BlueNoroff, a subgroup of North Korean state-sponsored hacking group Lazarus, is impersonating venture capitalists (VCs) in a new phishing scheme targeting cryptocurrency start-ups.
BlueNoroff has created over 70 fake domains posing as VC firms and banks, with most pretending to be Japanese companies and others assuming the identity of US and Vietnamese firms.
The fake VCs then use malware to target start-ups dealing with smart contracts, DeFi, blockchain and the fintech industry.
The group is also using software to bypass Microsoft’s Mark-of-the-Web technology, which warns users when opening files downloaded from the internet.
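As an added defender-side illustration that is not part of the original report: Windows records the Mark-of-the-Web as an NTFS alternate data stream named `Zone.Identifier` (a `ZoneId=3` line means the file came from the Internet zone), and the warning described above only fires when that stream is present. The report does not say how BlueNoroff strips or avoids the mark, so the script below makes no assumption about that; it simply inventories a folder (the `Downloads` folder is an assumed default) and flags files that carry no `Zone.Identifier` stream, which is the condition under which the MotW prompt and Office Protected View will not apply.

```powershell
# Added example, not from the article: report which files in a folder carry the Mark-of-the-Web.
# MotW lives in the "Zone.Identifier" alternate data stream; ZoneId 3 = Internet, 4 = Restricted sites.
# A downloaded file with no such stream will open without the MotW warning or Protected View.
param(
    # Assumed default location; point it at any folder where downloaded files land.
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
)

Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
    $file = $_
    $zone = $null
    try {
        # Get-Content -Stream throws when the file has no Zone.Identifier stream at all.
        $lines = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
        $zoneLine = $lines | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($zoneLine) { $zone = [int]($zoneLine -replace '^ZoneId=', '') }
    } catch {
        $zone = $null   # no stream: the file is treated as local and MotW protections do not apply
    }

    $note = if ($null -eq $zone) {
        'no Zone.Identifier stream: MotW warning will not fire'
    } elseif ($zone -ge 3) {
        'Internet/Restricted zone: SmartScreen and Protected View apply'
    } else {
        'Local/Intranet/Trusted zone'
    }

    [pscustomobject]@{
        File    = $file.FullName
        ZoneId  = $zone
        HasMotW = ($null -ne $zone)
        Note    = $note
    }
} | Sort-Object HasMotW, File | Format-Table -AutoSize
```

Run it in PowerShell on Windows (the stream only exists on NTFS volumes). Files unpacked from a container that does not propagate the mark, or whose stream was removed, show up with `HasMotW` set to `False`; those are the ones worth a second look before they are opened, since none of the MotW-based prompts will stand in the way.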
BlueNoroff’s goal is to intercept large cryptocurrency transfers by changing the recipient’s address and draining the account in a single transaction.
North Korean hackers have stolen an estimated KRW 1.5tn ($1.2bn) in crypto assets since 2017, with KRW 800bn ($626m) stolen so far this year.