In the cryptocurrency ecosystem, coins have a history, traced in the immutable blockchains that underpin their economy. The only exception, in a certain sense, is cryptocurrency freshly generated by the computing power of its owner. So it seems that North Korean hackers have adopted a new trick to launder the coins they steal from victims around the world: paying their dirty, stolen coins to services that let them mine new, untainted ones.
Today, cybersecurity firm Mandiant released a report on a prolific North Korean state-sponsored hacking group it now calls APT43, sometimes known as Kimsuky and Thallium. The group, whose activities suggest its members work in service of North Korea’s General Reconnaissance Office spy agency, has focused primarily on espionage, hacking think tanks, academics and private companies from the United States to Europe, South Korea and Japan since at least 2018, primarily with phishing campaigns designed to harvest victims’ credentials and install malware on their machines.
Like many North Korean hacker groups, APT43 also doesn’t shy away from profit-driven cybercrime, according to Mandiant, stealing any cryptocurrency that could enrich the North Korean regime or even just fund the hackers’ own operations. And as regulators around the world have tightened their grip on the exchanges and laundering services that thieves and hackers use to cash in criminally tainted coins, APT43 appears to be trying a new method to cash out the funds it steals while preventing them from being seized or frozen: it funnels stolen cryptocurrency into “hash services” that allow anyone to rent time on the computers used to mine cryptocurrency, thereby harvesting newly mined coins that have no apparent connection to criminal activity.
This mining trick allows APT43 to take advantage of the fact that cryptocurrency is relatively easy to steal while avoiding the forensic trail of evidence it leaves on blockchains, which can make it difficult for thieves to cash out. “It breaks the chain,” says Joe Dobson, threat intelligence analyst at Mandiant. “It’s like a bank robber stealing money from a safe, then going to a gold miner and paying the miner with the stolen money. Everyone is looking for the money while the bank robber walks around with fresh, newly mined gold.”
Mandiant says it started seeing signs of APT43’s mining-based laundering technique in August 2022. Since then, tens of thousands of dollars’ worth of crypto has flowed from what it considers APT43 wallets into hashing services, services like NiceHash and Hashing24 that allow anyone to buy and sell the computing power used to calculate the mathematical strings called “hashes” that are needed to mine most cryptocurrencies. Mandiant says it has also seen similar amounts flow into APT43 wallets from mining “pools,” services that allow miners to contribute their hash resources to a group that pays out a cut of any cryptocurrency the group collectively mines. (Mandiant declined to name the hashing services or mining pools in which APT43 participated.)
In theory, payouts from these pools should be clean, with no connection to APT43’s hackers; that appears, after all, to be the aim of the group’s laundering exercise. But in some cases of operational negligence, Mandiant says, it found that the payouts were nonetheless mixed with cryptocurrency in wallets it had previously identified through its years-long tracking of APT43 hacking campaigns.
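As an added illustration, not taken from Mandiant's report, of how an analyst might flag the two patterns described above (tainted wallets paying into hash-rental services, and pool payouts later merged with tainted wallets), here is a small taint-tracing routine over a constructed transfer list; every address, label and amount is made up.

```python
from collections import defaultdict, deque

# Constructed sample labels (not from the report): analyst-tagged addresses.
TAINTED = {"apt_wallet_1", "apt_wallet_2"}        # wallets tied to the actor
HASH_SERVICES = {"hashsvc_deposit_A"}             # hash-rental deposit addresses
POOL_PAYOUTS = {"pool_payout_X"}                  # mining-pool payout addresses

# Constructed transfers: (sender, receiver, amount).
TRANSFERS = [
    ("victim_exchange", "apt_wallet_1", 12.0),
    ("apt_wallet_1", "hop_1", 12.0),
    ("hop_1", "hashsvc_deposit_A", 11.5),       # stolen coins buy hash power
    ("pool_payout_X", "fresh_wallet_1", 0.8),   # freshly mined, no history
    ("fresh_wallet_1", "apt_wallet_2", 0.8),    # slip-up: merged with a tainted wallet
    ("pool_payout_X", "fresh_wallet_2", 0.5),   # payout kept separate: not flagged
]


def build_graph(transfers):
    """Adjacency list of sender -> set of receivers."""
    graph = defaultdict(set)
    for sender, receiver, _ in transfers:
        graph[sender].add(receiver)
    return graph


def forward_reach(graph, seeds, stop_at=frozenset()):
    """Addresses reachable downstream of seeds. Traversal stops at stop_at
    because coins paid into a service are pooled there and lose their history."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        addr = queue.popleft()
        if addr in stop_at:
            continue
        for nxt in graph[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def tainted_hash_deposits(transfers, tainted=TAINTED, services=HASH_SERVICES):
    """Hash-rental deposits funded, directly or via hops, by tainted wallets."""
    reach = forward_reach(build_graph(transfers), tainted, stop_at=services)
    return sorted(reach & services)


def comingled_payouts(transfers, payouts=POOL_PAYOUTS, tainted=TAINTED):
    """Pool payouts whose downstream flow later touches a known tainted wallet."""
    graph = build_graph(transfers)
    flagged = [(p, hop) for p in sorted(payouts) for hop in sorted(graph[p])
               if forward_reach(graph, {hop}) & tainted]
    return flagged
```

Stopping the forward walk at the service deposit address mirrors the "break in the chain" the article describes: what the service pays out cannot be linked back by following coins, which is why the second check works from the payout side instead.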