North Korean Hackers Send Job Offers to Steal Cryptocurrencies

A January 2023 report from Proofpoint, a security company based in the United States, says hackers affiliated with North Korea have been using an array of attack methods, including phishing emails, to steal cryptocurrencies.

The email subject lines are written to look like job offers or salary raises, a lure chosen to get as many recipients as possible to open them. According to the report, the emails carried malicious software that gives the attackers access to the recipients’ cryptocurrency holdings. The report names the advanced persistent threat (APT) group TA444 as the actor behind these phishing emails. Unlike other groups working for North Korea, TA444 has reportedly focused on financially motivated theft and fraud, activity more typical of cybercrime than of espionage.

In 2022, the group began using commercial email marketing platforms, such as SendInBlue and SendGrid, to deliver its malware to targeted victims. It also approached targets on social media, from Facebook to LinkedIn, before sending the emails, so that more recipients would trust and open the malicious content. The emails appeared to come from legitimate senders, judging by their sender addresses, and contained links to pages that imitated the sender companies’ websites.
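The two tactics described above, relaying mail through a third-party bulk-mail service and using a sender domain that imitates a real company, leave traces in the message headers that a mail gateway or analyst can check. The following is an added example, not code from the Proofpoint report or from this article: it parses a constructed message, compares the visible From domain against the envelope sender (Return-Path) and the DKIM signing domain, and flags From domains within a small edit distance of a constructed watchlist of trusted domains. All headers, domains and the distance threshold are assumptions for illustration.

```python
"""Triage check for bulk-mail relays and look-alike sender domains.

Added example; headers, domains and the trusted-domain watchlist are
constructed for illustration and do not come from the original report.
"""
import email
from email.utils import parseaddr

# Constructed sample: the visible From: imitates a real company (l -> 1),
# while the envelope sender and DKIM signer belong to a bulk-mail provider.
SAMPLE_MSG = b"""\
Return-Path: <bounces+12345@bulk-mailer.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-mailer.example.net; s=s1; h=from:subject; bh=...; b=...
From: HR Team <recruiting@examp1e-corp.com>
Subject: Offer of employment: Senior Engineer, compensation review
To: victim@victim.example

Please open the attached offer letter.
"""

# Constructed clean sample: every domain agrees with the From: domain.
CLEAN_MSG = b"""\
Return-Path: <recruiting@example-corp.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example-corp.com; s=s1; h=from:subject; bh=...; b=...
From: HR Team <recruiting@example-corp.com>
Subject: Interview schedule
To: victim@victim.example

See you on Monday.
"""

# Constructed watchlist: domains this organisation expects to receive mail from.
TRUSTED_DOMAINS = {"example-corp.com", "partner-bank.example"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of a header address, '' if none."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def dkim_domain(msg) -> str:
    """The d= tag of the first DKIM-Signature header, '' if absent."""
    for tag in msg.get("DKIM-Signature", "").split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "d":
            return value.strip().lower()
    return ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain that `domain` imitates, or None.

    max_dist=2 is an assumed threshold: tight enough to avoid matching
    unrelated short domains, loose enough for one-or-two character swaps.
    """
    if domain in trusted:
        return None
    for candidate in trusted:
        if levenshtein(domain, candidate) <= max_dist:
            return candidate
    return None


def analyse(raw: bytes, trusted=TRUSTED_DOMAINS) -> dict:
    """Parse a raw message and return the sender domains plus any findings."""
    msg = email.message_from_bytes(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    dk_dom = dkim_domain(msg)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    if dk_dom and dk_dom != from_dom:
        findings.append(f"DKIM signer {dk_dom} differs from From domain {from_dom}")
    target = lookalike(from_dom, trusted)
    if target:
        findings.append(f"From domain {from_dom} resembles trusted domain {target}")
    return {"from": from_dom, "return_path": rp_dom, "dkim": dk_dom, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MSG), ("clean", CLEAN_MSG)):
        result = analyse(raw)
        print(name, result["findings"] or "no findings")
```

A domain mismatch on its own is not proof of phishing: legitimate marketing mail is often relayed by the same providers, and a customer who has delegated DKIM to the provider will sign with its own domain. The signal worth acting on is the combination: a recruiting or payroll theme, a relay or signer the claimed company does not normally use, and a From domain that nearly but not exactly matches one you trust.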

The report also noted a spam wave in 2022 that sharply increased the volume of TA444 email. “This spam wave alone nearly doubled the total volume of TA444 email messages we had observed in our data during 2022, so we were concerned about false positive detection, as well as understanding a potential change in TA444 objectives,” the researchers wrote.

This is not the first time North Korean hacker groups have sent phishing emails carrying malware. In 2018, the U.S. Department of Justice released an exhaustive criminal complaint describing North Korean cyberattacks and the people behind them, who also used fake emails to entice victims.

Some of the successful attacks described in the complaint had previously made headlines as well.

For example, North Korea’s massive attack on Sony Pictures grabbed the media’s attention in November 2014, the year “The Interview”, an American movie about North Korea’s regime and its leader Kim Jong Un, was released. The complaint identified the North Korean hacker group Lazarus as being behind the attack and said the group broke into the studio’s computer systems by sending phishing emails to employees, with sender addresses posing as Facebook, Google or recruiters for other well-reputed companies and appearing to make job offers.

North Korean hackers have also targeted financial institutions to steal money by sending fake emails. The FBI said in the complaint that the methods these hackers used to get through network security resembled those in the Sony Pictures case. Once inside a bank’s network through a fake email, the hackers would identify the computer responsible for money transfers and use it to authorise transfers to accounts they controlled. According to the complaint, the attempts to break into these systems had already begun in October 2014, around the time Sony Pictures was attacked. Bangladesh Bank was one of the victims of these attacks, losing a total of $81 million in February 2016.

Crypto companies have not been free from these attacks either, and some services have allegedly helped the hackers evade the controls meant to stop them. According to reports, the U.S. Treasury Department recently imposed sanctions on the cryptocurrency mixers Tornado Cash and Blender.io for helping TA444 launder approximately $120 million worth of stolen coins.

“TA444 and related clusters are assessed to have stolen nearly $400 million dollars’ worth of cryptocurrency and related assets in 2021,” the researchers from Proofpoint wrote in their report. “In 2022, the group surpassed that value in a single heist worth over $500 million, gathering more than $1 billion during 2022,” they added.

“North Korea, like other cryptocurrency enthusiasts, has weathered the declining value of cryptocurrencies, but remains engaged in its efforts to use cryptocurrency as a vehicle to provide usable funds to the regime.”

Crypto theft by North Korean hackers remains a serious problem this year. Chainalysis, an American blockchain analysis firm, said in its February report that hackers affiliated with North Korea stole more than $1.7 billion in 2022, almost four times the $429 million stolen in 2021. The firm added that North Korean theft accounted for more than 40% of all cryptocurrency stolen in 2022 ($3.8 billion), which it called “the biggest year ever for crypto hacking”.

Sunny Um is a Seoul-based journalist working with 4i Magazine. She writes and talks about policies, business updates, and social issues around the Korean tech industry. She is best known for in-depth explanations of local issues for readers who need a better understanding of the Korean context. Sunny’s works appeared in prominent Korean news outlets, such as the Korea Times and Wired Korea. She currently makes regular writing contributions to newsrooms worldwide, such as Maritime Fairtrade, a non-profit media organization based in Singapore. She also works as a content strategist at 1021 Creative. A person who holds a Master’s degree in Political Economy from King’s College London, she loves to follow up on news of Korean politics and economy when she’s not writing.