North Korean Hackers Target Cryptocurrency Firms in Massive 3CX Supply Chain Hack – Here’s What Happened

By Sead Fadilpašić

Russian cybersecurity firm Kaspersky has warned of a new form of attack on cryptocurrency firms, which it says is carried out with “surgical precision” by hackers using trojanized software.

Kaspersky’s research identified several crypto-focused companies as victims of the 3CX software supply-chain attack in the past week. 

While it did not name the targeted firms, it did reveal they were based in “western Asia”.

The attack, which is believed to have been carried out on behalf of the North Korean government, involved trojanizing the widely used 3CX VoIP desktop application so that a legitimate-looking update pushed the hackers’ code onto victims’ machines.

The hackers failed

Georgy Kucherin, a researcher on Kaspersky’s GReAT team of security analysts, said that this attack type is “becoming very common,” and explained: 

“During supply-chain attacks, the threat actor conducts reconnaissance on the victims, collecting information, then they filter out this information, selecting victims to deploy a second-stage malware.”

The filtering is meant to help the attackers avoid detection, since a second-stage payload deployed to many victims is far more likely to be noticed.

However, something seems to have gone wrong here. 

The 3CX supply-chain attack was detected quickly, at least compared to others, Kucherin said. Security companies such as CrowdStrike and SentinelOne flagged the initial malware already last week, less than a month after it was deployed.

“They tried to be stealthy, but they failed,” Kucherin says. “Their first-stage implants were discovered.”

CrowdStrike and SentinelOne identified North Korean hackers as the attackers who compromised 3CX installer software used by 600,000 organizations globally, per Wired. 

Kaspersky further found that the hackers sifted through the victims they infected to identify and deliberately target “fewer than 10 machines” connected to crypto firms, at least according to the data gathered so far.

It seems to be becoming more common for state-sponsored hackers to exploit software supply chains to infect thousands of organizations, but then focus on only a few victims.

Kucherin was quoted as saying:

“This was all just to compromise a small group of companies, maybe not just in cryptocurrency, but what we see is that one of the interests of the attackers is cryptocurrency companies. […] Cryptocurrency companies should be especially concerned about this attack because they are the likely targets, and they should scan their systems for further compromise.”

Because the attackers were caught early, it is not yet clear whether the campaign succeeded. Kucherin said that Kaspersky has so far seen no evidence of actual crypto theft from the companies found to be targeted with this specific malware.
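Kucherin’s advice to scan for further compromise comes down, in the first instance, to hash-matching files on disk against the indicators that vendors publish. The script below is an added example written for this article, not Kaspersky’s, CrowdStrike’s or 3CX’s tooling: it walks an install directory, hashes every file and reports both exact IOC matches and files whose names merit a second look even when their hash is unknown. The IOC hash it carries is constructed from the sample bytes in the script and is not a real 3CX indicator; the two file names come from the public vendor write-ups of the trojanized 3CX DesktopApp, not from this article; and the directory it scans is built in a temporary folder from constructed files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# CONSTRUCTED for this example: the "known bad" content is just sample bytes,
# and its sha256 stands in for a real indicator. Replace IOC_SHA256 with the
# hashes published in the vendor advisories before using this for real.
KNOWN_BAD_CONTENT = b"constructed trojanized payload\n"
IOC_SHA256 = {
    hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest(): "constructed-ioc-1",
}

# File names called out in public reporting on the 3CX DesktopApp compromise
# (not taken from this article). A name match alone is not a verdict: every
# legitimate install ships these, so the hash (or code signature) decides.
WATCHED_NAMES = {"ffmpeg.dll", "d3dcompiler_47.dll"}


def sha256_of(path):
    """Stream a file through sha256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, ioc_hashes, watched_names=WATCHED_NAMES):
    """Walk root and return one finding per suspicious file.

    verdict "ioc_match": the file's sha256 is in ioc_hashes (treat as compromised).
    verdict "review": the name is on the watch list but the hash is unknown;
    compare it against the vendor's published good hashes or check its signature.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            digest = sha256_of(path)
            if digest in ioc_hashes:
                findings.append({"path": str(path), "sha256": digest,
                                 "verdict": "ioc_match", "ioc": ioc_hashes[digest]})
            elif name.lower() in watched_names:
                findings.append({"path": str(path), "sha256": digest,
                                 "verdict": "review"})
    return findings


def demo():
    """Build a constructed install tree in a temp dir, scan it, return (name, verdict) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "3CXDesktopApp"
        base.mkdir()
        # Constructed files: one matches the IOC, one only matches a watched name,
        # one is an unrelated file that must not be reported.
        (base / "ffmpeg.dll").write_bytes(KNOWN_BAD_CONTENT)
        (base / "d3dcompiler_47.dll").write_bytes(b"constructed benign bytes\n")
        (base / "readme.txt").write_bytes(b"nothing to see here\n")
        findings = scan_for_iocs(base, IOC_SHA256)
        return sorted((Path(f["path"]).name, f["verdict"]) for f in findings)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:10s} {name}")
```

Run it as-is to see the two verdicts on the constructed tree; point `scan_for_iocs` at a real install directory and a vendor-published hash list to use it in earnest. Hash matching only catches the exact trojanized build, which is why the watch-list branch exists: a rebuilt or repacked first stage would miss the IOC list but still carry the same file name.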

More companies, including those outside of the crypto industry, are likely future targets. Tom Hegel, a security researcher with SentinelOne, added that,

“The current theory at this point is that the attackers did initially target crypto firms to get into those high-value organizations. […] I’m going to guess that once they saw the success of this, and the kinds of networks they were in, other objectives probably came into play.”

He added that the situation is “unfolding very quickly,” and that there is still more to learn about the victims and potential targets. “But from an attacker standpoint,” Hegel said, “if all they did was target crypto firms, this was a dramatic wasted opportunity.”

A third of crypto users fell victim to scams

Meanwhile, a Kaspersky survey of 2,000 Americans in October last year found that a third of those who owned crypto had had some of it stolen.

The average value of theft was $97,583. 

A third said they had fallen victim to a fraudulent crypto-related website or investment scam.

Among the victims, 19% had their identities stolen, while 27% had their personal details stolen and money taken from their bank accounts.

Marco Rivero, a senior security researcher at Kaspersky GReAT, said that “this survey data shows a lot of people are getting their crypto stolen and even experiencing identity theft.” 

Users should keep an eye out for phishing scams and fake websites, employ any extra security measures available to them, such as multi-factor authentication, and use strong, unique passwords across all accounts, Rivero advised. 

Meanwhile, hackers stealing crypto for the North Korean regime is not a new phenomenon. You can read more about it below.  

____

Learn more: 

– New Report Exposes How North Korean Hackers Use Cloud Computing to Launder Crypto Loot – Should You Be Worried?
– Wallet Addresses Linked to $200 Million Euler Exploit and Axie Infinity Hack Mysteriously Interact – Are North Korean Hackers Involved?
– Seoul: Sanctions May Be Ineffective Against North Korea’s Crypto Hacks
– New North Korean Ransomware Threat to ‘Major Institutions’ Detected, Say South Korea, US
– Web 3 Hackers Are Getting Smarter: Here’s How to Stay Safe
– Is Cryptocurrency Safe to Invest in 2023? How to Avoid Crypto Scams
