    The Wallet Inspectors: The DPRK’s Sophisticated Campaign to Steal Cryptocurrency and How to Protect Yourself | Faegre Drinker Biddle & Reath LLP

March 6, 2025


    On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a cyberattack resulting in the theft of approximately $1.5 billion in Ethereum tokens.  This attack marked a new pinnacle in the criminal efforts of cyber actors tied to the Democratic People’s Republic of Korea (“North Korea” or the “DPRK”).  In recent years, these malicious actors have increasingly targeted the cryptocurrency industry, leveraging sophisticated tactics to steal and launder digital assets for the ultimate benefit of funding the North Korean government.  These high-profile and high-dollar-value exploits underscore the ongoing risk from the DPRK cyber threat and the need for private sector actors to implement appropriate cybersecurity measures to combat these threats.  The threat is particularly acute since most interactions with these actors raise the additional risk of committing a violation of U.S. sanctions, with corresponding civil and criminal legal exposure.

    This blog post delves into the details of recent cybercriminal activity attributed to actors tied to North Korea, their impact on the cryptocurrency sector, and the steps organizations should consider to mitigate those risks.

    Bybit, TraderTraitor, and the DPRK Cyberthreat

    The Bybit theft has been attributed by the Federal Bureau of Investigation to the DPRK cyber actors using a series of malware-laced cryptocurrency applications known as “TraderTraitor.”  The theft was wildly successful:  the amount stolen nearly doubles the amount attributed to cybercrime by DPRK-affiliated actors in the entirety of 2024.

These North Korean cyber actors are known across the cybersecurity community as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima, and have been active for years.  According to a 2022 Joint Cybersecurity Advisory from the U.S. government (the “Joint Advisory”), these actors have targeted a variety of organizations associated with cryptocurrency, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, cryptocurrency trading companies, venture capital funds, and individual holders of large amounts of digital currency or non-fungible tokens (NFTs).

    Their methods often involve social engineering, phishing campaigns, and exploitation of software vulnerabilities to gain unauthorized access to digital assets.  As explained in the same Joint Advisory—which includes substantial technical information and computer code for cybersecurity experts—the actors use a multi-step process to achieve their criminal objective:

• Engage in a spear phishing message campaign targeting system administrators, software developers, and IT professionals. The messages are designed to look like employment recruiting efforts and encourage the targets to download a cryptocurrency application laced with malware (the “TraderTraitor applications”).
    • The TraderTraitor applications purport to be cryptocurrency trading or price prediction tools, and the campaigns feature websites with modern designs and advertisements to make it appear legitimate.
    • Once downloaded and used by the target, the TraderTraitor applications often deploy a remote access trojan (RAT) that can collect system information, execute commands, and download additional payloads.
    • Once compromised, the actors are able to steal private keys and other information that allows them to gain access to and steal cryptocurrency.

    The Bybit hack also highlights the alarming speed and efficiency at which North Korean hackers have been able to launder stolen funds.  It has been reported that, within 48 hours of the hack, at least $160 million had been funneled through illicit channels, surpassing $400 million by February 26, 2025.  Security experts and law enforcement have observed that the rapid laundering process involves multiple intermediary wallets, conversion into different cryptocurrencies, and the use of decentralized exchanges, cross-chain bridges and cryptocurrency mixers to obfuscate the digital trail.

    The DPRK, Bounty Programs & Sanctions

    One of the more unique issues with DPRK cybercrime is its interaction with the U.S. sanctions regime.  The U.S. government’s North Korea Sanctions Program, primarily administered by the Office of Foreign Assets Control (OFAC), prohibits virtually all transactions with an individual or entity affiliated with the DPRK government absent a license.  There are criminal penalties for willful violations of these sanctions, but even inadvertent violations create a risk of civil enforcement and significant financial penalties.  In this context, U.S. persons engaging in cryptocurrency transactions with actors tied to the Lazarus Group and TraderTraitor may risk violating U.S. sanctions, whether or not they are aware of their ties to the DPRK.

    How to Mitigate Risk

    As recommended by experts including the FBI and CISA, the private sector should consider a number of steps to mitigate the risk of being targeted and successfully attacked by the DPRK:

• Stay apprised of cybersecurity advisories from law enforcement and incorporate the information they provide—such as the list of Ethereum addresses released by the FBI related to the Bybit hack—into your security program.
• Apply “defense-in-depth security,” including security principles such as least-access models and network segmentation to prevent lateral movement.
• Maintain a timely vulnerability and patch management program.
• Enforce credential requirements and multi-factor authentication (MFA), noting that MFA weaknesses have been exploited by sophisticated cyber actors.
• Educate your employees to recognize and reject social engineering techniques and phishing attempts.
• Disable HTML in emails, scan email attachments, and monitor or restrict access to newly registered domains.
• If you are hacked, be mindful of the additional risk of a potential sanctions violation and seek expert legal counsel to assist with both the incident mitigation efforts and strategic decisions surrounding any potential response to the threat actors.
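Putting the first recommendation into practice, as an added example that is not part of the original post: a pre-transaction screen that loads a published list of flagged Ethereum addresses (such as the FBI's Bybit-related list) and holds any transfer that touches one. The addresses and transfers below are constructed placeholders, not the FBI's actual indicators.

```python
from dataclasses import dataclass

# Constructed placeholder indicators; a real deployment would load the
# FBI-published list instead of these values.
FLAGGED_ADDRESSES = {"0x" + "0" * 36 + "dead", "0x" + "1" * 40}

@dataclass(frozen=True)
class Transfer:
    tx_id: str
    sender: str
    recipient: str
    amount_eth: float

def normalize(addr: str) -> str:
    """Ethereum addresses are case-insensitive (mixed case is only the
    EIP-55 checksum), so compare a validated, lowercased form."""
    a = addr.strip()
    if not a.startswith("0x") or len(a) != 42:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a.lower()

def build_blocklist(raw_addresses) -> frozenset:
    return frozenset(normalize(a) for a in raw_addresses)

def screen(transfers, blocklist):
    """Return (tx_id, reason) for each transfer touching a flagged address,
    so it can be held before broadcast and escalated for sanctions review."""
    hits = []
    for t in transfers:
        if normalize(t.recipient) in blocklist:
            hits.append((t.tx_id, "recipient flagged"))
        elif normalize(t.sender) in blocklist:
            hits.append((t.tx_id, "sender flagged"))
    return hits

# Constructed sample transfers; tx-1 pays a flagged address (mixed case on
# purpose) and tx-3 is an inbound deposit from one.
SAMPLE_TRANSFERS = [
    Transfer("tx-1", "0x" + "2" * 40, "0x" + "0" * 36 + "DEAD", 12.5),
    Transfer("tx-2", "0x" + "2" * 40, "0x" + "3" * 40, 0.4),
    Transfer("tx-3", "0x" + "1" * 40, "0x" + "4" * 40, 7.0),
]

if __name__ == "__main__":
    for tx, why in screen(SAMPLE_TRANSFERS, build_blocklist(FLAGGED_ADDRESSES)):
        print(f"HOLD {tx}: {why}")
```

Held transfers should be routed to a compliance review rather than silently dropped, since an inadvertent completed transaction is what creates the civil sanctions exposure the post describes.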
