​The FBI warned today of North Korean hacking groups aggressively targeting cryptocurrency companies and their employees in sophisticated social engineering attacks to deploy malware designed to steal their crypto assets.

According to the FBI, their social engineering tactics are highly targeted and difficult to detect, even for those with advanced cybersecurity expertise.

Over the last several months, North Korean threat actors have been observed conducting extensive research on potential targets, focusing on individuals connected to cryptocurrency exchange-traded funds (ETFs) and other related financial products. This level of pre-operational staging suggests that they’re preparing for potential attacks on companies associated with cryptocurrency ETFs and similar assets.

The law enforcement agency also warned that organizations dealing with substantial quantities of cryptocurrency are also at risk of being targeted by North Korean hacking groups aiming to breach networks and steal funds.

Among the social engineering tactics these state-sponsored groups use, the FBI highlights their meticulously planned attacks, which start with identifying specific DeFi and cryptocurrency businesses to target. In the next attack stage, they target their employees in social engineering attacks that often involve offers of new employment or investment opportunities, leveraging detailed personal information to boost credibility and appeal.

“The actors usually communicate with victims in fluent or nearly fluent English and are well versed in the technical aspects of the cryptocurrency field,” the FBI warns.

“North Korean malicious cyber actors routinely impersonate a range of individuals, including contacts a victim may know personally or indirectly. Impersonations can involve general recruiters on professional networking websites, or prominent people associated with certain technologies.”

The attackers are well-versed in the cryptocurrency industry’s technical aspects and have also been observed using stolen images and professionally crafted websites to make their schemes look legitimate at first glance.

The FBI also provided a list of potential indicators of North Korean social engineering activity and the best practices that companies in the cryptocurrency industry and their employees should follow to lower the risk of compromise in such attacks.

Since the start of the year, the FBI has also warned of scammers posing as employees of crypto exchanges to target unsuspecting victims and cybercriminals posing as law firms offering cryptocurrency recovery services.

It also warned of fake remote job ads used to steal cryptocurrency and against using unlicensed cryptocurrency transfer services that can result in financial loss if law enforcement takes down these platforms.

Billions worth of cryptocurrency stolen since 2017

As Recorded Future analysts revealed in December, North Korean-backed state hacking groups like Kimsuky, Lazarus Group, Andariel, and others have stolen an estimated $3 billion worth of cryptocurrency in a long string of hacks targeting the crypto industry since 2017.

“In 2022 alone, North Korean threat actors were accused of stealing $1.7 billion in cryptocurrency, equivalent to 5% of the country’s economy or 45% of its military budget,” Recorded Future said.

Since stealing $82.7 million from South Korean exchanges Bithumb, Youbit, and Yapizon in 2017, North Korean hackers have been linked to many other crypto heists, including ones against the Harmony blockchain bridge ($100 million in losses), the Nomad bridge ($190 million in losses), the Qubit Finance bridge ($80 million in losses), Atomic Wallet ($35 million), AlphaPo ($60 million in two separate attacks), and CoinsPaid ($37 million).

The FBI also linked the hacking of Axie Infinity’s Ronin network bridge, the largest crypto hack ever, which resulted in the theft of $620 million, to North Korean hacking groups Lazarus and BlueNorOff (aka APT38).