Mandiant said that although APT43’s main objective is espionage, the group also engages in various types of crime, both related and unrelated to crypto. Mandiant said that APT43 steals user credentials by phishing — that is, by impersonating online services such as crypto exchanges and search engines. For example, APT43 at one point created a malicious app to target Chinese users seeking crypto loans.

Mandiant’s report also said that APT43 uses cryptocurrency services to launder stolen currency. It added that the hacking group also rents cloud mining services in order to obtain cryptocurrency that cannot be linked to its original payment method. Mandiant said that APT43’s methods overlap with those of other groups or “clusters”; crypto-related malware such as PENCILDOWN and LONEJOGGER has been shared in this way.

Mandiant said that APT43 often targets South Korea, the U.S., Japan, and Europe. The group primarily uses spear-phishing messages to target individuals within organizations. It is not known to exploit zero-day vulnerabilities through direct hacks. Mandiant’s report does not state how much money APT43 has stolen, either in total or in cryptocurrency. However, Mandiant says that APT43 has stolen enough cryptocurrency to allow it to operate in a self-reliant, self-financing manner.
Full report: North Korean hacking group APT43 found to rely on cryptocurrency crime.