North Korean Hackers Exploit AI and LinkedIn to Steal $10M in Cryptocurrency
A North Korean hacking group, Sapphire Sleet, has reportedly stolen over $10 million worth of cryptocurrency through sophisticated social engineering campaigns over a six-month period. According to Microsoft, the group used fake LinkedIn profiles and AI tools to target victims, continuing North Korea’s trend of leveraging cybercrime to evade international sanctions and generate revenue.
Posing as Recruiters and Job Seekers
Sapphire Sleet, active since at least 2020, operates under the broader hacking umbrellas of APT38 and BlueNoroff. The group creates fake LinkedIn profiles, posing as recruiters from major financial firms like Goldman Sachs or as job seekers, to carry out their schemes. Their tactics include:
- Impersonating Recruiters: Victims are lured into completing fake skills assessments hosted on attacker-controlled websites. When the victim signs in and downloads the “assessment,” malware is installed on the victim’s device, granting attackers access to credentials and cryptocurrency wallets.
- Masquerading as Venture Capitalists: The group pretends to be interested in investing in target companies and sets up fraudulent online meetings. During the meeting setup, victims are shown fake error messages and are tricked into downloading malicious files under the guise of troubleshooting.
AI-Powered Deception
The group has also turned to artificial intelligence to enhance its operations. Using tools like Faceswap, Sapphire Sleet alters photos and documents stolen from victims to create convincing, professional-looking personas. These fabricated identities are used in resumes or LinkedIn profiles to apply for jobs, often with multiple fake personas linked to a single operation.
In some cases, they experiment with AI-powered voice-changing software to further enhance their credibility.
Broader Operations
Microsoft describes North Korea’s broader cyber efforts as a “triple threat”:
- Legitimate Work: North Korean IT workers secure legitimate freelance or remote jobs, funneling earnings back to the regime.
- Intellectual Property Theft: These workers abuse their access to steal sensitive data from employers.
- Ransom-Fueled Data Theft: They target valuable corporate data, sometimes demanding ransoms for its return.
These workers rely on “facilitators” to bypass restrictions, such as creating accounts on freelance platforms and acquiring tools like phone numbers and bank accounts—resources unavailable in North Korea.
Organized Cybercrime
The hacking campaigns are meticulously organized. Microsoft notes that the IT workers closely track payments, earning at least $370,000 from their job schemes alone. Combined with their hacking activities, these efforts significantly fund the North Korean regime.
Protecting Against Threats
The findings highlight the growing sophistication of North Korean cybercrime, particularly in integrating AI and social engineering. Organizations and individuals are advised to remain vigilant, verify online profiles, and avoid downloading files from unverified sources to mitigate such risks.