CryptoCore Criminal Group

Infosec researchers believe that they have managed to uncover the identity of the cybercriminal group responsible for several multi-million attack campaigns targeting mostly cryptocurrency exchanges. The hacker group was given the name CryptoCore by the security experts tracking its activity. An initial report attributed the attacks to Eastern European hackers, possibly located in countries from the region such as Ukraine, Russia and Romania. 

Multiple cybersecurity vendors followed up that report by releasing their own findings regarding different malicious operations that exhibited significant similarities with the activities observed by security researchers. An F-SECURE report revealed details about a large-scale, multinational campaign against crypto wallets, while Japan's CERT JPCERT/CC shared their findings after an analysis of multiple attacks against Japanese firms. The last piece was a report from NTT Security, a Japanese cybersecurity company, regarding a campaign that they tracked as CRYPTOMIMIC. 

After combining and comparing the gathered information, the researchers had enough evidence to attribute the CryptoCore operations with medium to high confidence to the North Korean state-sponsored hacking group Lazarus. This confirmed the conclusions previously established by F-Secure. 

CryptoCore Attack Details

The attacks were first detected back in 2018 and involved spear-phishing tactics designed to gain a foothold within the targeted entity. The hackers assumed different identities and initiated contact with the chosen users. The victims were then tricked into downloading one or more corrupted files onto their computers. Between 2018 and 2020, 5 different attack campaigns were determined to be part of the CryptoCore operations. The compromised entities included three different cryptocurrency exchanges and several Japanese companies. The estimated losses as a result of the hacks exceed $200 million. 

It appears that the cybercriminals are expanding the scope of their activities by including Israeli targets in their recent operations. The shift may be a sign of readjustment in their focus or that the hackers go after companies that match a specific financial profile.