How North Korean hackers stole billions in crypto while posing as VCs, IT workers

A new wave of cybercrime linked to North Korea has emerged, with hackers posing as venture capitalists, recruiters, and remote IT workers to steal cryptocurrency and corporate secrets. At Cyberwarcon, a Washington DC conference on cybersecurity threats, researchers revealed that these tactics have helped fund North Korea’s weapons program while bypassing international sanctions.

The regime’s hackers have stolen billions in cryptocurrency over the last decade, all while dodging detection through carefully constructed fake identities.

The Tactics: Fake VCs, recruiters, and IT workers

North Korean hacking groups use sophisticated methods to infiltrate targets. One group, dubbed “Sapphire Sleet” by Microsoft, impersonates venture capitalists and recruiters. After luring victims into virtual meetings, they trick them into downloading malware disguised as tools to fix technical glitches or complete skills assessments. Once installed, the malware provides access to sensitive data, including cryptocurrency wallets. In just six months, these tactics netted at least $10 million in stolen funds.

More troubling is the infiltration of global organisations by hackers posing as remote IT workers. These individuals create convincing online profiles, complete with AI-generated images and resumes, to land jobs at major companies. Once hired, they leverage facilitators based in the US to handle company-issued laptops and earnings, bypassing sanctions. Facilitators set up farms of these laptops, allowing North Korean hackers to remotely access systems while hiding their true locations.

How they got caught

Despite their elaborate setups, North Korean hackers have made mistakes that exposed their operations. Microsoft discovered a wealth of internal documents in a publicly accessible repository belonging to one of the hackers. These files included detailed guides, false identities, and records of stolen funds, providing a blueprint for the operation.

Researchers like Hoi Myong and SttyK, who engaged directly with suspected North Korean operatives, uncovered other slip-ups. In one instance, a hacker posing as Japanese made linguistic errors and had a mismatched digital footprint, with an IP address in Russia but claims of a Chinese bank account. Such inconsistencies have helped security teams identify and dismantle fake profiles.

Crypto theft funding weapons programs

North Korea’s hackers operate under minimal risk: the country is already heavily sanctioned, so further penalties carry little additional cost. Groups like “Ruby Sleet” target aerospace and defence companies to steal technology that advances the regime’s weaponry. Meanwhile, IT worker schemes provide a triple threat: generating revenue, stealing intellectual property, and extorting companies.

The US and its allies have taken action, levying sanctions and prosecuting individuals running laptop farms. However, researchers warn that organisations must improve their employee vetting processes. AI-generated deepfakes, stolen identities, and evolving tactics make North Korea’s hackers a persistent and dangerous threat.
