North Korea ran a Trojan-infested crypto bot-trading platform.
A security firm recently uncovered a plot by North Korean hackers to set up a fake crypto exchange.
Security vendor Volexity, which is supported by Malwarebytes, claims the infamous Lazarus hacking group, said to be based in Pyongyang, is likely behind the attack.
What was going on?
Volexity said Lazarus launched a fake bot-trading exchange in June this year.
Volexity claimed that BloxHolder was a clone of the bona fide trading platform HaasOnline, and published side-by-side examples of near-identical webpages and word-for-word-identical text from the two sites as evidence.
Note: HaasOnline is a bona fide crypto bot-trading platform that has been around for years.
How did the Trojan Work?
BloxHolder users were prompted to download and run a Microsoft Installer (MSI) file that had been altered to contain a variant of the AppleJeus trojan.
AppleJeus, first identified by Kaspersky Lab in 2018, harvests information about the systems it infects: it collects computer addresses, computer names and OS versions. This initial reconnaissance gives the operators the foothold they later use to steal crypto assets.
Cryptonews.com found that antivirus software from McAfee, Avast and South Korea's AhnLab all flag the website as "trojan-infested" or "risky".
Volexity added that it had “identified several other Microsoft Installer files with cryptocurrency themes that are linked to this campaign.”
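The campaign hinged on victims running an installer from a site that looked legitimate. As an added example (not code from the article or from Volexity), the PowerShell function below shows the check a defender would run on any downloaded MSI before executing it: compare its SHA-256 with the hash the real vendor publishes, confirm the Authenticode signature is valid, and confirm the signer is the expected publisher. The expected hash and signer name are placeholders you replace with the vendor's published values; the function name and parameters are assumptions of this example.

```powershell
# Added example, not from the original article or from Volexity.
# Assumptions: the legitimate vendor publishes an Authenticode-signed installer
# and a SHA-256 hash; both expected values are placeholders supplied by the caller.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $ExpectedSignerSubject
    )

    $result = [ordered]@{
        Path           = $Path
        HashMatches    = $false
        SignatureValid = $false
        SignerMatches  = $false
        Trusted        = $false
    }

    # 1. Hash check: a trojanized installer will not match the vendor's published hash.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashMatches = ($actual -eq $ExpectedSha256.ToUpperInvariant())

    # 2. Authenticode check: anything other than 'Valid' (NotSigned, HashMismatch,
    #    UnknownError) means the file should not be run.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')

    # 3. Signer identity: a valid signature from an unexpected publisher is still a red flag,
    #    since attackers can sign malware with certificates of their own.
    if ($null -ne $sig.SignerCertificate) {
        $result.SignerMatches = ($sig.SignerCertificate.Subject -like "*CN=$ExpectedSignerSubject*")
    }

    $result.Trusted = $result.HashMatches -and $result.SignatureValid -and $result.SignerMatches
    [pscustomobject]$result
}

# Usage with placeholder values (replace with the vendor's published hash and signer name):
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\setup.msi" `
#     -ExpectedSha256 '<vendor-published SHA-256>' `
#     -ExpectedSignerSubject '<vendor company name>'
```

Only run the installer when all three fields are true; a hash mismatch alone is enough to stop, because it means the file is not the one the vendor shipped.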
South Korea’s SBS noted that Lazarus allegedly reports to the Pyongyang-run Reconnaissance General Bureau. The bureau is believed to be the North Korean intelligence agency charged with operating the nation’s clandestine operations.
Why is North Korea doing this?
North Korea has been ramping up its cyber capabilities in recent years in an effort to evade sanctions and raise funds for its regime.
North Korea has been using a variety of methods to steal crypto assets, including spear-phishing attacks, and fake social media accounts.
The fake exchange is part of a larger scheme that also includes Trojan-infested wallets and phishing attacks on South Korean exchanges. The goal of the scheme is to steal cryptocurrency from investors and then convert it into fiat currency, which can be used to finance North Korea's illicit activities.
How to avoid getting scammed by North Korea’s fake exchange
To avoid getting scammed by North Korea's fake crypto exchanges or bot-trading platforms, do your research before investing any money. Check whether an exchange is registered and regulated by a reputable authority, and only use exchanges or trading platforms that have positive reviews from other users. If something sounds too good to be true, it probably is, so beware of any such promises.
Below is a list of reputable crypto bot trading platforms and exchanges that I have been using for several years now.
TL;DR: North Korean hackers belonging to the Lazarus group were caught setting up a fake crypto exchange called BloxHolder, a clone of the legitimate trading platform HaasOnline. The site prompted users to run a Microsoft Installer file that contained a variant of the AppleJeus trojan, which harvested information about the systems it infected and gave the hackers the foothold they used to steal crypto assets. North Korea has been ramping up its cyber capabilities to evade sanctions and raise funds for its regime through various methods, including fake crypto exchanges and bot-trading platforms. To avoid getting scammed by these fake exchanges, do thorough research and only use exchanges or trading platforms that are registered and regulated by reputable authorities.
The above references an opinion and is for information purposes only. It is not intended to be investment advice and may contain affiliate links. Seek a duly licensed professional for investment advice.