There's a new DPRK report making the rounds. I have thots.
- Is good report generally. Very welcome given the lack of UN Panel of Expert reports.
- Some attribution things got a bit mushy.
- Offchain folks still don't realize the wealth of info available from the chain.
Report for the curious:
https://msmt.info/Publications/detail/MSMT%20Report/4221…
1. Swissborg ("Swissbord")—which stemmed from a compromise of Kiln keys—was not DPRK.
There are no DPRK indicators onchain or offchain.
Laundering is completely different.
It's an active case—and not DPRK—so I can't comment on attribution beyond that.
2. Zoth not TraderTraitor. It was what this report refers to as "CryptoCore."
Zoth overlaps on and offchain with the "2025-02-28 Unidentified Victim."
That was a case of impersonated Telegram -> Calendly -> Zoom call -> AppleScript shit.
3. A note on "CryptoCore" generally.
Both the Feb 2025 case and Ripio are called "CryptoCore."
Meanwhile, the former was a Zoom SDK Update AppleScript shit while the latter was social engineering via LinkedIn / …