North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide

Startups have it hard enough, but now it looks like cybercriminals are making it even harder to not only achieve success but just stay afloat. There has been an uptick in activity from North Korean cybercriminals in recent years, particularly those suspected of having government ties.

Cybercrime against businesses based in the U.S. and internationally seems to be a significant income line for the cash-strapped dictatorship. Cyber-attacks may also be a revenge tactic for ongoing sanctions and embargoes as well as a means to fund its weapon programs.

The U.S. and other governments have directly blamed North Korea for being behind the infamous WannaCry ransomware attack, one of the most damaging global cyberattacks ever. And, no North Korean-based actor has been more prolific than the cybercrime gang Lazarus and its various offshoots.


Developing an effective response capability to ransomware requires taking specific steps for prevention, preparation, detection, verification, containment, eradication, and recovery. With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.


Up to now, the majority of these threat actors’ activities have been focused on big business. However, BlueNoroff, believed to be a sub-division of Lazarus, has been found targeting small to medium businesses. The group is mainly aiming to drain these businesses of their crypto assets.

The Russian cybersecurity company, Kaspersky, is monitoring this campaign against S.M.B.s. Dubbed “SnatchCrypto,” Kaspersky has noted that it seems to have been going since at least 2017. The primary motivation appears to be financial, with BlueNorroff primarily targeting FinTech startups. So far, victims have come from China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam. However, the group seems to be able and willing to target businesses regardless of location or nationality.

The researchers have warned that BlueNoroff seems to be a highly sophisticated threat actor with extensive resources and complex infrastructure. So far, their primary attack vector appears to be targeting employees directly through phishing campaigns to download malware disguised as a document or digital contract. To do this, threat actors pretend to be legitimate venture capital firms, often carrying out elaborate and lengthy social engineering attempts.

Typically, the initial infection features a Windows backdoor and surveillance malware. Lazarus has been known for its insidious A.P.T. (Advanced Persistent Threat) attacks which BlueNoroff is taking full advantage of. Eventually, this allows them to access these startups’ internet-connected hot wallets. They then quickly send crypto to crypto wallets owned by the DPRK (Democratic Peoples Republic of Korea). From here, the funds go through a carefully planned laundering process involving multiple mixers to make it nearly impossible to trace.

To protect their business interests and crypto funds, Kaspersky advised several measures:

  • Provide employees with proper cybersecurity hygiene training and resources on how to spot phishing and social engineering attempts.
  • Carry out cybersecurity audits to assess your perimeter as well as internal networks.
  • A malicious modification of the Metamask Chrome extension can be used to identify an infection.
  • Install and run anti-APT and E.D.R. (Endpoint Detection and Response) solutions.

Generally, it’s also recommended to store as little of your crypto funds in internet-connected hot wallets as possible. It is best to hold your funds in offline “cold wallets” or even physical devices where it’s nearly impossible to access unauthorized.