North Korea-Linked Lazarus Group Poses as VC Firms to Spread Malware

TL;DR Security researchers at Kaspersky have identified BlueNoroff, a group linked to the North Korean state-sponsored Lazarus Group, expanding its operations to include posing as venture capital firms and banks interested in crypto startups. Lazarus-linked phishing campaigns targeted Coinbase and Crypto.com job seekers in 2022, and South Korean intelligence attributes over $1.2 billion in stolen cryptocurrency to North Korean hackers since 2017.

BlueNoroff, the name security researchers give to a group linked with the North Korean state-sponsored hacking collective Lazarus Group, has expanded its criminal activities to include posing as venture capitalists looking to invest in crypto startups, according to a new report from the cybersecurity firm Kaspersky.

“BlueNoroff created numerous fake domains impersonating venture capital companies and banks,” Kaspersky says.

In its report, Kaspersky says it detected global attacks by BlueNoroff targeting cryptocurrency startups in January 2022, but says there was a lull in activity until the fall.

According to Kaspersky, BlueNoroff is using malware to attack organizations that deal with smart contracts, DeFi, blockchain, and the FinTech industry. Kaspersky says BlueNoroff is also using techniques to bypass Mark-of-the-Web (MOTW), the marker Windows attaches to files downloaded from the Internet so that a warning pops up before such a file is opened.
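To make the MOTW point concrete: on NTFS the marker is a small alternate data stream named Zone.Identifier, and Windows only warns when that stream is present with a ZoneId of 3 (Internet) or higher. The following is an added example, not code from Kaspersky's report or the article: it parses a constructed Zone.Identifier stream, decides whether the warning would fire, and (on Windows only) reads the stream from a real file. The sample stream contents and the example.test URLs are constructed for illustration. The defensive takeaway is the inverse of the bypass: a file that reached a host from the Internet but carries no stream, or a ZoneId below 3, will open without any warning.

```python
"""Inspect a Windows Mark-of-the-Web (MOTW) Zone.Identifier stream.

Added example (not from the article or Kaspersky). MOTW is the NTFS
alternate data stream "<file>:Zone.Identifier"; its ZoneId is what makes
Windows warn before opening a downloaded file.
"""
import configparser
import sys

# URL security zone numbers as used by Windows.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
MOTW_STREAM = "Zone.Identifier"


def parse_zone_identifier(data: str) -> dict:
    """Parse the INI-style Zone.Identifier text into a dict.

    Returns {} when there is no [ZoneTransfer] section, which is what a
    file with no MOTW looks like. ZoneId is converted to int when possible.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: ZoneId, ReferrerUrl, HostUrl
    try:
        cp.read_string(data.replace("\r\n", "\n"))
    except configparser.Error:
        return {}
    if not cp.has_section("ZoneTransfer"):
        return {}
    info = dict(cp["ZoneTransfer"])
    if "ZoneId" in info:
        try:
            info["ZoneId"] = int(info["ZoneId"])
        except ValueError:
            pass
    return info


def triggers_warning(info: dict) -> bool:
    """True if Windows would show the MOTW warning (zone 3 Internet, 4 Restricted)."""
    zone = info.get("ZoneId")
    return isinstance(zone, int) and zone >= 3


def read_motw(path: str) -> dict:
    """Read the Zone.Identifier stream of a file on an NTFS volume.

    Works only on Windows; returns {} elsewhere or when the stream is absent.
    """
    if not sys.platform.startswith("win"):
        return {}
    try:
        with open(f"{path}:{MOTW_STREAM}", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return {}


# Constructed sample: what a browser writes for a file fetched from the Internet.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.test/\r\n"
    "HostUrl=https://example.test/offer.pdf\r\n"
)
# Constructed sample: a file that arrived without any stream (no warning at all).
SAMPLE_NONE = ""

if __name__ == "__main__":
    for label, text in (("internet download", SAMPLE_INTERNET), ("no stream", SAMPLE_NONE)):
        info = parse_zone_identifier(text)
        zone = ZONE_NAMES.get(info.get("ZoneId"), "none")
        print(f"{label}: zone={zone} warning={triggers_warning(info)}")
```

On a Windows host, `read_motw(r"C:\Users\me\Downloads\offer.pdf")` returns the parsed stream for a real download; a lure that has been unpacked in a way that drops the stream simply returns `{}`, which is exactly the condition that lets it open without the warning the article describes.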

Stealing cryptocurrency has been a profitable business for North Korean hackers. Since 2017, over $1.2 billion in cryptocurrency has been looted, according to data from South Korean spy agencies. In 2022, several high-profile companies, including FTX, were hit by cyber attacks.

A treacherous fall

In August, the group sent phony job offers to candidates on LinkedIn for an engineering manager position at the cryptocurrency exchange Coinbase.

In September, the Lazarus Group targeted Coinbase and Crypto.com job seekers in two separate phishing attacks. One campaign encouraged job seekers to download a PDF document showcasing the open vacancies at Crypto.com. Once opened, the PDF would install a trojan and steal personal and financial information.

In October, cyber criminals used an exploit in the Binance Smart Chain to make off with over $100 million in cryptocurrency.

On November 11, 2022, the day FTX filed for Chapter 11 bankruptcy protection, an unknown actor began siphoning funds from FTX wallets to the tune of $640 million in tokens.

Hundreds of millions of dollars are now flowing out of FTX wallets. Some speculate liquidators, but it's late on a Friday night, not typical times for such rapid, heavy movements. Some withdrawals are being swapped from Tether to DAI. Hack or insider actions? $26 million here pic.twitter.com/8wWlaE7na9 — foobar (@0xfoobar) November 12, 2022

While the story of the fall of Sam Bankman-Fried and FTX has taken over the headlines, the threat posed by cyber criminals has never subsided.

Kaspersky acknowledged a request for comment from Decrypt but was unable to provide a response prior to publication.
