The FBI has announced that the Democratic People's Republic of Korea is engaging in social engineering campaigns targeting employees in the DeFi and cryptocurrency sectors. These operations are designed to distribute malware and steal digital assets from companies.
North Korean cyber actors have developed complex social engineering schemes that are difficult to detect. According to the FBI, their methods are advanced enough to compromise individuals with strong technical backgrounds, and even people in the cryptocurrency industry who are well aware of good security practice remain vulnerable to these persistent, targeted attacks.
In recent months, North Korean cyber actors have conducted extensive research on entities connected to cryptocurrency exchange-traded funds (ETFs). This research has raised concerns that the country may be preparing for cyberattacks on firms dealing with ETFs and other financial products related to cryptocurrency.
The FBI has identified North Korea as a consistent threat to organisations handling substantial cryptocurrency assets. The country employs a range of advanced tactics to infiltrate networks and steal funds.
North Korean cyber teams focus on identifying specific DeFi and cryptocurrency-related companies. They target multiple employees within these firms, aiming to gain unauthorised access to company networks. Prior to making contact, they often gather intelligence from social media platforms, particularly those used for professional networking.
These actors craft individualised fictional scenarios, incorporating personal details about the target’s career or business interests. Common strategies include offering new employment opportunities or investment deals. The attackers often reference information that only a few people are likely to know, creating a sense of legitimacy.
Once initial contact is established, the attackers attempt to build a rapport with the victim. This relationship may last for an extended period, as the goal is to eventually deliver malware in a way that appears natural. The attackers often communicate fluently in English and display a high level of understanding of cryptocurrency-related topics.
North Korean cyber actors are known to impersonate a variety of individuals, including professional contacts the target may recognise. They use stolen images from social media profiles and sometimes fabricate time-sensitive events to pressure their targets into quick action.
They may also impersonate recruitment firms or technology companies, relying on fake websites to enhance their credibility. There are documented cases of North Korean domains being seized due to their involvement in these malicious activities.
If a company suspects it has been targeted by a North Korean social engineering campaign, the FBI recommends immediately disconnecting affected devices from the internet but leaving them powered on: shutting down or rebooting would destroy volatile evidence such as running processes, open network connections and any malware that exists only in memory. The FBI advises reporting the incident to its Internet Crime Complaint Center (IC3) and providing detailed information, including any screenshots of communications with the attackers.
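The following triage script is an added example and is not part of the FBI advisory or this article. It shows how a responder can follow the "disconnect but keep powered on" advice in practice: capture the volatile state that a shutdown would erase (process tree, open sockets, logins, ARP cache), hash the snapshot, and only then cut outbound traffic with iptables while keeping a management subnet reachable. The output directory and the responder subnet are placeholders chosen for illustration; the script must run as root on the affected Linux host.

```shell
#!/bin/sh
# Added example (not from the FBI advisory or this article): capture volatile
# evidence on a suspected host, then cut its internet access without powering
# it off. Run as root on the affected machine. Paths and the management
# subnet below are placeholders chosen for illustration.
set -u

# Write a snapshot of the volatile state (processes, sockets, logins, ARP cache)
# into directory $1. Returns 0 when at least a process list was captured.
collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1
    {
        echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "hostname=$(hostname 2>/dev/null || cat /proc/sys/kernel/hostname 2>/dev/null)"
        echo "collector_uid=$(id -u)"
    } > "$out/manifest.txt"

    # Process tree: prefer ps, fall back to walking /proc on a minimal box.
    if ! ps -eo pid,ppid,user,args > "$out/processes.txt" 2>/dev/null; then
        for d in /proc/[0-9]*; do
            pid=${d#/proc/}
            cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
            echo "$pid ${cmd:-[kernel thread]}"
        done > "$out/processes.txt"
    fi

    # Open sockets: a live C2 connection is the first thing a reboot would erase.
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$out/sockets.txt" 2>&1
    elif [ -r /proc/net/tcp ]; then
        cat /proc/net/tcp /proc/net/tcp6 /proc/net/udp > "$out/sockets.txt" 2>/dev/null
    else
        : > "$out/sockets.txt"
    fi

    # Other volatile data that disappears on shutdown.
    who > "$out/logins.txt" 2>/dev/null || : > "$out/logins.txt"
    cat /proc/net/arp > "$out/arp.txt" 2>/dev/null || : > "$out/arp.txt"
    env > "$out/environment.txt" 2>/dev/null

    # Hash the snapshot so later tampering is detectable.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$out" && sha256sum ./*.txt > SHA256SUMS)
    elif command -v shasum >/dev/null 2>&1; then
        (cd "$out" && shasum -a 256 ./*.txt > SHA256SUMS)
    fi

    [ -s "$out/processes.txt" ]
}

# Block all outbound traffic except loopback and an optional responder subnet,
# leaving the host running so memory can still be imaged. Needs root + iptables.
isolate_host() {
    responder_cidr="${1:-}"   # e.g. 10.0.0.0/24 (assumed management network)
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    iptables -I OUTPUT -o lo -j ACCEPT || return 1
    if [ -n "$responder_cidr" ]; then
        iptables -I OUTPUT -d "$responder_cidr" -j ACCEPT || return 1
    fi
    iptables -A OUTPUT -j DROP
}

# Usage: sh triage.sh run /var/tmp/triage 10.0.0.0/24
if [ "${1:-}" = "run" ]; then
    collect_volatile "${2:-/var/tmp/triage}" && isolate_host "${3:-}"
fi
```

Collection runs before isolation on purpose: once outbound traffic is dropped, the socket table no longer shows which hosts the implant was talking to. The snapshot directory, together with screenshots of the attacker's messages, is what the report to IC3 should carry.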