Cryptocurrency Startups Targeted by the BlueNoroff Hacking Group

BlueNoroff, a North Korean Advanced Persistent Threat (APT) group, has been observed using malicious documents and bogus MetaMask browser extensions in attacks targeting small and medium-sized cryptocurrency startups.

The BlueNoroff threat actors’ motivation is purely financial, but security experts have previously linked the gang to the North Korean Lazarus hacking group, given the sophistication with which it carries out its objectives.

BlueNoroff Went Global

According to a report from Kaspersky, the gang has lately focused on cryptocurrency startups located in the US, Russia, China, India, the UK, Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.

How Does the Operation Work?

As per BleepingComputer, the APT tries to infiltrate these companies’ communications and trace employee interactions in order to find potential social engineering pathways. It does this by hacking into an employee’s LinkedIn account and sharing a link to download a macro-laced document directly on the platform.

The BlueNoroff threat actor uses real conversations to name the laced documents accordingly and sends them to the victim at the opportune moment.

The attackers include an icon from the Sendgrid email delivery service to get an alert when the targeted employee opens the sent file in order to