BlueNoroff Hacker Group Attack Small & Medium-Sized Cryptocurrency Companies

A North Korean-based hacker group which is tracked as “BlueNoroff Hacker Group” was identified to be targeting the small and medium-sized cryptocurrency companies with fake MetaMask browser extensions and malicious documents.

The BlueNoroff Hacker Group working for the North Korean government, stole almost $400 million worth of cryptocurrencies from seven companies during 2021.


Using the cryptocurrency mixers and Asian crypto exchanges the operators of BlueNoroff have laundered and cashed out a maximum of their funds.

Hack and Steal

Why maximum funds instead of full? The state-sponsored hackers of the BlueNoroff group failed to cash out all of their stolen funds, but they managed to put their hands on the maximum amount of funds that they have stolen.

On further analysis, it has been detected that the hackers did not cash out more than $170 million worth of cryptocurrency stolen from 49 cryptocurrency exchanges between the following years:-

  • 2017
  • 2021

In these events 58% of the stolen funds were Ether and 20% were Bitcoin. While the crypto exchange, Chainalysis linked these attacks to the Lazarus group, it’s a term often used to describe the acts of several other North Korean state-sponsored hackers.

But, here, in this case, the BlueNoroff hacking group is tracked as a division of the Lazarus hacking group that is often associated with hacking banks and cryptocurrencies.


After several years of investigation, the cybersecurity at Kaspersky Lab has managed to connect the hacking group, BlueNoroff with numerous hacks of small and medium-sized cryptocurrency companies in the following countries:-

  • The US
  • Russia
  • China
  • India
  • The UK
  • Ukraine
  • Poland
  • Czech Republic
  • UAE
  • Singapore
  • Estonia
  • Vietnam
  • Malta
  • Germany
  • Hong Kong

Here in the below image, you can see the company names and logos that were targeted by BlueNoroff:-

The Infection Chain

In a malicious campaign called SnatchCrypto, via email or via LinkedIn messages the hackers sent malicious documents to people working for crypto companies. 

Once these files were viewed and interacted by the victim, a backdoor gets installed automatically on the victim’s system through which the hackers access the network of their victims.

While in other campaigns they used LNK files, and the end result was the same, in short, BlueNoroff hackers accessed the victim’s device.

In this type of event, the hackers for several weeks or months closely monitor their targets, and they track and collects the following data and activities of their targets for financial theft:- 

  • Collects keystroke data.
  • Tracks the daily activities of the user.

Moreover, by using the malicious version of the Metamask Chrome extension the hackers replace the original version of the Metamask Chrome extension and record the activities of their target when they initiate a transaction to steal their data and steal all the available funds.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.