Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korea cyberattacks. Show all posts
North Korea cyberattacks
Crypto cryptocurrency cryptocurrency hacks cryptocurrency scam cryptocurrency theft cryptocurrency wallet Cyber Attacks Hacker attack North Korea North Korea cyberattacks

North Korea-Linked Hackers Behind $2.1 Billion in Crypto Theft in Early 2025

 

A new report from blockchain analytics firm TRM Labs reveals that hackers stole an unprecedented $2.1 billion in cryptocurrency during the first half of 2025—marking the highest amount ever recorded for a six-month period. A staggering 70% of the total, or around $1.6 billion, has been attributed to cybercriminal groups sponsored by North Korea. 

According to TRM Labs’ “H1 2025 Crypto Hacks and Exploits” report, this figure surpasses the previous record set in 2022 by 10%, pointing to an escalating trend in high-stakes cybercrime. The report also emphasizes how North Korea has solidified its role as the leading state-backed threat actor in the cryptocurrency ecosystem.  

“These thefts are not just criminal—they’re tools of statecraft,” the report states, highlighting how stolen crypto plays a strategic role in funding the sanctioned regime’s national objectives, including its controversial weapons program. 

Much of this year’s unprecedented losses stem from a single massive incident: the $1.5 billion hack targeting Ethereum and related assets held by the crypto exchange Bybit in February. This attack is being considered the largest theft in the history of the cryptocurrency sector.  

Safe, a provider of multi-signature wallet solutions, traced the breach back to a compromised laptop belonging to one of its senior developers. The device was reportedly infected on February 4 after interacting with a malicious Docker project. The infiltration ultimately allowed attackers to gain unauthorized access to private keys.  

Both U.S. law enforcement and TRM Labs have linked the Bybit attack to North Korean hackers, aligning with prior assessments that the regime increasingly relies on crypto theft as a state-funded operation. 

This event drastically skewed the average size of crypto heists for 2025 and emphasized the changing nature of these attacks—from purely profit-driven motives to broader geopolitical strategies. 

TRM Labs noted that 80% of all crypto losses in 2025 were due to infrastructure breaches, with attackers exploiting vulnerabilities in systems that store private keys and seed phrases—essential components in controlling digital wallets. 

Analysts warn that such incidents signal a shift in the threat landscape. “Crypto hacking is becoming less about financial gain and more about political symbolism or strategic advantage,” TRM concluded. 

As the year continues, security experts urge crypto platforms and users to enhance infrastructure protection, especially against sophisticated, nation-backed threats that blur the line between cybercrime and cyberwarfare.
Read more »
North Korea cyberattacks
cyberattacks trending news malware Malware attacks News North Korea North Korea Hackers North Korea cyberattacks

North Korean Hackers Target Fintech and Gaming Firms with Fake Zoom Apps

 

A newly uncovered cyber campaign is targeting organizations across North America, Europe, and the Asia-Pacific by exploiting fake Zoom applications. Cybersecurity experts have traced the operation to BlueNoroff, a notorious North Korean state-backed hacking group affiliated with the Lazarus Group. The campaign’s primary focus is on the gaming, entertainment, and fintech sectors, aiming to infiltrate systems and steal cryptocurrency and other sensitive financial data. 

Attack strategy 

The attack begins with a seemingly innocuous AppleScript disguised as a routine maintenance operation for Zoom’s software development kit (SDK). However, hidden within the script—buried beneath roughly 10,000 blank lines—are malicious commands that quietly download malware from a counterfeit domain, zoom-tech[.]us. 

Once the malware is downloaded, it integrates itself into the system through LaunchDaemon, granting it persistent and privileged access at every system startup. This allows the malware to operate covertly without raising immediate alarms. The malicious software doesn’t stop there. It fetches additional payloads from compromised infrastructure, presenting them as legitimate macOS components like “icloud_helper” and “Wi-Fi Updater.” 

These files are designed with anti-forensics techniques to erase temporary files and conceal their activity, all while maintaining a hidden backdoor for remote control and data exfiltration. This deceptive approach is particularly dangerous in remote work environments, where minor software issues are often resolved without deep inspection—making it easier for such malware to slip past unnoticed. 

Motives behind the attack

BlueNoroff’s intent appears financially driven. The malware specifically searches for cryptocurrency wallet extensions, browser-stored login credentials, and authentication keys. In one known incident dated May 28, a Canadian online gambling platform fell victim to this scheme after its systems were compromised via a fraudulent Zoom troubleshooting script. 

Protection Measures for Organizations Given the growing sophistication of such campaigns, security experts recommend several protective steps: 

• Independently verify Zoom participants to ensure authenticity. 

• Block suspicious domains like zoom-tech[.]us at the firewall level. 

• Deploy comprehensive endpoint protection that can detect hidden scripts and unauthorized daemons. 

• Invest in reliable antivirus and ransomware protection, especially for firms with cryptocurrency exposure. 

• Use identity theft monitoring services to detect compromised credentials early. 

• Train employees to recognize and respond to social engineering attempts. 

• Secure digital assets with hardware wallets instead of relying on software-based solutions alone.
Read more »
spear-phishing campaigns
forceCopy malware information stealer Kimsuky hackers malware APT43 North Korea cyberattacks spear-phishing campaigns

Kimsuky Hackers Deploy forceCopy Malware in Spear-Phishing Attacks

 

North Korea-linked hacking group Kimsuky has been identified conducting targeted spear-phishing campaigns to distribute an information stealer known as forceCopy, according to the latest findings from the AhnLab Security Intelligence Center (ASEC).

The cyberattacks begin with phishing emails that contain a Windows shortcut (LNK) file, disguised as a Microsoft Office or PDF document. Once opened, the file executes PowerShell or mshta.exe, a legitimate Microsoft binary used to run HTML Application (HTA) files. This process facilitates the download and execution of additional malware from an external source.

According to ASEC, the attack chain ultimately results in the deployment of PEBBLEDASH, a well-known trojan, and a customized version of the RDP Wrapper, an open-source Remote Desktop utility.

Additionally, the attackers utilize proxy malware, which enables them to maintain persistent Remote Desktop Protocol (RDP) communication with external networks.

Kimsuky has also been observed employing a PowerShell-based keylogger to capture keystrokes and a new stealer malware, forceCopy, designed to extract files from directories linked to web browsers.

"All of the paths where the malware is installed are web browser installation paths," ASEC noted. "It is assumed that the threat actor is attempting to bypass restrictions in a specific environment and steal the configuration files of the web browsers where credentials are stored."

The use of RDP Wrapper and proxy malware marks a strategic shift for Kimsuky, which has traditionally relied on custom backdoors for gaining control over compromised systems.

The APT group, also referred to as APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima, is believed to be affiliated with North Korea’s Reconnaissance General Bureau (RGB), the country's primary foreign intelligence agency.

Kimsuky has been active since at least 2012, primarily executing social engineering attacks capable of evading email security protections. In December 2024, cybersecurity firm Genians reported that the group has been distributing phishing emails originating from Russian services to facilitate credential theft.
Read more »
Subscribe to: Posts (Atom)