Google Cloud’s threat intelligence team has uncovered a series of cyberattacks orchestrated by North Korean government-backed hackers targeting Brazil’s cryptocurrency exchanges and fintech companies. This revelation underscores the growing threat of state-sponsored cybercrime in the digital finance sector.
On June 13, Google Cloud’s threat intelligence department released a detailed report highlighting the coordinated efforts of North Korean cyber attackers aimed at Brazilian cryptocurrency and fintech sectors. The report revealed a series of attempts to hijack, extort, and defraud Brazilian entities, marking a significant escalation in cyber activities by North Korean groups against financial institutions outside their usual geographical focus.
Targeted Attacks on Brazil’s Crypto and Fintech Sectors
The North Korean cybercriminal group, Pukchong, also known as UNC4899, has been particularly active in targeting Brazilian citizens and organizations. Their methods include exploiting the job market to distribute malware. Unsuspecting job seekers are tricked into downloading malicious software disguised as legitimate applications. Google’s report provides insight into their tactics:
“The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.”
Similar attacks have been noted from other malware variants, such as GoPix and URSA, which have been actively targeting Brazilian crypto firms. These sophisticated malware campaigns aim to compromise systems and steal sensitive information or financial assets.
Comparative Analysis of State-Sponsored Cyberattacks
While North Korean groups like Pukchong primarily focus on cryptocurrency firms and financial entities, other state-backed actors, such as those from China, have different targets. Chinese government-supported cybercriminals typically attack Brazilian government organizations and the energy sector. This diversification in targets highlights how various state-sponsored groups prioritize different sectors based on their strategic interests.
The rise in cyberattacks on cryptocurrency platforms is not limited to Brazil. Globally, there has been an increase in sophisticated cyber threats targeting crypto exchanges and wallet providers. Recently, Trust Wallet, a major crypto wallet provider, advised Apple users to disable iMessage. This recommendation came after discovering a zero-day exploit—a type of cyberattack that leverages previously unknown vulnerabilities in software or hardware. Trust Wallet cited “credible intel” suggesting that such an exploit could allow hackers to take control of users’ phones, posing a significant threat to the security of digital assets.
Kaspersky’s Findings on North Korean Malware
Further illustrating the global reach of North Korean cyber threats, cybersecurity firm Kaspersky recently uncovered a new malware variant used by the North Korean hacking group Kimsuky. Dubbed “Durian,” this malware variant has been used to target South Korean cryptocurrency firms. Durian’s capabilities are extensive, allowing it to execute commands, download additional files, and exfiltrate sensitive data.
Kaspersky’s analysis also highlighted the use of another malware, LazyLoad, by Andariel—a sub-group within the notorious North Korean hacking consortium, Lazarus Group. The findings suggest a potential link between Kimsuky and Lazarus, indicating a broader coordination among North Korean cyber actors targeting global financial systems.
| Group | Known Aliases | Primary Targets | Key Malware Used |
|---|---|---|---|
| Pukchong | UNC4899 | Cryptocurrency firms, job seekers | Trojanized Python apps |
| Kimsuky | Velvet Chollima | South Korean crypto firms | Durian, LazyLoad |
| Lazarus Group | Hidden Cobra | Global financial institutions, exchanges | Various sophisticated malware |
The discovery of North Korean cyberattacks on Brazilian fintech firms by Google Cloud’s threat intelligence team highlights the escalating risks faced by the cryptocurrency industry. As cyber threats become more sophisticated and state-sponsored groups expand their targets, it is imperative for companies and individuals alike to enhance their cybersecurity defenses. With coordinated efforts and advanced security measures, the industry can better protect itself against these persistent threats.
Featured image credit: Kadhija Begum via Vecteezy