North Korea is using front companies to steal cryptocurrency

North Korean government-backed hackers known by the name of Lazarus Group are back at it.
North Korea missile program
An overhead view of Pyongyang, capital of North Korea. (Sven Unbehauen/Wikicommons).

North Korean government-backed hackers are targeting cryptocurrency exchanges to try to steal financial resources as Pyongyang searches for ways to fund its regime, two researchers discovered within the past week.

Lazarus Group, also known as APT38, has carried out hacks against central banks and exploited monetary exchanges as part of an effort to boost Kim Jong-un’s financial and military goals.  The United Nations revealed in August North Korea had gained approximately $2 billion from hacking banks and cryptocurrency companies.

This time, they’re using a front company to do it.

Researchers Patrick Wardle, the principal security researcher at Jamf, and MalwareHunterTeam, of IDRansomware, a group that aims to help provide guidance on ransomware, found malware affecting Mac and Windows operating systems that installs a backdoor Trojan on victim machines, allowing hackers to gain control of infected targets.


The malware asks for administrative privileges during installation, then communicates with a command-and-control server, and can receive instructions from the hackers to run certain tasks, such as uploading files to victim machines or causing the malware to exit, according to Wardle.

To trick victims into downloading the backdoor, the group created a fake company, “JMT Trading,” along with a website to convince victims to install what appears to be a cryptocurrency trading platform. When unwitting users click on a link to the “JMT Trading” GitHub page to supposedly download the trading software, hackers install the backdoor. The website for the fake company was created roughly three months ago, Wardle said, timing that coincided with North Korea’s test-firing two short-range ballistic missiles days after Kim Jong-un met with President Donald Trump in the demilitarized zone.

That the hackers are using a front company for its operations shows they are resorting to a tactic Lazarus Group has previously used to target cryptocurrency exchanges. Last year, Kaspersky found the group had been using a fake company called “Celas Trade Pro” and an associated website to better deceive victims, just as it is doing now.

The U.S. government has repeatedly linked Lazarus Group with the North Korean government, sanctioning the group in recent months through the U.S. Treasury Department.

Wardle finds that the new MacOS malware is related to the Kaspersky-exposed malware because of this repeated front company tactic, noting he believes the hackers are “without a doubt” Lazarus Group


“The infection mechanism is essentially identical. In both attacks, the [advanced persistent threat] group created a legitimate looking cryptocurrency company that hosted the malware,” Wardle writes in a blog post on the malware, noting there are also several code similarities. “Though both samples are signed, neither are signed with a[n] Apple developer ID. This is rather unusual.”

At the time both researchers posted about the malware, no engines on VirusTotal were detecting either.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts