{
	"id": "f7e4a968-e099-4096-a982-9d2a11d6f192",
	"created_at": "2026-04-06T00:21:50.483354Z",
	"updated_at": "2026-04-10T13:13:09.490743Z",
	"deleted_at": null,
	"sha1_hash": "9da928f724bb2945d6ab4f9ec890587b13f43f8d",
	"title": "North Korean cryptocurrency hackers expand target list",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35232,
	"plain_text": "North Korean cryptocurrency hackers expand target list\r\nBy Tonya Riley\r\nPublished: 2023-01-25 · Archived: 2026-04-02 11:22:32 UTC\r\nNorth Korean hackers known for cryptocurrency heists are expanding their targets to include education, government and healthcare, according to researchers tracking the group. The activity could be a sign that the group, which is suspected in two high-profile cryptocurrency hacks in 2022, may have even bigger plans for 2023.\r\nResearchers at the cybersecurity firm Proofpoint observed in early December a massive wave of phishing emails from a cluster of North Korea-related hacking activity linked to TA444, the firm’s name for the group. The latest campaign, which blasted more emails than researchers attributed to that group in all of 2022, tried to entice users to click a URL that redirected to a credential harvesting page.\r\nProofpoint could not disclose the specifics about targets for confidentiality reasons, but most related to finance in some way. Documents attached in the emails included titles like “Profit and Loss,” “Invoice and statement receipts” and “Salary adjustments.” The malicious emails also included lures mentioning “analyses of cryptocurrency blockchains, job opportunities at prestigious firms, or salary adjustments,” according to the report.\r\nTo help avoid phishing detection tools, TA444 uses email marketing tools to engage with targets.\r\nResearchers say that the campaign is unusual for a few reasons. Technically, it deviates from the group’s previous activity in that the hackers focused on trying to steal the target’s logins and passwords rather than directly deploying malware.\r\nThe bigger question is why a group known to be financially motivated would target government and education sectors alongside the far more lucrative financial sector. TA444, like other clusters of activity associated with the North Korean government, is almost exclusively financially motivated. In more recent years, North Korean hackers have homed in especially on the cryptocurrency industry.\r\nTA444 has overlapped with Lazarus, a group of North Korean hackers to which the FBI attributed a record $600 million cryptocurrency attack on Ronin Bridge, the infrastructure that connected the Axie Infinity video game with the Ethereum blockchain. The FBI on Monday attributed a separate $100 million hack of the Harmony Bridge to the group after the hackers recently tried to launder $60 million worth of currency stolen in the heist.\r\nThe December campaign comes on the heels of a noticeable shift in delivery tactics that researchers began to notice in the fall, demonstrating that the group might be taking on more of a “start-up” mentality, Proofpoint researchers wrote.\r\n“We can’t always derive the motive behind shifts in strategy. But we may have the answer later, when we see more of these attacks,” said Alexis Dorais-Joncas, senior manager of threat research at Proofpoint. “It might be a one-off. It might be a test to see how much success they could have hacking other types of organizations. But right now, it’s not really clear to us why they are actually doing that.”\r\nResearchers at Kaspersky in December also noted North Korean hackers pivoting malware delivery methods. They found that hackers had created numerous fake domains, most of them imitating Japanese venture capital firms. Domains flagged by Proofpoint also included attempts to spoof Japanese financial institutions.\r\nProofpoint could not rule out that another actor had compromised TA444’s server or that the group was potentially moonlighting for other purposes, which could signal more differentiation in targets going forward.\r\nSource: https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/"
	],
	"report_names": [
		"north-korean-cryptocurrency-hackers-education-government"
	],
	"threat_actors": [
		{
			"id": "d14271be-be2e-4be7-9578-5b6196e35481",
			"created_at": "2023-11-21T02:00:07.355328Z",
			"updated_at": "2026-04-10T02:00:03.46613Z",
			"deleted_at": null,
			"main_name": "TA444",
			"aliases": [],
			"source_name": "MISPGALAXY:TA444",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9da928f724bb2945d6ab4f9ec890587b13f43f8d.pdf",
		"text": "https://archive.orkl.eu/9da928f724bb2945d6ab4f9ec890587b13f43f8d.txt",
		"img": "https://archive.orkl.eu/9da928f724bb2945d6ab4f9ec890587b13f43f8d.jpg"
	}
}