North Korean Hackers Use LinkedIn AI Scams to Steal Over $10M

North Korean hackers, identified by Microsoft as the threat group Sapphire Sleet, have stolen more than $10 million worth of cryptocurrency through sophisticated social engineering and malware campaigns over a six-month period. LinkedIn is a central tool in these scams, with attackers using the platform’s professional network to deceive targets and steal sensitive information.

Sapphire Sleet has been linked to other notorious hacking groups like APT38 and BlueNoroff and has been operating since at least 2020. The group’s tactics have evolved, now including the use of artificial intelligence (AI) to craft fake profiles and impersonate recruiters or job seekers. These fake profiles are used to establish trust with potential targets before launching malicious attacks.

The group has posed as venture capitalists and recruiters for financial firms, with one of their primary methods being to engage users who appear to have relevant professional interests. They bait their targets into online meetings, but when the target tries to join the meeting, they are presented with an error message. If the target then contacts the ‘support team’, they are sent malicious files, such as an AppleScript (.scpt) or Visual Basic Script (.vbs) file, depending on the victim’s operating system. Once executed, these scripts download malware that grants the attackers access to the victim’s credentials and cryptocurrency wallets.

Sapphire Sleet has also been linked to scams involving fake job offers. The attackers masquerade as recruiters from prestigious financial firms like Goldman Sachs. They send targets fake job applications and skills assessments hosted on compromised websites. Once the target signs in and downloads files, they inadvertently download malware that allows the hackers to infiltrate their system.

Be Careful Who You Hire

In addition to stealing directly from individuals, North Korea’s cyber tactics extend into organised IT operations abroad. These efforts serve as a “triple threat” to their targets:

  1. Generating revenue through “legitimate” freelance work.
  2. Abusing access to intellectual property obtained via remote jobs.
  3. Facilitating data theft, including selling stolen information or demanding ransoms.

To bypass international restrictions, North Korean IT workers rely on facilitators to establish identities and accounts for remote job applications. These facilitators help create fake profiles on platforms like GitHub and LinkedIn, enabling North Korean operatives to present polished and professional portfolios. Often, the hackers have used AI tools like Faceswap to alter images and create professional-looking resumes and social media profiles. These AI-driven forgeries make the attackers’ profiles more convincing and difficult to distinguish from legitimate candidates. In some cases, voice-changing software has also been used to enhance the illusion of authenticity, allowing hackers to pose as real people more convincingly.

What Can Businesses and Individuals Do to Protect Themselves?

To protect against these types of attacks, both businesses and individuals must adopt stronger security practices. Some recommendations include:

  1. Regular Security Training: Employees should be trained to identify phishing emails, suspicious job offers, and unusual requests.
  2. Multi-Factor Authentication (MFA): Using MFA helps secure accounts, even if passwords are compromised.
  3. Verify Recruiters and Job Offers: Always verify the authenticity of job offers and recruitment messages, especially when they come from unverified or unsolicited sources. Also carefully vet any candidates for IT roles.
  4. Use Anti-Malware Software: Ensure that devices are protected with up-to-date anti-malware tools to detect and block harmful files.

As cyber criminals continue to refine their techniques, it’s crucial for businesses and individuals to remain vigilant, combining technological controls with well-trained, sceptical staff to combat evolving threats.

For more information on protecting your business from social engineering attacks and improving your cyber security posture, contact OmniCyber Security today.