{"id":76552,"date":"2023-04-01T07:00:00","date_gmt":"2023-04-01T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=76552"},"modified":"2025-09-10T18:00:48","modified_gmt":"2025-09-10T15:00:48","slug":"telegram-user-de-anonymisation-exposure-of-north-korean-spies-and-other-cybersecurity-developments","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/telegram-user-de-anonymisation-exposure-of-north-korean-spies-and-other-cybersecurity-developments\/","title":{"rendered":"Telegram user de-anonymisation, exposure of North Korean spies, and other cybersecurity developments"},"content":{"rendered":"<p>We\u2019ve gathered the week\u2019s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\" id=\"block-d4733124-7625-4f94-ad1c-2384d9a3fcc6\">\n<li>Experts uncover the APT43 hackers engaged in espionage on behalf of North Korea.<\/li>\n<li>Media outlets reveal Rostec&#8217;s tool for de-anonymising Telegram users.<\/li>\n<li>GitHub removed a private repository containing Twitter&#8217;s source code after a DMCA notice.<\/li>\n<li>In Ukraine, authorities arrested a gang of phishers who stole $4.3 million from EU residents.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Experts uncover the APT43 hackers engaged in espionage on behalf of North Korea<\/strong><\/h2>\n<p>Analysts from Mandiant published a report on the North Korean hacking group APT43, which conducts espionage and cryptocurrency theft.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Mandiant Intelligence is pleased to bring you APT43, a prolific cyber operator that supports the interests of the North Korean regime. 
We believe APT43 funds itself through cybercrime to support its primary mission of collecting foreign intelligence.<a href=\"https:\/\/t.co\/ArkVjlm6ZB\">https:\/\/t.co\/ArkVjlm6ZB<\/a><\/p>\n<p>\u2014 Andrew Thompson (@ImposeCost) <a href=\"https:\/\/twitter.com\/ImposeCost\/status\/1640730476926173190?ref_src=twsrc%5Etfw\">March 28, 2023<\/a><\/p><\/blockquote>\n<p>Experts believe the group is backed by North Korea&#8217;s General Reconnaissance Bureau; its main targets include government and research institutions in the US, Europe, Japan and South Korea.<\/p>\n<p>APT43 sends phishing emails impersonating fictitious officials and directs victims to attacker-controlled websites that harvest their credentials, which the hackers then use to log in to target systems.<\/p>\n<p>To steal funds, the group uses malicious Android applications aimed at cryptocurrency holders in China.<\/p>\n<p>Stolen assets are laundered through mixers and cloud-mining services using fake aliases and addresses. 
For equipment and infrastructure, APT43 pays with PayPal, American Express and stolen Bitcoin.<\/p>\n<h2 class=\"wp-block-heading\"><strong>GitHub removed the Twitter source code repository<\/strong><\/h2>\n<p>GitHub removed the private repository of user FreeSpeechEnthusiast containing Twitter&#8217;s source code after a <a href=\"https:\/\/github.com\/github\/dmca\/blob\/master\/2023\/03\/2023-03-24-twitter.md\"><span data-descr=\"DMCA notice\" class=\"old_tooltip\">DMCA<\/span><\/a> notice from the social network.<\/p>\n<p>Sources cited by <a href=\"https:\/\/www.nytimes.com\/2023\/03\/26\/technology\/twitter-source-code-leak.html\">The New York Times<\/a> say that the repository contained information about vulnerabilities in the security system that could allow hackers to exfiltrate user data or take Twitter offline.<\/p>\n<p>The company is now asking the court to compel GitHub to disclose identifying information about the culprit and about those who accessed the repository.<\/p>\n<p>It is not known how long the source code remained online. 
