North Korean scammers plan wave of stealth attacks on crypto companies, FBI warns

The FBI has warned that North Korean operatives are plotting "complex and elaborate" social engineering attacks against employees of decentralized finance (DeFi) organizations, as part of ongoing efforts to steal cryptocurrency.

State-sponsored crews have researched targets connected to cryptocurrency exchange-traded funds, and conducted other reconnaissance work, we're told. This suggests that North Korea is likely to attempt "highly tailored, difficult-to-detect social engineering campaigns" against cryptocurrency-related businesses in the near future, the US investigative agency wrote on Tuesday.

The scammers display such "sophisticated technical acumen" that victims may not even realize they’ve been attacked until it's too late.

North Korea has for years tried to steal assets from cryptocurrency outfits because international sanctions designed to stop it developing weapons of mass destruction mean the murderous autocracy is all but excluded from the global financial system. The nation has found cryptocurrency helps it get around those restrictions, so has launched many campaigns to acquire digi-dollars.

The FBI is concerned that those efforts have become more refined.

"Given the scale and persistence of this malicious activity, even those well-versed in cyber security practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets," the FBI warned.

Here's how the social engineering attacks typically go down.

North Korean cyber criminals scout out their targets by stalking would-be victims' social media accounts, "particularly on professional networking or employment-related platforms."

These services and job boards are familiar territory for Pyongyang's hackers. Previously, they've used fake LinkedIn job ads and posed as both jobseekers and/or employers to trick victims into downloading infostealers and other malware from malicious GitHub repos.

Kim Jong Un's cyber-scourges next initiate conversations with targets they've identified. Correspondence is sent in English and displays strong knowledge of crypto-related industries. Sometimes the crims pose as a mutual professional connection, an employee of a well-known company, or a recruiter. Whatever ruse they use, the goal is delivering malware in a way that "may appear natural and non-alerting."

• Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil
• US 'laptop farm' man accused of outsourcing his IT jobs to North Korea to fund weapons programs
• North Korea likely behind takedown of Indian crypto exchange WazirX
• North Korea building cash reserves using ransomware, video games

The scammers aren't afraid to play a long game. "If successful in establishing bidirectional contact, the initial actor, or another member of the actor's team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust," according to the FBI.

The Bureau has also compiled a list of potential indicators that a North Korean social engineer is attempting to scam you:

• Requests to execute code or download applications on company-owned devices or other devices with access to a company's internal network;
• Asks to conduct a "pre-employment test" or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories;
• Employment offers from prominent cryptocurrency or technology firms that are unexpected or involve unrealistically high compensation without negotiation;
• Offers of investment from prominent companies or individuals that are unsolicited or have not been proposed or discussed previously;
• Insistence of using non-standard or custom software to complete simple tasks easily achievable through the use of common applications (like video conferencing or connecting to a server);
• Demands to run a script to enable call or video teleconference functionalities supposedly blocked due to a victim's location;
• Proposes to move professional conversations to other messaging platforms or applications;
• Unsolicited contacts that contain unexpected links or attachments.

If you experience, or have experienced, any of these things, isolate potentially compromised devices ASAP and contact the FBI's Internet Crime Complaint Center along with local law enforcement agencies.

And as a general rule, don't download documents, GitHub packages, or other files from someone you meet on LinkedIn. Sadly, unsolicited job offers from well-known tech firms that offer compensation packages that seem too good to be true probably always are. ®