North Korean hackers turn to ‘cloud mining’ for crypto to avoid law enforcement scrutiny

Researchers at Mandiant identified a new hacking group knowns as APT 43 that uses stolen bitcoin to fund cyberespionage operations.
Pyongyang, North Korea
(Getty Images)

A North Korean espionage unit suspected of impersonating journalists and faking LinkedIn accounts to collect intelligence is using a novel way to fund their international hacking operations: renting out cloud-based power to mine for cryptocurrency.

The use of so-called cloud mining to rent crypto mining processing power appears to be a way for the group to avoid technologies such as mixers, which have come under increased law enforcement scrutiny, according to a report out today from the cybersecurity firm Mandiant, which is part of Google Could. The cloud mining process is a way for the newly identified hacking syndicate, which Mandiant dubbed APT 43, to produce clean bitcoin with no blockchain-based connections for law enforcement to trace.

Unlike other North Korean hacking units engaged in cryptocurrency-related cybercrime, researchers at Mandiant believe that APT 43 is using its loot to fund its own hacking and cyberespionage activities, not sending it back to the regime for a nuclear weapons program. Instead, the group takes the cleaned funds to purchase infrastructure such as website domains to further espionage activities.

“They don’t need $100 million to rent servers to run C2 nodes. They need much smaller amounts,” said Joe Dobson, Mandiant Principal Analyst. “We see them targeting everyone. I like to say, ‘There’s no fish too small.’ If someone has funds in their crypto wallet, they will get targeted.”


The group’s operations are a stark contrast to the massive crypto-heists pulled off by another North Korean threat actor, the Lazarus group, which U.S. law enforcement officials accused of stealing $100 million from Harmony’s Horizon bridge last year.

Financially motivated North Korean hackers are also getting more aggressive, other firms note. Researchers at the cybersecurity firm Proofpoint reported an uptick in North Korea-related phishing emails from another cluster of state-affiliated hackers with overlaps with the Lazarus group. Dobson says that, based on the volume of attacks, APT 43 has most likely automated aspects of its campaigns. Mandiant has tracked more than 10 million NFT-related (non-fungible tokens) phishing scams successfully delivered to cryptocurrency users since 2022 — and most of those are tied to APT 43.

“I think overall we’re seeing more clusters of DPRK-related threat activity toward crypto,” said Dobson. “They see that they’re having success. And so whether that means for revenue generation or for operational funding, status, they’re going to continue to expand and move more into crypto.”

APT 43’s most common attack method is using tailored spear-phishing emails to gain access to their victim’s information. The group also uses spoofed websites designed to steal credentials. Persona building on fake LinkedIn profiles and other platforms has also become a hallmark of North Korean espionage online.

The group leverages stolen data and spoofed domains to pose as key individuals to gain the trust of their targets, Mandiant said in its report. For example, in one instance that researchers observed, an attacker posed as a Voice of America journalist to directly ask an expert for insights into diplomatic relations with North Korea. The hackers have developed methods to trick victims into responding, including replying to their own messages to create an appearance of a conversation.


“We’ve seen somewhere they reply to their own messages several times so that whoever they go after thinks that they’re late to the party and their guard is let down,” said Michael Barnhart, Mandiant principal analyst at Google Cloud.

As an espionage-assigned unit, APT 43’s targeting shifts in response to regime priorities. For instance, during the pandemic, it shifted focus to health care and pharmaceutical-related targeting. However, by late 2021 it has shifted back to targeting groups involved in diplomatic relations between North Korea and South Korea and Japan, such as universities and NGOs. By mid-2022 the campaigns shifted to targeting South Korean bloggers and social media users “associated with South Korean affairs, human rights, academic, religion, and cryptocurrency.”

APT 43 has also collaborated with other North Korean espionage actors associated with the North Korean government, “underscoring the major role APT43 poles in the regime’s cyber apparatus,” researchers say.

Barnhart stressed that APT43’s focus on North Korea’s nuclear weapons program in its espionage operations means that “this is the time to pay attention to this actor.”

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts