we hear about various hacks, and usually, the infamous Lazarus group or hackers from North Korea in general are always blamed.
Given that no one outside NK has insight into such groups, how do we know that it is really them, and not, for example, some group from the Netherlands?

[pushups44]

I only partially went through the text, but can you provide more references on how exactly it is known that it is a North Korean hacker group?
It's a bit strange to me that over the years, we hear about various hacks, and usually, the infamous Lazarus group or hackers from North Korea in general are always blamed.
Given that no one outside NK has insight into such groups, how do we know that it is really them, and not, for example, some group from the Netherlands?

Security researchers are pretty confident about North Korean involvement, and while I'm no expert on this topic, I thought up some possibilities that an AI chatbot fleshed out in more detail - such as IP addresses or actual identification of individuals who slipped up. Here is what Perplexity mentioned (I will offer some snippets so as to not plagiarize):

• Malware Reuse and Code Similarities: North Korean groups, such as Lazarus, often reuse distinctive malware families, code snippets, or encryption routines across multiple operations.
• Infrastructure Overlap: Attackers may reuse command-and-control (C2) servers, IP addresses, or domains previously linked to North Korean operations.
• Metadata and Language Artifacts: Sometimes, malware or phishing documents contain metadata (such as usernames, file properties, or language settings) that point to Korean language environments or even North Korean time zones and keyboard layouts.
  

There are also patterns of behavior as well as classified intelligence law enforcement has.

[leonair]

I keep seeing headlines about these hackers, but I haven’t dug deep into the stories or followed the details. Is there any verified info out there, like official claims or reports confirming that North Korean hackers are actually taking responsibility for these big hacks?

The North Korean government uses its country's hackers in various ways and supports them. So they can do anything at any time and in any way. For example, a few days ago it was proven that North Korean hackers were behind the bybit hacking. They stole several billion dollars from there. However, bybit has not yet recovered that money and will never recover it because they have the support of their government. So North Korean hackers are very dangerous and it is not possible to recover anything from them.

[Zlantann]

Criminals are always devising new ways to steal from individuals. Using job offers that look real might make it difficult to dictate. I think we should use different devices for work and keeping our coins.

I only partially went through the text, but can you provide more references on how exactly it is known that it is a North Korean hacker group?
It's a bit strange to me that over the years, we hear about various hacks, and usually, the infamous Lazarus group or hackers from North Korea in general are always blamed.
Given that no one outside NK has insight into such groups, how do we know that it is really them, and not, for example, some group from the Netherlands?

Every international hacker is always said to come from North Korea. It is possible that Slow Pisces and others might have originated from other countries. Hackers from other countries might use patterns that are similar to South Korean hackers to conceal their location.

[serjent05]

The well known group of North Korean hackers are the Lazarus Group, also known as  APT38, Guardians of Peace, Hidden Cobra, Whois Team, and more.  According to this article: The Lazarus group: North Korean scourge for +10 years, they are responsible for some of the largest cyber attacks worldwide.

• The North Korean threat actor, Lazarus, has operated for more than 10 years and is behind infamous cyber incidents such as the attack on Sony Pictures in 2014 and the spread of the WannaCry ransomware in 2017.
• Unlike other state actors, Lazarus is highly financially motivated and attempts to boost the feeble North Korean economy.
• Due to government support and instigation, North Korean threat actors face no risk of prosecution in their home country; on the contrary. It’s therefore very likely that the Lazarus group will continue to operate for years to come.

In addition this article: The Lazarus Group (APT38): North Korean Threat Actor show how these North Korean Hackers operates.

Lazarus Group Techniques and Tactics
The Lazarus Group is known for its adaptability and the breadth of its toolkit. They continuously evolve their tactics and tools, making them a significant cybersecurity threat that leverages techniques such as:

Zero-days: Lazarus Group has been observed exploiting zero-day vulnerabilities in software to breach targets. For instance, they exploited a zero-day vulnerability in a popular certificate software to compromise a South Korean financial entity twice within a span of a year. They also leveraged an ActiveX zero-day vulnerability to attack a South Korean think tank.

Spear Phishing: The group often uses spear phishing techniques, where they send targeted emails to individuals within organizations. These emails typically contain malicious links or attachments. For instance, they have used LinkedIn to trick targets into installing malicious files such as Word documents with hidden macros.

Disinformation: While specific instances of disinformation campaigns by the Lazarus Group are not readily available, they have been known to use misdirection techniques in their campaigns. Some operations were disguised as hacktivist activities, with groups such as “GOP,” “WhoAmI,” and “New Romanic Army” claiming responsibility for these alleged hacktivism attacks.

Malware: Lazarus Group uses a range of custom-built malware, such as remote access trojans (RATs), backdoors, and botnets. They have used the RATANKBA malware to target cryptocurrency companies. They also deployed the Manuscrypt backdoor via macro-laced documents in phishing attacks.

