Jan 15, 2025Ravie LakshmananBlockchain / Cryptocurrency

Cybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam.

The new evidence suggests that Pyongyang-based threamoret groups may have pulled off illicit money-making scams that predate the use of IT workers, SecureWorks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

The IT worker fraud scheme, which came to light in late 2023, involves North Korean actors infiltrating companies in the West and other parts of the world by surreptitiously seeking employment under fake identities to generate revenue for the sanctions-hit nation. It’s also tracked under the names Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole.

The IT personnel, per South Korea’s Ministry of Foreign Affairs (MoFA), have been assessed to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers’ Party of Korea.

Another notable aspect of these operations is that the IT workers are routinely dispatched to China and Russia to work for front companies such as Yanbian Silverstar and Volasys Silver Star, both of which were previously subjected to sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC) in September 2018.

Both entities have been accused of engaging in and facilitating the exportation of workers from North Korea with the goal of generating revenue for the Hermit Kingdom or the Workers’ Party of Korea and obfuscating the workers’ true nationality from clients.

Sanctions were also imposed against Yanbian Silverstar’s North Korean CEO Jong Song Hwa for his role in controlling the “flow of earnings for several teams of developers in China and Russia.”

In October 2023, the U.S. government announced the seizure of 17 internet domains that impersonated U.S.-based IT services companies so as to defraud businesses in the country and abroad by allowing North Korean IT workers to conceal their true identities and locations when applying online to do freelance work.

Among the domains that were confiscated included a website named “silverstarchina[.]com.” Secureworks’s analysis of historical WHOIS records has revealed that the registrant’s street address matches the reported location of Yanbian Silverstar offices located in the Yanbian prefecture and that the same registrant email and street address were used to register other domain names.

One of those domains in question is kratosmemory[.]com, which has been previously used in connection with a 2016 IndieGoGo crowdfunding campaign that was later found to be a scam after the backers neither received a product nor a refund from the seller. The campaign had 193 backers and raised funds to the tune of $21,877.

“The people who donated to this campaign have not gotten anything that was promised to them,” one of the comments on the crowdfunding page claims. “They have not received any updates as well. This was a complete scam.”

The cybersecurity company also noted that the WHOIS registrant information for kratosmemory[.]com was updated around mid-2016 to reflect a different persona named Dan Moulding, which matches the IndieGoGo user profile for the Kratos scam.

“This 2016 campaign was a low-effort, small monetary-return endeavor compared to the more elaborate North Korean IT worker schemes active as of this publication,” Secureworks said. “However, it showcases an earlier example of North Korean threat actors experimenting with various money-making schemes.”

The development comes as Japan, South Korea, and the U.S. issued a joint warning to the blockchain technology industry regarding the persistent targeting of various entities in the sector by Democratic People’s Republic of Korea (DPRK) cyber actors to conduct cryptocurrency heists.

“The advanced persistent threat groups affiliated with the DPRK, including the Lazarus Group, […] continue to demonstrate a pattern of malicious behavior in cyberspace by conducting numerous cybercrime campaigns to steal cryptocurrency and targeting exchanges, digital asset custodians, and individual users,” the governments said.

Some of the companies targeted in 2024 included DMM Bitcoin, Upbit, Rain Management, WazirX, and Radiant Capital, leading to the theft of more than $659 million in cryptocurrency. The announcement marks the first official confirmation that North Korea was behind the hack of WazirX, India’s largest cryptocurrency exchange.

“This is a critical moment. We urge swift international action and support to recover the stolen assets,” WazirX founder Nischal Shetty posted on X. “Rest assured, we will leave no stone unturned in our pursuit of justice.”

Last month, blockchain intelligence firm Chainalysis also revealed that threat actors affiliated with North Korea have stolen $1.34 billion across 47 cryptocurrency hacks in 2024, up from $660.50 million across 20 incidents in 2023.