# Full Report
Secureworks Counter Threat Unit (CTU) has identified links between North Korean IT workers and fraudulent crowdfunding activity, with the group known as Nickle Tapestry orchestrating scams to support North Korean interests.
# Analysis Summary
# Threat Actor: Nickle Tapestry
## Attribution & Identity
The threat actor group associated with the fraudulent crowdfunding activity is identified by Secureworks Counter Threat Unit (CTU) as **Nickle Tapestry**. This actor is described as comprising multiple clusters of activity operated on behalf of **North Korean interests**. This activity is linked conceptually to the North Korean "fake IT workers scheme."
## Activity Summary
Secureworks CTU exposed a connection between the North Korean fake IT workers scheme and **fraudulent crowdfunding activity** linked to Nickle Tapestry. This specific scam managed to raise approximately **$20,000**. This operation is cited as an earlier example of North Korean threat actors experimenting with money-making schemes preceding their broader use of fraudulent IT workers.
## Tactics, Techniques & Procedures
The article primarily discusses the objective and context of the operation rather than specific technical TTPs.
- **Fraudulent Crowdfunding:** Utilizing specific schemes to solicit and acquire funds.
- **Experimentation with Money-Making Schemes:** Demonstrating an evolution in illicit funding mechanisms used by the actor set.
- *Note: Specific TTPs related to malware, exploitation, or standard cyber operations (e.g., MITRE ATT&CK IDs) were not detailed in the provided snippet.*
## Targeting
- **Sectors:** Financial/investment sector (inferred from the crowdfunding nature of the scam).
- **Geography:** Not explicitly mentioned, but the actor is North Korean state-aligned.
- **Victims:** Individuals or entities providing funding through the fraudulent crowdfunding platform(s).
## Tools & Infrastructure
- **Malware families used:** None explicitly mentioned in the summary provided.
- **Infrastructure (C2, domains, IPs):** Specific infrastructure details were not provided in the snippet.
## Implications
This finding indicates that North Korean threat actors, specifically those linked to Nickle Tapestry, have exploited crowdfunding platforms as a means of illicit financing. This represents an **evolutionary step in their money-making schemes**, with financial fraud tactics potentially predating more publicized activities such as the IT worker scheme. The observed tendency to adopt evolving techniques (including the later use of deepfakes and AI noted by Secureworks) suggests adaptability in their revenue-generation operations.
## Mitigations
- Vigilance against new or non-traditional funding solicitation schemes, especially those exhibiting characteristics similar to known North Korean fronts.
- Increased scrutiny of crowdfunding campaigns that appear heavily pushed or utilize unusual onboarding procedures, given the historical context of state-sponsored financial exploitation.