Backdoors: The group uses backdoors to maintain access to compromised systems. For instance, they used the Manuscrypt (aka NukeSped) backdoor in their phishing attacks. They also deployed the BLINDINGCAN and COPPERHEDGE implants in their attacks against the defense industry.

Droppers: The Lazarus Group has been known to use droppers, which are typically used in cyberattacks to install malware onto a target system.

Here is an illustration on how they attack Swift The Swift Banking system


The North Korean Hackers targets not only cryptocurrency but any financial Institution that has security lapses.

[hugeblack]

It's funny that developers and experts are the Trojan horse or hacker proxy to make such attacks successful.
For example, PDF files don't need to be downloaded and can be viewed using a browser without downloading. I also believe that these developers monitor their computer activity for potential attacks.
I can understand if it's part of a social attack targeting non-developers, but it's hard to believe such attacks would succeed against developers.

[Basels]

If Crypto developers know that they are the target of hackers especially the ones from North Korea as this post has claimed, is it not possible for them to prevent any such attacks by maybe recruiting one of such hackers to make their system impenetrable by making sure their system is not vulnerable to all the methods that the North Korean hackers will use. I believe that there are hackers whose job is usually to help companies prevent their severs from being hacked. Are Crypto developers and other targets overlooking the threats on their back and waiting for it to happen first before they take action?

We're talking about crypto not banks. These projects mostly are open source so anyone can contribute on GitHub as their developer. I guess the hackers want to be able to gain access to the developer's device when it matters most. Maybe create code flaws to enable them drain project treasuries down the line. You should know that one can't be too careful in these things. Just a slip is enough.

I think anyone involved in project codebase should absolutely be security conscious. Things like virtual machines should be used to isolate sensitive data in their work devices.

[X-ray]

More like social engineering.

Anyway, if you're a crypto developers, I think you should realize that you should not install anything recklessly to any of your machine that can access important thing like server and so on.

If you keep installing these random things into your machine anyway, do you really fit to be a crypto developer where security is like the primary concern?

[melinoe]

More like social engineering.

Anyway, if you're a crypto developers, I think you should realize that you should not install anything recklessly to any of your machine that can access important thing like server and so on.

If you keep installing these random things into your machine anyway, do you really fit to be a crypto developer where security is like the primary concern?

Can be simply referred to as the human factor.

Everybody can know that it's bad, yet one person may be ignorant and make the hack possible - you never know where the crack may emerge.

[Yaunfitda]

More like social engineering.

Anyway, if you're a crypto developers, I think you should realize that you should not install anything recklessly to any of your machine that can access important thing like server and so on.

If you keep installing these random things into your machine anyway, do you really fit to be a crypto developer where security is like the primary concern?

You might be right, but the thing is that sometimes we just have that one slipped and everything falls. There are some of blindly trust anyone and that is one mistake and this is a human factor that we really need to overcome. As for the North Korean Hackers, if I'm not mistaken, it was just the West that put the blame on this. We really don't know if such group really exists. There are also school of thoughts that the West might have created the Lazarus group out of thin air and blame everything on the North Koreans as far as hacking crypto and any services.

[melinoe]

More like social engineering.

Anyway, if you're a crypto developers, I think you should realize that you should not install anything recklessly to any of your machine that can access important thing like server and so on.

If you keep installing these random things into your machine anyway, do you really fit to be a crypto developer where security is like the primary concern?

You might be right, but the thing is that sometimes we just have that one slipped and everything falls. There are some of blindly trust anyone and that is one mistake and this is a human factor that we really need to overcome. As for the North Korean Hackers, if I'm not mistaken, it was just the West that put the blame on this. We really don't know if such group really exists. There are also school of thoughts that the West might have created the Lazarus group out of thin air and blame everything on the North Koreans as far as hacking crypto and any services.

That's a conspiracy theory at that point.

But nothing can be overlooked in the crypto space 

[yazher]

They are notorious hackers and they have long history of sabotaging things when it comes to currencies especially dollars and now that they have found a way to infiltrate cryptos, they are mostly behind the hacking activities and attempt in the crypto exchanges. They are also hard to track due to their remote areas and I believe they have some people working for them outside their country.

[FortuneFollower]

They are notorious hackers and they have long history of sabotaging things when it comes to currencies especially dollars and now that they have found a way to infiltrate cryptos, they are mostly behind the hacking activities and attempt in the crypto exchanges. They are also hard to track due to their remote areas and I believe they have some people working for them outside their country.

Or they work with the government of said country - we never know, the fact remains though that they know their business.

[therealfalcon]

sometimes we are told the north korea lacks advance computers, they hacked 1 Billion Dollars.