North Korean Hackers Expand Social Engineering Scams to Steal Cryptocurrencies by Infiltrating Multinational IT Firms

Hackers with ties to the North Korean government have reportedly expanded social engineering scams designed to steal cryptocurrencies by infiltrating “hundreds” of large, multinational information technology firms.

North Korean government-linked hackers are reportedly expanding their social engineering scams to pilfer cryptocurrencies by infiltrating ‘hundreds’ of large, multinational information technology firms.

Researchers at the Cyberwarcon cybersecurity conference identified two North Korean hacker groups called “Sapphire Sleet” and “Ruby Sleet,” according to a report by TechCrunch.

Sapphire Sleet targeted individuals through fraudulent employment schemes by posing as legitimate recruiters and luring unsuspecting victims into interviews or other offers of employment. At some point during the interview process, the hackers would infect the users’ computers with malware disguised as picture-document files (PDFs) or malicious links.

Meanwhile, Ruby Sleet managed to infiltrate aerospace and defense contractors in the United States, the United Kingdom, and South Korea to steal military secrets.

The report also noted that the North Korean IT workers used fake identities crafted through AI, social media, and voice-changing technologies to infiltrate the companies and carry out recruitment scams.

Crypto theft for November 2024. Source: Immunefi, Because Bitcoin

North Korean hackers have been targeting the crypto industry for a while now. As early as 2021, researchers claimed to have uncovered a North Korean crypto scam involving fake identities.

Later in 2022, the Federal Bureau of Investigation (FBI) warned that North Korean hackers were targeting crypto companies and decentralized finance (DeFi) projects with malware disguised as employment offers. Once the user downloaded the malware or clicked a malicious link, their private keys would be stolen.

More recently, the Cosmos ecosystem faced concerns over its Liquid Staking Module, which was allegedly built by North Korean developers. At the time, Cosmos ecosystem developer Jacob Gadikian said, “The people who built the LSM are the world’s most skilled and prolific crypto thieves.” The threat of backdoors and other malicious lines of code prompted several security audits of the Cosmos Liquid Staking Module.