Phishing, Malware

FBI: North Korean hackers transferred $40 million in stolen cryptocurrency funds in one day

Pedestrians walk past a display of cryptocurrency Bitcoin on Feb. 15, 2022, in Hong Kong. The FBI released a list of six known Bitcoin wallets known to have received millions in funds stolen by North Korean hackers. (Photo by Anthony Kwan/Getty Images)

Cryptocurrency companies should already be on guard against North Korean hackers.

Outfits linked to the Democratic People’s Republic of Korea have been bombarding the sector for years, viewing the loosely regulated cryptocurrency space as a prime target for digital theft that is swiftly rerouted to the country’s military and nuclear weapons programs that form Pyongyang’s power base.

Even by those standards, the Hermit Kingdom has been on a tear recently, according to the FBI. The bureau said Tuesday that TraderTraitor and Lazarus Group (an umbrella term for state-aligned North Korean hacking groups) have stolen more than 1,580 Bitcoins (worth over $40 million) over the past 24 hours alone.  

The agency included a list of six known Bitcoin wallets where illegal funds were being transferred. Other recent incidents observed by law enforcement and linked to these groups include the thefts of $100 million in virtual currency from Atomic Wallet, $60 million from the Alphapo payment platform and $37 million CoinsPaid. All three incidents took place in June.  

A list of cryptocurrency wallets associated with recent thefts by North Korea-aligned hackers BlueNoroff. (Source: FBI)
A list of cryptocurrency wallets associated with recent thefts by North Korea-aligned hackers BlueNoroff. (Source: FBI)

The FBI “believes the DPRK may attempt to cash out the bitcoin” in the near future, and is warning U.S. cryptocurrency companies to look for suspicious transactions and contact law enforcement if they identify signs of potential compromise.

“Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses,” the bueau wrote in a release.

TraderTraitor is one of North Korea’s greatest weapons in its “hack for profit” schemes, and has a long and successful history of targeting cryptocurrency companies and other sectors for financial gain.

The group, also known as APT38 or BlueNoroff, was blamed by U.S. authorities last year for a $620 million heist of Etherium coin in March 2022, and is perhaps most notorious for the 2016 Bank of Bangladesh hack that saw the group make off with more than $80 million in stolen funds. They’ve also shown a propensity for impersonating venture capital firms in the U.S. and Japan to conduct spearphishing attacks on businesses.

According to a U.S. Cybersecurity and Infrastructure Security Agency advisory last year, BlueNoroff has focused on the cryptocurrency space since at least 2020, usually beginning “with a large number of spearphishing messages sent to employees” who work in system administration, software development and IT operations. These messages are often crafted to look like recruitment offers for high-paying jobs. They trick victims into downloading cryptocurrency trading and pricing applications embedded with malware.

The FBI and the State Department have advertised multi-million dollar rewards for tips that can help disrupt North Korean hacking operations.

The advice given by government agencies to combat these threats mostly amounts to emphasizing basic block and tackling in cybersecurity: timely patching, enforcing “least privilege” access policies, multifactor authentication and training users on phishing attacks.

CISA also recommends the deployment of endpoint detection and response on work-related devices, implementing enhanced email and domain protections that can conduct reputation checks on suspicious domains and block newly registered ones, disabling Macros in applications like Microsoft Word and monitoring third-party application downloads by employees.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.