Laughing Hyena
Tag:

Hackers

DOJ Seeks $7.7 Million Forfeiture in Crypto From North Korean Hackers Masquerading as IT Workers

by admin June 8, 2025



In brief

• DOJ seized $7.74 million in crypto laundered by North Korean IT workers who used fake identities to get jobs at U.S. companies.

• Workers were paid in stablecoins, then laundered funds through various methods before sending proceeds to the North Korean government.

• Security experts say this growing threat uses AI-generated personas and deepfake technology, potentially generating hundreds of millions annually for the regime.

The U.S. Department of Justice last week filed a civil forfeiture claim for $7.74 million in crypto laundered by North Korean IT workers who fraudulently gained employment with companies in the U.S. and abroad.

The U.S. government seized the funds as part of an operation against a North Korean scheme to evade sanctions, with authorities indicting a North Korean Foreign Trade Bank representative, Sim Hyon Sop, in connection with the scheme in April 2023.

According to the DOJ, North Korean IT workers gained employment at U.S. crypto companies using fake or fraudulently obtained identities, before laundering their income through Sim for the benefit of the regime in Pyongyang.

The forfeiture complaint also details that the IT workers had been deployed in various locations around the world, including in China, Russia and Laos.

By hiding their true identities and locations, the workers were able to secure employment with blockchain firms, who generally paid them in stablecoins—USDC or Tether.

“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” said Sue J. Bai, the head of the DOJ’s National Security Division.

The Department of Justice also reports that the IT workers used several methods to launder their fraudulent income, including setting up exchange accounts with fictitious IDs, making multiple small transfers, converting from one token to another, buying NFTs, and mixing their funds.

Once ostensibly laundered, the funds were then sent to the North Korean government via Sim Hyon Sop and Kim Sang Man, the CEO of a company operating under North Korea’s Ministry of Defense.

The DOJ indicted Sim Hyon Sop on two separate charges in April 2023: first, conspiring with North Korean workers to earn income via fraudulent employment and, second, conspiring with OTC crypto traders to use the fraudulently generated income to purchase goods for North Korea.

The FBI Chicago Field Office and the FBI’s Virtual Assets Unit are investigating the cases related to the forfeiture complaint, which the DOJ filed with the U.S. District Court for the District of Columbia.

“The FBI’s investigation has revealed a massive campaign by North Korean IT workers to defraud U.S. businesses by obtaining employment using the stolen identities of American citizens, all so the North Korean government can evade U.S. sanctions and generate revenue for its authoritarian regime,” said Roman Rozhavsky, the Assistant Director of the FBI’s Counterintelligence Division.

While the precise extent of fraudulent North Korean IT work is not fully established, most experts agree that the problem is becoming more significant.


A growing threat in North Korea

“The threat posed by North Korean IT workers posing as legitimate remote employees is growing significantly – and fast,” explains Chainalysis Head of National Security Intelligence Andrew Fierman, speaking to Decrypt.

As evidence of just how “industrialized and sophisticated” the threat has become, Fierman cites the example of the DOJ’s December indictment of 14 North Korean nationals, who had allegedly also operated under false IDs and earned $88 million through a six-year scheme.

“While it’s difficult to pin an exact percentage of North Korea’s illicit cyber revenue to fraudulent IT work, it’s clear from government assessments and cybersecurity research that this method has evolved into a reliable stream of income for the regime – especially when paired with espionage goals and follow-on exploits,” he says.

Other security specialists concur that the threat of illicit North Korean IT employees is becoming more prevalent, with Michael Barnhart – Principal i3 Insider Investigator at DTEX Systems – telling Decrypt that their tactics are becoming more sophisticated.

“These operatives aren’t just a potential threat, they have actively embedded themselves within organizations already, with critical infrastructure and global supply chains already compromised,” he says.

Barnhart also reports that North Korean threat actors have even begun establishing “front companies posing as trusted third parties”, or embedding themselves into legitimate third parties that may not utilize the same rigorous safeguards as other, larger organizations.

Interestingly, Barnhart estimates that North Korea may be generating hundreds of millions in revenue each year from fraudulent IT work, and that any recorded figures or sums are likely to be underestimated.

“The saying of ‘you don’t know what you don’t know’ comes into play, as each day a new scheme to earn money is discovered,” he explains. “Additionally, much of the revenue is obfuscated to look like elements of cyber criminal gangs or completely legitimate seeming efforts, which muddle the overall attribution.”

And while Thursday’s forfeiture claim indicates that the U.S. Government is managing to get more of a handle on North Korea’s operations, the increasing sophistication of the latter suggests that American and international authorities may continue playing catch-up for a while yet.

As Andrew Fierman says, “What’s especially concerning is how seamlessly these workers are able to blend in: leveraging generative AI for fake personas, deepfake tools for interviews, and even support systems to pass technical screenings.”

In April, Google’s Threat Intelligence Group revealed that North Korean actors had expanded beyond the U.S. to infiltrate cryptocurrency projects in the UK, Germany, Portugal and Serbia.

This included projects developing blockchain marketplaces, AI web apps and Solana smart contracts, with accomplices in the UK and U.S. helping operatives to bypass ID checks and receive payments via TransferWise and Payoneer.

Edited by Stacy Elliott.

Hackers are hijacking forgotten subdomains to spread malware through trusted sites; this overlooked trick could hit you next

by admin June 1, 2025



  • Outdated DNS records create invisible openings for criminals to spread malware through legitimate sites
  • Hazy Hawk turns misconfigured cloud links into silent redirection traps for fraud and infection
  • Victims think they’re visiting a real site, until popups and malware take over

A troubling new online threat is emerging in which criminals hijack subdomains of major organizations, such as Bose, Panasonic, and even the US CDC (Centers for Disease Control and Prevention), to spread malware and perpetrate online scams.

As flagged by security experts Infoblox, at the center of this campaign is a threat group known as Hazy Hawk, which has taken a relatively quiet but highly effective approach to compromise user trust and weaponize it against unsuspecting visitors.

These subdomain hijackings are not the result of direct hacking but rather of exploiting overlooked infrastructure vulnerabilities.


An exploit rooted in administrative oversight

Instead of breaching networks through brute force or phishing, Hazy Hawk exploits abandoned cloud resources linked to misconfigured DNS CNAME records.

These so-called “dangling” records occur when an organization decommissions a cloud service but forgets to update or delete the DNS entry pointing to it, leaving the subdomain vulnerable.

For example, a forgotten subdomain like something.bose.com might still point to an unused Azure or AWS resource, and if Hazy Hawk registers the corresponding cloud instance, the attacker suddenly controls a legitimate-looking Bose subdomain.

This method is dangerous because misconfigurations are not typically flagged by conventional security systems.

The repurposed subdomains become platforms for delivering scams, including fake antivirus warnings, tech support cons, and malware disguised as software updates.

Hazy Hawk doesn’t just stop at hijacking – the group uses traffic distribution systems (TDSs) to reroute users from hijacked subdomains to malicious destinations.

These TDSs, such as viralclipnow.xyz, assess a user’s device type, location, and browsing behavior to serve up tailored scams.

Often, redirection begins with seemingly innocuous developer or blog domains, like share.js.org, before shuffling users through a web of deception.

Once users accept push notifications, they continue to receive scam messages long after the initial infection, establishing a lasting vector for fraud.

The fallout from these campaigns is more than theoretical and has affected high-profile organizations and firms like the CDC, Panasonic and Deloitte.

Individuals can guard against these threats by refusing push notification requests from unfamiliar sites and exercising caution with links that seem too good to be true.

For organizations, the emphasis must be on DNS hygiene. Failing to remove DNS entries for decommissioned cloud services leaves subdomains vulnerable to takeover.

Automated DNS monitoring tools, especially those integrated with threat intelligence, can help detect signs of compromise.

Security teams should treat these misconfigurations as critical vulnerabilities, not minor oversights.
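
The DNS hygiene check described above can be sketched as follows. This is an added example, not code from the article or from Infoblox: the zone records, the example.com hostnames, the suffix list and the `stub_resolve` lookup are constructed assumptions so the check runs offline.

```python
from typing import Callable, List, Optional, Tuple

# Cloud hostname suffixes to watch (illustrative assumption, not exhaustive).
CLOUD_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                  ".trafficmanager.net", ".elasticbeanstalk.com")
Record = Tuple[str, str, str]   # (owner name, record type, value)
Finding = Tuple[str, str, str]  # (subdomain, final target, reason)

def norm(name: str) -> str:
    """Lower-case a hostname and drop the trailing root dot."""
    return name.rstrip(".").lower()

def final_target(name: str, cnames: dict, max_hops: int = 8) -> Optional[str]:
    """Follow in-zone CNAME chains; return the last target, or None on a loop."""
    seen, cur = set(), norm(name)
    while cur in cnames:
        if cur in seen or len(seen) >= max_hops:
            return None
        seen.add(cur)
        cur = cnames[cur]
    return cur

def find_dangling(records: List[Record],
                  resolve: Callable[[str], Optional[list]]) -> List[Finding]:
    """Flag CNAMEs whose final target is a cloud hostname that no longer resolves.
    `resolve` returns a list of addresses, or None when the name does not exist."""
    cnames = {norm(n): norm(v) for n, t, v in records if t.upper() == "CNAME"}
    findings = []
    for name in sorted(cnames):
        target = final_target(name, cnames)
        if target is None:
            findings.append((name, cnames[name], "cname-loop"))
        elif target.endswith(CLOUD_SUFFIXES) and resolve(target) is None:
            findings.append((name, target, "dangling-cloud-cname"))
    return findings

# Constructed sample zone export; every name and address here is made up.
ZONE = [
    ("www.example.com", "A", "192.0.2.10"),
    ("shop.example.com", "CNAME", "example-shop.azurewebsites.net."),
    ("docs.example.com", "CNAME", "example-docs.azurewebsites.net"),
    ("promo.example.com", "CNAME", "old-campaign.example.com"),
    ("old-campaign.example.com", "CNAME", "example-promo.us-east-1.elasticbeanstalk.com"),
]
LIVE = {"example-shop.azurewebsites.net": ["203.0.113.5"]}  # targets that still exist

def stub_resolve(host: str) -> Optional[list]:
    """Stand-in for a real DNS lookup (hypothetical helper for this example)."""
    return LIVE.get(host)

if __name__ == "__main__":
    for finding in find_dangling(ZONE, stub_resolve):
        print(finding)
```

A failed lookup is only one signal: some cloud services still answer DNS for names whose resource is gone, so pair a check like this with a comparison against the organization's own cloud resource inventory.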

A Starter Guide to Protecting Your Data From Hackers and Corporations

by admin May 27, 2025


How do I deal with having to have a new account for every service and website? Should I be using new email addresses?

A new email address for every account is a big undertaking! I’d recommend having an email address for the accounts that are most important to you and then having one that you use to sign up for things that are less important. There are also services that will let you create “burner” emails that you can use to sign up with services, and if you use an Apple device, there’s a “Hide My Email” setting.

What tips would you offer to those looking to keep their digital privacy while crossing the US border (or otherwise entering or exiting the States)?

It really depends on what levels of risk you as an individual could face. Some people traveling across the border are likely to face higher scrutiny than others—for instance nationality, citizenship, and profession could all make a difference. Even what you’ve said on social media or in messaging apps could potentially be used against you.

Personally, the first thing I would do is think about what is on my phone: the kind of messages I have sent (and received), what I have posted publicly, and log out (or remove) what I consider to be the most sensitive apps from my phone (such as email). A burner phone might seem like a good idea, although this isn’t the right idea for everyone and it could bring more suspicion on you. It’s better to have a travel phone—one that you only use for travel that has nothing sensitive on it or connected to it.

My colleague Andy Greenberg and I have put together a guide that covers a lot more than this: such as pre-travel steps you can take, locking down your devices, how to think about passwords, and minimizing the data you are carrying. It’s here. Also, senior writer Lily Hay Newman and I have produced a (long) guide specifically about phone searches at the US border.

Would you recommend against having a device like Alexa in your home? Or are there particular products or steps you can take to make a smart device more secure?

Something that’s always listening in your home—what could go wrong? It’s definitely not great for overall surveillance culture.

Recently Amazon also reduced some of the privacy options for Alexa devices. So if you’re going to use a smart speaker, then I’d look into what each device’s privacy settings are and then go from there.

How do you see people’s willingness to hand over information about their lives to AI playing into surveillance?

The amount of data that AI companies have—and continue to—hoover up really bothers me. There’s no doubt that AI tools can be useful in some settings and to some people (personally, I seldom use generative AI). But I would generally say people don’t have enough awareness about how much they’re sharing with chatbots and the companies that own them. Tech companies have scraped vast swathes of the web to gather the data they claim is needed to create generative AI—often with little regard for content creators, copyright laws, or privacy. On top of this, increasingly, firms with reams of people’s posts are looking to get in on the AI gold rush by selling or licensing that information.


