Crypto Startups Beware: That VC Email Might Be North Korean Hackers

Cybersecurity researchers say this North Korean hacker crew likely won’t slow down its crypto-phishing campaign anytime soon


Sashkin/ modified by Blockworks


Members of a notorious hacker crew with links to North Korea have been posing as venture capitalists in a bid to phish — and steal from — crypto startups.

A subunit of North Korean cyberwarfare agency Bureau 121, called BlueNoroff, has now deployed more than 70 domains during its phishing campaign overall, with a recent focus on Japan’s financial sector.

“[BlueNoroff] created numerous fake domains that look like venture capital and bank domains. Most of the domains imitate Japanese venture capital companies, indicating that the group has an extensive interest in Japanese financial entities,” cybersecurity firm Kaspersky said.

The hackers have imitated venture capital firms such as Beyond Next Ventures and Angel Bridge, as well as banking giants Bank of America and Mizuho Financial Group. 

BlueNoroff has also adopted new malware strains that rely on different file types to bypass Windows system flags, employing .iso and .vhd extensions instead of Word documents. 

The malware, usually delivered via email, is hidden inside those files, which release a malicious PDF or PowerPoint presentation once opened. Additional malware is then downloaded directly to the target machine, installing backdoors and executing commands to steal sensitive data and high system privileges.

The US Army in 2020 estimated that BlueNoroff is made up of roughly 1,700 individuals operating around the world. Authorities say it aims to pull off “financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities.” 

“This group exploits the systems for financial gain for the regime or to take control of the system.”

Kaspersky’s researchers have tracked BlueNoroff’s crypto efforts since 2018 — two years after the group attempted to steal $1 billion from the central bank of Bangladesh, though making off with just $63 million.

In January, Kaspersky detailed instances of the hackers pretending to be Barry Silbert’s crypto hedge fund Digital Currency Group in phishing attempts, among numerous other digital asset firms including Emurgo, a Cardano-focused software firm, and Ant Capital.

Fake BlueNoroff phishing document cites purported investments in crypto exchange bitFlyer

Fellow Bureau 121 subunit Lazarus Group is believed to be responsible for major hacks on crypto startups, including the $500 million Axie Infinite and $100 million Harmony incidents this year.

BlueNoroff itself has been responsible for crypto thefts worth millions of dollars from crypto startups, Kaspersky has said.

The reports align with others from October, in which Japanese authorities disclosed a spate of Lazarus-linked phishing and social engineering attacks on local crypto funds, some of which amounted to lost capital.

“As we can see from our latest finding, this notorious actor has introduced slight modifications to deliver their malware. This also suggests that attacks by this group are unlikely to decrease in the near future,” researchers said.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Templates.png


ZKPs enable efficient offchain transaction processing and validation, resulting in increased throughput and reduced fees. Solana's ZK Compression leverages ZKPs to minimize onchain storage costs, while Sui's zkLogin streamlines user onboarding by replacing complex key management with familiar OAuth credentials.


Plus, is Polymarket this cycle’s breakthrough mainstream app?


The crypto asset manager lowered its planned fee from 0.25% to 0.15%, undercutting its competitors


Plus, a look at planned ETH ETF fees and how they differ from their BTC counterparts


North Korea suspected in breach of Indian exchange’s multisig wallet


Plus, Sanctum’s CLOUD token has officially launched — but not without problems


It’s not yet clear whether Donald Trump is pumping bitcoin. But an unofficial memecoin is still seeing benefit.