top of page
  • Admin

North Korean APT Group Blasts Credential Harvesting Attacks Via Email

Published: April 02, 2023 on our newsletter Security Fraud News & Alerts Newsletter.

State-sponsored North Korean threat actors recently changed tactics to a new revenue source benefitting their government. The APT (advanced persistent threat) hacking group recently shifted from cryptocurrency theft to credential harvesting attacks using phishing emails. Targeting industries in the U.S. and Canada, researchers are sounding the alarm about this nefarious APT group’s new brand of aggressive attacks.

Proofpoint is tracking the group’s activities under the name TA444. The group is infamous for its massive crypto-theft operations in service to its Supreme Leader, Kim Jon-Un. They’re also known by other names, including APT38, Copernicium, and BlueNoroff.

TA444’s switch to credential harvesting attacks takes advantage of commercial email marketing tools to blast their phishing emails. The emails provide malicious links to websites controlled by TA444 that are setups to steal credentials entered on the site. The targeted industries include the financial, government, healthcare, and education sectors.

Chains of Infection

Those behind TA444 are also using marketing tactics to increase the chance of email targets acting on their phishing links. One strategy is luring victims by using topics that may be of interest to them and have used both fake and compromised LinkedIn accounts to do so. Those lures include email content like awesome job opportunities or salary-related subjects, topics likely to pique a target’s interest and get them to click the malicious link to learn more.

Once on the harvesting web page, targets are told their credentials are needed. When entered, the credentials are hijacked and used to steal their money.

Proofpoint’s recent study of TA444 leads them to credit the nation-state hacking group as an “astute and capable adversary” at defrauding victims and stealing hundreds of millions in funds. Last year, the group amassed over $1 billion in cryptocurrency heists, all benefitting the North Korean regime.

Don’t Be Next

Threat groups like TA444 are one of many cybercrime outfits using email phishing as their weapon of choice. Since we know how their latest operation works, a close watch over your inbox helps keep you safer from their clutches. Keep aware of email phishing red flags, especially if you’re employed in the industries targeted by TA444. In general, remember if it sounds too good to be true, it probably is.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at


bottom of page