APT Group Targeting Cryptocurrency Industries — Debunked

2020-09-18 Uppsala Security

https://medium.com/sentinel-protocol/apt-group-targeting-cryptocurrency-industries-debunked-5f799028cfc1

Our findings show that the APT group uses separate infrastructure for hosting phishing and C2 servers. This infrastructure has links to the DPRK-based Lazarus APT group and to the CryptoCore APT group, both involved in compromising multiple cryptocurrency exchanges. The APT group uses spear-phishing emails to gain a foothold on the victim machine, after which multiple payloads are downloaded from the phishing or C2 server to exfiltrate information.

Phishing Infrastructure

To understand the phishing infrastructure of the APT group, we gathered multiple bit[.]ly links used by the threat actor group and obtained the phishing URLs to which the bitly service redirected them, together with their resolved IP addresses, shown in Fig 7. Based on the indicators of compromise (IOCs) generated from our investigation, we found a number of IOCs matching those in two other research articles on threat actor groups that target cryptocurrency organizations using a modus operandi similar to the one we uncovered.

Indicators of Compromise

