Crypto Heists and Insider Threats Put North Korea on G7 Hot Seat

The upcoming G7 summit in Canada is expected to address North Korea’s digital offenses, including its extensive crypto theft operations led by groups like Lazarus.

North Korea

The global cybersecurity landscape is facing serious challenges from state-sponsored cybercrime groups from North Korea and Russia. In 2024 alone, North Korean hackers stole over $1.3 billion through 47 separate attacks, with the stolen crypto being used to fund weapons development and evade international sanctions. Their tactics evolved to include insider threats and shell companies. 

Additionally, Coinbase users are facing an alarming rise in social engineering scams, with $45 million stolen in just one week. This contributed to an estimated $330 million in annual losses. These scams often involve fake support representatives and malware-laced job offers, tactics linked to North Korea. Meanwhile, Russia-backed group COLDRIVER is deploying new malware called LOSTKEYS, which enhances their capabilities for data theft. Collectively, these developments prove that there is an urgent need for more coordinated global defense strategies.

G7 Turns Spotlight on North Korea’s Digital Crimes

The Group of Seven (G7) is expected to address the growing threat of North Korea’s cyberattacks and crypto thefts at its upcoming summit in Canada next month. While ongoing conflicts in Ukraine and Gaza will likely be central to the discussions, sources from Bloomberg on May 7 say that North Korea’s digital operations have become an alarming concern that demands coordinated international action.

G7 summit

North Korea’s cybercrime apparatus, which is led by groups like the Lazarus Group, stole billions in cryptocurrency in 2024 alone. One of the most damaging incidents this year was a $1.4 billion exploit targeting the crypto exchange Bybit in February. This was the largest single hack ever recorded in the crypto industry. In total, it is estimated that North Korean-linked hackers pulled off 47 crypto-related heists in 2024, totaling more than $1.3 billion in stolen digital assets. This is according to blockchain analytics firm Chainalysis.

The illicit funds stolen through these hacks reportedly became a critical financial pipeline for the North Korean regime, helping to circumvent sanctions and support weapons development programs. A September report from the US Treasury explained how these operations allowed Pyongyang to maintain funding for its prohibited military initiatives.

In addition to external hacks, North Korea has also been accused of embedding operatives in crypto firms. The US, Japan, and South Korea warned earlier this year that the regime was sending trained tech workers to infiltrate companies as employees, which poses a serious insider threat. In April, a group linked to Lazarus allegedly set up three shell companies—two of which were located in the United States—to distribute malware and scam crypto developers.

North Korean hacks

Crypto stolen by North Korea each year (Source: Chainlaysis)

Crypto exchange Kraken recently revealed that it thwarted an infiltration attempt by a North Korean hacker. Chief Security Officer Nick Percoco shared that the individual was caught through an internal identity verification test, which they failed. Cybersecurity expert Heiner Garcia of Telefónica managed to expose another suspected operative during a mock interview. The operative inadvertently revealed connections to known North Korean crypto scams.

Overall, the expanding reach and sophistication of North Korea’s cyber operations pushed them to the top of the G7’s agenda.

Scams Steal $45 Million from Coinbase Users in One Week

On-chain investigator and security analyst ZachXBT recently reported that an additional $45 million has been stolen from Coinbase users in just the past week through a surge in social engineering scams. This figure adds to an already troubling trend that was identified by ZachXBT. He claims that over the past few months, scammers stole nine figures in total from Coinbase users using similar techniques, and pointed out that these scams seem to be a problem unique to Coinbase.

Post

Telegram post from ZachXBT

The latest findings bring the estimated annual losses from these scams targeting Coinbase users to around $330 million. The tactics employed by scammers evolved in sophistication, ranging from impersonating Coinbase support staff to sending deceptive emails that prompt users to transfer funds to external wallets.

The United States Federal Bureau of Investigation (FBI) also took note of the growing threat. In a series of alerts that were issued between July and September of 2024, the FBI warned the public about scammers impersonating crypto exchange representatives, offering fake job opportunities, and deploying malware disguised as employment tests or investment materials. These methods have also been linked to North Korean state-sponsored hacking groups.

In response to the escalating risks, Coinbase chief security officer Phillip Martin advocated for a unified framework to help users and exchanges report and respond to scams more efficiently. This whole situation proves just how urgent the need is to improve consumer protection in the face of increasingly aggressive and sophisticated social engineering campaigns.

Russian Hackers Deploy New LOSTKEYS Malware

A new wave of cyberattacks linked to the Russian-backed threat group COLDRIVER is also raising fresh concerns among cybersecurity experts, especially after the emergence of a sophisticated new malware strain dubbed LOSTKEYS. According to a May 7 report from Google Threat Intelligence, the malware is a big step up in COLDRIVER’s capabilities from traditional credential phishing to advanced information theft.

The infection chain involves a four-step process starting with a deceptive “lure website” that uses a fake CAPTCHA to trick users. Once engaged, the site delivers a PowerShell script directly to the user’s clipboard. From there, the malware executes device evasion techniques before retrieving and installing the final payload. ‘

Stage 1

(Source: Google)

Once active, LOSTKEYS has the ability to scan directories and file extensions, extract documents, and transmit sensitive system information — including active processes — back to its command-and-control infrastructure. The IP address associated with the campaign is “165.227.148[.]68,” according to Google.

Payload delivery

(Source: Google)

To counter the threat, Google took swift action by flagging the malicious domains in its Safe Browsing feature, to help prevent users from unknowingly visiting these harmful sites. The company said that the targets of these attacks include Western journalists, former diplomats, and other high-profile figures, which is in line with COLDRIVER’s established tactics.

This latest development follows a January 2024 attack by COLDRIVER involving “Spica,” a malware variant that is capable of executing shell commands and uploading or downloading data. However, the progression from Spica to LOSTKEYS proves that the group is growing in sophistication when it comes to targeting and data exfiltration.

Meanwhile, the broader cybersecurity landscape continues to deteriorate, especially in the cryptocurrency sector. A recent report from blockchain security firm Hacken revealed that crypto hacks in Q1 2025 alone surpassed $2 billion in losses. This is already higher than all of 2024. Hacken pointed out that operational vulnerabilities and social engineering are still persistent weaknesses across both centralized and decentralized platforms as they expose even major industry players to large-scale attacks.