- A North Korean crypto hacking group has turned to cloud mining to wash its funds
- Mandiant reports that APT43 is using cloud mining services to obscure funds stolen primarily through a malicious Android app
- The group uses cloud mining to clean the illicitly acquired crypto
Google-owned cybersecurity service Mandiant has discovered that APT43, a North Korean cybercrime operator, is leveraging cloud mining to launder illicitly obtained cryptocurrency. The group has been reportedly employing a tactic in which they use “illicitly obtained cryptocurrency to mine for legitimate cryptocurrency”, according to researchers. Mandiant has been monitoring this Advanced Persistent Threat (APT) group since 2018 and has recently elevated its classification to an independent entity, identifying it as a significant player in the cybersecurity landscape that is known to collaborate with other threat groups.
APT43 Involved in Espionage
Mandiant reports that APT43 is a cyber operator known for its support of the North Korean regime, combining moderate technical capabilities with aggressive social engineering tactics, especially targeting government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.
The group also believes that APT43 funds itself through cybercrime operations, which align with its primary mission of collecting strategic intelligence and employs various tactics, including the creation of numerous fraudulent and spoofed personas, to support its operations. APT43 also collaborates with other North Korean espionage operators on various missions, highlighting its significant role in the regime’s cyber apparatus.
APT43 has focused its attention on cryptocurrency and cryptocurrency-related services, but unlike APT38, which is believed to be primarily focused on generating funds for the North Korean regime, APT43 appears to engage in these activities to sustain its own operations. The company suspects that it uses a malicious Android app to most likely target
Chinese users looking for cryptocurrency loans.
Criminals Turn to Cloud Mining
Through its investigations, Mandiant has discovered that APT43 leverages cryptocurrency services to launder stolen currency, employing various tactics such as the use of aliases, addresses, and identified payment methods to purchase and launder cryptocurrency. Mandiant now suspects that APT43 may also be using hash rental and cloud mining services to convert stolen cryptocurrency into “clean” cryptocurrency, using the stolen funds to rent hashing power and earn more on the back of it, effectively washing the funds.
Utilizing such services represents a new dimension for North Korean crypto hacking groups and shows that they are still able to innovate to meet their goals.