North Korea Running ‘Trojan-infested Fake Crypto Exchange,’ Say Experts

A security firm says North Korean hackers created a bogus crypto exchange that infects users’ internet-connected devices with malware, allowing them to access sensitive networks to steal cryptoassets.

The claims were made by the security provider Volexity, and backed by the likes of Malwarebytes.

In a blog post, Volexity claimed that the notorious Lazarus hacking group – thought to be based in Pyongyang – had masterminded the plan. It said Lazarus launched the fake exchange in June this year.

Named BloxHolder, the alleged crypto trading platform promotes its operations thusly:

“Use our trusted crypto trading bots to automate crypto trading strategies on over 20+ exchanges with our privacy focused on-prem trade automation solutions.”

But Volexity claimed that BloxHolder was a clone of the bona fide trading platform HaasOnline. It produced examples of near-identical webpages and word-for-word-identical text from the two sites as evidence.

How Does the Trojan Work?

Volexity claimed that BloxHolder users are prompted to accept a Microsoft installer file that has been modified to contain a variant of the AppleJeus trojan.

Security experts say that AppleJeus, first identified by Kaspersky Labs in 2018, harvests information about the systems it infects. It is able to collect details on computer addresses, computer names, and OS versions. This initial access step later allows hackers to steal cryptoassets.

Cryptonews.com discovered that virus-blocking software such as MacAfee, Avast and the South Korean Ahn Labs all flag the website as a “trojan-infested” or “risky” website.

Volexity added that it had “identified several other Microsoft Installer files with cryptocurrency themes that are linked to this campaign.”

The report’s authors warned:

“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics.”

Volexity added that it “has not previously noted the use of Microsoft Office documents to deploy AppleJeus variants,” – which may represent a “change” in tactics from Lazarus.

South Korea’s SBS noted that Lazarus allegedly reports to the Pyongyang-run Reconnaissance General Bureau. The bureau is believed to be the North Korean intelligence agency charged with operating the nation’s clandestine operations.

Last month, a leading academic called for Seoul to do more to prevent the North from attacking crypto targets south of the DMZ.