A hacker group linked to the Kim Jong-un regime, APT43, avoids leaving a “forensic trail” of stolen funds by using cloud mining services.
Cybersecurity firm Mandiant has reported that the North Korea-based cybercrime operator Advanced Persistent Threat 43 (APT43) is using “stolen crypto to mine for clean crypto.”
Mandiant, a Google-owned cybersecurity firm, has been tracking APT43 for the past five years and has identified it as a distinct group.
The group's activities suggest that its members are part of North Korea’s spy agency Reconnaissance General Bureau, whose primary activities include espionage, hacking private industries, think tanks, and academics in South Korea, Japan, the US, and Europe. The group employs phishing tactics to steal the victim’s credentials and install malware on their computer systems.
However, Mandiant discovered that APT43 also runs a sideline of profit-focused cybercrime, which includes stealing cryptocurrency to raise funds for the North Korean regime or to fund the group’s own operations.
APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, thereby reducing fiscal strain on the central government.
The report reveals that APT43 pays the stolen digital tokens into a “hashing service” that lets users rent cloud-based mining capacity, and receives newly mined cryptocurrency in return. These new coins have no apparent ties to criminal activity.
This method allows the group to cash out the stolen funds while preventing them from being frozen or seized. Mandiant threat intelligence analyst Joe Dobson described the procedure as “breaking the chain,” explaining that it avoids any “forensic trail of evidence” on the blockchain networks.
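To make the “breaking the chain” point concrete, here is an added example (not from Mandiant or the article) that follows stolen coins forward through a constructed toy ledger: taint reaches the cloud-mining deposit address, where a compliance team can alert on it, but the mining payout has no inputs linking it to the theft, so the forward trace stops there. The ledger, address labels and the deposit-address watchlist are all constructed for illustration.

```python
from collections import deque

# Constructed toy ledger, not real chain data. Each transaction lists the
# addresses whose coins it spends and the addresses it pays. A mining payout
# is modelled as a transaction with no inputs, like a coinbase output.
LEDGER = [
    {"txid": "t1_theft",   "inputs": ["victim_exchange_hot"], "outputs": ["thief_a"]},
    {"txid": "t2_split",   "inputs": ["thief_a"],             "outputs": ["thief_b", "thief_c"]},
    {"txid": "t3_rent",    "inputs": ["thief_b"],             "outputs": ["cloudmining_deposit_1"]},
    {"txid": "t4_payout",  "inputs": [],                      "outputs": ["thief_fresh"]},  # mined coins
    {"txid": "t5_cashout", "inputs": ["thief_fresh"],         "outputs": ["otc_desk"]},
    {"txid": "t6_other",   "inputs": ["unrelated_user"],      "outputs": ["merchant"]},
]

# Watchlist of known cloud-mining deposit addresses (constructed label set).
MINING_SERVICE_DEPOSITS = {"cloudmining_deposit_1"}


def trace_taint(ledger, seed_addresses, stop_at=()):
    """Propagate taint forward from seed addresses through every transaction
    that spends tainted coins. Returns (tainted_addresses, alerts); alerts
    record each transaction that moved tainted coins into a stop_at address."""
    spends_from = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            spends_from.setdefault(addr, []).append(tx)
    tainted = set(seed_addresses)
    alerts = []
    queue = deque(seed_addresses)
    while queue:
        addr = queue.popleft()
        for tx in spends_from.get(addr, []):
            for out in tx["outputs"]:
                if out in stop_at:
                    alerts.append((tx["txid"], addr, out))
                if out not in tainted:
                    tainted.add(out)
                    queue.append(out)
    return tainted, alerts


def analyse():
    """Trace the constructed theft; the payout tx has no inputs, so taint never
    reaches thief_fresh or otc_desk even though the thief controls both."""
    return trace_taint(LEDGER, ["victim_exchange_hot"], MINING_SERVICE_DEPOSITS)


if __name__ == "__main__":
    tainted, alerts = analyse()
    print("tainted:", sorted(tainted))
    print("alerts:", alerts)
```

The only actionable signal for a defender is the alert at the deposit hop, which is why tracing firms maintain labels for such services rather than relying on the coins’ later history.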
Mandiant started noticing signs of APT43’s crypto laundering activities in August 2022. Since then, it has identified tens of thousands of dollars worth of cryptocurrency sent to cloud mining providers such as Hashing24 and NiceHash.
The cybersecurity firm identified American Express cards, PayPal, and “Bitcoin likely derived from previous operations” as the payment methods used for various purchases.
APT43 is also accused of using Android malware to steal the credentials of customers looking for crypto loans in China.
It appears that North Korean hackers are also connected to a recent Euler Finance attack. On March 17th, the hacker behind the Euler Finance attack moved 100 Ether (ETH) to an address previously linked to North Korean hackers.