
Daily Attempts of North Korean Cybercriminals to Infiltrate Binance – Identifying Methods Used for Detection

Binance's head security officer, Jimmy Su, discusses methods used by the cryptocurrency exchange to identify North Korean hackers posing as job seekers.


North Korean state-sponsored hackers have become the most persistent adversary of the cryptocurrency industry. Their tactics, which combine technical skill with patient social engineering, are a standing concern for every major exchange.

According to Binance's Chief Security Officer, Jimmy Su, North Korean attackers pose the single biggest threat to crypto companies. Exchanges are responding by sharing threat intelligence in private Telegram and Signal groups, flagging poisoned software libraries and newly observed DPRK techniques as they appear.

North Korean state actors often use a combination of technical expertise in blockchain and crypto systems, social engineering, identity deception, and global laundering networks to conduct long-term, large-scale thefts and money laundering operations against crypto exchanges.

One method is exploiting detailed knowledge of how exchanges move funds. In the Bybit case, attackers compromised a third-party wallet supplier so that the transaction Bybit's signers approved sent funds to attacker-controlled addresses, resulting in the roughly $1.4 billion theft. The stolen Ether was then laundered quietly through decentralized exchanges.

Another tactic is hijacking supplier or partner systems to intercept transactions. This strategy leverages trust relationships within the crypto ecosystem to bypass standard security measures.

North Korean hackers also use advanced laundering chains involving both decentralized and mainstream exchanges to convert stolen funds into other cryptocurrencies and move them across platforms, making recovery difficult.

North Korean IT operatives also rely on identity fraud and social engineering: they build multiple fake personas and use them to obtain positions of trust inside crypto projects, gaining internal access. Some have masqueraded as engineers from credible firms such as Polygon Labs or OpenSea to infiltrate projects remotely.

Targeting the remote-work policies of major exchanges such as Coinbase, North Korean operatives apply for jobs under stolen or fabricated identities and, once hired, use that employment to reach internal systems. Exchanges have responded by requiring in-person onboarding, citizenship verification, and real-time video checks to block such attempts.

Exploiting weak regulatory frameworks and lax KYC/AML enforcement within many cryptocurrency exchanges and decentralized platforms, North Korean hackers are able to launder and move stolen funds with minimal scrutiny. They also leverage third-party regional financial ecosystems with less stringent controls to facilitate their operations.

North Korea also dispatches IT workers abroad under false pretenses. These workers hide their origin behind VPNs and other software so that they appear to be local developers or ordinary remote contractors, and the income and access they obtain support broader cyber operations, including crypto breaches.

Recent tactics include sending fake job offers to crypto employees, often while posing as DeFi projects or investment firms and dangling senior roles. During the fake interview, the attackers claim that the call has "some kind of video or voice issues" and send the victim a link to "update" Zoom; the download is malware that infects the victim's device.

So far this year, $1.6 billion in crypto has been stolen via these methods, according to Wiz's Director of Strategic Threat Intelligence. If a worker at Binance doesn't appear to ever sleep, it might be a sign they're part of the Lazarus Group, believed to be responsible for many large-scale hacks in the crypto industry.
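The "never sleeps" heuristic above can be automated over authentication or commit logs. The following Python is an added example, not Binance's own tooling: it buckets each account's activity by UTC hour of day and flags accounts that show no quiet window of at least QUIET_HOURS_MIN consecutive hours, the pattern expected when several operators share one identity. The log lines, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

QUIET_HOURS_MIN = 5   # assumption: one person shows at least 5 consecutive idle hours a day
MIN_EVENTS = 20       # assumption: too few events and the quiet window is meaningless


def _constructed_log():
    """Build constructed 'account,ISO-8601 UTC timestamp' lines (not real data)."""
    lines = []
    for day in range(1, 6):
        for hour in (9, 11, 13, 15, 17):          # alice: ordinary office-hours pattern
            lines.append(f"alice,2024-03-{day:02d}T{hour:02d}:00:00Z")
        for hour in range(0, 24, 3):              # around_the_clock: active in every 3-hour slot
            lines.append(f"around_the_clock,2024-03-{day:02d}T{hour:02d}:30:00Z")
    lines.append("bob,2024-03-01T10:00:00Z")      # bob: too little activity to judge
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Map each account to the list of UTC hours-of-day at which it produced an event."""
    hours = defaultdict(list)
    for line in text.strip().splitlines():
        account, ts = line.split(",", 1)
        dt = datetime.strptime(ts.strip(), "%Y-%m-%dT%H:%M:%SZ")
        hours[account].append(dt.hour)
    return hours


def longest_quiet_window(hour_list):
    """Longest run of consecutive hours of day with no activity, wrapping past midnight.

    Wrapping makes the result independent of the account's real time zone: a person in
    any zone still has a contiguous idle block somewhere on the 24-hour circle.
    """
    active = set(hour_list)
    if not active:
        return 24
    if len(active) == 24:
        return 0
    best = cur = 0
    for h in range(48):            # walk the circle twice so a gap across 00:00 is counted once
        if h % 24 in active:
            cur = 0
        else:
            cur += 1
            best = max(best, cur)
    return best


def flag_no_sleep_accounts(text, quiet_min=QUIET_HOURS_MIN, min_events=MIN_EVENTS):
    """Return {account: longest_quiet_hours} for accounts with enough data and no real idle block."""
    flagged = {}
    for account, hour_list in parse_log(text).items():
        if len(hour_list) < min_events:
            continue
        quiet = longest_quiet_window(hour_list)
        if quiet < quiet_min:
            flagged[account] = quiet
    return flagged


if __name__ == "__main__":
    for account, quiet in flag_no_sleep_accounts(SAMPLE_LOG).items():
        print(f"{account}: longest idle window {quiet}h, review for shared identity")
```

Run on the constructed log, `alice` keeps a 15-hour idle block and `bob` is skipped for lack of data, while `around_the_clock` never idles for more than two hours and is reported. In practice the hour buckets should be built over several weeks so that a single late night does not trip the check, and the output is a prompt for a human review, not a verdict.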

Binance is taking steps to combat these threats. Employees are trained to report every phishing attempt made against them, and the security team screens out suspicious resumes daily, partly because DPRK applicants tend to reuse the same resume templates. Binance also has checks to detect North Korean applicants on video, such as asking them to put a hand over their face, a simple gesture that breaks many real-time face-swap filters, but it does not want to reveal all of its tricks in case attackers are reading this article.
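Template reuse is a signal that can be checked mechanically. The following Python is an added example, not Binance's screening code: it fingerprints each resume as a set of three-word shingles and computes Jaccard similarity against fingerprints of templates seen in earlier suspicious applications. The template text, the two candidate resumes and the threshold are constructed for illustration. Popular legitimate templates score high as well, so a match is a triage flag for a human reviewer, never an automatic rejection.

```python
import re

SHINGLE_SIZE = 3        # word trigrams; assumption: long enough to be distinctive
MATCH_THRESHOLD = 0.5   # assumption: tune against a labelled sample before relying on it

# Constructed boilerplate standing in for text seen across prior suspicious resumes.
KNOWN_TEMPLATES = {
    "template_A": (
        "Results-driven full stack blockchain developer with five years of experience "
        "building decentralized applications and smart contracts on Ethereum and Solana. "
        "Skilled in Solidity, Rust, React and Node. Seeking a remote senior engineer role."
    ),
}

# Constructed candidates: one re-uses the template with a few fields changed, one does not.
CANDIDATE_COPIED = (
    "Jane Doe. Results-driven full stack blockchain developer with seven years of experience "
    "building decentralized applications and smart contracts on Ethereum and Solana. "
    "Skilled in Solidity, Rust, React and Node. Seeking a remote senior engineer role."
)
CANDIDATE_ORIGINAL = (
    "Ten years at a payments company maintaining Java services. Led migration to Kubernetes "
    "and wrote the team's incident runbooks."
)


def shingles(text, k=SHINGLE_SIZE):
    """Lower-case, keep alphanumeric words only, and return the set of k-word shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Set overlap; returns 0.0 when both sides are empty so short inputs never match."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_resume(text, templates=KNOWN_TEMPLATES):
    """Similarity of one resume against every known template fingerprint."""
    s = shingles(text)
    return {name: jaccard(s, shingles(body)) for name, body in templates.items()}


def flag_resume(text, threshold=MATCH_THRESHOLD, templates=KNOWN_TEMPLATES):
    """Return (template_name, score) for the best match above the threshold, else None."""
    scores = score_resume(text, templates)
    if not scores:
        return None
    best = max(scores, key=scores.get)
    return (best, round(scores[best], 3)) if scores[best] >= threshold else None


if __name__ == "__main__":
    for label, resume in (("copied", CANDIDATE_COPIED), ("original", CANDIDATE_ORIGINAL)):
        print(label, flag_resume(resume))
```

Word shingles are deliberately coarse: changing a name, a number of years or a company leaves most trigrams intact, so the copied resume still scores around 0.78 against the template, while unrelated text scores zero. For a large applicant pool the same fingerprints feed a MinHash index so that every new resume is compared against thousands of known templates in constant time.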

Despite these efforts, North Korean attackers continue to pose a significant threat to the crypto industry. They use AI tools and voice changers to pass as whatever kind of developer an interview calls for, and they are shifting focus and resources onto the crypto industry because of the sums involved. Binance says it has never hired a nation-state actor, but it monitors current employees for suspicious behavior.
