{
	"id": "e723d697-31b7-4377-a7ec-7f82481e5672",
	"created_at": "2026-04-06T03:36:54.392127Z",
	"updated_at": "2026-04-10T13:12:27.738673Z",
	"deleted_at": null,
	"sha1_hash": "634a479c82d3dd4c7dc9c30223627df0edfa3333",
	"title": "Internet Crime Complaint Center (IC3)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47882,
	"plain_text": "Internet Crime Complaint Center (IC3)\r\nPublished: 2024-09-03 · Archived: 2026-04-06 03:18:04 UTC\r\nThe Democratic People's Republic of Korea (\"DPRK\" aka North Korea) is conducting highly tailored, difficult-to-detect social engineering campaigns against employees of decentralized finance (\"DeFi\"), cryptocurrency, and\r\nsimilar businesses to deploy malware and steal company cryptocurrency.\r\nNorth Korean social engineering schemes are complex and elaborate, often compromising victims with\r\nsophisticated technical acumen. Given the scale and persistence of this malicious activity, even those well versed\r\nin cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to\r\ncryptocurrency assets.\r\nNorth Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency\r\nexchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations\r\nsuggesting North Korean actors may attempt malicious cyber activities against companies associated with\r\ncryptocurrency ETFs or other cryptocurrency-related financial products.\r\nFor companies active in or associated with the cryptocurrency sector, the FBI emphasizes North Korea employs\r\nsophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large\r\nquantities of cryptocurrency-related assets or products.\r\nThis announcement includes an overview of the social engineering tactics North Korean state-sponsored actors\r\nuse against victims working in DeFi, cryptocurrency, and related industries; potential indicators of North Korean\r\nsocial engineering activity; mitigation measures for those most at risk; and steps to take if you or your company\r\nmay have been victimized.\r\nNorth Korean Social Engineering Tactics\r\nExtensive Pre-Operational Research\r\nTeams of North Korean malicious cyber actors identify specific 
DeFi or cryptocurrency-related businesses to\r\ntarget and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the\r\ncompany's network. Before initiating contact, the actors scout prospective victims by reviewing social media\r\nactivity, particularly on professional networking or employment-related platforms.\r\nIndividualized Fake Scenarios\r\nNorth Korean malicious cyber actors incorporate personal details regarding an intended victim’s background,\r\nskills, employment, or business interests to craft customized fictional scenarios designed to be uniquely appealing\r\nto the targeted person.\r\nNorth Korean fake scenarios often include offers of new employment or corporate investment. The actors may\r\nreference personal information, interests, affiliations, events, personal relationships, professional connections, or\r\nhttps://www.ic3.gov/PSA/2024/PSA240903\r\nPage 1 of 4\n\ndetails a victim may believe are known to few others.\r\nThe actors usually attempt to initiate prolonged conversations with prospective victims to build rapport and\r\ndeliver malware in situations that may appear natural and non-alerting. If successful in establishing bidirectional\r\ncontact, the initial actor, or another member of the actor’s team, may spend considerable time engaging with the\r\nvictim to increase the sense of legitimacy and engender familiarity and trust.\r\nThe actors usually communicate with victims in fluent or nearly fluent English and are well versed in the technical\r\naspects of the cryptocurrency field.\r\nImpersonations\r\nNorth Korean malicious cyber actors routinely impersonate a range of individuals, including contacts a victim\r\nmay know personally or indirectly. 
Impersonations can involve general recruiters on professional networking\r\nwebsites, or prominent people associated with certain technologies.\r\nTo increase the credibility of their impersonations, the actors leverage realistic imagery, including pictures stolen\r\nfrom open social media profiles of the impersonated individual. These actors may also use fake images of time\r\nsensitive events to induce immediate action from intended victims.\r\nThe actors may also impersonate recruiting firms or technology companies backed by professional websites\r\ndesigned to make the fake entities appear legitimate. Examples of fake North Korean websites can be found in\r\naffidavits to seize 17 North Korean domains, as announced by the Department of Justice in October 2023.\r\nIndicators\r\nThe FBI has observed the following list of potential indicators of North Korean social engineering activity:\r\nRequests to execute code or download applications on company-owned devices or other devices with\r\naccess to a company’s internal network.\r\nRequests to conduct a \"pre-employment test\" or debugging exercise that involves executing non-standard\r\nor unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.\r\nOffers of employment from prominent cryptocurrency or technology firms that are unexpected or involve\r\nunrealistically high compensation without negotiation.\r\nOffers of investment from prominent companies or individuals that are unsolicited or have not been\r\nproposed or discussed previously.\r\nInsistence on using non-standard or custom software to complete simple tasks easily achievable through\r\nthe use of common applications (i.e. 
