Multiple threat activity clusters tied to North Korea (aka the Democratic People's Republic of Korea or DPRK) have been linked to attacks targeting organizations and individuals in the Web3 and cryptocurrency space.
"The focus on Web3 and cryptocurrency appears to be aimed primarily at financial gain," Mandiant noted in its M-Trends report for 2025, shared with The Hacker News.
"These operations are intended to generate financial income, funding North Korea's weapons of mass destruction program and other strategic assets."
The cybersecurity firm said DPRK-nexus threat actors have developed custom tools written in a variety of languages such as Golang, C++ and Rust, and are capable of infecting Windows, Linux and macOS operating systems.
At least three clusters, tracked as UNC1069, UNC4899 and UNC5342, have been found to target members of the cryptocurrency and blockchain development community, in particular developers working on Web3 projects, in order to obtain illicit access both to cryptocurrency and to the organizations that employ them.
A brief description of each threat actor is below –
- UNC1069 (active since at least April 2018), which targets diverse industries for financial gain using social engineering lures, sending fake meeting invites and posing as investors from reputable companies on Telegram to gain access to victims' digital assets and cryptocurrency.
- UNC4899 (active since 2022), which is known for targeting organizations with job-themed lures that deliver malware as part of a supposed coding assignment, and which has previously staged supply chain compromises for financial gain (overlaps with Jade Sleet, PUKCHONG, Slow Pisces, TraderTraitor and UNC4899).
- UNC5342 (active since January 2024), which is also known for using job-related lures to trick developers into running malware (overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER and Famous Chollima).
Another North Korean threat actor of note is UNC4736, which has targeted the blockchain industry by trojanizing trading software and has been linked to the cascading supply chain attack on 3CX in early 2023.
Mandiant said it also identified a separate cluster of North Korean activity, tracked as UNC3782, that conducts large-scale phishing campaigns targeting the cryptocurrency sector.
"In 2023, UNC3782 conducted phishing operations against TRON users and transferred $137 million in a single day," the company said. "UNC3782 launched a campaign in 2024 to target Solana users and direct them to pages that contained cryptocurrency drainers."
Cryptocurrency theft is one of several means the DPRK has pursued to sidestep international sanctions. Since at least 2022, a threat activity cluster tracked as UNC5267 has sent thousands of its citizens to secure remote employment at companies in the U.S., Europe and Asia, while residing mainly in China and Russia.
A significant portion of these IT workers is said to be tied to the 313 General Bureau, which is responsible for North Korea's nuclear program.
North Korean IT workers, besides using stolen identities, have also used entirely fabricated personas to support their activities. This has been supplemented by the use of real-time deepfake technology to create convincing synthetic identities during job interviews.
"This offers two key operational advantages. First, it allows a single operator to interview for the same position multiple times using different synthetic personas," researchers noted.
"Second, it helps operatives avoid being identified and added to security bulletins and wanted notices. Together, these help DPRK workers enjoy enhanced operational security and reduced detectability."
"They have also stepped up extortion campaigns against employers, and they have moved to conducting operations within corporate virtualized infrastructure, networks and servers," Jamie Collier and Michael Barnhart of the Google Threat Intelligence Group (GTIG) noted in a report last month.
"They are now using their privileged access to steal data and enable cyber attacks in addition to generating revenue for North Korea."
In 2024, Mandiant said it identified a suspected DPRK IT worker using at least 12 personas while seeking employment in the U.S. and Europe, underscoring the effectiveness of such non-traditional methods for infiltrating organizations under false pretenses.
"In at least one case, two false identities were considered for a job at a U.S. company, with one DPRK IT worker winning out over the other," the company said. In another case, "four suspected DPRK IT workers were employed within a 12-month period at a single organization."