- North Korean hackers are scaling their operations from the USA to the UK and EU, according to GTIG
- They are now also embedding themselves in crypto and AI projects across the UK, Germany, Portugal, and Serbia
- By embedding themselves under false identities, they gain access to the projects’ data
According to GTIG, North Korean hackers are scaling their operations from the USA to the UK and EU, expanding and refining their strategies, getting into crypto and AI projects under false identities, and gaining direct access to data.
At the same time, they earn money as seemingly legitimate employees, and because they work through corporate virtual machines and get paid via payment gateways and cryptocurrencies, they are much harder to track. Later, they abuse their access, steal data, and blackmail employers, creating a new, indirect strategy that requires special attention.
What Does the GTIG Report Highlight?
The GTIG report reveals that hackers associated with the DPRK, hired as developers and tech specialists by a number of crypto and AI startups, pose a threat to their employers because they seek these jobs for malicious purposes from the outset. The report highlights that such specialists are mostly hired for the following kinds of work:
- Development of an artificial intelligence (AI) web application leveraging Electron, Next.js, AI, and blockchain technologies
- Development of a Nodexa token hosting plan platform using Next.js, React, CosmosSDK, and Golang, as well as the creation of a job marketplace using Next.js, Tailwind CSS, MongoDB, and Node.js
- Further blockchain-related projects involved Solana and Anchor/Rust smart contract development and a blockchain job marketplace built using the MERN stack and Solana
- Contributions to existing websites by adding pages using Next.js and Tailwind CSS
Why Do Their Tracks Go Undetected?
Here, the report highlights the most important thing: Attackers have built an entire infrastructure to help them cover their tracks. In particular, they rely on facilitators who help them defeat identity verification and receive funds fraudulently in the U.S. and Europe. This is accomplished with fake passports, intermediary platforms for finding jobs, payment gateways such as TransferWise and Payoneer, and cryptocurrency.
Another important factor that helps them stay in the shadows is the abuse of BYOD (bring your own device) policies, which allow access to an organization’s systems and data through virtual machines running on a personal device. This is a significant risk compared with corporate devices whose firmware prohibits the installation of third-party software (yes, it is not impossible for a high-end hacker to break a corporate device’s protections, but quality security measures make it possible to detect this and warn the employer about suspicious manipulations in time).
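The kind of detection the paragraph above alludes to can be illustrated with a small triage script. This is an added example, not code from the report or from any vendor: it runs over a few constructed session records (the field names, the device inventory flag and the "declared country" comparison are all assumptions about what an organization's endpoint and HR telemetry might expose) and flags remote sessions that combine an unmanaged device, hypervisor indicators in the reported hardware strings, and a login location that disagrees with where the employee claims to live.

```python
import re

# Constructed sample session telemetry. The schema is hypothetical; a real
# deployment would populate these fields from its MDM/EDR and HR systems.
SAMPLE_SESSIONS = [
    {"user": "dev01", "device_id": "LT-4471", "managed": True,
     "manufacturer": "Dell Inc.", "model": "Latitude 5540",
     "login_country": "DE", "declared_country": "DE"},
    {"user": "dev02", "device_id": "unknown-7a3f", "managed": False,
     "manufacturer": "VMware, Inc.", "model": "VMware Virtual Platform",
     "login_country": "US", "declared_country": "US"},
    {"user": "dev03", "device_id": "unknown-91c0", "managed": False,
     "manufacturer": "innotek GmbH", "model": "VirtualBox",
     "login_country": "RS", "declared_country": "PT"},
    {"user": "dev04", "device_id": "LT-0199", "managed": True,
     "manufacturer": "Microsoft Corporation", "model": "Virtual Machine",
     "login_country": "GB", "declared_country": "GB"},
]

# Vendor/model strings that common hypervisors expose to the guest OS
# (DMI/SMBIOS values). Case-insensitive substring match is enough here.
HYPERVISOR_PATTERNS = re.compile(
    r"vmware|virtualbox|innotek|qemu|kvm|xen|parallels|virtual machine|virtual platform",
    re.IGNORECASE,
)


def is_virtual_machine(session):
    """True if the reported hardware looks like a guest VM rather than bare metal."""
    hardware = f"{session['manufacturer']} {session['model']}"
    return bool(HYPERVISOR_PATTERNS.search(hardware))


def assess_session(session):
    """Return a triage verdict: which signals fired and an overall level.

    Levels: "high" when an unmanaged (BYOD) device is also a VM, which is the
    pattern the BYOD abuse described above produces; "medium" when any single
    signal fires (for example, a corporate-managed VDI session, which is often
    legitimate and only needs review); "none" otherwise.
    """
    findings = []
    if not session["managed"]:
        findings.append("unmanaged device (BYOD)")
    if is_virtual_machine(session):
        findings.append("virtual machine indicators")
    if session["login_country"] != session["declared_country"]:
        findings.append("login country differs from declared residence")

    if "unmanaged device (BYOD)" in findings and "virtual machine indicators" in findings:
        level = "high"
    elif findings:
        level = "medium"
    else:
        level = "none"
    return {"user": session["user"], "device_id": session["device_id"],
            "level": level, "findings": findings}


def triage(sessions):
    """Assess every session and keep only those that need analyst attention."""
    return [v for v in (assess_session(s) for s in sessions) if v["level"] != "none"]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_SESSIONS):
        print(f"{verdict['level']:6} {verdict['user']:6} {verdict['device_id']:13} "
              + "; ".join(verdict["findings"]))
```

The "medium" verdict for the managed Hyper-V session is deliberate: corporate VDI looks like a VM too, so hypervisor strings alone are a review signal, not a block. The combination with an unmanaged device is what distinguishes the BYOD pattern the report describes, which is why only that pairing is rated high.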
Moreover, this doesn’t just apply to high-profile teams like Lazarus Group – including the one responsible for the recent Bybit hack (which was not technically a hack of the platform itself, but rather a social engineering manipulation) – but also to smaller private teams like TraderTraitor and AppleJeus.
Conclusion
Cyber threats have already increased in 2024, even against technologies and systems initially considered far more secure and resilient, such as blockchain-based solutions. All of this puts employers in a very dangerous position: they find it extremely difficult to recruit new employees and must take extra measures while balancing operational efficiency against internal security.
Stay tuned for updates, be adaptive in the rapidly evolving financial and crypto landscape, and keep your strategy grounded and balanced.