Media reports say it was at least several months.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Trend Micro finds crypto-stealing malware OpcJacker<\/strong><\/h2>\n<p>Trend Micro researchers <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html\">discovered<\/a> the OpcJacker malware, which has been distributed since mid-2022 under the guise of cryptocurrency apps and other legitimate software on counterfeit sites.<\/p>\n<p>OpcJacker&#8217;s features include a <span data-descr=\"Software for monitoring and controlling keystrokes\" class=\"old_tooltip\">keylogger<\/span>, screenshot capture, theft of browser data, loading of additional modules and clipboard cryptocurrency-address spoofing.<\/p>\n<p>Upon infection, the malware replaces the legitimate <span data-descr=\"Dynamic Link Library \u2014 dynamically linked library\" class=\"old_tooltip\">DLL<\/span> inside the installed program with a malicious one, which lets it load an additional malicious payload, a modified Babadeda ransomware payload.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"990\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/opcjacker-1-1024x990.png\" alt=\"opcjacker-1\" class=\"wp-image-203007\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/opcjacker-1-1024x990.png 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/opcjacker-1-300x290.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/opcjacker-1-768x743.png 768w, https:\/\/u1f987.com\/wp-content\/uploads\/opcjacker-1-1536x1485.png 1536w, https:\/\/u1f987.com\/wp-content\/uploads\/opcjacker-1.png 1875w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Data: Trend Micro.<\/figcaption><\/figure>\n<p>The malware&#8217;s primary objective remains unknown, but its ability to steal cryptocurrency points to a financial motivation, experts say.<\/p>\n<h2 
class=\"wp-block-heading\"><strong>Roskomnadzor opposes anonymous numbers based on blockchain<\/strong><\/h2>\n<p>Roskomnadzor has proposed using the equipment installed at providers under the sovereign internet law to restrict access to anonymity tools. The agency singled out services that use virtual phone numbers. This includes numbers on the Fragment blockchain platform, which can be <a href=\"https:\/\/u1f987.com\/en\/news\/telegram-launches-sale-of-anonymous-numbers-on-fragment\">purchased for cryptocurrency<\/a> for anonymous Telegram registration.<\/p>\n<p>If the government passes the amendments, they would take effect on 1 March 2024.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Ukraine arrests phishing gang that stole $4.3 million from EU residents<\/strong><\/h2>\n<p>The Ukrainian Cyber Police uncovered participants of an international criminal organisation who used phishing to steal banking card data.<\/p>\n<p><iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/D3ZSM6FmNCU\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p>The suspects created more than 100 phishing sites that offered cheap goods to European users. Payment card details entered by customers went straight to the criminals, who then transferred funds out of the victims&#8217; accounts.<\/p>\n<p>The group also set up call centres in Vinnytsia and Lviv, whose operators encouraged potential victims to make purchases.<\/p>\n<p>Over 1,000 victims from the Czech Republic, Poland, France, Spain, Portugal and other EU countries have been recorded. The total damage exceeds 160 million hryvnias ($4.3 million).<\/p>\n<p>During a series of searches, law enforcement seized mobile phones, SIM cards and computer equipment. A criminal case has been opened for fraud and the creation of a criminal group. 
The suspects face up to 12 years in prison with confiscation of property.<\/p>\n<p>Two organisers have been arrested. Ten more participants have been detained in the EU. The investigation continues.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Media reveal Rostec tool for de-anonymising Telegram users<\/strong><\/h2>\n<p>Rostec, the Russian state corporation, has purchased a platform that enables revealing the identities of anonymous Telegram users, according to an investigation by The Bell and Meduza.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Since 2022, Rostec has been fighting a war on two fronts. As well as supplying hardware to the front, it is also eliminating criticism of its chief, Sergei Chemezov, a friend of Vladimir Putin, from Telegram channels. The Bell and Meduza found out more \u2013 a thread 1\/13<\/p>\n<p>\u2014 The Bell (@thebell_io) <a href=\"https:\/\/twitter.com\/thebell_io\/status\/1640663975732953089?ref_src=twsrc%5Etfw\">March 28, 2023<\/a><\/p><\/blockquote>\n<p>According to the journalists, the software suite named <a href=\"https:\/\/tomhunter.ru\/pk\">\u201cHunter\u201d<\/a> analyses more than 700 public data sources, including social networks, blogs, forums, messaging apps, classifieds, cryptocurrency blockchains, the dark web and state automated services.<\/p>\n<p>The data allow names, nicknames, email addresses, phone numbers, crypto wallets and IP addresses to be linked, eventually identifying Telegram channel administrators.<\/p>\n<p>Journalists believe Rostec&#8217;s primary targets are authors critical of Russia&#8217;s state policy.<\/p>\n<p>The public organisation Roskomsvoboda notes that such data points alone cannot de-anonymise a channel owner. 
