lazarusholic

Investigating Suspected DPRK-Linked Crypto Intrusions

2026-03-02, CtrlAltIntel
https://ctrlaltintel.com/threat%20research/DPRK-Crypto-Heist/
#React2Shell

Contents

Investigating Suspected DPRK-Linked Crypto Intrusions
Korean Crypto Theft
A threat actor has systematically compromised cryptocurrency organisations: exploiting web application vulnerabilities, pillaging AWS tenants with valid credentials, and exfiltrating proprietary exchange software containing hardcoded secrets. Their targeting spans the crypto supply chain, from staking platforms to exchange software providers to the exchanges themselves.
In this blog we will expose the tradecraft, tooling and infrastructure we observed. Additionally, while keeping victim companies anonymous, we will share the types of data this threat actor stole. Based on the extensive targeting of crypto organisations, amongst other factors, we believe this might be linked to DPRK-based actors.
All findings discussed in this blog were identified via successive exposed open directories over a period of two weeks. On 2026-01-27, threat intelligence vendor Hunt.io archived one of these open directories. Although we will not be sharing our dumps publicly, significant intelligence can be gleaned from the archive on this platform.
Ctrl-Alt-Intel has attempted to …

IoC

https://[email protected]/[REDACTED]
https://ifconfig.me
http://itemnania.com
http://64.176.226.36
64.176.226.36
10.15.15.57
42bd7c130c146246c88dc3462b0d21dd
1c6770917d13fce1347f0cea9c9b86b0
8f633ade35df4f992eb28a2c5bc37cef