Author: Vince Quill, CoinTelegraph; Translated by: Deng Tong, Golden Finance

Hackers linked to the North Korean government have reportedly expanded a social engineering scam designed to steal cryptocurrency by infiltrating “hundreds” of large multinational information technology companies.

According to an article in TechCrunch, researchers at the Cyberwarcon cybersecurity conference discovered two North Korean hacking groups named "Sapphire Sleet" and "Ruby Sleet."

Sapphire Sleet targets individuals through a fraudulent employment scheme by posing as a legitimate recruiter and luring unsuspecting victims into interviews or other employment opportunities. The hackers then infect the user's computer with malware disguised as a picture document file (PDF) or malicious link at some point during the interview process.

Ruby Sleet successfully infiltrated aerospace and defense contractors in the United States, the United Kingdom, and South Korea to steal military secrets.

In addition, the report mentioned that North Korean IT employees used fake identities created using artificial intelligence, social media and voice-changing technology to infiltrate companies and carry out recruitment scams.

Cryptocurrency theft in November 2024. Source: Immunefi

North Korean hackers target crypto industry

Long before researchers at Cyberwarcon warned of North Korean hacking groups targeting information technology companies, hackers linked to the North Korean regime were using the same tactics to target cryptocurrency companies.

In August, on-chain sleuth ZackXBT claimed to have identified 21 developers, believed to be North Korean, who were working on various crypto projects using fake identities.

Then, in September, the FBI issued a warning that North Korean hackers were targeting cryptocurrency companies and decentralized finance projects with malware disguised as job opportunities. Once users downloaded the malware or clicked on a malicious link, their private keys would be stolen.

Most recently, in October, the Cosmos ecosystem faced concerns regarding its Liquid Stake module, which was allegedly built by North Korean developers.

Jacob Gadikian, a developer in the Cosmos ecosystem, said: “The people who built LSM are the most skilled and prolific cryptocurrency thieves in the world.” The threat of backdoors and other malicious lines of code prompted multiple security audits of the Cosmos Liquid Staking module.