North Korean Hackers Posed As VCs To Steal $34 Million From Crypto Startup, FBI Says #CriptoNews

The Lazarus Group, a crew of North Korean government-backed hackers behind the WannaCry ransomware attack, have a new tactic, according to the FBI. After bagging over $3 billion from earlier crypto heists, its hackers are now impersonating venture capitalists to get time and access with crypto executives in order to install malicious code.

North Korea-linked hacking groups have previously posed as recruiters or job-seekers to set up a video call with a staff from crypto companies and use the meeting to push infected files or code on their targets. That’s helped the Pyongyang-linked crews steal over $3 billion since 2017. But impersonating VCs appears to be a new strategy.

The FBI stated in an forfeiture application filed at the United States District Court for the District of Columbia in November that North Korea’s Lazarus group had allegedly stolen over $34 million of tokens from a crypto startup by pretending to be a “prominent” Hong Kong-based VC known to invest in crypto. The hackers used a fake Telegram account to contact the startup’s CEO in November 2023. The person being impersonated by the North Korean hackers was not named by the FBI.

“During these communications, the CEO clicked on a link to join a video conference with the individual purporting to be VC but the link did not seem to work. The imposter then sent the CEO a script file to fix the problem, which the CEO executed,” said Justin M. Vallese, FBI Special Agent, in the court filing.

The script installed malware known as CryptoMimic that gave the hackers remote access to one of the startup’s computers. There the hackers allegedly found a text that contained the private keys for 5,000 addresses holding crypto tokens worth over $17 million. “The perpetrators seemingly deleted this file from the employee’s computer, eliminating access by the company,” said Vallese.

The FBI did not identify the name of the startup in its court filing but stated that one of the crypto currencies stolen in the March 2024 heist was a token called NFP launched by a Binance-backed crypto startup NFPrompt, which makes AI-generated NFTs. The company tweeted on March 15 that “a group of hackers compromised some wallets, including those of NFP’s contract administrators,” accompanied by an illustration of a penguin in a trench coat with a sheriff’s badge.

NFPPrompt did not respond to a request for comment. The FBI declined to comment.

The FBI linked the CryptoMimic malware used in the attack back to servers located in North Korea, and traced tokens stolen from the startup to accounts on crypto exchanges Binance and MEXC. The accounts were frozen and now $3.2 million of cryptocurrencies is in the custody of the FBI.

The court filing does not reveal how the remaining $17 million claimed to have been stolen was lost, or what happened to the rest of the missing cryptocurrency.

The FBI issued a warning in September that North Korea was “aggressively targeting” crypto companies using social engineering tactics. “North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen,” the FBI warned in its update. United Nations sanctions monitors said earlier this year that cyber attacks between 2017 and 2023 focused on crypto companies had netted North Korea over $3 billion, The Guardian reported.

In the past, North Korean hackers have posed as recruiters or job-seekers to gain time, access, and knowledge of targets. Forbes reported earlier this month that $16 million was stolen from Bahrain-based based cryptocurrency exchange Rain.com by Lazarus Group hackers who had reached out to its staff over LinkedIn. Sometimes, North Korean developers even land jobs at companies using fake identities and virtual private networks to disguise their location.

Security researchers from Microsoft and Recorded Future both warned last year that North Korean hackers updated their tactics to include posing as venture capitalists and investment bankers. The FBI’s court filing to recover tokens stolen from NFPPrompt is the first reported incident of a successful hack using the tactic.