Safe{Wallet} and Mandiant report that the February 21, 2025 incident tied to the Bybit heist involved compromise of a Safe developer laptop and hijacked AWS session tokens that bypassed MFA controls. The FBI attributed the theft to TraderTraitor, a DPRK-l…
778 reports
The source analyzes test.lnk, a Konni-linked malware sample disguised as an HWP document about anti-money-laundering supervision for virtual asset service providers. The report lists the sample hashes and shows that the LNK contains embedded PowerShell ra…
Kudelski Security uses infrastructure analysis to show how analysts can cluster and revisit adversary networks over time, with a DPRK-relevant case study based on leaked North Korean IT worker PuTTY configuration data. The reconstructed infrastructure is …
AhnLab ASEC analyzes Lazarus intrusions against Windows web servers that were compromised and reused as command-and-control infrastructure. The report describes attacks on South Korean web servers where the actor installed web shells and C2 proxy scripts,…
North Korea was linked to the February 2025 Bybit theft of about USD 1.5 billion in Ethereum, and TRM observed the laundering operation moving at unusually high speed. Within days, hundreds of millions of dollars had been shifted through decentralized exc…
Logpresso compares two Korean-language document lure cases and separates them into APT37 and Konni activity based on file structure, execution flow, metadata, C2 behavior, and decryption keys. The APT37 case used a Hangul document titled around North Kore…
South Korea’s National Intelligence Service warns that North Korean hacking groups are using software supply-chain weaknesses to steal confidential data and core technology from government agencies and advanced enterprises. The advisory describes three in…
Nisos tracks a likely DPRK-affiliated IT worker network using GitHub to support fake personas seeking remote engineering and full-stack blockchain roles in Japan and the United States. The personas pose as Vietnamese, Japanese, and Singaporean nationals, …
Genians Security Center links a martial law-themed spear-phishing campaign to Kimsuky tradecraft. The report says emails sent to people working on North Korea-related issues delivered malware download links, used OS-specific distribution behavior for macO…
Elliptic describes the Bybit cold-wallet theft as a USD 1.46 billion cryptocurrency hack and focuses on rapid tracing of the stolen assets. The company says it labeled initial exploit addresses within 18 minutes of Bybit's confirmation, tracked fast laund…
The podcast episode discusses the Bybit cryptocurrency heist as a Lazarus Group operation centered on a malicious JavaScript supply-chain compromise of a developer. The available excerpt gives only high-level detail, tying the theft to the reported USD 1.…
Ketman's February 2025 activity statement reports seven Web3 companies or projects directly affected by confirmed DPRK IT workers. The group counted ten confirmed IT workers for the month and estimated that affected projects transferred about $50,000 in c…
Ketman frames DPRK IT worker risk around remote-first open source, DAO, crypto, and grant-funded organizations that hire through public channels or accept outside pull requests. The article distinguishes these workers from intrusion operators but warns th…
Silent Push reports that Lazarus-linked operators, including Contagious Interview or Famous Chollima and DPRK fake IT worker actors, continue to use Astrill VPN to mask their locations. Infrastructure and logs acquired from Contagious Interview showed Ast…
Privy's analysis reviews the Bybit incident as a web3 risk-assessment case centered on a cold-wallet transfer using a SAFE multisig wallet. The excerpt states that attackers compromised SAFE developer access, presented signers with what appeared to be a v…