video conferencing or connecting to a server).\r\nRequests to run a script to enable call or video teleconference functionalities supposedly blocked due to a\r\nvictim's location.\r\nRequests to move professional conversations to other messaging platforms or applications.\r\nUnsolicited contacts that contain unexpected links or attachments.\r\nMitigations\r\nTo lower the risk from North Korea’s advanced and dynamic social engineering capabilities, the FBI recommends\r\nthe following best practices for you or your company:\r\nDevelop your own unique methods to verify a contact's identity using separate unconnected\r\ncommunication platforms. For example, if an initial contact is via a professional networking or\r\nemployment website, confirm the contact's request via a live video call on a different messaging\r\napplication.\r\nDo not store information about cryptocurrency wallets — logins, passwords, wallet IDs, seed phrases,\r\nprivate keys, etc. — on Internet-connected devices.\r\nAvoid taking pre-employment tests or executing code on company owned laptops or devices. If a pre-employment test requires code execution, insist on using a virtual machine on a non-company connected\r\ndevice, or on a device provided by the tester.\r\nRequire multiple factors of authentication and approvals from several different unconnected networks prior\r\nto any movement of your company's financial assets. Regularly rotate and perform security checks on\r\ndevices and networks involved in this authentication and approval process.\r\nLimit access to sensitive network documentation, business or product development pipelines, and company\r\ncode repositories.\r\nFunnel business communications to closed platforms and require authentication — ideally in person —\r\nbefore adding anyone to the internal platform. 
Regularly reauthenticate employees not seen in person.\r\nFor companies with access to large quantities of cryptocurrency, the FBI recommends blocking devices\r\nconnected to the company’s network from downloading or executing files except specific whitelisted\r\nprograms and disabling email attachments by default.\r\nResponse\r\nIf you suspect you or your company have been impacted by a social engineering campaign similar to those\r\ndiscussed in this announcement, or by any potential North Korea-related incident, the FBI recommends the\r\nfollowing actions:\r\nDisconnect the impacted device or devices from the Internet immediately. Leave impacted devices\r\npowered on to avoid the possibility of losing access to recoverable malware artifacts.\r\nFile a detailed complaint through the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov.\r\nProvide law enforcement as many details as you can regarding the incident, including screenshots of\r\ncommunications with the malicious cyber actors. If possible, take screenshots of (or otherwise save)\r\nidentifiers, usernames, online accounts, and any other details about the actors involved.\r\nDiscuss options for incident response and forensic examination of impacted devices with law enforcement.\r\nIn some situations, law enforcement may recommend taking advantage of private incident response\r\ncompanies.\r\nShare your experience with colleagues, if appropriate, to raise awareness and broaden the public's\r\nunderstanding of the significant malicious cyber threat emanating from North Korea.\r\nFor related information and additional details on North Korea's malicious cyber activity, see FBI press releases\r\nfrom September 2023, August 2023, and January 2023, as well as Joint Cybersecurity Advisories released in June\r\n2023 and April 2022.\r\nSource: https://www.ic3.gov/PSA/2024/PSA240903",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ic3.gov/PSA/2024/PSA240903"
	],
	"report_names": [
		"PSA240903"
	],
	"threat_actors": [],
	"ts_created_at": 1775446614,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/634a479c82d3dd4c7dc9c30223627df0edfa3333.pdf",
		"text": "https://archive.orkl.eu/634a479c82d3dd4c7dc9c30223627df0edfa3333.txt",
		"img": "https://archive.orkl.eu/634a479c82d3dd4c7dc9c30223627df0edfa3333.jpg"
	}
}