CryptoCore has swindled more than $200 million from cryptocurrency exchanges since 2018.
According to a report by ClearSky cybersecurity, the group targets cryptocurrency exchange employees and executives with phishing scams. The group is known as CryptoCore but is also tracked under the aliases “Dangerous Password” and “Leery Turtle.”
CryptoCore scammers fool people working at exchanges by impersonating high-ranking employees of the same exchange in order to obtain their credentials. The hackers ask for access to the victim’s password manager account, which holds the victim’s financial credentials.
The scammers use those passwords to steal the victim’s assets, along with any data that can be used to target further victims.
The report stated that the attackers’ main objective is to access the exchange’s wallets including the corporate wallets and wallets owned by employees. The attackers begin with an “extensive reconnaissance phase” against the company and all personnel working with the exchange.
Targets and method of operation
CryptoCore has been targeting exchanges in the US and Japan. The group has stolen more than $200 million worth of cryptocurrencies through phishing scams.
The group first conducts thorough research on its target exchange, then impersonates specific entities using lookalike domain names.
The group infects the victim’s device by sending password-protected files. Once opened, the files install malware that searches the device’s password managers for data. The malware then spreads into the exchange’s network to search for further passwords.
Once the group gains access to wallets, the funds are moved to wallets under its control. While it is unclear where the group operates from, ClearSky believes that it is based in Eastern Europe. Many hacking groups targeting crypto-related businesses are reported to be working from North Korea.
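One defensive check that follows from the lookalike-domain tactic described above, as an added Python example (not code from ClearSky or the report): it flags sender domains that are edit-distance or homoglyph neighbours of the exchange’s own domain, or that bury the real brand name inside a domain the exchange does not own. The corporate domain, the substitution table and the sample addresses are all constructed for the demo.

```python
import unicodedata

# Constructed corporate domain for the demo; use the domains the exchange owns.
LEGIT_DOMAINS = {"example-exchange.com"}

# Substitutions seen in lookalike registrations: digit-for-letter swaps, letter
# pairs that render like one letter, and a few Cyrillic confusables.
# Constructed and deliberately small, not an exhaustive confusables table.
SUBSTITUTIONS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

def normalize(domain: str) -> str:
    """Fold a domain to the ASCII name a human would read it as."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in SUBSTITUTIONS.items():
        d = d.replace(fake, real)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches dropped/added letters and TLD swaps (.com -> .co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Last two labels. Assumption: no multi-part public suffixes such as .co.uk."""
    return ".".join(domain.split(".")[-2:])

def classify_sender(address: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for an e-mail sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    reg = registrable(domain)
    if reg in legit:
        return "internal"
    for good in legit:
        reg_n, good_n = normalize(reg), normalize(good)
        if reg_n == good_n or levenshtein(reg_n, good_n) <= max_distance:
            return "lookalike"
        if good.split(".")[0] in domain:  # real brand name as a subdomain elsewhere
            return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample senders, as they might appear in mail headers.
    for addr in ["cfo@example-exchange.com", "cfo@examp1e-exchange.com",
                 "cfo@exarnple-exchange.co", "it-helpdesk@example-exchange.com.reset-portal.net",
                 "cfo@\u0435xample-exchange.com", "alice@unrelated-vendor.org"]:
        print(f"{classify_sender(addr):9s} {addr}")
```

Run over a mail gateway’s sender log, the "lookalike" bucket is the one worth alerting on, since legitimate external partners land in "external" and staff in "internal".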