Just as technology has evolved over the years, so has cybercrime. Some of the most successful cybercrime outfits today operate out of the Democratic People's Republic of Korea (DPRK), a totalitarian state ruled by the dictator Kim Jong-un.

Researchers reported in January 2022 that a prominent North Korean hacker group had been targeting cryptocurrency startups in several countries, stealing millions of dollars in the process.

What Is SnatchCrypto?

Dubbed SnatchCrypto, this series of attacks on crypto startups was uncovered by researchers at the Russian cybersecurity company Kaspersky.

The campaign is reportedly being carried out by BlueNorOff, a unit that is part of the infamous North Korean cybercrime outfit Lazarus Group, which is also known as Guardians of Peace or Whois Team.

To execute its attacks, BlueNorOff (also known as APT38, Stardust Chollima, BeagleBoyz, and NICKEL GLADSTONE) uses sophisticated social engineering techniques and impersonates legitimate entities, tricking its targets into downloading malicious files.


For instance, the group might share a document via Google Drive. The file can appear perfectly legitimate, and have a name like "Digital Investment Strategy."

The group might also hack into another company, and send an email from an address belonging to that company to its target. In one example, the hackers compromised a registered company and took over its social media accounts. Using these profiles, they sent out supposed business offers in the form of malicious documents to their targets.

BlueNorOff does not always compromise another company to attack its targets. In fact, more often than not, it simply impersonates businesses and then distributes malicious files.

These attacks tend to work because blockchain-based startups often receive letters, contracts, offers, and similar business-related files from unfamiliar sources, according to Kaspersky.

The documents themselves look legitimate, and sometimes are: the file the victim receives carries no malicious code of its own. If the victim opens it while not connected to the internet, nothing happens and no malware is installed.

If the target is connected to the internet when the file is opened, however, the document fetches a second, macro-enabled document from a server the attackers control, and the macro in that downloaded file deploys the malware. Inspecting the lure offline therefore proves little; the dangerous part is the reference to the remote file, not the content sitting on disk.
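The behaviour described above (clean when offline, a macro-enabled document pulled down when online) is what Word's "attached template" feature produces when the template relationship points at an http(s) URL. The page does not name that mechanism, so it is an assumption here. The following scanner is an added example, not code from Kaspersky's report or the article: it unpacks a .docx, walks every relationships part and flags external relationships that resolve to a web URL, distinguishing the attached-template case from other external objects. The sample documents it builds are constructed in memory for the demonstration; the example.invalid URLs are placeholders.

```python
"""Scan a .docx for remote (http/https) attached-template references.

A .docx is a ZIP of XML parts. When Word opens a document whose
word/settings.xml names an attached template, it resolves that template
through word/_rels/settings.xml.rels. If the relationship is External and
points at a URL, Word fetches the template at open time; a macro-enabled
.dotm fetched that way carries the macros the document itself lacks, and
offline the fetch fails and nothing runs. (Mechanism assumed, not stated
on the page.)
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
TEMPLATE_REL = OFFICE_REL + "/attachedTemplate"
HYPERLINK_REL = OFFICE_REL + "/hyperlink"
DOCUMENT_REL = OFFICE_REL + "/officeDocument"


def find_remote_references(docx_bytes):
    """Return [(rels_part, kind, target)] for every relationship whose
    TargetMode is External and whose target is an http(s) URL.

    kind is "remote_template" for an attachedTemplate relationship (the
    remote-template lure) and "external_object" for any other external
    relationship except hyperlinks, which are common and only fire on click.
    A file:// template target is left alone: a locally attached Normal.dotm
    looks like that in ordinary documents.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme not in ("http", "https"):
                    continue
                rtype = rel.get("Type", "")
                if rtype == TEMPLATE_REL:
                    findings.append((name, "remote_template", target))
                elif rtype != HYPERLINK_REL:
                    findings.append((name, "external_object", target))
    return findings


def _rels(*rels):
    """Serialise (Id, Type, Target, is_external) tuples into a .rels part."""
    body = "".join(
        '<Relationship Id="%s" Type="%s" Target="%s"%s/>'
        % (rid, rtype, target, ' TargetMode="External"' if external else "")
        for rid, rtype, target, external in rels
    )
    return '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, body)


def build_docx(template_target=None):
    """Build a minimal .docx in memory (constructed sample, not a real
    lure). If template_target is given, it is attached as an external
    template, which is how a remote-template document is wired up."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    settings = '<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>' % (
        w_ns, OFFICE_REL,
        '<w:attachedTemplate r:id="rId1"/>' if template_target else "")
    template_rels = (
        [("rId1", TEMPLATE_REL, template_target, True)] if template_target else [])
    parts = {
        "_rels/.rels": _rels(("rId1", DOCUMENT_REL, "word/document.xml", False)),
        "word/document.xml": '<w:document xmlns:w="%s"><w:body/></w:document>' % w_ns,
        # an ordinary hyperlink: external and http, but harmless on open
        "word/_rels/document.xml.rels": _rels(
            ("rId1", HYPERLINK_REL, "https://example.invalid/contact", True)),
        "word/settings.xml": settings,
        "word/_rels/settings.xml.rels": _rels(*template_rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_docx("https://example.invalid/templates/strategy.dotm")
    print(find_remote_references(lure))
    print(find_remote_references(build_docx("file:///C:/Users/me/Templates/Normal.dotm")))
```

The scanner needs no network access and never loads the template, which is the point: it finds the reference that would only be followed when the document is opened online. Run it over mail attachments before they reach a user, and treat any "remote_template" hit as a document that should not be opened in a connected environment.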

Once they have a foothold, the hackers monitor the victim's activity for weeks or even months. When the target is about to make a large cryptocurrency transaction, the implant alerts the attackers, who intercept and alter the transaction and essentially drain the target's crypto wallet. Kaspersky described this being done by replacing the victim's browser wallet extension with a tampered copy, so that the transaction details were changed at the moment the user approved them.

Why Is BlueNorOff Targeting Crypto Startups?

Cryptocurrency transfers are fast, irreversible, and cross borders without a bank in the loop, and although movements on a public blockchain can be traced after the fact, stolen funds are typically pushed through mixers and swapped across chains long before anyone can freeze them. It is no wonder, then, that groups such as BlueNorOff target companies that deal in crypto.

According to a report from the blockchain analytics firm Chainalysis, the Lazarus Group stole around $400 million worth of digital assets from companies around the world in 2021 alone. The stolen funds were carefully moved to North Korea-controlled addresses and then laundered by the government.


Kim Jong-un's regime, which is heavily sanctioned by Western governments, is thought to have used these funds for its nuclear weapons and ballistic missile programs.

According to Chainalysis, the North Korean government "supports cryptocurrency-enabled crime on a massive scale," which makes it a major threat to the crypto industry as a whole.

Defending Against BlueNorOff

As per Kaspersky, in order to protect themselves from BlueNorOff and similar hacker groups, organizations should first and foremost educate their employees on social engineering and phishing attacks, and provide comprehensive cybersecurity training.

Organizations should also conduct cybersecurity audits regularly and invest in robust protection that identifies attacks early and prevents theft. Given how the SnatchCrypto lure works, two concrete controls stand out: block Office macros in documents that arrive from the internet, and treat any document that reaches out to a remote server when opened as suspect rather than trusting how it looks.

In general, every company should pay close attention to its cybersecurity hygiene, update all of its software regularly, and invest in reliable data backup solutions.