Kaspersky Report: North Korean Hackers Impersonating Crypto VCs in New Phishing Scam

By Ruholamin Haqshanas

BlueNoroff, a subgroup of the North Korean state-sponsored hacking group Lazarus, is now impersonating venture capitalists looking to invest in crypto startups in a new phishing method. 

According to a new report from the cybersecurity firm Kaspersky, BlueNoroff has created more than 70 fake domains that pose as venture capital firms and banks. The majority of the fake VCs presented themselves as well-known Japanese companies, while some others assumed the identities of United States and Vietnamese companies.

These fake VCs then target cryptocurrency startups that deal with smart contracts, DeFi, blockchain, and the FinTech industry, using new malware delivery methods.

Kaspersky says BlueNoroff is also using software to bypass Mark-of-the-Web (MOTW), the Windows technology that displays a warning message when a user tries to open a file downloaded from the Internet. In a press release, the company detailed:

“The attackers have used phishing techniques to try to infect targeted companies and then intercept large cryptocurrency transfers, changing the recipient’s address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.”

The BlueNoroff name was first coined by Kaspersky back in 2016 when its researchers were investigating the notorious attack on Bangladesh’s Central Bank. 

Kaspersky noted that a UAE citizen, who was in the sales department responsible for signing contracts, fell victim to the BlueNoroff group after downloading a Word document called “Shamjit Client Details Form.doc,” which allowed the hackers to connect to his computer and extract information as they attempted to execute even more potent malware.

As reported, North Korean hackers have stolen an estimated 1.5 trillion won ($1.2 billion) in crypto assets since 2017. More than half of that tally, or about 800 billion won ($626 million), has been stolen so far this year.

According to South Korea’s main spy agency, the National Intelligence Service, North Korea is using the stolen crypto assets to fund its nuclear program and support its fragile economy, which has constantly shrunk over the past couple of years amid harsh U.N. sanctions and the COVID-19 pandemic.

Seongsu Park, the lead security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), claimed that North Korean hackers would further increase their illicit cyber activities in 2023. He said:

“As per our forecast in recent APT predictions for 2023, the coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has been never seen before.”
