The North Korean cyber threat actor “Sapphire Sleet” (also known as APT38 and BlueNoroff) has successfully stolen over $10 million in cryptocurrency through sophisticated social engineering campaigns. Microsoft’s investigation reveals several key findings:
Main Attack Strategies:
– Creating fake LinkedIn profiles posing as recruiters and job seekers
– Impersonating venture capitalists to arrange fraudulent online meetings
– Setting up fake skills assessment portals for malware distribution
Technical Attack Flow:
1. Victims encounter meeting connection “errors”
2. When seeking support, victims receive malicious scripts (.scpt or .vbs files)
3. Malware deployment leads to credential theft and cryptocurrency wallet access
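Defender-side detection logic for the script-delivery step above, as an added example that is not part of the Microsoft investigation: it flags a script interpreter running a .scpt or .vbs file out of a user's Downloads folder, the kind of "support fix" a victim would be handed after the staged meeting error. The key=value event format, field names and sample hosts are constructed assumptions, not a real EDR schema.

```python
"""Flag interpreter launches of .scpt / .vbs files from user download paths.

Illustrative detection logic (constructed for this example, not from the
report); the event format and field names are assumptions, not a real schema.
"""
import re
from dataclasses import dataclass

# Interpreters that execute the two lure file types the report names.
INTERPRETERS = {"osascript", "wscript.exe", "cscript.exe"}
LURE_EXT = re.compile(r"\.(scpt|vbs)\b", re.IGNORECASE)
# User-writable locations where a downloaded "fix" script would land.
USER_PATHS = re.compile(r"(/Users/[^/]+/Downloads/|\\Users\\[^\\]+\\Downloads\\)",
                        re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    parent: str
    process: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed key="value" process-creation event."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcessEvent(fields["host"], fields["parent"],
                        fields["process"], fields["cmdline"])


def is_lure_execution(ev: ProcessEvent) -> bool:
    """True when a script interpreter runs a .scpt/.vbs from a Downloads folder."""
    return (ev.process.lower() in INTERPRETERS
            and LURE_EXT.search(ev.cmdline) is not None
            and USER_PATHS.search(ev.cmdline) is not None)


def find_suspicious(lines) -> list[str]:
    """Return the hosts whose events match the lure-execution pattern."""
    return [ev.host for ev in map(parse_event, lines) if is_lure_execution(ev)]


# Constructed sample telemetry: two lure executions, two benign interpreter uses.
SAMPLE_EVENTS = [
    r'host="mac-01" parent="Safari" process="osascript" cmdline="osascript /Users/jdoe/Downloads/fix_meeting.scpt"',
    r'host="win-07" parent="chrome.exe" process="wscript.exe" cmdline="wscript.exe C:\Users\jdoe\Downloads\support_fix.vbs"',
    r'host="win-08" parent="services.exe" process="cscript.exe" cmdline="cscript.exe C:\Program Files\Corp\inventory.vbs"',
    r'host="mac-02" parent="Terminal" process="osascript" cmdline="osascript -e display dialog hello"',
]

if __name__ == "__main__":
    print("suspicious hosts:", find_suspicious(SAMPLE_EVENTS))
```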
Additional Tactics:
– IT workers operating abroad serve multiple purposes:
* Generating legitimate income for North Korea
* Stealing intellectual property
* Conducting data theft operations
– Use of AI tools (Faceswap, voice-changing software) to create convincing fake profiles
– Use of facilitators to open bank accounts and obtain phone numbers on the operatives' behalf
– Documented earnings of at least $370,000 through these operations
The operation demonstrates North Korea’s sophisticated approach to cybercrime, combining social engineering, technical exploitation, and AI-enhanced deception to bypass international sanctions and generate illegal revenue.