Cybersecurity researchers have uncovered infrastructure links between the North Korean threat actors behind the IT worker fraud scheme and a fraudulent 2016 crowdfunding campaign.
The new evidence suggests that threat groups based in Pyongyang may have run smaller illicit money-making scams before the IT worker scheme took shape, according to a Secureworks Counter Threat Unit (CTU) report shared with The Hacker News.
The IT worker fraud scheme, which came to light in late 2023, involves North Korean operatives infiltrating companies in the West and other parts of the world by covertly seeking employment under fake identities in order to generate income for the sanctioned country. The activity is also tracked under the names Famous Chollima, Nickel Tapestry, UNC5267 and Wagemole.
The IT workers, according to South Korea's Ministry of Foreign Affairs (MoFA), are assessed to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers' Party of Korea.
Another notable aspect of these operations is that IT workers are commonly dispatched to China and Russia to work for front companies such as Yanbian Silverstar and Volasys Silver Star, both of which were sanctioned by the US Treasury Department's Office of Foreign Assets Control (OFAC) in September 2018.
Both organizations were accused of participating in and facilitating the export of workers from North Korea for the purpose of making a profit for the Hermit Kingdom or the Workers’ Party of Korea and concealing the workers’ true nationalities from clients.
Sanctions were also imposed on Yanbian Silverstar’s North Korean CEO, Jong Sung-hwa, for his role in controlling “the flow of profits to several development groups in China and Russia.”
In October 2023, the US government announced the seizure of 17 Internet domains posing as US IT companies that had been used to defraud businesses at home and abroad, allowing North Korean IT workers to hide their true identities and locations when applying for online freelance work.
Among the seized domains was silverstarchina(.)com. Secureworks' analysis of historical WHOIS records found that the registrant's mailing address matches the reported location of Yanbian Silverstar's offices in Yanbian Prefecture, China, and that the same registrant email address and mailing address had been used to register other domains.
One of those domains is kratosmemory(.)com, which was previously used in connection with a 2016 Indiegogo crowdfunding campaign that was later found to be a scam: backers received neither the product nor a refund from the seller. The campaign had 193 backers and raised $21,877.
"People who donated to this campaign didn't get anything they were promised," one comment on the crowdfunding page reads. "They didn't get any updates either. It was a complete scam."
The cybersecurity company also noted that the WHOIS registrant information for kratosmemory(.)com was updated around mid-2016 to name a different person, Dan Molding, which matches the Indiegogo user profile behind the Kratos campaign.
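The pivot Secureworks describes above, linking silverstarchina(.)com to kratosmemory(.)com through a shared registrant email and mailing address in historical WHOIS data and then spotting the mid-2016 registrant change, is a routine infrastructure-analysis step. The following Python is an added illustration written for this page, not Secureworks' tooling or data. Every domain, name, email and address in it is constructed and fictional, and the snapshot layout is an assumption; real historical-WHOIS providers return their own schemas, so the loader would need adapting.

```python
"""Pivot historical WHOIS snapshots on shared registrant identifiers.

Illustrative example written for this article, not Secureworks' tooling.
All records below are constructed; the domains, names, emails and
addresses are fictional.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class WhoisSnapshot:
    domain: str
    observed: str            # ISO date the record was captured (YYYY-MM-DD)
    registrant_name: str
    registrant_email: str
    registrant_address: str


def _norm_email(email: str) -> str:
    return email.strip().lower()


def _norm_address(address: str) -> str:
    # Snapshots of the same record differ in case, punctuation and spacing;
    # collapse everything that is not a letter or digit to a single space.
    return re.sub(r"[^a-z0-9]+", " ", address.lower()).strip()


def pivot_on_registrant(snapshots):
    """Group domains by normalized (email, address) registrant pair.

    Returns {(email, address): sorted list of domains}. Any group holding
    more than one domain is a candidate infrastructure link worth review.
    """
    groups = defaultdict(set)
    for s in snapshots:
        key = (_norm_email(s.registrant_email), _norm_address(s.registrant_address))
        groups[key].add(s.domain)
    return {k: sorted(v) for k, v in groups.items()}


def linked_domains(snapshots, seed_domain):
    """Domains that share any registrant email/address pair with seed_domain."""
    linked = set()
    for domains in pivot_on_registrant(snapshots).values():
        if seed_domain in domains:
            linked.update(domains)
    linked.discard(seed_domain)
    return sorted(linked)


def registrant_timeline(snapshots, domain):
    """Chronological (observed, registrant_name) hand-over points for a domain.

    Consecutive snapshots with the same registrant are collapsed, so only
    the dates on which the registrant actually changed are reported.
    """
    ordered = sorted((s for s in snapshots if s.domain == domain),
                     key=lambda s: s.observed)
    timeline = []
    for s in ordered:
        if not timeline or timeline[-1][1] != s.registrant_name:
            timeline.append((s.observed, s.registrant_name))
    return timeline


# Constructed sample snapshots (fictional values). The first two records
# share a registrant despite cosmetic differences; the third and fourth show
# a registrant change on the second domain; the last is unrelated noise.
SAMPLE = [
    WhoisSnapshot("front-company.example", "2015-03-01", "Registrant One",
                  "Registrant.One@example.net", "12 Example Road, Example City"),
    WhoisSnapshot("gadget-campaign.example", "2015-11-20", "Registrant One",
                  "registrant.one@example.net", "12 EXAMPLE ROAD, EXAMPLE CITY"),
    WhoisSnapshot("gadget-campaign.example", "2016-07-05", "Registrant Two",
                  "registrant.two@example.org", "99 Other Street, Other Town"),
    WhoisSnapshot("gadget-campaign.example", "2016-09-01", "Registrant Two",
                  "registrant.two@example.org", "99 Other Street, Other Town"),
    WhoisSnapshot("unrelated.example", "2016-01-01", "Someone Else",
                  "someone@example.com", "1 Nowhere Lane"),
]


if __name__ == "__main__":
    print("linked:", linked_domains(SAMPLE, "front-company.example"))
    for when, who in registrant_timeline(SAMPLE, "gadget-campaign.example"):
        print(when, who)
```

The normalization step is what makes the pivot work in practice: the same registrant typically appears with inconsistent capitalization and punctuation across snapshots, and an exact-string join would miss the link. Treat a shared pair as a lead rather than proof; privacy-proxy addresses and registrar placeholders also produce large shared groups and must be filtered out before drawing conclusions.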
“This 2016 campaign is low-effort and low-cost compared to more sophisticated schemes by North Korean IT operatives operating at the time of publication,” Secureworks said. “However, it demonstrates an earlier example of North Korean threat actors experimenting with various money-making schemes.”
The disclosure comes as Japan, South Korea and the US issued a joint warning to the blockchain industry about the ongoing targeting of various actors in the sector by cyber actors from the Democratic People's Republic of Korea (DPRK) seeking to steal cryptocurrency.
"Advanced persistent threat groups linked to North Korea, including the Lazarus Group (…) continue to demonstrate a pattern of malicious behavior in cyberspace, conducting numerous cybercriminal campaigns to steal cryptocurrency and targeting exchanges, digital asset custodians and individual users," the governments said.
Companies targeted in 2024 include DMM Bitcoin, Upbit, Rain Management, WazirX and Radiant Capital, with over $659 million in cryptocurrency stolen in total. The announcement marks the first official confirmation that North Korea was behind the hack of WazirX, India's largest cryptocurrency exchange.
"This is a critical moment. We call for swift international action and support to recover the stolen assets," WazirX founder Nischal Shetty said in a post on X. "Rest assured, we will leave no stone unturned in our pursuit of justice."
Last month, blockchain firm Chainalysis also found that North Korea-linked threat actors stole $1.34 billion in 47 cryptocurrency breaches in 2024, compared to $660.50 million in 20 incidents in 2023.