The FBI has warned of a sophisticated, hard-to-detect cyberattack campaign targeting digital asset exchange-traded funds and related financial products. North Korean hackers have been identified as the perpetrators, using social engineering techniques to steal cryptocurrency.

North Korean hacker groups are conducting large-scale social engineering campaigns targeting employees in the DeFi, cryptocurrency, and similar industries, the FBI said in a September 3 alert. Their goal is to deploy malware and steal companies’ cryptocurrency. The FBI stressed that even cybersecurity-savvy individuals can fall victim to the sophistication and persistence of these attacks.

The FBI said North Korean hackers have conducted extensive research on multiple targets related to digital asset exchange-traded funds (ETFs) over the past several months. The research included preparations that suggest the hackers may be planning cyberattacks against companies involved in ETFs or other cryptocurrency-related financial products.

Sophisticated scam tactics and precautions

North Korean hackers use sophisticated social engineering tactics, often targeting victims with high technical knowledge. They create personalized fake scenarios, often with attractive job offers, lucrative investment proposals, or requests for pre-employment technical testing.

To increase their credibility, they use personal information collected from social networks, impersonating employers, reputable technology companies, or even acquaintances of the victim. Attacks often take a long time to build trust before asking the victim to download malware or execute malicious code on a device with access to the company network.

To minimize risk, the FBI recommends that companies and individuals in the cryptocurrency space be cautious of requests for personal information, thoroughly verify their identity before making transactions, do not download software or files from untrusted sources, and implement strong security measures to protect information and assets.

The FBI also provided a list of signs of North Korean social engineering activity and recommended specific precautions for companies operating in the cryptocurrency space. Recommendations include establishing strict identity verification procedures, not storing cryptocurrency wallet information on Internet-connected devices, limiting access to sensitive information, and conducting regular security reviews.

Earlier in August, security expert ZachXBT uncovered a complex scheme in which North Korean hackers impersonated cryptocurrency developers and stole $1.3 million from a project’s treasury. The stolen funds were then laundered through multiple transactions, and a deeper investigation revealed a network of more than 25 compromised projects linked to individuals sanctioned by the Office of Foreign Assets Control (OFAC).

In addition to targeting individuals, North Korean hackers have also been found to target major cryptocurrency projects through zero-day exploits and sophisticated phishing campaigns. Microsoft reported that North Korean hackers exploited a zero-day vulnerability in Chromium's V8 JavaScript engine to target cryptocurrency organizations.