According to a recent report by cybersecurity firm Mandiant, North Korean cyber operator APT43 has been exploiting cryptocurrency mining services to launder stolen currency and fund its espionage operations.
The group, which primarily targets South Korean and U.S.-based government organizations, academics, and think tanks, has been involved in strategic intelligence collection and financially-motivated cybercrime.
APT43 has turned to cryptocurrency services as a means to sustain its operations, using hash rental and cloud mining services to convert stolen cryptocurrency into clean currency.
These services provide hash power to mine cryptocurrency without any blockchain-based association to the buyer's original payments. The group has used payment methods such as PayPal, American Express cards, and Bitcoin, likely derived from previous operations, for infrastructure and hardware purchases.

The group has also been involved in targeting Chinese users looking for cryptocurrency loans through a malicious Android app. This app, along with an associated domain, is suspected to harvest credentials. The prevalence of financially-motivated activities among North Korean groups like APT43 suggests a widespread mandate to self-fund and an expectation to sustain themselves without additional resourcing.
Mandiant assesses APT43 as a moderately-sophisticated cyber operator supporting the North Korean regime. The group has been tracked since 2018, with its collection priorities aligning with the mission of North Korea's Reconnaissance General Bureau (RGB).