ESRC observed a North Korea-origin hacking attempt that impersonated an active police investigator and used a PDF-style civil servant ID lure. Unlike a 2017 police-impersonation attack against a Bitcoin exchange that attached a separate malicious file, th…
« 2022 »
296 reports
Lazarus used a signed macOS executable in a fake Coinbase job-offer campaign aimed at financial-technology and Web3 workers. ESET found a universal Intel/Apple silicon build that dropped FinderFontsUpdater.app, a safarifontagent downloader, and a decoy “C…
Chainalysis' mid-year 2022 crypto crime update finds that overall illicit cryptocurrency volume fell less sharply than legitimate market activity, but stolen funds grew significantly. Through July 2022, hacks had stolen about $1.9 billion from crypto serv…
The most infamous of them is the North Korean hacking outfit Lazarus Group, which presents a significant danger to the blockchain ecosystem. Circle: in the first half of 2022, 18 ETH addresses were blacklisted and the USDC-ERC20 assets On April 14, the US…
The attribution-bias presentation uses OlympicDestroyer as a case study in misleading technical evidence and false attribution. It notes that OlympicDestroyer contained artifacts that resembled Lazarus or Bluenoroff wiper malware, including event-related …
PwC's Black Hat USA presentation examines job-themed social engineering used by advanced threat actors, with particular attention to North Korea-linked activity tracked as Black Artemis or temp.Hermit. The material describes malicious recruiter-style lure…
Kaspersky linked a 2021 Maui ransomware incident to Andariel, also known as Silent Chollima or Stonefly, with low to medium confidence based on DTrack deployment, 3proxy use, and overlap with prior activity. In the Japanese victim environment, the actor d…
ESRC reported a North Korea-linked phishing campaign impersonating a major South Korean portal's cloud file-sharing invitation service. The targets were mainly experts and journalists working on North Korea-related issues, and the lure referenced North Ko…
NSHC’s June 2022 ThreatRecon roundup identified three SectorA clusters (the report’s North Korea/DPRK-relevant section) among 34 threat actor groups observed from May 21 to June 20. SectorA02 targeted people working on North Korea-related policy issues in…
OFAC sanctioned Tornado Cash for providing mixing services used to launder more than $7 billion in virtual currency, including proceeds from major cyber-enabled thefts. Treasury stated that Tornado Cash was used to launder over $455 million stolen by Laza…
Suspected Lazarus operators targeted deBridge Finance employees with a phishing email impersonating co-founder Alex Smirnov and claiming to share salary-adjustment information. The lure used an HTML file posing as a PDF and a Windows LNK masquerading as a…
Nomad traced the bridge compromise to an implementation bug in the Replica contract that let forged messages pass authentication. Unproven messages could resolve to bytes32(0), and the initializer had set confirmAt[bytes32(0)] to 1, so acceptableRoot(byte…
Nomad Bridge published post-incident bounty guidance for hackers after the bridge exploit, offering white-hat treatment to parties returning most stolen funds. The report is operationally relevant CTI for cryptocurrency incident response because it docume…
The report describes H0lyGh0st ransomware as activity linked to a newly observed North Korean attack group with suspected ties to Andariel. The extracted PDF notes sandbox-evasion capability, use of public open-source components, public-key encryption for…
Harmony's incident summary says the Horizon Bridge attacker began moving bridged assets on June 23, 2022, after compromising at least two of four bridge-validator private keys. The stolen USDC, ETH, USDT, BNB, and other assets were funneled through wallet…