North Korean Hackers Steal Billions in Crypto by Posing as VCs, Recruiters, and IT Workers
Security researchers expose how North Korean operatives infiltrate global companies to fund weapons programs and evade sanctions.

Because Bitcoin
November 29, 2024
A venture capitalist, a recruiter, and a newly hired remote IT worker might seem unrelated, but all have been caught secretly working for the North Korean regime, according to security researchers (Source: TechCrunch).
At the Cyberwarcon conference in Washington DC, experts updated their assessment of North Korea’s cyber threat, revealing that the country’s hackers are infiltrating multinational corporations by posing as job applicants. These efforts fund the regime and steal corporate secrets for its weapons program. Over the past decade, North Korean hackers have funneled billions of dollars in stolen cryptocurrency to support the nation’s nuclear ambitions while evading sanctions.
Microsoft’s James Elliott explained that North Korean IT workers have infiltrated “hundreds” of global companies by creating false identities and using U.S.-based facilitators to manage their earnings and workstations. The workers’ primary goal is cryptocurrency theft, and because the regime is already under sanctions, being caught carries little additional risk for it.
Microsoft detailed two hacker groups: “Ruby Sleet,” which targeted aerospace and defense companies for industry secrets, and “Sapphire Sleet,” which posed as recruiters and a venture capitalist to steal cryptocurrency. In one campaign, hackers tricked victims into downloading malware that accessed sensitive data, including cryptocurrency wallets. Microsoft reported over $10 million in stolen assets in just six months.
The most concerning tactic involves hackers posing as remote workers. Microsoft described these individuals as a “triple threat” for their ability to earn money for North Korea, steal intellectual property, and blackmail companies. Although many organizations have unknowingly hired North Korean spies, only a few have gone public, like KnowBe4, which blocked a worker once the deception was discovered.
North Korean IT workers typically create professional profiles on LinkedIn and GitHub, sometimes using AI-generated identities. Once hired, facilitators in the U.S. set up the employees’ laptops with remote access software, allowing hackers to operate undetected. Microsoft also found that hackers are operating from Russia and China, making detection more difficult.
The researchers uncovered valuable information when they found a public repository detailing the hackers’ operations. They also identified flaws in the fake identities of some workers, such as linguistic mistakes and inconsistencies in claimed locations. The U.S. government has already sanctioned organizations involved in these activities, and the FBI has warned about the use of AI-generated images to facilitate identity theft for tech jobs.
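The two signals described above, remote-access software on a new hire’s corporate laptop and a claimed location that does not match where the account actually logs in from, can be checked mechanically during onboarding. The following screening pass is an added example for this article and is not code from Microsoft, the researchers, or any company named here; the record layout, the tool list, and the sample records are all constructed assumptions, and the tool names are illustrative commercial products the article itself does not name.

```python
"""
Added example (not from the original article or from Microsoft): screen
constructed HR and endpoint telemetry records for the signals the article
describes. Field names, tool list and sample data are all assumptions.
"""
from dataclasses import dataclass

# Assumed list of commercial remote-access tools; the article names none.
# Any of these on a freshly issued laptop deserves a closer look.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop", "logmein"}


@dataclass
class HireRecord:
    worker_id: str
    claimed_country: str          # location stated in the job application
    installed_software: list[str]  # from endpoint inventory (assumed feed)
    login_countries: list[str]     # IP geolocation of each SSO login (assumed feed)


def screen(rec: HireRecord) -> list[str]:
    """Return human-readable findings for one hire; empty list means no signal."""
    findings: list[str] = []

    tools = sorted({s for s in rec.installed_software if s.lower() in REMOTE_ACCESS_TOOLS})
    if tools:
        findings.append(f"remote-access software present: {', '.join(tools)}")

    foreign = sorted({c for c in rec.login_countries if c != rec.claimed_country})
    if foreign:
        findings.append(f"logins from {', '.join(foreign)} but claimed {rec.claimed_country}")

    # The laptop-farm case is the subtle one: the machine sits with an
    # in-country facilitator, so every login geolocates to the claimed
    # country, and the only visible tell is the remote-access tool itself.
    if tools and not foreign:
        findings.append("in-country laptop with remote-access tool: possible laptop farm")

    return findings


def screen_all(records: list[HireRecord]) -> dict[str, list[str]]:
    """Screen a batch of hires, keyed by worker id."""
    return {r.worker_id: screen(r) for r in records}


# Constructed sample records (not real hires or telemetry).
SAMPLE_RECORDS = [
    HireRecord("w-1001", "US", ["Slack", "VS Code"], ["US", "US"]),
    HireRecord("w-1002", "US", ["Slack", "AnyDesk"], ["US", "US", "US"]),
    HireRecord("w-1003", "US", ["Slack"], ["US", "RU", "CN"]),
]

if __name__ == "__main__":
    for worker, found in screen_all(SAMPLE_RECORDS).items():
        print(worker, "->", found or "no findings")
```

These are screening signals to hand to HR and security for a follow-up conversation, not proof of anything: plenty of legitimate remote employees install AnyDesk, and a short trip abroad produces a foreign login. What the check buys you is that the laptop-farm pattern, which looks clean on geolocation alone, still surfaces because the remote-access tool is flagged on its own.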
Experts emphasized the need for better vetting, with Elliott stating, “They’re not going away. They’re gonna be here for a long time.”