FBI: North Korean hackers targeting cryptocurrency employees

North Korean state-sponsored threat actors have been conducting successful social engineering campaigns against cryptocurrency employees over the last several months.

The FBI warned that North Korean state-sponsored threat actors are targeting employees of cryptocurrency organizations with sophisticated social engineering campaigns.

In a public service announcement (PSA) published Tuesday, the FBI detailed recent malicious activity against employees of decentralized finance (DeFi) and cryptocurrency companies it attributed to the Democratic People's Republic of Korea (DPRK). During the campaigns, the state-sponsored attackers used advanced social engineering tactics to infiltrate organizations and deploy malware to steal cryptocurrency.

"Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network," the FBI wrote in the PSA.

The PSA warned that the social engineering techniques are sophisticated and pose a "persistent threat to organizations" holding large amounts of virtual currency assets.

Based on observed activity, the FBI said the threat actors conduct extensive research on targets and incorporate personal details, which results in credible impersonations. The campaign has been ongoing over the "last several months."

The FBI said the North Korean threat actors learn about targeted victims through social media activity on employment-related platforms and impersonate "a range of individuals" to trick employees in targeted organizations into giving them sensitive access; the individuals could be contacts a victim may know, employment recruiters and even prominent people in the technology industry. To appear legitimate, they incorporate personal details such as background and skills during prolonged conversations.

Additionally, threat actors' communications exhibit fluent English, which makes attacks even harder to detect. The attackers are also well versed in the cryptocurrency field, the PSA warned.

"North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen," the FBI wrote in the PSA. "Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets."

Campaigns included pictures stolen from public social media profiles to perpetuate the lure. The FBI included indicators of social engineering activity and mitigation steps in the PSA as well. Indicators included unsolicited employment and investment offers and requests to download applications on company-owned devices or to move conversations to other messaging platforms. In some cases, the FBI said threat actors manipulated the popularity of using video teleconference platforms.

The FBI urged cryptocurrency exchange companies to not store cryptocurrency wallet information on internet-connected devices, limit access to sensitive network documentation and require multiple factors of authentication and approvals. The PSA said raising awareness around the campaign is essential.

This is the latest activity regarding effective social engineering attacks from North Korean threat actors. In July, security awareness training company KnowBe4 caught a North Korean threat actor who posed as an IT worker on its AI team. In that incident, the threat actor used deepfake technology to hide his identity and a VPN to mask his location, which was not in the U.S.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
