{
	"id": "c1755077-9f4d-4fe0-ad0e-4be753ea65dc",
	"created_at": "2026-04-06T00:17:47.352389Z",
	"updated_at": "2026-04-10T13:11:41.610213Z",
	"deleted_at": null,
	"sha1_hash": "4c5e880fb7a18580200309c4bdf20814f2c6cdc2",
	"title": "How we proved North Korea's blockchain malware campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1117298,
	"plain_text": "How we proved North Korea's blockchain malware campaign\r\nBy ana.lobzhanidze\r\nPublished: 2025-12-17 · Archived: 2026-04-05 18:47:33 UTC\r\nWhen malware lives on servers, law enforcement can seize them. When it’s hosted on domains, registrars can take\r\nthem down. But when threat actors embed malware directly in blockchain transactions, they create something\r\nunprecedented: infrastructure that’s permanent, globally distributed, and impossible to remove.\r\nNorth Korean threat actors have done exactly that. In Parts 1-3 of this investigation series, Ransom-ISAC\r\ndocumented the technical sophistication of Cross-Chain TxDataHiding, a technique for embedding malware\r\npayloads and command-and-control instructions in blockchain transactions. The malware analysis was\r\ngroundbreaking. But it left one critical question unanswered: who’s behind it?\r\nPart 4 answers that question. Crystal Intelligence proved North Korean attribution by doing something traditional\r\nblockchain forensics doesn’t: we followed the money backward.\r\n(Read the technical analyses: Part 1, Part 2, Part 3.)\r\nThe attribution challenge\r\nTraditional malware attribution relies on infrastructure fingerprinting: server configurations, domain registration\r\npatterns, hosting provider choices, IP addresses. But when the infrastructure IS the blockchain itself, those\r\nindicators vanish. Blockchain transactions are pseudonymous. Anyone can post data. The technical signatures tell\r\nyou what happened, not who did it.\r\nThis is where financial intelligence becomes essential. While malware analysis reveals the technique, financial\r\nforensics reveals the threat actor.\r\nFollowing the money backward\r\nTraditional blockchain forensics starts with stolen cryptocurrency and traces where it goes: through mixers, across\r\nchains, into exchanges. Crystal reversed the approach.\r\nWe started with the wallets posting malware transactions and asked: where did their operational funding come\r\nfrom?\r\nWe identified addresses paying transaction fees for malware-containing transactions across Binance Smart Chain,\r\nTRON, Aurora, and Ethereum. Then we traced their funding sources backward through cross-chain bridges, swap\r\nservices, and layered transactions. The infrastructure funding patterns revealed something traditional forward-tracing would never catch: multi-year operational planning.\r\n“Traditional blockchain forensics traces stolen funds forward. We reversed it: starting with\r\noperational wallets and tracing funding backward revealed connections invisible to standard\r\nmethods.”\r\n– Nick Smart, Chief Intelligence Officer, Crystal Intelligence\r\nhttps://crystalintelligence.com/investigations/how-we-proved-north-koreas-blockchain-malware-campaign/\r\nPage 1 of 7\n\nAbove: Visualization showing cross-chain transaction flow from TQdwohPCWqqfCUaCispyV1NaUZ1HgiJPUy to\r\nmultiple addresses. Source: Crystal Expert\r\nWhat the financial trail revealed\r\nSome infrastructure wallets had been dormant since 2021. Not months, but years. They held funds, waiting, before\r\nsudden activation in 2024-2025 for malware operations. This isn’t opportunistic cybercrime. It’s strategic nation-state planning.\r\nThe operational funding moved across multiple blockchains using bridges and swap services, demonstrating\r\nsophisticated understanding of blockchain monitoring gaps. Between October 2024 and April 2025, funds flowed\r\nthrough legitimate services in patterns that looked normal in isolation but revealed operational discipline when\r\nanalyzed comprehensively.\r\nTransaction timing showed weekday activity during standard working hours. Operations began in early June 2025\r\nand continued through November with rotating command-and-control servers. The behavioral patterns were\r\nconsistent, methodical, disciplined.\r\nAbove: Temporal analysis heatmap showing transaction activity by day of week and hour, plus weekly\r\ntransactions chart showing activity patterns from June through November 2025\r\nThen we found the smoking gun: direct financial connections to known North Korean operations.\r\nOperational wallets linked to addresses involved in documented DPRK cryptocurrency thefts, including the Bybit\r\ntheft, the largest cryptocurrency theft to date. The financial flows connected to known hubs for North Korean\r\nlaundering operations: Huione, Xinbi Guarantee, and BlackU. These aren’t circumstantial similarities. They’re\r\ndirect financial relationships.\r\nOne operational wallet was accessed via IP address 188.43.33.249 in Vladivostok, Russia—geolocating to the site\r\nof the former US Consulate. This aligns with known DPRK internet routing through TransTeleCom\r\ninfrastructure established in 2017, when North Korea diversified its internet access through Russia.