Lazarus Hackers Using Malicious Cryptocurrency Apps

CISA, the FBI, and the US Treasury Department warned today that the North Korean Lazarus hacking group is targeting organizations in the cryptocurrency and blockchain industries with trojanized cryptocurrency applications.

The attackers use social engineering to trick employees of cryptocurrency companies into downloading and running malicious Windows and macOS cryptocurrency apps.

The Lazarus operators then use these trojanized tools to gain access to the targets’ computers, spread malware throughout their networks, and steal private keys that allow initiating fraudulent blockchain transactions and stealing the victims’ crypto assets from their wallets.

“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” a joint advisory published on Monday reads.

“Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads,” the federal agencies added.

They are also targeting individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). Among the malicious TraderTraitor cryptocurrency apps used in these campaigns, the joint advisory highlights:

  • DAFOM: a “cryptocurrency portfolio application” (macOS)
  • TokenAIS: claims to help “build a portfolio of AI-based trading” for cryptocurrencies (macOS)
  • CryptAIS: claims to help “build a portfolio of AI-based trading” (macOS)
  • AlticGO: claims to offer live cryptocurrency prices and price predictions (Windows)
  • Esilet: claims to offer live cryptocurrency prices and price predictions (macOS)
  • CreAI Deck: claims to be a platform for “artificial intelligence and deep learning” (Windows and macOS)

Last year, the FBI, CISA, and US Department of Treasury also shared information on malicious and fake crypto-trading applications injected with AppleJeus malware used by Lazarus to steal cryptocurrency from individuals and companies worldwide.

The list of apps trojanized using AppleJeus includes Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale.

The U.S. Justice Department charged three Lazarus Group members for stealing $1.3 billion in money and cryptocurrency in multiple attacks against banks, the entertainment industry, cryptocurrency companies, and other organizations worldwide.

In 2019, a confidential United Nations report also said that North Korean operators stole an estimated $2 billion in at least 35 cyberattacks on banks and crypto exchanges across over a dozen countries.

The same year, the U.S. Treasury Department sanctioned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) for funneling the financial assets they stole in cyberattacks to the North Korean government.

“The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as TraderTraitor.”

The trojanized TraderTraitor applications are Electron-based and cross-platform utilities developed using JavaScript and the Node.js runtime environment.

TraderTraitor apps are almost always pushed via websites featuring modern design advertising the fake crypto apps’ alleged features.


This field is for validation purposes and should be left unchanged.

Secure your peace of mind