The United States, Japan, and South Korea have issued warnings about North Korean threat actors actively and aggressively targeting the cryptocurrency industry. In a joint advisory, the countries said a group of threat actors linked to the Democratic People’s Republic of Korea (DPRK) continues to wage numerous cybercrime campaigns to steal cryptocurrencies. These actors, including the Lazarus hacking group, which the U.S. believes has been carrying out cyberattacks across the globe since 2009, are targeting “exchanges, digital asset managers and individual users.” They reportedly stole $659 million in cryptocurrency assets in 2024 alone.
North Korean hackers have been using “well-disguised social engineering attacks” to infiltrate targets’ systems, the countries said. They also warned that attackers could gain access to private-sector systems by posing as freelance IT workers. In 2022, the United States issued guidance on how to identify potential workers from North Korea. Indicators include logging in from multiple IP addresses, transferring money to an account in China, requesting payment in cryptocurrency, discrepancies in background information, and sometimes being unreachable during expected business hours.
Once in, malicious actors typically deploy malware, such as keyloggers and remote access tools, to steal login credentials and, ultimately, virtual currency that they can control and sell. As for where the stolen money goes, the United Nations issued a report in 2022 detailing investigators’ findings that North Korea was using money stolen by related threat actors to fund its missile program. “Our three governments are working together to prevent North Korean theft, including from private industry, and recover stolen funds, with the ultimate goal of preventing illicit profits from North Korea’s illicit weapons of mass destruction and ballistic missile programs,” the United States, Japan, and South Korea said.