{ "id": "a67e8610-a8c3-4dc6-9774-7d5792130088", "created_at": "2026-04-06T00:19:53.033327Z", "updated_at": "2026-04-10T03:35:51.163307Z", "deleted_at": null, "sha1_hash": "a0f4ad4ca18c2c8ca9ced5e1bd5979b0c9ddedf7", "title": "North Korea's Top APT Swindled $1B From Crypto Investors in 2022", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2742968, "plain_text": "North Korea's Top APT Swindled $1B From Crypto Investors in\r\n2022\r\nBy Nate Nelson\r\nPublished: 2023-01-25 · Archived: 2026-04-05 13:49:25 UTC\r\nSource: Cavan Images via Alamy Stock Photo\r\nThe blockchain industry hemorrhaged money last year, with the global market for cryptocurrencies plummeting\r\n63%. But investors didn't only lose money to half-baked coins and overhyped NFTs.\r\nIn a report published today, researchers from Proofpoint detailed how North Korean state-backed hackers\r\nmanaged to siphon more than $1 billion dollars in cryptocurrencies and other blockchain assets in the 2022\r\ncalendar year (all the more impressive considering how depressed those assets had become).\r\nProofpoint attributed the success of the TA444 group and related clusters — variously referred to as APT38,\r\nBluenoroff, BlackAlicanto, Stardust Chollima, and Copernicium — to their startup-like approach.\r\nHallmarks, the researchers said, include \"rapid iteration, testing products on the fly, and failing forward.\" The\r\ngroup regularly experiments with new methods of intrusion, and has cycled through different and better malware\r\nin recent years.\r\nhttps://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022\r\nPage 1 of 3\n\n\"While we do not know if the group has ping-pong tables or kegs of some overrated IPA in its workspace,\" the\r\nauthors wrote, \"TA444 does mirror the startup culture in its devotion to the dollar and to the grind.\"\r\nTA444's Evolving Threat\r\nThere's an element of \"move fast and break things\" to TA444.\r\nIn recent years, the group has iterated on their social engineering tactics many times over. Sometimes it sent\r\nprivate messages from hijacked LinkedIn accounts of representatives from legitimate companies, other times it\r\nabused email marketing tools in order to circumvent spam filters. It has engaged with victims in English, but also\r\nJapanese, Polish, and Spanish.\r\nIn one oddball case, it email-blasted organizations across the US healthcare, education, finance, and government\r\nsectors, using barebones, typo-laden phishing lures. At best, their lures made reference to specific brand names in\r\nthe industry, sometimes promising salary increases or job opportunities, but the efforts here were mainly\r\nrudimentary.\r\nWhere other cybercrime groups may focus on perfecting social lures and delivery mechanisms, researchers\r\nexplained that malware creation is where TA444 really distinguishes itself.\r\nTheir collection of post-exploitation backdoors has included the msoRAT credential stealer, the SWIFT money\r\nlaundering framework DYEPACK, and various passive backdoors and virtual \"listeners\" for receiving and\r\nprocessing data from target machines.\r\n\"This suggests that there is an embedded, or at least a devoted, malware development element alongside TA444\r\noperators,\" according to the report.\r\nNorth Korea: The OG Crypto Bro\r\nTo supplement its maladroit command economy, the government of North Korea has long used hackers for\r\nfundraising, targeting wherever a financial opportunity happens to lie. That includes everything from retailers in\r\nthe United States to the SWIFT banking system, and, in one notorious case, the entire world.\r\nBecause cryptocurrency companies offer few safeguards against theft, transactions are generally irreversible, and\r\nparties to those transactions are difficult to identify, the industry is rife with financially motivated cybercrime.\r\nNorth Korea has been dipping into this well for years, with campaigns against startups, botnets that mine coins,\r\nand ransomware campaigns soliciting crypto payments.\r\nLast year, though, the scale of the theft reached a new level. Blockchain research firm Chainalysis assessed that\r\nthe country stole nearly $400 million dollars in cryptocurrency and blockchain assets in 2021. In 2022, they\r\nsurpassed that figure with a single attack — against a blockchain gaming company called SkyMavis — estimated\r\nto be worth over $600 million at the time. Add in other attacks throughout the calendar year, and their total haul\r\nreaches 10 figures.\r\n\"While we may poke fun at its broad campaigns and ease of clustering,\" the researchers warned, \"TA444 is an\r\nastute and capable adversary.\"\r\nhttps://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022\r\nPage 2 of 3\n\nProofpoint's report noted that monitoring for MSHTA, VBS, Powershell, and other scripting-language execution\r\nfrom new processes or files can help detect TA444 activity. It also recommended using best practices for\r\na defense-in-depth approach to combat TA444 intrusions: Using network security monitoring tools, using robust\r\nlogging practices, a good endpoint solution, and an email monitoring appliance, in addition to training the\r\nworkforce to be aware of heist activity that stems from contact on WhatsApp or LinkedIn. \r\n\"Additionally, given the credential phishing campaign activity we observed, enabling MFA authentication on all\r\nexternally accessible service would help limit the impact of credentials eventually getting stolen,\" the researchers\r\nsaid via email.\r\nAbout the Author\r\nContributing Writer\r\nNate Nelson is a journalist and scriptwriter. He writes for \"Darknet Diaries\" — the most popular podcast in\r\ncybersecurity — and co-created the former Top 20 tech podcast \"Malicious Life.\" Before joining Dark Reading,\r\nhe was a reporter at Threatpost.\r\nSource: https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022\r\nhttps://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022" ], "report_names": [ "north-korea-apt-swindled-1b-crypto-investors-2022" ], "threat_actors": [ { "id": "810fada6-3a62-477e-ac11-2702f9a1ef80", "created_at": "2023-01-06T13:46:38.874104Z", "updated_at": "2026-04-10T02:00:03.129286Z", "deleted_at": null, "main_name": "STARDUST CHOLLIMA", "aliases": [ "Sapphire Sleet" ], "source_name": "MISPGALAXY:STARDUST CHOLLIMA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d14271be-be2e-4be7-9578-5b6196e35481", "created_at": "2023-11-21T02:00:07.355328Z", "updated_at": "2026-04-10T02:00:03.46613Z", "deleted_at": null, "main_name": "TA444", "aliases": [], "source_name": "MISPGALAXY:TA444", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434793, "ts_updated_at": 1775792151, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a0f4ad4ca18c2c8ca9ced5e1bd5979b0c9ddedf7.pdf", "text": "https://archive.orkl.eu/a0f4ad4ca18c2c8ca9ced5e1bd5979b0c9ddedf7.txt", "img": "https://archive.orkl.eu/a0f4ad4ca18c2c8ca9ced5e1bd5979b0c9ddedf7.jpg" } }