U.S. agencies detail 'AppleJeus' cryptocurrency malware used by North Korean hackers

Quick Take

  • U.S. government agencies published a detailed breakdown this week of one of the North Korean government’s crypto-related cybercrime tools.
  • The report detailed ‘AppleJeus,’ which is disguised as legitimate-looking crypto trading software.

U.S. government agencies published a detailed breakdown this week of one of the North Korean government’s crypto-related cybercrime tools.

‘AppleJeus’ is designed to operate and appear as legitimate-looking crypto trading software, targeting would-be victims who seek to trade cryptocurrencies. First deployed in 2018, AppleJeus has been masked by a series of official-sounding names.

Those names include Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio and Ants2Whale.

Details of AppleJeus and the ways in which it is used to illicitly take control of computers were published on Wednesday in a joint report developed by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department.

The report comes on the heels of a significant indictment of three North Korea-tied hackers. On February 17, U.S. prosecutors charged three North Korean hackers for a vast array of attacks and thefts — including over $100 million of funds stolen from crypto companies. That action followed other attempts to staunch North Korea-linked cyberattacks. Last August, the U.S. Department of Justice also attempted to retrieve funds from 280 crypto accounts connected to such activities.

The report details HIDDEN COBRA, characterized as “malicious cyber activity by the North Korean government” centered around cryptocurrency attacks and thefts. The report indicates that cybercriminals operating within the so-called Lazarus Group have stolen and laundered hundreds of millions’ worth of cryptocurrency since January of last year.

The hackers targeted individuals and companies, such as crypto exchanges and financial service firms, and ultimately committed criminal acts in 32 countries across all continents except Africa.


“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea — the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” states the report.

Once a user downloads the affected software, AppleJeus infects the victim’s computer with a remote administration tool, which allows the malicious actors to control the afflicted computer. The hackers can then spread malware across the victim’s network and gain access to stored information.

According to the report, the approach by which Hidden Cobra participants spread different versions of AppleJeus evolved over time.

“Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors such as phishing, social networking, and social engineering techniques to get users to download the malware,” the report stated.

Since January 2020, Hidden Cobra activity has affected the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States. The sectors harmed were finance, energy, technology, industry, telecommunications, and government.

If users suspect they have been affected by AppleJeus, the report recommends that victims generate new keys or move funds out of compromised crypto wallets, remove affected hosts, run anti-malware scans on infected computers, and notify the FBI, CISA, or the Treasury Department.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

MK Manoylov has been a reporter for The Block since 2020 — joining just before bitcoin surpassed $20,000 for the first time. Since then, MK has written nearly 1,000 articles for the publication, covering any and all crypto news but with a penchant toward NFT, metaverse, web3 gaming, funding, crime, hack and crypto ecosystem stories. MK holds a graduate degree from New York University's Science, Health and Environmental Reporting Program (SHERP) and has also covered health topics for WebMD and Insider. You can follow MK on X @MManoylov and on LinkedIn.