They suggest Rostec may also exploit a zero-day vulnerability in the platform or work with an insider at Telegram.<\/p>\n<p>A Telegram spokesperson told Bleeping Computer that the most common ways channel administrators get de-anonymised are accepting payments for advertising, granting access to third-party bots, or using unofficial Telegram apps.<\/p>\n<p>Rostec plans to sell \u201cHunter\u201d in 2023 to all Russian Interior Ministry administrations and the FSB&#8217;s operational-technical divisions.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Ormenus Coin <a href=\"https:\/\/u1f987.com\/en\/news\/ormenus-coin-organizers-to-pay-102-million-after-sec-lawsuit\">will pay $102 million<\/a> in an SEC lawsuit.<\/li>\n<li>The court found bZx DAO participants <a href=\"https:\/\/u1f987.com\/en\/news\/court-finds-bzx-dao-participants-liable-for-protocol-hack\">liable for the breach<\/a> of the protocol.<\/li>\n<li>The SEC brought charges against <a href=\"https:\/\/u1f987.com\/en\/news\/sec-brings-charges-against-beaxy-crypto-exchange-and-its-executives\">the Beaxy crypto exchange<\/a> and its executives.<\/li>\n<li>Hackers stole <a href=\"https:\/\/u1f987.com\/en\/news\/hackers-stole-bitcoins-in-52-countries-via-a-fake-tor-browser\">bitcoins in 52 countries<\/a> via a fake Tor browser.<\/li>\n<li>The client database of the <a href=\"https:\/\/u1f987.com\/en\/news\/tetchange-exchange-client-database-put-up-for-sale-for-1000-updated\">Tetchange exchange<\/a> was put up for sale for $1,000.<\/li>\n<li>DEX SafeMoon <a href=\"https:\/\/u1f987.com\/en\/news\/safemoon-dex-loses-about-9m-in-hack\">lost $9 million<\/a> in a breach.<\/li>\n<li>HAPI Labs: nearly 96% of donations to the Russian army went through Binance.<\/li>\n<li>Sam Bankman-Fried was granted new <a href=\"https:\/\/u1f987.com\/en\/news\/new-bail-terms-agreed-for-sam-bankman-fried\">terms of release<\/a> on bail. 
He was also charged <a href=\"https:\/\/u1f987.com\/en\/news\/sam-bankman-fried-accused-of-bribing-a-chinese-official\">with bribing a Chinese official<\/a>.<\/li>\n<li>The <a href=\"https:\/\/u1f987.com\/en\/news\/thorchain-network-halts-after-credible-vulnerability-reports\">THORChain network paused operations<\/a> due to a vulnerability.<\/li>\n<li>An analyst estimated the number of <a href=\"https:\/\/u1f987.com\/en\/news\/analyst-says-6-million-bitcoins-have-been-irretrievably-lost\">irrecoverably lost bitcoins<\/a>.<\/li>\n<li>CFTC filed <a href=\"https:\/\/u1f987.com\/en\/news\/cftc-files-suit-against-binance-and-changpeng-zhao\">a lawsuit against Binance<\/a> and Changpeng Zhao.<\/li>\n<li>Verichains warned of <a href=\"https:\/\/u1f987.com\/en\/news\/verichains-warns-of-vulnerability-in-multisignature-wallets\">vulnerabilities in multisig wallets<\/a>.<\/li>\n<li>A former Coinone employee was arrested <a href=\"https:\/\/u1f987.com\/en\/news\/former-coinone-employee-arrested-in-bribery-case\">in a bribery case<\/a>.<\/li>\n<li>An American was sentenced to four years in prison for <a href=\"https:\/\/u1f987.com\/en\/news\/american-sentenced-to-four-years-and-three-months-in-prison-for-21m-ico-fraud\">ICO fraud<\/a> involving $21 million.<\/li>\n<li>In Canada, extortionists abducted the bankrupt <a href=\"https:\/\/u1f987.com\/en\/news\/in-canada-the-bankrupt-crypto-king-aiden-pletersky-was-abducted-by-extortionists\">\u201ccrypto king\u201d<\/a>.<\/li>\n<li>A glitch in ChatGPT <a href=\"https:\/\/u1f987.com\/en\/news\/chatgpt-outage-exposed-subscribers-payment-information\">exposed subscribers&#8217; payment information<\/a>.<\/li>\n<li>Do Kwon will appeal the decision to <a href=\"https:\/\/u1f987.com\/en\/news\/do-kwon-to-appeal-montenegro-detention-extension-ruling\">extend his detention<\/a> in Montenegro.<\/li>\n<li>The Kokomo Finance team is suspected of <a href=\"https:\/\/u1f987.com\/en\/news\/kokomo-finance-team-suspected-of-4-million-exit-scam\">an 
exit scam of $4 million<\/a>.<\/li>\n<li>The hacker who breached Euler Finance returned more than <a href=\"https:\/\/u1f987.com\/en\/news\/hacker-behind-euler-finance-breach-returns-more-than-100-million-in-ethereum\">$100 million in Ethereum<\/a>, and later another <a href=\"https:\/\/u1f987.com\/en\/news\/euler-finance-hacker-returns-over-23214-eth-and-10m-in-dai\">$50.5 million in ETH and DAI<\/a>.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read this weekend?<\/strong><\/h2>\n<p>Together with HAPI Labs experts, we examine how \u201cdirty\u201d cryptocurrency becomes \u201cclean\u201d and how AML services should label it going forward.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve gathered the week\u2019s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":76553,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-76552","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"32","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/76552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=76552"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v
2\/posts\/76552\/revisions"}],"predecessor-version":[{"id":76554,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/76552\/revisions\/76554"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/76553"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=76552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=76552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=76552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}