ASEC observed RokRAT being distributed through malicious Hangul HWP documents instead of the LNK-based delivery more commonly associated with this malware. One lure used North Korea grain distribution content and embedded ShellRunas.exe and credui.dll as …
778 reports
OFSI assesses that UK cryptoasset firms are almost certainly under-reporting suspected financial sanctions breaches and face direct compliance exposure from cryptoasset-related sanctions risks. The assessment states it is highly likely that UK-based crypt…
Cyvers assesses the $44.2 million CoinDCX operational-wallet breach as showing hallmarks of North Korea's Lazarus Group targeting centralized cryptocurrency exchanges. The attacker staged funds from Tornado Cash through FixedFloat, Polygon, and Solana, se…
The source analyzes a Konni-attributed LNK malware sample disguised as a Hangul document named like a funds source statement. Its embedded PowerShell searches for a specifically sized .lnk file, extracts XOR-decoded payload data from offsets in that file,…
CoinDCX said one internal operational account used for liquidity provisioning on a partner exchange was compromised in a sophisticated server breach on July 19, while customer wallets remained segregated and unaffected. The exchange reported about $44 mil…
NSHC observed SectorA activity against development environments and high-risk social sectors during the May 21 to June 20, 2025 collection period. The group used GitHub, Supabase, ethers.js, NPM, fake NFT projects, and freelance-proposal lures to pursue s…
Chainalysis identifies the DPRK-linked $1.5 billion ByBit theft as the defining event in a record-breaking first half of 2025 for cryptocurrency service hacks. The ByBit breach accounted for about 69% of all funds stolen from services year-to-date and pus…
Elliptic estimates that illicit and high-risk cross-chain laundering through DEXs, bridges and no-KYC swap services has exceeded $21.8 billion, nearly tripling in two years. The report identifies North Korean cyber threat actors among the drivers of this …
AhnLab’s June 2025 APT trend roundup highlights several North Korea-linked operations, including GitHub PAT abuse against private repositories and remote IT worker schemes using forged credentials, RMM tools, VPNs, and accomplices. The excerpt describes K…
Hacken links Lazarus Group, also tracked as APT38, Labyrinth Chollima, and HIDDEN COBRA, to a sustained shift from earlier disruptive operations into large-scale cryptocurrency theft between 2021 and 2025. The excerpt highlights attacks against Bithumb, R…
BigONE detected abnormal asset movements on July 16 and said a third-party attack had targeted part of its hot-wallet assets. The exchange stated that private keys remained secure, the attack path had been identified and contained, and no further losses w…
Canadian authorities warned that North Korean state-affiliated IT workers pose as legitimate freelancers to obtain remote roles in software development, IT support, animation, databases, online platforms, hardware, and firmware. The advisory says these wo…
zeroShadow and partner organizations describe how North Korean cyber actors, broadly identified as Lazarus Group and including the TraderTraitor subgroup, continue stealing and laundering cryptocurrency at scale. The source says TraderTraitor laundered mo…
The Hangro VPN investigation examined four service IPs that share a certificate for CN=hangro.net.kp on port 7443 and appear to require certificate-based authentication. Reverse engineering an older Hangro client found local certificate retrieval from 127…
NSHC's 2024 SectorA review describes North Korea-linked groups pursuing strategic intelligence collection and financial gain, with SectorA05/Kimsuky and SectorA01/Lazarus the most active groups in the excerpt. Kimsuky focused on spear-phishing South Korea…