North Korean Elite Hackers Use AI to Steal $10M in LinkedIn Job Scam

North Korean Cyber Threat Group’s Cryptocurrency Heist and Recruitment Scams

The North Korean cyber threat actor “Sapphire Sleet” (also known as APT38 and BlueNoroff) has successfully stolen over $10 million in cryptocurrency through sophisticated social engineering campaigns. Microsoft’s investigation reveals several key findings:

Main Attack Strategies:
– Creating fake LinkedIn profiles posing as recruiters and job seekers
– Impersonating venture capitalists to arrange fraudulent online meetings
– Setting up fake skills assessment portals for malware distribution

Technical Attack Flow:
1. Victims encounter meeting connection “errors”
2. When seeking support, victims receive malicious scripts (.scpt or .vbs files)
3. Malware deployment leads to credential theft and cryptocurrency wallet access

Additional Tactics:
– North Korean IT workers operating abroad under false identities serve multiple purposes:
* Generating legitimate income for North Korea
* Stealing intellectual property
* Conducting data theft operations
– Use of AI tools (Faceswap, voice-changing software) to create convincing fake profiles
– Reliance on facilitators who set up bank accounts and phone numbers on the workers’ behalf
– Documented earnings of at least $370,000 through these operations

The operation demonstrates North Korea’s sophisticated approach to cybercrime, combining social engineering, technical exploitation, and AI-enhanced deception to bypass international sanctions and generate illegal revenue.