Why are North Korean hackers targeting crypto startups?

Just as technology has evolved over the years, so has cybercrime. Some of the most successful cybercrime teams today hail from the Democratic People’s Republic of Korea (DPRK), a totalitarian state ruled by dictator Kim Jong-un.

Researchers discovered in January 2022 that a major North Korean hacker group was targeting cryptocurrency startups in multiple countries and stealing millions of dollars in the process.

What is SnatchCrypto?

Dubbed SnatchCrypto, this series of attacks against crypto startups was uncovered by researchers from Russian cybersecurity firm Kaspersky.

The campaign is believed to be led by BlueNorOff, a unit part of the infamous North Korean cybercrime group Lazarus Group, also known as Guardians of Peace or Whois Team.

To execute its attacks, BlueNorOff (also known as APT38, Stardust Chollima, BeagleBoyz, and NICKEL GLADSTONE) uses sophisticated social engineering techniques and impersonates legitimate entities, tricking its targets into downloading malicious files.

RELATED: What is Social Engineering? This is how you could be hacked

For example, the group can share a document via Google Drive. The file may look perfectly legitimate and have a name like “Digital Investment Strategy”.


The group can also hack into another company and send an email from an address belonging to that company to their target. In one example, hackers compromised a registered business and took control of its social media accounts. Using these profiles, they sent supposed commercial offers in the form of malicious documents to their targets.

BlueNorOff does not always compromise another company to attack its targets. In fact, more often than not, it simply impersonates companies and then distributes malicious files.

These attacks tend to work because blockchain-based startups often receive company-related letters, contracts, offers, and similar files from unknown sources, according to Kaspersky.

The documents themselves seem, and sometimes even are, legitimate. If the victim opened them while not connected to the internet, they wouldn’t even be infected with malware.

Word document with arm holding north korean flag

However, if the target is connected to the Internet and opens a file distributed by BlueNorOff, another macro-enabled document is downloaded to the target’s computer and as a result, malware is deployed.

Once they infiltrate the target, hackers monitor its activities for weeks or even months. And when the target is about to make a large crypto transaction, the hackers are notified, allowing them to intercept said transaction and essentially empty the target’s crypto wallet.

Why is BlueNorOff targeting crypto startups?

It’s nearly impossible to track cryptocurrency transactions, so it’s no wonder hacker groups like BlueNorOff have targeted companies that deal in crypto.

According to a report by blockchain analytics firm Chainalysis, the Lazarus Group mined around $400 million worth of digital assets from businesses around the world in 2021 alone. accounts controlled by North Korea, then laundered by the government.

Related: How Do Cybercriminals Use Cryptocurrency?

Kim Jong-un’s regime, heavily sanctioned by Western governments, is said to have used the funds for its nuclear weapons and ballistic missile programs.

According to Chainalysis, the North Korean government “supports large-scale cryptocurrency-enabled crime,” making it a major threat to the crypto industry as a whole.

Defend against BlueNorOff

According to Kaspersky, in order to protect themselves from BlueNorOff and similar hacker groups, organizations must first educate their employees about social engineering and phishing attacks, and provide comprehensive cybersecurity training.

Organizations should also perform regular cybersecurity audits and invest in robust protection to identify attacks early and prevent theft.

In general, every company must pay particular attention to its cybersecurity hygiene, regularly update all its software and invest in reliable data backup solutions.

CD, hard drive, flash drive and floppy disk on a wooden surface
Forget Cloud Storage: Here’s Why You Should Switch to Local Backups

Cloud storage is convenient, but what if you lose access to your data? Here’s why you should stick with local storage.

Read more

About the Author

Previous Canada issues alert on new malware targeting Ukraine. Here's what it means - National
Next A VPN Troubleshooting Guide: Solve All Your VPN Problems