North Korean hackers exploited Chrome zero-day to steal crypto


A North Korean hacking group earlier in August exploited a previously unknown bug in Chrome-based browsers to target organizations with the goal of stealing cryptocurrency, according to Microsoft.

In a report published on Friday, the tech giant’s cybersecurity researchers said they first saw evidence of the hackers’ activities on August 19, and said the hackers were affiliated with a group called Citrine Sleet, which is known to target the crypto industry. 

According to the report, the hackers exploited a flaw in a core engine within Chromium, the underlying code of Chrome and other popular browsers, like Microsoft’s Edge. When the hackers exploited the vulnerability, it was a zero-day, meaning the software maker — in this case, Google — was unaware of the bug and as such had zero time to issue a fix prior to its exploitation. Google patched the bug two days later on August 21, according to Microsoft. 

Google’s spokesperson Scott Westover told TechCrunch that Google had no comment other than confirming that the bug was patched. 

Microsoft said it has notified “targeted and compromised customers,” but did not provide more information on who was targeted, nor how many targets and victims were targeted by this hacking campaign.

Contact Us

Do you have more information about North Korean government hackers, or other government-sponsored hacking activities? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

When asked by TechCrunch, Chris Williams, a spokesperson for Microsoft, declined to say how many organizations or companies were affected. 

Researchers wrote that Citrine Sleet “is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain,” and the group “has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it” as part of its social engineering techniques. 

“The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications,” reads the report. “Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets.”

The North Korean hackers’ attack started by tricking a victim into visiting a web domain under the hackers’ control. Then, because of another vulnerability in the Windows kernel, the hackers were able to install a rootkit — a type of malware that has deep access to the operating system — on the target’s computer, according to Microsoft’s report. 

At that point, it’s basically game over for the targeted victim’s data, as the hackers had gained complete control of the hacked computer. 

Crypto has been a juicy target for North Korean government hackers for years. A United Nations Security Council panel concluded that the regime stole $3 billion in crypto between 2017 and 2023. Given that the Kim Jong Un government is the target of strict international sanctions, the regime has turned to stealing crypto to fund its nuclear weapons program.

Leave a Comment

url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url url