How A North Korean Hacker Group Stole Over $1B In Crypto Last Year

TA444 is an advanced persistent threat (APT) group believed to be associated with the North Korean government. However, rather than receiving financial backing from its government, the group seems to bring in revenue for the government. Unlike most state-backed APTs, such as China’s Aoqin Dragon or Iran’s Charming Kitten, which conduct cyber espionage and sabotage missions, TA444 works to steal money to help fund the North Korean regime. In 2021, the threat group stole nearly $400 million in cryptocurrency, but, according to new research by Proofpoint, the group strove to pump up that number in 2022 with an approach that echoes startup culture.

Many threat actors try to develop one or two highly effective attack chains, then deploy those attack chains with slight variations until mitigation measures render them ineffective. Meanwhile, 2022 saw TA444 deviate from its standard playbook to throw a large variety of different attack chains at its targets to see what stuck. Beyond its standard opening move of distributing malicious .LNK shortcut files or documents that download malicious remote templates, the APT group joined the wave of threat actors exploiting document macros. TA444 also tried distributing malware using a variety of file formats, including MSI installer, Virtual Hard Disk (VHD), ISO, and Microsoft Compiled HTML Help (CHM).
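The delivery formats listed above (LNK shortcuts, documents with remote templates, macro-enabled documents, MSI, VHD, ISO, CHM) can all be recognised at the mail gateway or in an attachment sandbox without opening the file. The following attachment triage script is an added illustration written for this article; it is not Proofpoint's code or anything attributed to TA444. It identifies the container format from file signatures rather than the file name, flags an extension that does not match the real format, and for ZIP-based Office files checks for a VBA project and for an externally hosted attached template. All sample inputs are constructed in the script, and the URL `http://example.invalid/template.dotm` is a placeholder.

```python
"""Attachment triage: classify delivery formats by magic bytes and inspect Office files."""
import io
import re
import zipfile

# Relationship type used by Word for an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# Container formats that rarely have a business reason to arrive by e-mail.
RISKY_FORMATS = {"lnk", "chm", "ole-cfb", "vhd", "iso9660"}

# File extensions a given real format may legitimately carry (extension/format mismatch otherwise).
EXPECTED_EXT = {
    "lnk": {"lnk"}, "chm": {"chm"}, "vhd": {"vhd"}, "iso9660": {"iso", "img"},
    "ole-cfb": {"msi", "doc", "xls", "ppt", "msg"},
    "zip": {"zip", "docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"},
}

def sniff_format(data: bytes) -> str:
    """Return a format label based on file signatures, ignoring the file name."""
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == bytes.fromhex(
            "0114020000000000c000000000000046"):
        return "lnk"                      # Shell Link header size + ShellLink CLSID
    if data[:4] == b"ITSF":
        return "chm"                      # Compiled HTML Help
    if data[:8] == bytes.fromhex("d0cf11e0a1b11ae1"):
        return "ole-cfb"                  # OLE compound file: MSI and legacy Office
    if data[:8] == b"conectix" or data[-512:][:8] == b"conectix":
        return "vhd"                      # VHD footer cookie (copied to the front in dynamic disks)
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"                  # primary volume descriptor at sector 16
    if data[:4] == b"PK\x03\x04":
        return "zip"                      # OOXML documents and plain archives
    return "unknown"

def inspect_ooxml(data: bytes) -> dict:
    """For a ZIP-based Office file, report a VBA project and any external attached template."""
    findings = {"has_macro": False, "remote_template": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            xml = zf.read(rels).decode("utf-8", "replace")
            for m in re.finditer(r"<Relationship\b[^>]*>", xml):
                tag = m.group(0)
                if ATTACHED_TEMPLATE in tag and 'TargetMode="External"' in tag:
                    target = re.search(r'Target="([^"]+)"', tag)
                    if target:
                        findings["remote_template"] = target.group(1)
    return findings

def triage(filename: str, data: bytes) -> list:
    """Return a list of alert strings for one attachment (empty list means nothing flagged)."""
    fmt = sniff_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    alerts = []
    if fmt in RISKY_FORMATS:
        alerts.append(f"container-format:{fmt}")
    if fmt == "zip" and ext in EXPECTED_EXT["zip"] and ext != "zip":
        info = inspect_ooxml(data)
        if info["has_macro"]:
            alerts.append("office-macro")
        if info["remote_template"]:
            alerts.append(f"remote-template:{info['remote_template']}")
    if fmt in EXPECTED_EXT and ext not in EXPECTED_EXT[fmt]:
        alerts.append("extension-mismatch")   # e.g. an ISO image named invoice.pdf
    return alerts

def build_sample_docx(rels_xml: str = "", with_macro: bool = False) -> bytes:
    """Construct a minimal OOXML-like ZIP for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if rels_xml:
            zf.writestr("word/_rels/settings.xml.rels", rels_xml)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed samples: a remote-template relationship (placeholder URL), a fake ISO, a LNK header.
SAMPLE_REMOTE_RELS = ('<?xml version="1.0"?><Relationships><Relationship Id="rId1" Type="'
                      + ATTACHED_TEMPLATE + '" Target="http://example.invalid/template.dotm" '
                      'TargetMode="External"/></Relationships>')
SAMPLE_ISO = b"\x00" * 0x8000 + b"\x01CD001" + b"\x00" * 100
SAMPLE_LNK = bytes.fromhex("4c000000" "0114020000000000c000000000000046") + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", SAMPLE_ISO), ("shortcut.pdf.lnk", SAMPLE_LNK),
                       ("payment.docx", build_sample_docx(SAMPLE_REMOTE_RELS)),
                       ("report.docm", build_sample_docx(with_macro=True))]:
        print(name, triage(name, blob))
```

Signature-based classification catches the common trick of giving a container a harmless-looking extension, and parsing `settings.xml.rels` surfaces a remote template before any rendering engine fetches it.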

Credential harvesting phishing email attributed to TA444 (source: Proofpoint)

Not afraid to fail, TA444 seems to have tried its hand at credential harvesting as well. In December 2022, targets across a variety of sectors in both the United States and Canada received phishing emails originating from TA444’s infrastructure. Rather than distributing malware in accordance with the APT group’s normal operating behavior, these emails directed recipients to basic credential harvesting sites. This email campaign also marked another major deviation from TA444’s usual email activity by nearly doubling the threat group’s total email volume in 2022 in a short span of time.

Nonetheless, as chaotic and out of character as TA444’s activity was in 2022, the disruptive approach seems to have paid off for the APT group. In 2022, it took only a single cyberattack for TA444 to steal $500 million in cryptocurrency and eclipse 2021’s total haul of cryptocurrency worth $400 million. By the end of the year, the state-affiliated threat group had stolen more than $1 billion in cryptocurrency. While North Korea remains largely physically isolated from the rest of the world, the regime can still operate and secure funding on the world stage through hostile cyber activity.