
Multiple threat activity clusters with ties to North Korea (also known as the Democratic People’s Republic of Korea, or DPRK) are associated with attacks targeting organizations and individuals in the Web3 and cryptocurrency sectors.
“The focus on Web3 and cryptocurrency appears to be primarily financially motivated due to the heavy sanctions imposed on North Korea,” Google-owned Mandiant said in its M-Trends 2025 report shared with The Hacker News.
“These activities aim to generate financial benefits reportedly funding North Korea’s Weapons of Mass Destruction (WMD) programmes and other strategic assets.”
The cybersecurity company said that DPRK-nexus threat actors have developed custom tools written in various languages such as Golang, C++, Rust, and others, capable of infecting Windows, Linux, and macOS operating systems.
At least three threat activity clusters, tracked as UNC1069, UNC4899, and UNC5342, were found to target members of the cryptocurrency and blockchain development community.
A brief explanation of each threat actor is below:
UNC1069 (active since at least April 2018) is known for sending fake meeting invitations and for posing as investors from reputable companies on Telegram in order to access victims’ digital assets and cryptocurrency.
UNC4899 (overlaps with Jade Sleet, Pukchong, Slow Pisces, and TraderTraitor) is known for job-themed campaigns and for earlier campaigns pursued for financial gain.
UNC5342 (active since January 2024) is known for employing job-related lures that trick developers into running projects containing malware (overlaps with Contagious Interview, DEV#POPPER, and Famous Chollima).
Another North Korean threat actor is UNC4736, which was attributed to the cascading 3CX supply chain attack in early 2023 and has targeted the blockchain industry by trojanizing trading software applications.

Mandiant also said it has identified another cluster of North Korean activity, tracked as UNC3782, which runs large-scale phishing campaigns targeting the cryptocurrency sector.
“In 2023, UNC3782 carried out phishing operations against Tron users, transferring assets worth US$137 million per day,” the company said. “UNC3782 launched a campaign in 2024 targeting Solana users with a page containing cryptocurrency drainers.”
Cryptocurrency theft is one of several measures the DPRK has pursued to evade international sanctions. Since at least 2022, an active threat cluster tracked as UNC5267 has dispatched thousands of citizens to secure remote employment at businesses in the US, Europe, and Asia, while residing primarily in China and Russia.

The majority of IT workers are said to be affiliated with the 313 Ammunition Industry Bureau, which is responsible for North Korea’s nuclear program.
In addition to exploiting stolen identities, North Korean IT workers use fully fabricated personas to support their activities. This is complemented by the use of real-time deepfake technology to create a convincing synthetic identity during job interviews.
“This offers two important operational benefits. First, a single operator can interview multiple times for the same position using different synthetic personas.”
“Secondly, it helps avoid being identified and added to security bulletins and wanted notices. In combination, it helps DPRK IT workers enjoy enhanced operational security and reduced detectability.”
The DPRK IT worker scheme takes insider threats to a whole new level: it is designed to funnel pay to Pyongyang to advance strategic goals, maintain long-term access to victim networks, and even extort employers.

“They’ve also stepped up their extortion campaigns against employers, moving to run their operations on corporate desktops, networks, and servers,” said Jamie Collier and Michael Barnhart of Google Threat Intelligence Group (GTIG) in a report last month.
“In addition to generating revenue for North Korea, they are now using privileged access to steal data and enable cyberattacks.”
In 2024, Mandiant identified suspected DPRK IT workers using at least 12 personas while seeking employment in the US and Europe, and said this underscores the effectiveness of relying on such unconventional methods to gain employment under false identities and infiltrate organizations.
“In at least one example, two false identities competed for a job at a US company, and one DPRK IT worker won out over the other,” the threat intelligence company noted. In another example, “four DPRK IT workers were employed within 12 months in one organization.”