
“An escalation in the threat landscape”: North Korea deploys hacking tactics through blockchain

North Korean hackers are using blockchain smart contracts to deliver malware. The technique, called EtherHiding, has been detected by the Google Threat Intelligence Group, which considers it very difficult to thwart.

Blockchain applied to everything? That was a few years ago. But it is back, with a new flavour, which could well turn out to be bitter… North Korean hackers have adopted a very ingenious method to steal cryptocurrencies and personal information.

They start by sending fake job offers to developers and other professionals. When the victim downloads the file to “take the technical test”, they unknowingly install spyware. This is where the North Korean hackers are doing something new. On the one hand, they use a technique called EtherHiding, first described in 2023. On the other hand, they are, a priori, the first state-sponsored hackers to use it.

In fact, the downloaded malware is hidden in what is called a “smart contract” on the blockchain. Smart contracts are computer programs described as autonomous because they execute automatically once a condition is met, without requiring the intervention of a third party. For example, you purchase a ticket, provide the requested amount, and the ticket is issued instantly.

The smart contract is recorded on the blockchain, which makes it immutable and transparent, and therefore difficult to track. Think of the smart contract as a vault: malicious hackers store a virus there that they can update at will, while remaining almost invisible and very difficult to stop. It is, in fact, extremely difficult to remove anything from a blockchain, no matter how harmful it is.

Much more conventionally, once installed on the victim’s computer, the spyware can steal passwords, banking information, credit card details and, above all, cryptocurrency wallets such as MetaMask or Phantom. It then sends all this information to the hackers, who can use it to steal money or spy on the victim.

“An escalation in the threat landscape”

This new tactic, revealed by researchers from the Google Threat Intelligence Group (GTIG), worries specialists. Cybersecurity researchers point out that the method is very new and sophisticated, as it uses “several blockchains at the same time”, making the attacks difficult to track.

The hackers can also easily modify their software, change its settings and continue stealing data without being detected. North Korea’s strategy of cyberattacks against cryptocurrency holders is not new, however. At the end of 2024, the FBI was already warning about the sophisticated schemes of the “Lazarus Group”, to which the record theft of $1.5 billion in digital assets was attributed.

Fake ads on Linkedin or Telegram

After several major attacks, the North Korean group Lazarus remains a difficult target to neutralize. Active since 2009, it became known in 2014 with the attack on Sony Pictures and then in 2016 with the theft of $81 million from the central bank of Bangladesh, an operation planned over a year. Its name, inspired by the biblical character Lazarus, refers to the resilience of its viruses, known to be particularly difficult to eliminate.

Today, the hackers are using an unprecedented modus operandi: approaching professionals through Linkedin or Telegram with fake job offers and relying on the blockchain. Victims are invited to record a video in an unknown location, believing they are responding to a technical test, and some are then immediately robbed of their digital funds, illustrating the danger and subtlety of these campaigns. It is also a means for the diplomatically isolated country to attract fresh capital.

Author: Rafael Raffray
Source: BFM TV
