This article is more than nine months old

How North Korea used LinkedIn and social engineering to steal $3.4bn in crypto

How North Korea used LinkedIn and social engineering to steal $3.4bn in crypto
The North Korean Lazarus cybercrime gang has used LinkedIn to steal billions in crypto. Credit; Rita Fortunato/DL News.
  • North Korea’s Lazarus Group has stolen at least $3.4 billion in crypto since emerging in 2007.
  • Part of the hacker group’s success is due its use of job ads on LinkedIn.
  • It is not the only weapon in its cybercrime arsenal.

North Korean hackers have stolen at least $3.4 billion in crypto — in part by preying on victims via LinkedIn.

The figure — based on DL News’ calculations of hacks linked to North Korea’s Lazarus Group going as far back as 2007 — includes the $100 million Harmony’s Horizon bridge hack in 2022, the $35 million Atomic Wallet heist this year, and the WannaCry ransomware attack in 2017.

“The Lazarus Group’s boldness and the effectiveness of their exploits have been a major source of revenue for the North Korean regime,” Hugh Brooks, director of security operations at blockchain research firm CertiK, told DL News.

What may be less known is how the digital thugs leverage recruitment platforms like LinkedIn in their social engineering and phishing attacks.

The cybercrime gang’s attack dubbed Operation In(ter)ception in 2019 is a telling example.

NOW READ: North Korea’s stolen crypto haul reaches $3.4bn — 16 years of Lazarus heists and hacks

Through the digital offensive, Lazarus targeted European and Middle Eastern military and aerospace companies, tricking their employees with job ads on platforms including LinkedIn, asking applicants to download a PDF that deployed an executable file, cybersecurity firm ESET reported.

Social engineering and phishing attacks both try to use psychological manipulation to trick victims to let their guards down and do things like click links or download files that will compromise their security.

Join the community to get our latest stories and updates

Their malware has enabled operatives to target vulnerabilities in victims’ systems and to steal sensitive information.

Lazarus used similar methods in its six-month campaign against crypto payments provider CoinsPaid, resulting in a $37 million heist on July 22.

Throughout the campaign, it sent fake job offers to engineers, launched technical attacks like Distributed Denial-of-Service and a tactic dubbed brute forcing — submitting many passwords with the hope of eventually guessing correctly.

NOW READ: Top 10 crypto hacks of 2023 — Stake ranks fifth as hackers wipe $735m

The group has also been known for leveraging on zero-day vulnerabilities and deploying malware in order to steal money, conduct espionage and generally disrupt.

LinkedIn did not return a request for comment.

In 2019, the US Department of the Treasury sanctioned the gang, officially linking it to the spooks at North Korea’s Reconnaissance General Bureau. The Treasury also credited the group with funding the terror state’s nuclear weapons programme.

Eric Johansson is DL News’ News Editor. He is based out of London. Tyler Pearson is a Researcher at DL News. He is based out of Alberta, Canada. Email us with tips on and