DPRK Hackers Use Faceswap, Voice Tricks to Deceive World

Sapphire Sleet, a cybercrime group associated with North Korea, has stolen more than $10 million in cryptocurrency over the span of six months. According to Microsoft, the attackers relied on social engineering, creating fake LinkedIn profiles and posing as recruiters or job seekers in order to generate illicit income for the sanctioned regime.

The group has been active since at least 2020 and overlaps with the well-known clusters APT38 and Bluenoroff. In November 2023, Microsoft reported that Sapphire Sleet had set up infrastructure disguised as skills-assessment portals to carry out its attacks.

One of the group's primary lures was to pose as venture capitalists. The attackers would express interest in a potential victim's company and arrange an online meeting. When the victim tried to join, the meeting would appear to fail to connect, and they would be instructed to contact the "room administrator", who would then send script files that installed data-stealing malware. The practical takeaway is that no legitimate meeting platform fixes a connection problem by having the user run a script received from a stranger.

Sapphire Sleet also targeted employees of financial firms, including Goldman Sachs, by inviting them to complete skills assessments on websites controlled by the group. The assessment required the target to download and run a file, which unknowingly installed malicious code that granted the attackers access to the system.

Microsoft also highlighted the extensive deployment of North Korean IT workers abroad. These workers perform legitimate contract work while also engaging in illicit activity such as intellectual property theft and exfiltrating data for the regime. They often rely on intermediaries to create accounts on freelance platforms for them, bypassing identity checks and sanctions restrictions.

The group leverages AI tooling, including the face-swapping tool Faceswap, to produce fake photos and documents for resumes. In some cases the same photo is reused across multiple profiles, which is a useful detection signal for hiring teams. The operators have also experimented with voice-changing software to make their fake personas more convincing on calls.
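The photo-reuse signal mentioned above is cheap to check for: a perceptual hash survives re-encoding, brightness tweaks and small crops, so near-identical headshots across candidate profiles cluster together even when the files differ byte for byte. The block below is an added example, not code from Microsoft's report or from the tooling it describes; it implements a minimal average hash (aHash) in pure Python and runs it over constructed grayscale sample images standing in for profile photos. Profile names, image contents and the distance threshold are all assumptions for illustration.

```python
from itertools import combinations

HASH_SIZE = 8  # 8x8 blocks -> 64-bit hash


def make_image(width, height, pixel_fn):
    """Build a grayscale image (list of rows, values 0-255) from a pixel function.
    Constructed sample data only; a real pipeline would decode the uploaded photo."""
    return [[pixel_fn(x, y) for x in range(width)] for y in range(height)]


def average_hash(img, size=HASH_SIZE):
    """Average hash: downscale to size x size by block averaging, then set each bit
    to 1 where the block is at least as bright as the overall mean. Small edits
    that do not change the coarse light/dark layout leave the hash unchanged."""
    height, width = len(img), len(img[0])
    bh, bw = height // size, width // size
    block_means = []
    for by in range(size):
        for bx in range(size):
            total = 0
            for y in range(by * bh, (by + 1) * bh):
                for x in range(bx * bw, (bx + 1) * bw):
                    total += img[y][x]
            block_means.append(total / (bh * bw))
    overall = sum(block_means) / len(block_means)
    bits = 0
    for m in block_means:
        bits = (bits << 1) | (1 if m >= overall else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (0 = visually the same layout)."""
    return bin(a ^ b).count("1")


def find_reused_photos(profiles, threshold=5):
    """Return (name1, name2, distance) for every pair of profiles whose photos hash
    within `threshold` bits of each other. `threshold` is an assumed tuning value."""
    hashes = {name: average_hash(img) for name, img in profiles.items()}
    hits = []
    for (n1, h1), (n2, h2) in combinations(hashes.items(), 2):
        d = hamming(h1, h2)
        if d <= threshold:
            hits.append((n1, n2, d))
    return hits


# Constructed sample "photos": 32x32 grayscale images with a coarse light/dark layout.
PROFILES = {
    # original headshot: dark left half, bright right half
    "recruiter_a": make_image(32, 32, lambda x, y: 40 if x < 16 else 200),
    # same photo, re-uploaded with +20 brightness
    "recruiter_b": make_image(32, 32, lambda x, y: 60 if x < 16 else 220),
    # a genuinely different photo: dark top half, bright bottom half
    "candidate_c": make_image(32, 32, lambda x, y: 40 if y < 16 else 200),
    # same photo as recruiter_a, cropped so the edge shifts by two pixels
    "recruiter_d": make_image(32, 32, lambda x, y: 40 if x < 14 else 200),
}

if __name__ == "__main__":
    for n1, n2, d in find_reused_photos(PROFILES):
        print(f"possible photo reuse: {n1} <-> {n2} (hamming distance {d})")
```

The hash is deliberately coarse: it ignores colour, exact pixel values and minor crops, which is exactly what makes it robust to the edits a fake profile typically receives. For a face-swapped image the layout changes along with the face, so this check catches recycled photos rather than synthetic ones; pair it with manual review of the flagged profiles rather than treating a hit as proof.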

In total, the North Korean IT workers Microsoft tracked earned approximately $370,000, and they coordinated their operations and kept careful records of incoming payments, according to the company.
