Blockchain companies are being targeted by North Korean hackers, US agencies warn
Image: Micha Brandli/TheRecord
Adam Janofsky April 19, 2022

The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Treasury, and the FBI issued a joint advisory Monday evening describing a North Korean state-sponsored hacking campaign that has been associated with cryptocurrency heists since at least 2020.

The advanced persistent threat (APT) group has been tracked widely by cybersecurity companies as Lazarus Group and APT38, and the agencies highlighted malware-laced cryptocurrency applications the group uses, which the alert dubs “TraderTraitor.”

Experts have warned in recent years that North Korea has focused its hacking efforts on financial crime, using it as an income stream as it deals with international sanctions. In 2016, hackers linked to Lazarus Group managed to steal tens of millions of dollars from Bangladesh’s central bank using the SWIFT banking network. In more recent years, decentralized finance (DeFi) platforms and cryptocurrency companies have become easier targets with bigger rewards.

Last week, the US Treasury’s Office of Foreign Assets Control attributed a $540 million DeFi hack to Lazarus, announcing sanctions against the group and tying it to the attack on Ronin Network through the thief’s Ethereum address.

“The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs),” the agencies said in the alert.

Spotting Lazarus

The agencies described the tactics, techniques, and procedures that the group uses to gain a foothold into cryptocurrency companies.

“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” the alert reads. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.”

A website linked to Lazarus Group’s cryptocurrency hacking operations. Image: CISA/FBI/Treasury

These cryptocurrency applications, which the government refers to as TraderTraitor, are derived from several open-source projects and masquerade as trading or price prediction tools. They’re written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework, the agencies said.
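Because the trojanized applications are ordinary Electron bundles, one defensive first step is simply to know which Electron apps are present on endpoints in the first place. The script below is an added example written for this article, not code from the advisory or from the agencies: it walks one or more directories on a macOS host, flags application bundles that carry the usual Electron layout markers (an `app.asar`/`electron.asar` under `Contents/Resources` or an Electron Framework under `Contents/Frameworks`), reads the bundle identifier from `Info.plist`, and marks anything not on an organisation-maintained allowlist for review. The marker list, the allowlist contents, and the sample bundle names are all assumptions made for the demo; the advisory's actual indicators of compromise are in the alert itself and are not reproduced here.

```python
"""Inventory Electron-based .app bundles so unexpected "trading" or
"price prediction" apps can be triaged. Added example; the marker list and
allowlist below are assumptions, not values from the CISA/FBI/Treasury alert."""
import plistlib
import tempfile
from pathlib import Path

# Assumed filesystem markers that an Electron app bundle normally carries.
ELECTRON_MARKERS = (
    "Resources/app.asar",
    "Resources/electron.asar",
    "Frameworks/Electron Framework.framework",
)

# Hypothetical allowlist of bundle identifiers the organisation has approved.
APPROVED_BUNDLE_IDS = frozenset({"com.example.approved-wallet"})


def bundle_info(app_dir: Path) -> dict:
    """Pull the bundle identifier and display name from Info.plist, if readable."""
    info = {"path": str(app_dir), "bundle_id": None, "name": app_dir.stem}
    plist = app_dir / "Contents" / "Info.plist"
    if plist.is_file():
        try:
            with plist.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception:  # malformed plist: fall back to the filesystem name
            return info
        info["bundle_id"] = data.get("CFBundleIdentifier")
        info["name"] = data.get("CFBundleName", info["name"])
    return info


def is_electron_app(app_dir: Path) -> bool:
    """True when the bundle carries any of the assumed Electron layout markers."""
    contents = app_dir / "Contents"
    return any((contents / marker).exists() for marker in ELECTRON_MARKERS)


def find_electron_apps(roots, approved=APPROVED_BUNDLE_IDS) -> list:
    """Walk the given directories and report top-level Electron app bundles."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for app_dir in sorted(root.rglob("*.app")):
            # Skip helper bundles nested inside another .app (e.g. renderer helpers).
            if any(p.suffix == ".app" for p in app_dir.parents):
                continue
            if not is_electron_app(app_dir):
                continue
            info = bundle_info(app_dir)
            info["approved"] = info["bundle_id"] in approved
            hits.append(info)
    return hits


def _make_bundle(base: Path, name: str, bundle_id: str, electron: bool) -> None:
    """Constructed sample bundle for the demo; not a real application."""
    contents = base / f"{name}.app" / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id, "CFBundleName": name}, fh)
    if electron:
        (contents / "Resources").mkdir()
        (contents / "Resources" / "app.asar").write_bytes(b"constructed placeholder")


def demo() -> list:
    """Build a throwaway Applications folder of constructed bundles and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp) / "Applications"
        _make_bundle(apps, "ApprovedWallet", "com.example.approved-wallet", True)
        _make_bundle(apps, "PricePredictor", "com.example.unknown-predictor", True)
        _make_bundle(apps, "NativeEditor", "com.example.native-editor", False)
        return find_electron_apps([apps])


if __name__ == "__main__":
    # On a real host, pass e.g. ["/Applications", Path.home() / "Downloads"] instead.
    for hit in demo():
        flag = "approved" if hit["approved"] else "REVIEW"
        print(f"{flag:8} {hit['name']:15} {hit['bundle_id']}  {hit['path']}")
```

Run against `/Applications` and user download folders, the output gives an analyst a short list of Electron bundles to compare against what the organisation actually deploys; a price-prediction or trading tool nobody procured is the kind of entry worth pulling for closer inspection. The check is a layout heuristic only and says nothing about whether a given bundle is malicious.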

Malware payloads observed by the agencies include both macOS and Windows variants of Manuscrypt, a remote access trojan (RAT) that collects information about the victim device and can download additional payloads.

“Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion,” the agencies warned.

The alert provides a list of indicators of compromise, as well as mitigations that apply to critical infrastructure organizations, financial sector firms, and blockchain technology and cryptocurrency companies.

Adam is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.