Full Report
Mainly North Korean hackers stole over $2bn from crypto platforms in 2024, says Chainalysis
Analysis Summary
# Threat Actor: North Korean State-Sponsored Hackers (General Activity)
## Attribution & Identity
The primary threat actor is associated with **North Korea (DPRK)**. Chainalysis identifies DPRK-linked actors as dominating cryptocurrency theft in 2024, responsible for 61% of the $2.2bn stolen. The article also mentions related activity by "North Korean IT workers." (Specific APT groups such as Lazarus are not named, but the context points clearly to state-backed entities.)
## Activity Summary
* **2024 Cryptocurrency Theft:** Stole the majority (61%) of the $2.2bn stolen from cryptocurrency platforms globally in 2024, marking the fifth straight year crypto hackers stole over $1bn.
* **Activity Surge and Slowdown:** Total losses across all actors rose 21% year-on-year. North Korean activity in particular slowed sharply *after* the June meeting between Kim Jong-un and Vladimir Putin; the article suggests this may be linked to an agreement to release frozen North Korean assets.
* **Evolving Exploit Size:** Attacks yielding large sums ($50m-$100m, and above $100m) occurred more frequently in 2024 compared to 2023, suggesting they are getting "better and faster at massive exploits."
* **Increased Low-Value Attacks:** A growing density of hacks yielding lower amounts (around $10,000) linked to infiltrated IT workers was also observed.
## Tactics, Techniques & Procedures
- **Infiltration via Employment:** North Korean IT workers infiltrate crypto and Web3 companies to compromise networks, operations, and integrity.
- **Deception and Social Engineering:** Use of **false identities**.
- **Supply Chain/Third-Party Manipulation:** Utilizing **third-party hiring intermediaries**.
- **Remote Work Exploitation:** Manipulating "remote work opportunities to gain access."
- **Advanced TTPs:** Mentioned generically as using "sophisticated tactics, techniques, and procedures."
- **MITRE ATT&CK IDs:** Not specified in the article.
## Targeting
- **Sectors:** Cryptocurrency platforms, Web3 companies.
- **Geography:** Global (based on where crypto platforms are targeted).
- **Victims:** Cryptocurrency firms.
## Tools & Infrastructure
- **Malware families used:** Not specified in the article.
- **Infrastructure (C2, domains, IPs):** Not specified in the article.
## Implications
North Korean actors are demonstrating increasing sophistication and efficiency in executing large cryptocurrency exploits. The shift toward more frequent high-value attacks indicates rapid maturation of their capabilities, despite the slowdown that followed the June Kim-Putin meeting. Their infiltration of companies through the employment vector (false identities, hiring intermediaries, remote roles) poses a significant insider-threat risk that technical controls alone will not catch.
## Mitigations
- **Employee Vetting:** Rigorously vet prospective employees, especially those seeking remote work or IT roles within crypto/Web3 firms.
- **Key Management:** Improve **private key hygiene**.
- **Industry Cooperation:** Engage in **data-sharing initiatives**.
- **Tooling:** Implement **advanced tracing tools**.
- **Training:** Conduct **targeted training** for security teams.
- **Partnerships:** Foster stronger partnerships with law enforcement for rapid response.