Recent findings from Secureworks Counter Threat Unit (CTU) have uncovered a surprising connection between North Korea’s notorious fake IT worker schemes and fraudulent crowdfunding campaigns. The examination highlights how state-sponsored threat actors have been experimenting with various money-making strategies long before their more sophisticated operations came to light.
Secureworks has identified the group behind these activities as Nickle Tapestry, a threat actor linked to multiple clusters of operations serving North Korean interests. One such operation involved a crowdfunding scam that netted approximately $20,000, offering a glimpse into the early stages of North Korea’s evolving cybercrime tactics.
Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, emphasized the importance of understanding these schemes. “Over the past 12 months, we’ve seen the North Korean IT worker scheme evolve, leveraging deepfakes and AI. To counter state-sponsored groups like Nickle Tapestry, it’s crucial to understand not only how their tradecraft is changing, but also where it began,” he said.
The CTU’s investigation revealed that Nickle Tapestry used a network of domain names, front companies, and email addresses to orchestrate an IndieGoGo crowdfunding campaign. The campaign promoted a product called the Kratos portable wireless memory device, but backers soon realized it was a scam. Many reported never receiving the product or a refund.
“This 2016 campaign was a low-effort, small monetary-return endeavor compared to the more elaborate North Korean IT worker schemes active as of this publication,” Secureworks CTU noted in a blog post.
The cybersecurity firm also discovered meaningful overlaps in network infrastructure between the crowdfunding scam and later IT worker campaigns. This connection suggests that the same group, Nickle Tapestry, was behind both operations.
Unraveling the Crowdfunding Scam
Further digging by the CTU revealed ties between the 2016 IndieGoGo scam and two IT companies sanctioned by the US in 2018: China-based Yanbian Silverstar Network Technology Co. and Russia-based Volasys Silver Star. These firms were found to have violated sanctions, with evidence pointing to their involvement in the crowdfunding scheme.
In 2023, the FBI accessed accounts used by Yanbian Silverstar freelancers between 2018 and 2019, tracing them to an IP address (36.97.143.26) geolocated in Jilin, China. This location aligns with Yanbian Silverstar’s reported base of operations. The FBI’s affidavit also confirmed that North Korean IT workers were employed by the company while residing in China.
The CEO of both Yanbian Silverstar and Volasys Silver Star, Jong Song Hwa, a North Korean national, was designated by the FBI. In 2024, a domain linked to these companies (silverstarchina.com) was seized, exposing the registrant email address ([email protected]) and a street address in Chang Bai Shan Dong Lu, Jilin. This address matched the location of Yanbian Silverstar’s offices.
CTU researchers found that the same email and address were used to register multiple domain names, including one tied to the 2016 IndieGoGo campaign (kratosmemory.com). Midway through 2016, the WHOIS registrant data for this domain was updated to reflect a persona named Dan Moulding, matching the IndieGoGo profile used in the Kratos scam. This persona has not been linked to any other domain registrations, adding another layer of intrigue to the investigation.
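The registrant pivot described above (domains linked through a shared registrant email and street address, plus a persona change visible in the WHOIS history) as an added illustration; this is constructed example code, not Secureworks’ tooling, and every registrant value other than the two domain names, the Jilin street and the Dan Moulding persona named in the article is a placeholder.

```python
from collections import defaultdict

# Constructed sample WHOIS history. Only the two domain names, the Jilin street and
# the "Dan Moulding" persona come from the article; emails and other values are placeholders.
SNAPSHOTS = [
    {"domain": "silverstarchina.com", "seen": "2015-11", "email": "EMAIL_PLACEHOLDER_A",
     "address": "Chang Bai Shan Dong Lu, Jilin", "name": "Registrant A"},
    {"domain": "kratosmemory.com", "seen": "2016-01", "email": "EMAIL_PLACEHOLDER_A",
     "address": "Chang Bai Shan Dong Lu, Jilin", "name": "Registrant A"},
    {"domain": "kratosmemory.com", "seen": "2016-07", "email": "persona@example.net",
     "address": "Unrelated St, Elsewhere", "name": "Dan Moulding"},
    {"domain": "shop-one.example", "seen": "2016-03", "email": "redacted@privacy.example",
     "address": "Privacy Service", "name": "WhoisGuard"},
    {"domain": "shop-two.example", "seen": "2016-04", "email": "redacted@privacy.example",
     "address": "Privacy Service", "name": "WhoisGuard"},
]

# Privacy-proxy values are shared by unrelated domains and must never act as pivots,
# otherwise every proxied domain collapses into one bogus cluster.
NON_PIVOT_MARKERS = ("privacy", "redacted", "whoisguard")

def pivotable(value: str) -> bool:
    v = value.lower()
    return bool(v) and not any(m in v for m in NON_PIVOT_MARKERS)

def cluster_domains(snapshots):
    """Group domains that shared a registrant email or address in any snapshot (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    by_key = defaultdict(set)
    for s in snapshots:
        find(s["domain"])  # register every domain, even ones with no usable pivot
        for field in ("email", "address"):
            if pivotable(s[field]):
                by_key[(field, s[field].lower())].add(s["domain"])
    for domains in by_key.values():
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())

def registrant_history(snapshots, domain):
    # Chronological (seen, registrant name) pairs, so persona swaps stand out
    return sorted((s["seen"], s["name"]) for s in snapshots if s["domain"] == domain)
```

Historical snapshots matter: the mid-2016 change to the Dan Moulding persona would be invisible to a lookup of the current record alone.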
What are the warning signs that North Korean cybercriminal activity might escalate?
Interview with Dr. Emily Carter, Cybersecurity expert and Former FBI Analyst
by Archyde News
Archyde: Dr. Carter, thank you for joining us today. Recent findings from Secureworks Counter Threat Unit (CTU) have revealed a surprising connection between North Korea’s fake IT worker schemes and fraudulent crowdfunding campaigns. Can you shed some light on this discovery?
Dr. Carter: Absolutely. This is a fascinating and concerning development. What Secureworks has uncovered is a clear example of how North Korean state-sponsored threat actors, like the group they’ve identified as Nickle Tapestry, are diversifying their cybercrime strategies. These actors have been experimenting with low-profile, low-risk schemes, such as crowdfunding scams, long before they escalated to more elegant operations like cryptocurrency thefts or ransomware attacks.
Archyde: The report mentions that one such crowdfunding scam netted approximately $20,000. While that may seem like a small amount compared to their larger operations, why is this significant?
Dr. Carter: The $20,000 figure might seem modest, but it’s a critical piece of the puzzle. It shows that North Korea has been testing and refining its tactics for years. These smaller-scale operations serve as a proving ground for their methods. By starting with crowdfunding scams, they’ve been able to experiment with social engineering, fake identities, and financial fraud in relatively low-stakes surroundings. This allows them to build the expertise and infrastructure needed for larger, more lucrative attacks.
Archyde: The FBI and international partners have been actively tracking North Korean cyber actors, such as the group responsible for the $308 million theft from Bitcoin exchange Bitcoindmm.com. How do these smaller scams fit into the bigger picture of North Korea’s cybercrime strategy?
Dr. Carter: North Korea’s cyber operations are highly strategic and state-sponsored. The smaller scams, like the crowdfunding fraud, are essentially the training wheels for their more ambitious operations. They allow the regime to generate revenue, test their methods, and evade detection. Once they’ve perfected their techniques, they scale up to high-value targets, such as cryptocurrency exchanges or financial institutions. The $308 million theft is a prime example of how these early experiments can lead to devastatingly effective large-scale attacks.
Archyde: Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, emphasized the importance of understanding these schemes. Why is it crucial for organizations and governments to pay attention to these seemingly minor operations?
Dr. Carter: Rafe is absolutely right. These smaller schemes are the canary in the coal mine. They provide early warning signs of evolving threats. By studying these operations, we can identify patterns, tactics, and infrastructure that may be reused in more significant attacks. For example, the fake IT worker schemes frequently enough involve the use of compromised identities and fraudulent credentials. These same techniques can later be applied to infiltrate corporate networks or government systems. Ignoring these early-stage activities leaves us vulnerable to more sophisticated attacks down the line.
Archyde: What steps can organizations take to protect themselves from these evolving threats?
Dr. Carter: First and foremost, organizations need to adopt a proactive approach to cybersecurity. This includes implementing robust identity verification processes, especially when hiring remote IT workers or engaging with crowdfunding platforms. Additionally, businesses should invest in threat intelligence to stay informed about emerging tactics and actors. Collaboration is also key—sharing details with industry peers and government agencies can help build a collective defense against these threats.
Archyde: What do you see as the future of North Korea’s cybercrime operations?
Dr. Carter: Unfortunately, I believe we’ll see continued innovation and escalation from North Korean threat actors. They’ve demonstrated a remarkable ability to adapt and evolve their tactics. As long as these operations remain a significant source of revenue for the regime, they will continue to invest in them. However, by staying vigilant and working together, we can mitigate their impact and disrupt their activities.
Archyde: Dr. Carter, thank you for your insights. This has been an enlightening discussion.
Dr. Carter: Thank you for having me. It’s crucial that we continue to raise awareness about these threats and work together to combat them.
End of Interview
This interview was conducted by Archyde News on January 15, 2025, as part of our ongoing coverage of global cybersecurity threats.