North Korea’s cybercriminals weaponize AI to fund regime activities

Published 25 Nov 2024


North Korean hackers have stolen over $10 million in cryptocurrency through AI-driven scams on LinkedIn, Microsoft revealed at CYBER WARCON 2024. These state-sponsored groups create convincing fake identities, use AI-assisted social engineering, and steal cryptocurrency to fund North Korea’s weapons programs. Despite international sanctions, they continue to evolve their tactics and pose a growing threat to global cybersecurity.

Fake Recruiters To Spread Malware

Microsoft reports that the threat actor Sapphire Sleet impersonates skills assessment portals as part of its social engineering campaigns. The group has been active since 2020 and has connections to the hacking groups APT38 and BlueNoroff. Over the past six months it reportedly stole more than $10 million through AI-enhanced scams that gave it access to targets’ devices and their cryptocurrency.

Their main tactic is to pose as U.S. firms, recruiters, or venture capitalists. They claim an interest in the target’s company and arrange an online meeting. When the target tries to join, error messages prompt them to contact the room administrator. That administrator is the attacker, who sends the victim a malicious script disguised as a fix for the problem.

“The threat actor sends the target user a sign-in account and password. In signing in to the website and downloading the code associated with the skills assessment, the target user downloads malware onto their device, allowing the attackers to gain access to the system,” Microsoft explained.
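The lure described above relies on the target running code that arrives as a "skills assessment" or a "fix" for a meeting error. The following is an added example, not code from the article or from Microsoft's report, of the kind of triage a practitioner would do on such a package before executing anything from it: walk the downloaded tree, flag npm lifecycle hooks that run automatically on install, and flag lines that decode and evaluate hidden payloads or reach out to download tools. The indicator list and the sample project are assumptions constructed for the example; a clean result does not make the code safe, so it should still only be run in an isolated, disposable environment.

```python
"""Triage untrusted 'skills assessment' code before running it.

Added example, not part of the original article or Microsoft's report.
Assumptions (not from the page): the lure is delivered as a small
Node/Python project, and the indicator patterns below are illustrative.
"""
import json
import re
import tempfile
from pathlib import Path

# Hypothetical indicators: constructs that execute code, decode hidden
# payloads, spawn processes, or fetch from the network. Illustrative only.
SUSPICIOUS = {
    "eval-like call": re.compile(r"\b(eval|exec|Function)\s*\("),
    "base64 decode": re.compile(
        r"\b(atob|b64decode|FromBase64String)\s*\(|['\"]base64['\"]"),
    "process spawn": re.compile(r"\b(child_process|subprocess|os\.system)\b"),
    "download tool": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b"),
    "raw ip url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
}
# npm runs these automatically on `npm install`, before any test is run.
HOOK_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def scan_file(root: Path, path: Path) -> list:
    """Return (relative_path, reason) findings for one file."""
    findings = []
    rel = path.relative_to(root).as_posix()
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    if path.name == "package.json":
        try:
            scripts = json.loads(text).get("scripts", {})
        except (ValueError, AttributeError):
            scripts = {}
        for hook in HOOK_SCRIPTS:
            if hook in scripts:
                findings.append((rel, f"npm lifecycle hook '{hook}': {scripts[hook]}"))
    for label, rx in SUSPICIOUS.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if rx.search(line):
                findings.append((rel, f"{label} at line {lineno}"))
    return findings


def scan_tree(root: Path) -> list:
    """Scan every file under root, skipping vendored node_modules."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and "node_modules" not in p.parts:
            findings.extend(scan_file(root, p))
    return findings


# Constructed sample project (not a real lure): a harmless test file, a
# package.json whose postinstall hook runs a helper, and a helper that
# decodes a base64 blob and evals it.
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "assessment",
        "scripts": {"postinstall": "node utils/config.js", "test": "node test/app.test.js"},
    }),
    "test/app.test.js": "const assert = require('assert');\nassert.strictEqual(1 + 1, 2);\n",
    "utils/config.js": "const p = Buffer.from('...', 'base64').toString();\neval(p);\n",
}


def scan_sample() -> list:
    """Write the constructed sample to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in SAMPLE_FILES.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for name, why in scan_sample():
        print(f"{name}: {why}")
```

On the constructed sample the scan reports the postinstall hook in package.json and both the base64 decode and the eval in utils/config.js, while the genuine test file produces no findings. The useful property is that the hook is caught before `npm install` would have run it.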

The FBI has taken action against these scams, seizing multiple domains associated with creating fake websites that mimic legitimate tech firms.

AI Tools Used for Identity Deception

These hackers have also been posing as job seekers. AI tools such as Faceswap clean up their headshots so that their résumés look more professional and convincing. This helps them pass identity checks when applying for remote IT jobs on platforms like LinkedIn, GitHub, and Upwork.

Through this ostensibly legitimate IT work, the workers generate revenue that funds North Korea’s weapons programs. They may also steal sensitive information and intellectual property from the companies that employ them. Microsoft calls this a “triple threat”: they earn money for the regime, gain access to sensitive data, and can hold the stolen data for ransom.

“The North Korean IT workers appear to be very organized when it comes to tracking payments received. Overall, this group of North Korean IT workers appears to have made at least 370,000 US dollars through their efforts,” Microsoft stated. They continue to evolve their tactics, even now experimenting with AI voice-changing software.

The workers behind these scams have been operating in multiple countries, including Russia and China.

Microsoft emphasized that organizations need to be vigilant when hiring remote IT workers. They should implement measures to verify profiles and detect suspicious activity to protect against these increasingly sophisticated scams. North Korean threat actors continue to adapt and innovate, making them a persistent threat to both businesses and individuals worldwide.