A North Korean Hacking Group Is Targeting Crypto Startups

north korean hacker cover 768x403 1

Key Takeaways

  • Cybersecurity firm Kaspersky says that the hacking group BlueNoroff is primarily targeting crypto startups in a report released earlier today.
  • The group has used phishing campaigns to make crypto startups install software updates with backdoor access.
  • Though Kaspersky did not say how much cryptocurrency has been stolen, previous reports provide some estimates.

Share this article

BlueNoroff, a North Korean hacking group, is now primarily targeting crypto startups, according to a report from cybersecurity firm Kaspersky.

BlueNoroff Is Solely Targeting Crypto Startups

The North Korean hacking group known as BlueNoroff is almost exclusively targeting cryptocurrency startups, according a new report from Kapersky.

BlueNoroff is a hacking group with ties to the larger crybercrime group Lazarus, which has been known to have strong ties with North Korea in the past. It initially targeted banks and the SWIFT payment network, beginning with an attack on Bangladesh’s Central Bank in 2016.

But now, BlueNoroff has “shifted [its] focus…to solely cryptocurrency businesses” rather than traditional banks, Kaspersky says.

According to the report, the hacking group has historically begun each attack by “stalking and studying successful cryptocurrency startups” through prolonged phishing campaigns involving emails and internal chats.


BlueNoroff has impersonated several existing cryptocurrency businesses including Cardano’s commercial arm, Emurgo, and the New York VC firm Digital Currency Group. It has also impersonated Beenos, Coinsquad, Decrypt Capital, and Coinbig.

Kaspersky noted that those companies were not compromised during the attacks.

Hackers Would Use Backdoors

After gaining the trust of the targeted startup and the members, the hackers would have the company install a modified software update with backdoor access, allowing for further intrusion.

Then, the group would use the backdoor to collect user credentials and monitor user keystrokes. This monitoring of user activity would last “for weeks or months,” Kaspersky says.

BlueNoroff would often exploit CVE-2017-0199 in Microsoft Office, which allows Visual Basic scripts to be executed in Word documents. The group would also replace browser wallet add-ons, such as Metamask, with compromised versions.

These strategies allowed the company to steal company funds as well as “set up a vast monitoring infrastructure” that notified the group of large transactions.

How Much Has Been Stolen?

Kaspersky did not state how much had been stolen via these attacks. However, Costin Raiu of Kaspersky previously identified bZx as one target of BlueNoroff’s SnatchCrypto campaign. That exchange saw $55 million stolen from it in November 2021.

The U.S. Treasury has also suggested that BlueNoroff, along with Lazarus and other subgroup, stole $571 million in cryptocurrency from five exchanges between January 2017 and September 2018. BlueNoroff stole over $1.1 billion dollars from financial institutions by 2018, the Treasury said in the same report.

Incidentally, the analytics firm Chainalysis today suggested that North Korean hackers stole $400 million in 2021. However, this report mentioned only Lazarus generally, not BlueNoroff specifically.

Disclosure: At the time of writing, the author of this piece own BTC, ETH, and other cryptocurrencies.

Share this article