Security Experts:

Connect with us

Hi, what are you looking for?



US: Hackers Continue Aiding North Korea Generate Funds via Cryptocurrency Attacks

North Korean state-sponsored hacking group Lazarus continues to target blockchain and cryptocurrency organizations in recent campaigns, the United States government warns.

North Korean state-sponsored hacking group Lazarus continues to target blockchain and cryptocurrency organizations in recent campaigns, the United States government warns.

Also referred to as Hidden Cobra, Lazarus is an advanced persistent threat (APT) group blamed for numerous high-profile attacks, including the $81 million Bangladesh bank theft, and numerous assaults on cryptocurrency exchanges.

In a continuation of the “Dream Job” campaign that was initially observed in 2020, when it was targeting defense and governmental companies in Israel and globally, the hackers have switched to companies in the chemical sector, and are now targeting employees of cryptocurrency companies with spear-phishing messages that promise high-paying jobs.

Mainly targeting individuals in system administration or software development/IT operations (DevOps), the messages mimic recruitment efforts and are meant to lure the recipient into downloading a trojanized cryptocurrency application.

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Treasury Department note that, as of April 2022, the campaign – which they refer to as “TraderTraitor” – has “targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry.”

The US agencies, which have shared indicators of compromise (IOCs) and information on tactics, techniques, and procedures (TTPs) employed in these attacks, say that the campaign will likely continue to target “cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”

The US State Department announced recently that it’s offering rewards of up to $5 million for information that leads to the disruption of such activities.

TraderTraitor, the US says, refers to a series of malicious applications that were written in JavaScript and which leverage the Node.js runtime environment and the Electron framework to work cross-platform. These apps also borrow code from various open-source projects and are accompanied by websites that advertise features such as cryptocurrency trading and price prediction capabilities.

[ READ: U.S. Gov Blames North Korea Hackers for $600M Cryptocurrency Heist ]

The malicious applications contain functions designed to fetch and run a payload that may be an updated variant of the Manuscrypt RAT (targeting Windows and macOS) or a custom remote access trojan (RAT) capable of harvesting system information and downloading an additional payload.

“Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion,” the joint advisory reads.

Malicious applications identified in these attacks include DAFOM (allegedly a cryptocurrency portfolio application), TokenAIS and CryptAIS (purporting to create a portfolio of AI-based cryptocurrency trading), AlticGO, Esilet (supposedly offering live cryptocurrency prices and predictions), and CreAI Deck (claiming to be a platform for artificial intelligence and deep learning).

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Related: North Korean .Gov Hackers Back With Fake Pen-Test Company

Related: UK Cybersecurity Firm Says North Korean Attacks on Israel Successful

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.