BlueNorOff, a subset of the North Korean regime-sponsored hacker group Lazarus, poses as venture capitalists (VCs) interested in investing in cryptocurrency startups. According to a US Army report published in 2020, BlueNorOff is a group of approximately 1,700 hackers sponsored by the North Korean government, financially motivated and engaged in financial crime. Their modus operandi typically involves long-term reconnaissance of target systems, followed by attacks designed to drain as much money as possible from the victim.
Confirmed attacks by this group have taken place in South Korea, Taiwan, Turkey, India, and Mexico, but the most notorious is the 2016 attack, in which the group attempted to transfer approximately $1 billion over the SWIFT network from an account belonging to Bangladesh Bank held at the Federal Reserve Bank of New York. Only after more than $100 million had already been transferred did the Federal Reserve Bank of New York block the remaining transactions, after misspellings in the transfer descriptions raised suspicion.
According to recent reports, the BlueNorOff group has created over 70 fake domains intended to impersonate investment firms and banks. These domains are most often disguised as those of well-known Japanese companies (e.g., Beyond Next Ventures, Mizuho Financial Group) and American ones. The primary targets of hackers posing as investment firms are startups actively using smart contract technology in the DeFi and FinTech space. Since 2017, North Korean hackers have allegedly stolen over $1.2 billion, including $626 million this year alone. The group's latest method involves sophisticated phishing. Impersonating an investment firm, the hackers contact the management of a startup seeking capital, and during the conversation they send the target a .doc file, presented as an ordinary Word document, or, as the situation calls for, a .pptx file, presented as a presentation. Opening a document disguised as an offer, contract, or any other document typically expected in the course of an investment process results in a malware infection of the device. From that point on, BlueNorOff monitors the company's ongoing operations while planning its attack. When the company attempts to transfer significant funds in cryptocurrencies, the hackers intercept the transactions, change the recipient's address, and at the same time set the transaction value to the highest possible amount.
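The two stages described above, a look-alike investor domain making first contact and a prepared transfer being altered before it is signed, both lend themselves to simple pre-emptive checks on the defender's side. The following Python example is added here and is not part of the original alert: it flags inbound sender domains that merely resemble an expected firm's domain, and it compares the transfer about to be signed with the one the operator actually approved (recipient, asset, amount and a per-transaction ceiling). All domain names, wallet addresses, limits and the homoglyph table are constructed sample values, not data from the reports cited above.

```python
"""
Defender-side checks for the two tactics described in the alert:
(1) an inbound contact from a look-alike domain that imitates a known firm,
(2) an outgoing crypto transfer whose recipient or amount no longer matches
    what the operator approved.
All domains, addresses, limits and substitution tables below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
import unicodedata

# Constructed allowlist of domains the finance team expects investor mail from.
KNOWN_FIRM_DOMAINS = {"example-ventures.com", "examplebank.co.jp"}

# Constructed allowlist of destinations that were verified out-of-band (e.g. by phone).
ALLOWLISTED_RECIPIENTS = {"0xSAMPLE_EXCHANGE_DEPOSIT_0001", "0xSAMPLE_COLD_WALLET_0002"}

# Constructed per-transaction ceilings per asset; anything above needs a second approver.
PER_TX_LIMIT = {"ETH": Decimal("50"), "USDC": Decimal("250000")}


def normalize_domain(domain: str) -> str:
    """Fold case, Unicode compatibility forms and a few common look-alike substitutions."""
    d = unicodedata.normalize("NFKC", domain).casefold().strip(". ")
    # Illustrative (constructed) substitution table; real deployments use a fuller confusables list.
    for src, dst in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, known=KNOWN_FIRM_DOMAINS, max_dist: int = 2) -> str:
    """'known' for an exact allowlisted domain, 'lookalike' if it only resembles one, else 'unknown'."""
    exact = domain.casefold().strip(". ")
    if exact in known:
        return "known"
    norm = normalize_domain(domain)
    for k in known:
        kn = normalize_domain(k)
        # Equal after normalization, or within a couple of edits, is the impersonation pattern.
        if norm == kn or edit_distance(norm, kn) <= max_dist:
            return "lookalike"
    return "unknown"


@dataclass(frozen=True)
class Transfer:
    recipient: str
    amount: Decimal
    asset: str


def verify_outgoing_transfer(intended: Transfer, to_sign: Transfer,
                             allowlist=ALLOWLISTED_RECIPIENTS, limits=PER_TX_LIMIT) -> list:
    """Compare the transfer presented for signing with the one the operator approved.

    Returns a list of policy violations; an empty list means the transfer may be signed.
    """
    problems = []
    if to_sign.recipient != intended.recipient:
        problems.append("recipient differs from approved request")
    if to_sign.recipient not in allowlist:
        problems.append("recipient not on verified allowlist")
    if to_sign.asset != intended.asset:
        problems.append("asset differs from approved request")
    if to_sign.amount != intended.amount:
        problems.append("amount differs from approved request")
    if to_sign.amount > limits.get(to_sign.asset, Decimal(0)):
        problems.append("amount exceeds per-transaction limit")
    return problems


if __name__ == "__main__":
    for d in ("example-ventures.com", "examp1e-ventures.com",
              "example-ventures.co", "totally-different.org"):
        print(f"{d}: {classify_sender_domain(d)}")
    approved = Transfer("0xSAMPLE_EXCHANGE_DEPOSIT_0001", Decimal("10"), "ETH")
    tampered = Transfer("0xSAMPLE_ATTACKER_ADDRESS_9999", Decimal("1000"), "ETH")
    print("approved vs approved:", verify_outgoing_transfer(approved, approved))
    print("approved vs tampered:", verify_outgoing_transfer(approved, tampered))
```

The transfer check deliberately treats the approved request as the source of truth and refuses on any divergence, which is what defeats the "swap the recipient and max out the amount" step: the tampered version fails on recipient, allowlist, amount and ceiling at once, so a single compromised workstation cannot quietly rewrite a payment that a second system has already recorded.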
Global intelligence agencies, particularly the South Korean National Intelligence Service, suggest that North Korea is using the stolen funds to protect its economy from increasingly stringent United Nations sanctions. It is also possible that they are being used to develop its nuclear program.
The above once again confirms that in the world of cryptocurrencies one must always act with the utmost caution, not only when dealing with the various service providers but also when dealing with potential investors.
This alert is for informational purposes only and does not constitute legal advice.