The Federal Bureau of Investigation (FBI) has issued a warning about an impending wave of “complex and elaborate” social engineering attacks orchestrated by North Korean operatives.
These attacks specifically target decentralized finance (DeFi) organization employees as part of an ongoing effort to steal cryptocurrency.
Target Selection
According to the FBI, state-sponsored hacking groups have conducted extensive research on targets connected to cryptocurrency exchange-traded funds. This reconnaissance work suggests that North Korea is preparing to launch “highly tailored, difficult-to-detect social engineering campaigns” against cryptocurrency-related businesses soon.
The level of sophistication in these attacks is particularly concerning. The FBI notes that the scammers display such “sophisticated technical acumen” that victims may not even realize they’ve been compromised until it’s too late.
North Korea’s Cryptocurrency Motivation
North Korea’s interest in cryptocurrency theft stems from the international sanctions imposed on the country to prevent the development of weapons of mass destruction.
These sanctions have effectively isolated North Korea from the global financial system. Cryptocurrency has emerged as a means for the nation to circumvent these restrictions, leading to numerous campaigns aimed at acquiring digital assets.
Evolving Tactics and Increased Sophistication
The FBI’s warning highlights the increasing refinement of North Korean hacking efforts. “Given the scale and persistence of this malicious activity, even those well-versed in cyber security practices can be vulnerable to North Korea’s determination to compromise networks connected to cryptocurrency assets,” the Bureau cautioned.
Here’s a great video from the Darknet Diaries podcast highlighting some of the history behind North Korea’s crypto scams:
Anatomy of a North Korean Social Engineering Attack
1. Target Identification
North Korean cybercriminals begin by scouting potential victims through social media accounts, with a particular focus on professional networking and employment-related platforms. This approach builds on previous tactics where hackers used fake LinkedIn job ads and posed as both job seekers and employers to trick victims into downloading malware from malicious GitHub repositories.
2. Initial Contact and Trust-Building
After identifying targets, the hackers initiate conversations in English, demonstrating a strong knowledge of crypto-related industries. They may pose as:
- A mutual professional connection
- An employee of a well-known company
- A recruiter
The primary goal is to deliver malware in a way that appears natural and non-threatening.
3. Long-Term Engagement
These scammers are not afraid to play the long game. The FBI notes, “If successful in establishing bidirectional contact, the initial actor, or another member of the actor’s team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust.”
Red Flags: Identifying Potential North Korean Scams
The FBI has compiled a list of potential indicators that a North Korean social engineer may be attempting to scam you:
- Requests to execute code or download applications on company devices
- Requests to conduct “pre-employment tests” involving non-standard packages or scripts
- Unexpected job offers with unrealistically high compensation
- Unsolicited investment offers from prominent companies or individuals
- Insistence on using non-standard software for simple tasks
- Demands to run scripts to enable call or video functionalities
- Attempts to move professional conversations to other messaging platforms
- Unsolicited contacts containing unexpected links or attachments
Protecting Yourself and Your Organization
If you encounter any of these warning signs, the FBI recommends:
- Immediately isolating potentially compromised devices
- Contacting the FBI’s Internet Crime Complaint Center
- Notifying local law enforcement agencies
As a general precaution, avoid downloading documents, GitHub packages, or other files from individuals you meet on professional networking sites. Be wary of unsolicited job offers from well-known tech firms that seem too good to be true – they likely are.
The threat of North Korean social engineering attacks on the cryptocurrency industry remains high. As these tactics continue to evolve and become more sophisticated, individuals and organizations in the DeFi space must remain vigilant and prioritize cybersecurity measures to protect their digital assets.