How North Korean hackers stole billions in crypto while posing as VCs, IT workers

FP Staff • November 29, 2024, 17:36:28 IST

North Korean hacking groups use sophisticated methods to infiltrate targets. One group, dubbed “Sapphire Sleet” by Microsoft, impersonates venture capitalists and recruiters

North Korea’s hackers operate under minimal risk due to existing sanctions, which limit the country’s exposure to further penalties. Groups like "Ruby Sleet" target aerospace and defence companies to steal technology that advances the regime’s weaponry. Image Credit: Reuters

A new wave of cybercrime linked to North Korea has emerged, with hackers posing as venture capitalists, recruiters, and remote IT workers to steal cryptocurrency and corporate secrets. At Cyberwarcon, a Washington DC conference on cybersecurity threats, researchers revealed that these tactics have helped fund North Korea’s weapons program while bypassing international sanctions.  

The regime’s hackers have stolen billions in cryptocurrency over the last decade, all while dodging detection through carefully constructed fake identities.

The Tactics: Fake VCs, recruiters, and IT workers

North Korean hacking groups use sophisticated methods to infiltrate targets. One group, dubbed “Sapphire Sleet” by Microsoft, impersonates venture capitalists and recruiters. After luring victims into virtual meetings, they trick them into downloading malware disguised as tools to fix technical glitches or complete skills assessments. Once installed, the malware provides access to sensitive data, including cryptocurrency wallets. In just six months, these tactics netted at least $10 million in stolen funds.

More troubling is the infiltration of global organisations by hackers posing as remote IT workers. These individuals create convincing online profiles, complete with AI-generated images and resumes, to land jobs at major companies. Once hired, they leverage facilitators based in the US to handle company-issued laptops and earnings, bypassing sanctions. Facilitators set up farms of these laptops, allowing North Korean hackers to remotely access systems while hiding their true locations.

How they got caught

Despite their elaborate setups, North Korean hackers have made mistakes that exposed their operations. Microsoft uncovered a treasure trove of internal documents from a publicly accessible repository belonging to one of the hackers. These files included detailed guides, false identities, and records of stolen funds, providing a blueprint for the operation.

Other slip-ups were uncovered by researchers like Hoi Myong and SttyK, who engaged directly with suspected North Korean operatives. In one instance, a hacker posing as Japanese made linguistic errors and had a mismatched digital footprint, with an IP address in Russia but claims of a Chinese bank account. Such inconsistencies have helped security teams identify and dismantle fake profiles.

Crypto theft funding weapons programs

North Korea’s hackers operate under minimal risk due to existing sanctions, which limit the country’s exposure to further penalties. Groups like “Ruby Sleet” target aerospace and defence companies to steal technology that advances the regime’s weaponry. Meanwhile, IT worker schemes provide a triple threat: generating revenue, stealing intellectual property, and extorting companies.

The US and its allies have taken action, levying sanctions and prosecuting individuals running laptop farms. However, researchers warn that organisations must improve their employee vetting processes. AI-generated deepfakes, stolen identities, and evolving tactics make North Korea’s hackers a persistent and dangerous threat.

“They’re not going away,” Microsoft’s James Elliott cautioned, underscoring the need for vigilance as these operations grow increasingly sophisticated.
