Never short on innovation in its attacks, North Korea has launched a campaign targeting crypto developers. How does it work and how can you protect yourself?
North Korea targets crypto developers
Cryptocurrency hacks are unfortunately a common strategy for North Korea. The state uses teams of hackers to steal cryptocurrencies, particularly to finance its nuclear weapons program.
This fall, researchers at the cybersecurity firm Socket sounded the alarm: hackers are currently targeting crypto developers. According to them, North Korea has targeted one of the most widely used software package registries in the world: npm.
According to Socket, more than 300 malicious code packages were discovered on the registry, which is used to install and share JavaScript software.
Once installed, these packages discreetly execute malware that steals passwords, browser data, and keys linked to cryptocurrency wallets. According to the report, 5,000 downloads of these malicious packages took place before some of them were removed.
Beware of name changes
To avoid arousing suspicion, the hackers reuse the names of reputable packages, changing one or two letters. Web3 development kits are also imitated, notably in the context of crypto recruitment.
Here are some examples of these typographical variants:
- ethers.js is imitated by variants such as ethrs.js and ethres.js;
- web3.js becomes we3.js or wb3.js;
- systematic spelling mistakes on truffle (truffel), ganache (ganacche), and foundry (foudry), as well as hardhat-themed packages such as hardhat-deploy-notifier and hardhat-deploy-notification;
- imitations of brand names, for example metamask-api.
Fake LinkedIn accounts and scam networks
It should also be noted that the criminals combine techniques. They sometimes use fake LinkedIn recruiter accounts, a method we have already covered.
We discovered that malicious actors were registering email addresses designed to resemble those of recruiters, HR managers, or “tech” profiles in order to better deceive developers and job seekers.
North Korea has elevated cryptocurrency hacking to an industrial level, with highly developed networks.
Targets include Web3, cryptocurrency, and blockchain developers, as well as candidates for technical positions approached by fake recruiters, leading to multi-stage compromises and financial losses.
GitHub, the owner of the npm registry, has confirmed that it is removing compromised packages as they appear, but there are too many of them and they are created too regularly for it to track them all.
The advice to developers is therefore to exercise the utmost caution: dependencies must be scanned before integration, and the use of automated verification tools must, unfortunately, become standard practice.
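As an added example (not code from the article or from Socket), here is a small Node.js check of the kind such a pre-integration scan can include: it flags dependency names that sit within one or two edits of well-known Web3 packages, which catches the variants listed above. The known-good list is an illustrative assumption, and brand-name imitations such as metamask-api need an explicit allowlist rather than an edit-distance check.

```javascript
// Illustrative allowlist of legitimate package names (assumption, not an
// authoritative list): names are compared after stripping a scope and ".js".
const KNOWN_GOOD = ["ethers", "web3", "truffle", "ganache", "foundry", "hardhat"];

// Levenshtein edit distance (insert, delete, substitute), single-row version.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Normalise an npm name so "ethrs.js" and "ethers" compare on the same basis.
function normalise(name) {
  return name.replace(/^@[^/]+\//, "").replace(/\.js$/, "").toLowerCase();
}

// Returns {dependency, lookalikeOf, distance} for each dependency whose name
// is within maxDistance edits of a known package without being that package.
// Very short names can produce false positives, so tune maxDistance and
// review findings by hand rather than failing the build blindly.
function findTyposquats(dependencies, known = KNOWN_GOOD, maxDistance = 2) {
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    const n = normalise(dep);
    if (known.includes(n)) continue; // exact legitimate name, nothing to flag
    for (const k of known) {
      const d = editDistance(n, k);
      if (d > 0 && d <= maxDistance) {
        findings.push({ dependency: dep, lookalikeOf: k, distance: d });
        break;
      }
    }
  }
  return findings;
}

// Constructed "dependencies" block from a package.json (not a real project).
const sampleDependencies = {
  "ethers": "^6.0.0", "ethrs.js": "1.0.0", "we3.js": "1.0.0",
  "truffel": "5.0.0", "hardhat": "^2.0.0"
};
console.log(findTyposquats(sampleDependencies));
```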