{
	"id": "f774c32d-f792-4b68-885c-1a8550b3c0b5",
	"created_at": "2026-04-10T03:20:41.214306Z",
	"updated_at": "2026-04-10T13:13:05.293491Z",
	"deleted_at": null,
	"sha1_hash": "db7a4bf1dae5b69e89e9f8468b47bc60f567f9a4",
	"title": "CryptoCore Group – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39879,
	"plain_text": "CryptoCore Group – ClearSky Cyber Security\r\nPublished: 2020-06-24 · Archived: 2026-04-10 02:54:17 UTC\r\nA Threat Actor Targeting Cryptocurrency Exchanges\r\nIn this research, we present a hidden and persistent group that has been targeting cryptocurrency exchanges, mainly in the US and Japan, since as early as 2018. The actor has stolen millions of dollars’ worth of cryptocurrency. We named it “CryptoCore” (or “Crypto-gang”); it is also tracked as “Dangerous Password” and “Leery Turtle”. The CryptoCore report focuses mainly on the group’s profile, modus operandi, and digital infrastructure.\r\nRead the full report: CryptoCore Group\r\nCryptoCore operations timeline\r\nIntroducing CryptoCore\r\nCryptoCore is a group that targets almost exclusively cryptocurrency exchanges and, via supply-chain attacks, companies working with them. The group is known to have accumulated approximately 70 million USD from its heists on exchanges; we estimate that it actually took in more than 200 million USD in two years.\r\nThe group is not especially advanced technically, yet it is swift, persistent, and effective. We assess it to have been active since at least May 2018, judging from the timestamp of the first known relevant sample, and it has maintained steady activity since then. Its activity receded in the first half of 2020, possibly because of the restrictions brought about by the COVID-19 pandemic, but it did not stop completely.\r\nAttribution\r\nWe have been tracking CryptoCore campaigns for almost two years without reaching a conclusive understanding of the operators’ origin; however, we assess with medium confidence that the threat actor has links to Eastern Europe, Ukraine, Russia or Romania in particular.\r\nModus Operandi\r\nThe key goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, whether general corporate wallets or wallets belonging to the exchange’s employees. The group begins such an operation with an extensive reconnaissance phase against the company, its executives, officers and IT personnel. The group’s main infiltration vector into the exchange is usually spear-phishing against the corporate network, but the executives’ personal email accounts are targeted first. Compromising the personal email accounts is an optional phase; either way, within hours to weeks a spear-phishing email is sent to the corporate email account of an exchange executive.\r\nThe spear-phishing typically impersonates a high-ranking employee, either of the target organization or of another organization connected to the targeted employee (e.g. an advisory board). After gaining an initial foothold, the group’s primary objective is to obtain access to the victim’s password manager account, where the keys to crypto-wallets and other valuable assets (useful in the later lateral-movement stages) are stored. The group remains undetected and maintains persistence until multi-factor authentication is removed from the exchange wallets, and then acts immediately. For defenders, this makes any removal of MFA from a wallet account a high-value event to alert on.\r\nCryptoCore Digital Infrastructure – Graph\r\nThe following Maltego graph visualizes CryptoCore’s digital infrastructure, mainly dedicated IP addresses linked to C\u0026C domains via passive DNS. The long, chain-like structure of the graph demonstrates strong connections between the network indicators, which in turn corroborates our findings.\r\nContact Us\r\nWe encourage the IR teams of cryptocurrency exchanges targeted in the future to compare the malicious activity they observe against our findings, in order to fingerprint and mitigate further CryptoCore operations. For further help, please reach out to us at info@clearskysec.com.\r\nRead the full report: CryptoCore Report\r\nSource: https://www.clearskysec.com/cryptocore-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.clearskysec.com/cryptocore-group/"
	],
	"report_names": [
		"cryptocore-group"
	],
	"threat_actors": [],
	"ts_created_at": 1775791241,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db7a4bf1dae5b69e89e9f8468b47bc60f567f9a4.pdf",
		"text": "https://archive.orkl.eu/db7a4bf1dae5b69e89e9f8468b47bc60f567f9a4.txt",
		"img": "https://archive.orkl.eu/db7a4bf1dae5b69e89e9f8468b47bc60f567f9a4.jpg"
	}
}