North Korean hackers are targeting blockchain companies with malicious crypto-stealing apps

The U.S. government has warned that North Korean state-backed hackers known as the Lazarus Group are targeting organizations in the blockchain industry using trojanized cryptocurrency applications.

In a joint advisory issued on Monday, the FBI, CISA and the U.S. Treasury said they had observed the North Korean-backed threat actors targeting a variety of organizations in the blockchain and cryptocurrency industries, including crypto exchanges, cryptocurrency trading companies, venture capital funds that have invested in cryptocurrency, play-to-earn video games, and individuals known to hold large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).

The warning comes just days after U.S. officials linked Lazarus to the recent theft of $625 million in cryptocurrency from Ronin, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity, after exploiting a vulnerability in the network.

The North Korean-backed hackers are targeting employees of cryptocurrency companies using social engineering tactics across a variety of communication platforms. The advisory warns that the attackers would send highly targeted spoofed emails — known as “spearphishing” — that would include a high-paying job offer to try to entice the victim to download the trojanized cryptocurrency applications, an operation which the U.S. government refers to as “TraderTraitor.” This appears to be a continuation of the so-called “Dream Job” campaign that was first observed in 2020 and saw the hackers target workers in the defense, aerospace and chemical sectors.

These malicious apps propagate malware across the victim’s network environment and steal private keys or exploit other security gaps, which allows the hackers to carry out follow-on activities, such as making fraudulent blockchain transactions. The U.S. agencies highlight a number of malicious TraderTraitor apps used in these campaigns, including Dafom, CryptAIS, AlticGO, Esilet and CreAI Deck, all of which purport to offer services such as portfolio building and real-time cryptocurrency price predictions.

The advisory, which also includes indicators of compromise (IOCs) and information on tactics, techniques and procedures (TTPs) employed in these attacks, urges organizations in the blockchain and cryptocurrency industries to strengthen their defenses.

“North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets,” the agencies said. “These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”

Last year, U.S. agencies shared information on malicious crypto-trading applications injected with AppleJeus malware, which was used by Lazarus to steal cryptocurrency from individuals and companies worldwide. North Korea has long used cryptocurrency-stealing operations to fund its nuclear weapons program.