\r\nAbove: Bridging activity showing fund flows eventually connecting to DPRK theft addresses. Source: Crystal\r\nExpert\r\nThe full scope of financial flows revealed significant operational funding:\r\nAbove: Fund flow showing received vs. sent funds breakdown: $81,515.28 through various sources flowing to\r\ndestinations including Mixing Service (1.9%), Liquidity Pools (83.7%), and other services. Source: Crystal Expert\r\nThey’re not just using this technique; they’re perfecting it\r\nBut financial patterns weren’t the only unusual discovery.\r\nThe blockchain analysis revealed something unexpected: unusual data embedded in transactions that had nothing\r\nto do with malware operations. Medical records. Chest X-rays. Legal documents. Audio files. None connected to\r\nactual attacks.\r\nThis is testing. Threat actors systematically experimenting with different file types, sizes, and encoding methods\r\nto understand what blockchain networks accept and how data persists across different chains. They’re not just\r\ndeploying a technique—they’re actively developing it.\r\nThe presence of these artifacts raises intriguing questions. Some researchers have speculated whether such\r\nembedded data could function as a modern ‘numbers station’—a method intelligence agencies use to\r\ncommunicate with agents overseas through broadcasts of encoded data that appear meaningless to observers.\r\nWhile DPRK is known to operate traditional numbers stations, whether these blockchain artifacts serve a\r\ncommunication function remains uncertain. What’s clear is systematic experimentation with the technique’s\r\ncapabilities.\r\nAbove: Examples of unusual artifacts embedded in blockchain transactions – medical records, chest X-rays, legal\r\ndocuments, and test images used for systematic testing of file types and encoding methods.\r\nWhy this changes everything\r\nThis represents Phase 3 in North Korean cryptocurrency operations.\r\nPhase 1 (2016-2020) focused on theft – direct exchange hacks and DeFi exploits.\r\nPhase 2 (2020-2024) focused on laundering – sophisticated obfuscation using mixers, bridges, and layered\r\ntransactions.\r\nPhase 3 (2025-present) focuses on building permanent operational infrastructure ON blockchains.\r\nThe implications ripple across industries. Security teams monitoring emails, websites, and servers can’t see threats\r\nliving on blockchains. Compliance teams watching for suspicious transaction patterns miss infrastructure funding\r\nthat looks normal. The crypto industry faces a fundamental challenge: the same properties that make blockchains\r\nvaluable – permanence, censorship resistance, global accessibility – make them attractive for adversary\r\ninfrastructure.\r\nAnd this technique will spread. What North Korea demonstrates today, other nation-state actors and cybercriminal\r\ngroups will adapt tomorrow.\r\nAbove: Figure showing wallet relationships and connections to South Korean exchanges and DeFi services.\r\nSource: Crystal Expert\r\nAbove: Unusual on-chain artifacts. Figure visualization of Polygon transactions with unusual message-encoded\r\ndata and different bridging methods being tested. Source: Crystal Expert\r\nBuilding on emerging research\r\nThis research builds on emerging understanding of blockchain-based malware techniques. In 2023, Mandiant\r\ndocumented ‘EtherHiding’—hiding malicious code in blockchain data. Crystal’s investigation reveals the broader\r\noperational picture: not just isolated techniques, but systematic infrastructure development, cross-chain\r\ndistribution, multi-year planning, and verified attribution to specific nation-state actors through financial forensics.\r\nWhen threat actors build infrastructure on blockchains, financial intelligence becomes essential to attribution. This\r\ninvestigation demonstrates that permanent, blockchain-based malware infrastructure is no longer theoretical—it’s\r\noperational. And proving attribution requires following the money, not just analyzing the code.\r\n—\r\nAbout this investigation\r\nThis is Part 4 of the Cross-Chain TxDataHiding investigation series, produced in collaboration between Crystal\r\nIntelligence and Ransom-ISAC.\r\nRead the full series:\r\nPart 1: Novel tradecraft and C2 infrastructure\r\nPart 2: Malware payload analysis\r\nPart 3: Infrastructure fingerprinting and attribution\r\nPart 4: Financial intelligence and blockchain forensics (this post)\r\nContributors: Nick Smart (Chief Intelligence Officer, Crystal Intelligence), Andrii Sovershennyi (Senior Analyst,\r\nCrystal Intelligence), François-Julien Alcaraz, Yashraj Solanki, Tammy Harper, and Ellis Stannard.\r\nAccess the investigation: Crystal Expert users can view detailed blockchain analysis and visualizations at\r\nexpert.crystalintelligence.com\r\nFind out how Crystal Intelligence’s investigation, compliance, and advisory solutions can help your organization\r\nnavigate the evolving crypto regulation landscape by booking a demo here.\r\nSource: https://crystalintelligence.com/investigations/how-we-proved-north-koreas-blockchain-malware-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://crystalintelligence.com/investigations/how-we-proved-north-koreas-blockchain-malware-campaign/"
	],
	"report_names": [
		"how-we-proved-north-koreas-blockchain-malware-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c5e880fb7a18580200309c4bdf20814f2c6cdc2.pdf",
		"text": "https://archive.orkl.eu/4c5e880fb7a18580200309c4bdf20814f2c6cdc2.txt",
		"img": "https://archive.orkl.eu/4c5e880fb7a18580200309c4bdf20814f2c6cdc2.jpg"
	}
}