North Korean hackers stole almost $400 million in cryptocurrency over the course of 2021 through at least seven attacks. The analysis, carried out by Chainalysis, found that most of the thefts involved Ethereum and Bitcoin, with the former becoming the attackers' cryptocurrency of choice.

North Korea: in 2021 the value of thefts reached record levels

In recent years, hacker groups attributed to North Korea had already carried out attacks of this kind, but in 2021 the value of the thefts reached record levels. The best known of these groups is Lazarus, responsible for the 2014 attack on Sony Pictures Entertainment and for the WannaCry ransomware in 2017. More recent is the case of the AppleJeus malware, which targeted Windows and Mac systems around the world by posing as a legitimate cryptocurrency trading platform.

Also known as APT 38, the group has focused on cryptocurrency theft as a means of evading US and UN economic sanctions. A panel of UN experts concluded in 2018 that its cryptocurrency hacks help finance the North Korean government's missile programs.

The tools used in this type of attack are the usual ones: social engineering, phishing and exploits. “From 2020 to 2021, the number of hacks connected to North Korea went from four to seven and the value obtained from these attacks increased by 40%”, says Chainalysis in its report. According to Chainalysis, North Korean attacks in 2021 mainly targeted investment firms and cryptocurrency exchanges.

Last year, North Korean hackers focused mainly on Ethereum: 68% of the stolen value was in this cryptocurrency, which replaced Bitcoin as the main currency in the attackers' operations. Bitcoin, however, still plays a key role in laundering the Ether before it is finally cashed out. Cryptocurrency mixer software, or “tumbler”, breaks the funds down into small sums and mixes them with other transactions before sending the equivalent value to a new address. “North Korea is systematically laundering money through a mixer to obscure the origins of their illicit cryptocurrencies before turning them into traditional currency”, the report observes.

The attacks were confirmed by the United States Cybersecurity and Infrastructure Security Agency (CISA) and by the cybersecurity company Kaspersky, which has been tracking the intrusions since 2017 under the name “SnatchCrypto”.

These attacks follow a pattern of closely tracking startups in the FinTech sector and devising elaborate social engineering schemes to build trust with targets by posing as legitimate venture capital firms. The goal is to persuade victims to open malware-laden documents that launch a payload designed to run malicious software delivered over an encrypted channel from a remote server.

An alternative method used to start the infection chain is a Windows shortcut file (“.LNK”) that retrieves the malware. This is a Visual Basic script, which then serves as the starting point for running a series of intermediate payloads before installing a full-featured backdoor capable of taking screenshots, recording keystrokes, stealing data from the Chrome browser and executing malicious commands.

