The FBI has announced that the Democratic People’s Republic of Korea is engaging in social engineering campaigns targeting employees in the DeFi and cryptocurrency sectors.
The FBI has announced that the Democratic People’s Republic of Korea (DPRK) is conducting social engineering campaigns targeting employees in the DeFi and cryptocurrency industries to distribute malware and steal digital assets from companies.
North Korean cybercriminals have developed complex and difficult-to-detect social engineering schemes. Their methods are advanced enough to compromise individuals with strong technical training. Despite knowledge of cybersecurity practices, many in the cryptocurrency industry remain vulnerable to these persistent and targeted attacks, according to the FBI.
In recent months, North Korean cybercriminals have conducted extensive research into entities related to cryptocurrency exchange-traded funds (ETFs), raising concerns that the country is preparing for cyberattacks on companies that deal with ETFs and other cryptocurrency-related financial products.
The FBI has identified North Korea as a continuing threat to organizations that handle significant cryptocurrency assets. The country employs a range of advanced tactics to infiltrate networks and steal funds.
Social engineering techniques used by North Korean actors
North Korean cybercriminal teams are focusing on identifying specific companies related to DeFi and cryptocurrencies. They target multiple employees of these companies, with the aim of gaining unauthorized access to the company’s networks. Before making contact, they often gather intelligence on social media platforms, especially those used for professional networking.
These actors create individualized fictional scenarios, incorporating personal details about the target’s career or business interests. Common strategies include offering new job opportunities or investment deals. Attackers often reference information that only a few people are likely to know, creating a sense of legitimacy.
Once initial contact is made, attackers work to build rapport with the victim. This relationship can last for a long time, as the goal is to deliver the malware in a way that seems natural. Attackers often communicate fluently in English and display a high level of understanding of cryptocurrency-related topics.
Identity theft techniques
North Korean cybercriminals are known to impersonate various people, including business contacts that the target may recognize. They use stolen images from social media and sometimes invent urgent events to compel their targets to act quickly.
They may also pose as recruitment firms or technology companies, relying on fake websites to boost their credibility. There are documented cases of North Korean domains being seized due to their involvement in these malicious activities.
If a company suspects it has been targeted by a North Korean social engineering campaign, the FBI recommends immediately disconnecting affected devices from the internet, but leaving them turned on to preserve evidence. It advises reporting the incident to the FBI’s Cybercrime Complaint Center and providing detailed information, including screenshots of communications with the attackers.