APT38 / BeagleBoyz
North Korea's primary financial cyber unit, responsible for generating hard currency at scale to fund the regime's nuclear and missile programs under international sanctions. Responsible for at least $81 million stolen from Bangladesh Bank in 2016 — stopped only because the Federal Reserve Bank of New York detected anomalies in the transfer instructions before a $1 billion theft was completed. The group has since evolved into the world's most prolific state-sponsored financial cybercriminal operation, stealing an estimated $1.7 billion in cryptocurrency in 2022 alone and accumulating more than $5 billion in stolen digital assets since 2017. The UN Panel of Experts formally identifies these operations as sanctions evasion. US NSA Deputy Director Richard Ledgett's comment upon the Bangladesh attribution remains definitive: "A nation state is robbing banks."
Overview
APT38 / BeagleBoyz is the North Korean state's primary mechanism for generating hard currency in the face of the most comprehensive international sanctions regime ever imposed on a sovereign state. Where other North Korean units conduct espionage (APT37 / ScarCruft) or political disruption (Lazarus Group's destructive operations), APT38's mandate is singular and transactional: steal money at scale, repeatedly, across the global financial system, and convert it into fungible resources for the regime's weapons programs.
This mandate emerged directly from the 2013 round of UN Security Council sanctions that followed North Korea's nuclear tests; those sanctions cut off legitimate hard-currency flows and forced Pyongyang to seek alternative revenue. By 2014, what became APT38 was conducting online reconnaissance of global banking infrastructure. By 2016, it had pulled off the largest cyber bank robbery in history. By 2022, it had become an industrial-scale cryptocurrency theft operation, and TRM Labs attributed approximately 35% of all cryptocurrency stolen worldwide in 2024 to North Korean actors.
The UN Panel of Experts on North Korea has repeatedly documented these operations in its reports as explicit sanctions evasion — revenue that directly funds the DPRK's ballistic missile and weapons of mass destruction programs. Chainalysis researchers noted that in 2020, North Korea's total legitimate exports were approximately $142 million, making crypto theft alone "a sizable chunk of the nation's economy." The US Army estimated that the Bluenoroff (APT38) division comprises approximately 1,700 members — a substantial institutional investment that reflects how central this revenue stream has become to Pyongyang's strategic planning.
APT38's operational style is distinctly different from ordinary cybercrime: CISA's joint advisory characterized the group's operations as "well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities." FireEye / Mandiant documented an average network dwell time of 155 days, and in one case nearly two years inside a victim network before the theft was executed. This patience, combined with the group's willingness to deploy destructive malware after a theft to destroy forensic evidence, marks a program run under state direction with the time horizon and resource base of a government rather than a criminal gang.
The relationship between APT38 and Lazarus Group is a consistent source of confusion. Lazarus Group is the umbrella name for the cyber operations of North Korea's Reconnaissance General Bureau (RGB), a collective designation covering several specialized sub-units. APT38 (BeagleBoyz / Bluenoroff) is the financially motivated sub-unit within that umbrella. The FBI has at times referred to Lazarus Group "also known as APT38" in press releases, while CISA and Mandiant maintain the distinction; when a DPRK-attributed theft is documented, the FBI and DOJ often cite both names. This profile uses APT38 / BeagleBoyz to refer specifically to the financial operations cluster with its distinct methodology of long-dwell SWIFT heists, FASTCash ATM operations, and major cryptocurrency thefts.
The SWIFT Heist Methodology
APT38's SWIFT bank robbery operations are a category of financial cybercrime distinct from ordinary account takeover. Rather than simply breaking into a bank's systems and transferring funds, the group conducts what amounts to a comprehensive institutional study of each target, learning how SWIFT transactions are initiated, approved, and executed within that specific organization before placing a single fraudulent order. FireEye's October 2018 "Un-usual Suspects" report documented the full attack lifecycle in detail.
- Stage 1 — Target Research: Before any intrusion, APT38 conducts extensive open-source and closed-source research on the target institution. This includes understanding the organization's SWIFT membership and transaction patterns, the specific SWIFT software version and configuration in use, the personnel responsible for transaction approval, and the correspondent banking relationships through which funds would flow. The Bangladesh attack began with online reconnaissance of Bangladeshi banking in October 2014 — sixteen months before the February 2016 theft execution.
- Stage 2 — Initial Compromise: Initial access is typically achieved via spear-phishing against bank employees, exploitation of insecure Apache Struts2 web servers, or watering-hole attacks on websites visited by financial sector personnel. The Bangladesh Bank intrusion began with spear-phishing emails sent to employees in February 2015. Malware was installed providing a backdoor communicating over a custom binary protocol designed to look like TLS traffic.
- Stage 3 — Reconnaissance and Credential Harvesting: After gaining initial access, APT38 uses a combination of custom malware and legitimate Windows tools to conduct extensive network reconnaissance — mapping the topology, identifying all systems involved in SWIFT transaction processing, harvesting credentials for SWIFT operator accounts, and understanding the specific workflow of how transactions are approved in the target environment. The group is documented to have spent an average of 155 days in victim networks before any theft attempt.
- Stage 4 — SWIFT Server Targeting: APT38 deploys specialized reconnaissance malware on systems used for SWIFT transaction processing. This provides operators with deep understanding of how SWIFT messages flow through the target's infrastructure — specifically what transaction monitoring and approval steps occur — which is necessary to ensure fraudulent transactions will not be caught before clearing. SWIFT Alliance Access or SWIFT Alliance Gateway software on victim systems is specifically studied and mapped.
- Stage 5 — Fraud Execution: When operators assess conditions are right — typically timed for weekends or holidays to maximize the window before the fraud is detected — fraudulent SWIFT payment orders are submitted. In the Bangladesh Bank case, 35 fraudulent SWIFT transfer requests totaling approximately $951 million were sent to the Federal Reserve Bank of New York on the night of February 4–5, 2016. DYEPACK malware simultaneously modified the SWIFT Alliance database to delete records of the fraudulent transactions from the local database, ensuring that Bangladesh Bank's SWIFT monitoring systems would show no evidence of the unauthorized transfers.
- Stage 6 — Evidence Destruction: After the fraudulent orders are sent, APT38 deploys destructive malware on compromised systems: disk wipers, MBR wipers, or ransomware used as a false flag and distraction, to prevent investigators from recovering malware samples, logs, or other evidence of the intrusion. At Banco de Chile, a wiper crashed thousands of computers and servers simultaneously; the outage was initially reported as an IT failure and later attributed to APT38 as cover for the simultaneous SWIFT fraud.
FASTCash: ATM Cash-Out Operations
Alongside SWIFT heists, APT38 developed a separate capability for ATM-based theft, the FASTCash scheme, which lets the group cash out ATMs in multiple countries in a single coordinated operation. DHS, the FBI and Treasury first documented FASTCash in a joint alert in October 2018; the same month, BankIslami Pakistan reported a $6.1 million loss from a coordinated ATM cash-out across the country.
- How FASTCash Works: APT38 compromises the payment switch that a bank uses to route ATM and point-of-sale authorization requests, typically at smaller regional or national institutions with less mature security than the major global networks. Malware on the switch server intercepts the ISO 8583 authorization request generated when a co-conspirator inserts a mule debit card at an ATM and asks for a large withdrawal. Instead of forwarding the request to the core banking system, the malware answers it with an approval regardless of the account's balance, so the core never sees the transaction and never records a debit. The physical withdrawal then proceeds. Because every approval is forged at the switch, the same set of cards can be used at ATMs in many countries at once, with mule networks in each country withdrawing at the same time.
- FASTCash 2.0: CISA's August 2020 advisory documented an updated FASTCash capability targeting Windows-based payment switches alongside the original Unix/AIX-based targets. The evolution demonstrated APT38's continued investment in this capability and its adaptation to changing payment infrastructure technology.
- Scale: CISA documented FASTCash operations affecting "upwards of 30 countries in a single incident." The coordinated multi-country cash-out approach is specifically designed to maximize the total withdrawal before any financial institution detects the fraud and blocks transactions — each individual country operation may be modest, but collectively they generate tens of millions of dollars in a single night.
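The following is an added example, not code from CISA's advisory or from the malware itself, modelling the mechanism above and the reconciliation a switch operator can run to catch it: every approval the switch issued is matched against the core's own record of what it authorized, and orphaned approvals are then checked for the multi-country, single-window clustering that characterizes a coordinated cash-out. The switch and core are toy functions, the messages are simplified ISO 8583-like dicts, and the PANs, balances, mule list and timestamps are all constructed.

```python
"""Constructed model of a FASTCash-style ATM cash-out through a compromised
payment switch, and the switch-vs-core reconciliation that exposes it.
Added example, not code from any advisory; the message layout is a
simplified ISO 8583-like dict, not a real switch protocol."""
from datetime import datetime, timedelta

APPROVED, INSUFFICIENT = "00", "51"  # ISO 8583 field 39 response codes

# Constructed core-banking balances (PAN -> available funds, USD) and the
# cards held by the attacker's mules; both are assumptions for the example.
START_BALANCES = {"4000000000000001": 120.0,
                  "4000000000000002": 5.0,
                  "4000000000000003": 0.0}
MULE_PANS = {"4000000000000002", "4000000000000003"}

class Core:
    """Honest core-banking system: approves only if funds are available and
    keeps its own log of every decision it was asked to make."""
    def __init__(self):
        self.balances = dict(START_BALANCES)
        self.log = []  # (STAN = field 11 trace number, response code)

    def authorize(self, req):
        rc = APPROVED if self.balances.get(req["pan"], 0.0) >= req["amount"] else INSUFFICIENT
        if rc == APPROVED:
            self.balances[req["pan"]] -= req["amount"]
        self.log.append((req["stan"], rc))
        return rc

def switch_clean(req, core):
    """Uncompromised switch: every 0200 authorization request goes to the core."""
    return core.authorize(req)

def switch_fastcash(req, core):
    """Switch with a FASTCash-style hook: requests from mule PANs get an
    approved response without ever reaching the core; all others pass through."""
    if req["pan"] in MULE_PANS:
        return APPROVED
    return core.authorize(req)

def detect_cashout(switch_log, core_log, window=timedelta(minutes=10), min_countries=2):
    """Reconcile switch-side approvals against core-side decisions.
    Returns (approvals the core never granted, whether those approvals span
    at least min_countries inside one time window, i.e. the coordinated pattern)."""
    core_ok = {stan for stan, rc in core_log if rc == APPROVED}
    orphans = sorted((r for r in switch_log if r["rc"] == APPROVED and r["stan"] not in core_ok),
                     key=lambda r: r["time"])
    clustered = False
    for i, first in enumerate(orphans):
        countries = {o["country"] for o in orphans[i:] if o["time"] - first["time"] <= window}
        if len(countries) >= min_countries:
            clustered = True
            break
    return orphans, clustered

def run(switch):
    """Push a constructed weekend-night burst of withdrawals through a switch
    and reconcile. Returns (number of orphaned approvals, clustered flag)."""
    core = Core()
    t0 = datetime(2024, 1, 6, 2, 0)  # Saturday 02:00, constructed timestamp
    requests = [
        {"stan": "000101", "pan": "4000000000000001", "amount": 100.0, "country": "PK", "time": t0},
        {"stan": "000102", "pan": "4000000000000002", "amount": 500.0, "country": "PK", "time": t0 + timedelta(minutes=1)},
        {"stan": "000103", "pan": "4000000000000003", "amount": 500.0, "country": "IN", "time": t0 + timedelta(minutes=2)},
        {"stan": "000104", "pan": "4000000000000003", "amount": 500.0, "country": "US", "time": t0 + timedelta(minutes=3)},
    ]
    switch_log = [{**req, "rc": switch(req, core)} for req in requests]
    orphans, clustered = detect_cashout(switch_log, core.log)
    return len(orphans), clustered

if __name__ == "__main__":
    print("clean switch:   ", run(switch_clean))      # (0, False)
    print("FASTCash switch:", run(switch_fastcash))   # (3, True)
```

The check works because the two logs are produced by different systems: the attacker controls the switch's responses but not the core's record of what it was asked. In production the comparison runs on the switch's outbound response log and the core's authorization journal, and the country field comes from the acquirer identifier on the request rather than a hard-coded label.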
The Cryptocurrency Evolution
As the SWIFT security community hardened its defenses following the Bangladesh Bank heist and subsequent operations, and as the global cryptocurrency market grew to represent trillions of dollars in value, APT38 systematically redirected its financial theft operations toward cryptocurrency — an environment with fewer legal safeguards, less regulatory oversight, faster settlement, and significantly higher individual target values than traditional banking.
- Phase 1 — Exchange Targeting (2017–2021): APT38 initially targeted cryptocurrency exchanges directly — compromising exchange employee accounts, depleting exchange hot wallets, and exploiting exchange platform vulnerabilities. These operations targeted exchanges in South Korea, Japan, and globally. The 2018 campaigns produced multiple documented exchange compromises yielding tens of millions per operation.
- Phase 2 — DeFi Bridge Exploitation (2021–2023): APT38 identified cross-chain bridges, systems that move cryptocurrency between blockchain networks, as high-value, high-exposure targets. Bridges lock large quantities of assets in smart contracts and release them on the strength of a small set of validator or multisig signatures, so whoever controls enough of those keys can drain the locked funds in a single transaction. Both the Ronin Network bridge hack in March 2022 ($625 million) and the Harmony Horizon bridge hack in June 2022 ($100 million) were executed with compromised signing keys rather than through a bug in contract code. The Ronin intrusion began with a fake LinkedIn job offer to a senior Axie Infinity engineer: social engineering to gain a foothold, followed by theft of validator keys.
- Phase 3 — Centralized Custodian Targeting (2023–2025): As bridge security improved, APT38 shifted toward centralized exchanges, payment processors and wallet providers, using more sophisticated social engineering and supply chain approaches. The 2023 cluster, Atomic Wallet ($100 million), Alphapo ($60 million), CoinsPaid ($37 million) and Stake.com ($41 million), all within a three-month window, was attributed by the FBI to the same operational cluster. The February 2025 Bybit hack ($1.5 billion, the largest single cryptocurrency theft in history) was attributed to the same North Korean cluster and executed by compromising Bybit's multi-signature wallet workflow through a supply chain attack on Safe{Wallet}.
- Money Laundering Infrastructure: Stolen cryptocurrency does not immediately become spendable fiat currency. APT38 maintains sophisticated cryptocurrency laundering operations — using mixing services (Tornado Cash, RAILGUN, Sinbad), chain-hopping across multiple blockchain networks, converting to privacy coins, and using peer-to-peer trading services and unregulated exchanges to convert crypto to cash. The January 2023 use of RAILGUN to launder $60 million in Ethereum stolen from Harmony was specifically documented by the FBI. Chainalysis has tracked these laundering flows and documented that North Korean actors continued to diversify their mixing service usage as individual services were sanctioned or shut down.
Major Operations
- Bangladesh Bank (February 2016): The defining APT38 operation and the event that brought the group to global attention. Reconnaissance began in October 2014. The first phishing emails targeting Bangladesh Bank employees were sent in February 2015, a full year before the theft. Over that year, APT38 gained access to the SWIFT Alliance system, studied transaction approval workflows, and deployed DYEPACK to intercept and delete transaction records. On February 4–5, 2016, 35 fraudulent SWIFT transfer instructions were submitted to the Federal Reserve Bank of New York requesting transfers totaling approximately $951 million from Bangladesh Bank's account. 30 of the 35 were blocked when the Federal Reserve queried the unusual volume and the routing through Rizal Commercial Banking Corporation in the Philippines, a bank with no correspondent relationship with Bangladesh Bank. Five instructions totaling $101 million cleared: $20 million to a Sri Lankan entity (subsequently recovered) and $81 million to Philippine accounts, most of it laundered through casinos in the Philippines and onward through junket operators. The unrecovered $81 million remains the largest loss from an attempt to steal nearly one billion dollars in a single night. NSA Deputy Director Richard Ledgett's remark on the attribution, "A nation state is robbing banks," was the first public acknowledgement by a US official that a state had carried out the heist.
- Far Eastern International Bank, Taiwan (October 2017): Fraudulent SWIFT transfers of approximately $60 million were sent from FEIB and routed to accounts in Sri Lanka, Cambodia, and the United States. Following the theft, APT38 deployed the Hermes ransomware on FEIB's network; the incident was initially read as a ransomware attack before investigators connected it to the APT38 modus operandi. Hermes had been associated with the WannaCry attribution to North Korea, and its deployment was later assessed as either a deliberate false flag to implicate a different actor or destructive malware intended to prevent forensic recovery of theft evidence. Most of the $60 million was recovered after international law enforcement coordination.
- Banco de Chile (May 2018): APT38 executed a SWIFT fraud of about $10 million while simultaneously deploying KillDisk disk-wiping malware across Banco de Chile's network, crashing thousands of computers and servers. The wiper was initially reported as a large-scale IT failure and diverted the bank's incident response toward recovery while the SWIFT fraud completed. This pairing of theft with a destructive distraction is a documented APT38 pattern and an evolution from Bangladesh, where the wiper served purely as post-theft evidence destruction.
- Ronin Network (March 2022): The largest DeFi exploit in history at the time, and one of the largest cryptocurrency thefts ever. APT38 obtained the keys of five of the nine Ronin validator nodes, the set that approves bridge withdrawals, after first social-engineering a senior Axie Infinity engineer with a fake LinkedIn job offer, gaining access to the engineer's system, and using that foothold to reach validator private keys. With five of nine signatures, APT38 had enough approval authority to forge large withdrawals. The theft went unnoticed for six days. The US Treasury and FBI attributed the operation to the Lazarus Group and APT38; Treasury subsequently sanctioned the Tornado Cash mixer that APT38 used to launder part of the proceeds.
- Harmony Horizon Bridge (June 2022): APT38 abused the Horizon bridge's MultiSigWallet contract, which released funds on the approval of only two of its five authorized signers. By compromising the private keys of two signers (reportedly through social engineering of Harmony team members), APT38 could authorize withdrawals that drained the bridge; no flaw in the contract code was needed. The FBI confirmed the attribution in January 2023, noting that the group used RAILGUN, a crypto privacy protocol, to launder approximately $60 million in Ethereum stolen in this operation. RAILGUN uses zero-knowledge proofs to obscure transaction origins, making blockchain analytics-based tracing significantly harder.
- Bybit (February 2025): The largest single cryptocurrency theft on record. APT38 compromised Safe{Wallet}, a widely used multi-signature wallet interface, through a targeted social engineering attack on a Safe{Wallet} developer's workstation in early February. After establishing access via a malicious application delivered through a social engineering lure, APT38 used stolen AWS session tokens to reach Safe{Wallet}'s cloud environment, surveyed its infrastructure, and injected malicious JavaScript into the statically hosted frontend. The injected code detected Bybit's transactions and modified them at the moment of signing, substituting attacker-controlled destinations while the interface still displayed a legitimate-looking transaction to Bybit's approvers. On February 21, 2025, when Bybit employees authorized what appeared to be a routine cold-to-warm wallet transfer, approximately 401,000 ETH valued at $1.5 billion was drained to attacker-controlled addresses. The malicious code was removed from Safe{Wallet}'s site within minutes of the theft completing. The FBI attributed the operation to North Korea's TraderTraitor / APT38 cluster on February 26, 2025. Within 48 hours at least $160 million had been laundered across multiple chains. The operation shows APT38's progression from direct exchange attacks to supply chain compromise of trusted financial infrastructure, and it mirrors the DYEPACK approach: manipulate the environment that legitimate transactions pass through so that the fraud is indistinguishable from authorized activity at every point the victim can observe.
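The following is an added example (not Safe{Wallet} or Bybit code) modelling the substitution described above and the check that defeats it: the approver recomputes the hash of the transaction they intend on an isolated machine and compares it with the hash the signing device displays, rather than trusting what the web page renders. A sha256 digest over a canonical field encoding stands in for the EIP-712 keccak256 SafeTx hash that a real Safe signer sees; the addresses, amounts and nonce are constructed.

```python
"""Constructed model of signing-time payload substitution and of an
independent hash check. Added example, not code from Safe{Wallet} or Bybit.
sha256 over a canonical JSON encoding stands in for the EIP-712 keccak256
SafeTx hash; all addresses, amounts and nonces below are made up."""
import hashlib
import json

# Fields that determine what a Safe transaction does; the hash covers these.
SIGNED_FIELDS = ("safe", "to", "value", "data", "operation", "nonce")

# Constructed addresses.
VICTIM_SAFE = "0x5afe000000000000000000000000000000000001"
WARM_WALLET = "0x0000000000000000000000000000000000000002"
ATTACKER    = "0xbad0000000000000000000000000000000000003"

INTENDED_TX = {"safe": VICTIM_SAFE, "to": WARM_WALLET,
               "value": 1_000 * 10**18,   # 1,000 ETH in wei, constructed
               "data": "0x", "operation": 0, "nonce": 42}

def tx_hash(tx):
    """Digest of exactly the signed fields, in a fixed order (stand-in for safeTxHash)."""
    body = json.dumps({k: tx[k] for k in SIGNED_FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def frontend_render(tx, compromised):
    """What the web UI shows, and what it actually hands to the signer.
    The injected script in the incident recognised the victim's Safe and swapped
    the payload while the page kept displaying the intended transfer."""
    shown, handed_to_signer = dict(tx), dict(tx)
    if compromised and tx["safe"] == VICTIM_SAFE:
        handed_to_signer["to"] = ATTACKER
    return shown, handed_to_signer

def device_display(payload):
    """A hardware signer hashes what it is actually asked to sign and shows
    that hash; unlike the web page, it is outside the attacker's reach."""
    return tx_hash(payload)

def naive_approve(tx, compromised):
    """Approver who trusts the page: signs if the rendered transaction looks
    right. Returns the destination that actually gets signed."""
    shown, payload = frontend_render(tx, compromised)
    return payload["to"] if shown == tx else None

def verified_approve(tx, compromised):
    """Approver who recomputes the hash from their own copy of the intended
    transaction on an isolated machine and compares it with the device display.
    Returns a dict so the caller can see why signing was refused."""
    shown, payload = frontend_render(tx, compromised)
    expected = tx_hash(tx)
    on_device = device_display(payload)
    return {"page_looks_right": shown == tx,
            "device_hash_matches": on_device == expected,
            "sign": on_device == expected}

if __name__ == "__main__":
    print(naive_approve(INTENDED_TX, compromised=True))      # attacker address
    print(verified_approve(INTENDED_TX, compromised=True))   # page ok, hash mismatch, sign False
```

The point is the separation of trust: the page and its approval dialog belong to whoever controls the frontend, while the device display and the approver's own computation do not. For a real Safe the comparison is against the safeTxHash shown on the hardware wallet, recomputed from the intended parameters with tooling that never loads the web frontend.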
Tactics, Techniques & Procedures
| mitre id | technique | description |
|---|---|---|
| T1195.002 | Supply Chain Compromise — Software Infrastructure | The February 21, 2025 Bybit hack demonstrated APT38's evolution to supply chain compromise of trusted financial software infrastructure. A Safe{Wallet} developer's workstation was compromised via social engineering in early February. APT38 used stolen AWS session tokens to access Safe{Wallet}'s cloud environment, then injected malicious JavaScript into Safe{Wallet}'s statically hosted frontend — code specifically designed to detect Bybit transactions and replace legitimate destination addresses with attacker-controlled addresses at the moment of signing. Bybit's approval team saw a legitimate-looking transaction while unknowingly authorizing the drain of $1.5 billion. The malicious script was scrubbed within minutes of the theft completing. This mirrors the DYEPACK approach of the SWIFT era: rather than forcing fraudulent transactions through, modify the environment that legitimate transactions operate within so that the fraud is indistinguishable from authorized activity at every observable point. |
| T1566.002 | Spear-Phishing — Financial Employee Targeting | APT38 uses precisely-crafted spear-phishing targeting financial sector employees — particularly SWIFT system operators, cryptocurrency exchange engineers, and blockchain developer personnel at DeFi projects. The Ronin Network hack was initiated via a fake LinkedIn job offer to a senior engineer. The FASTCash operations used email-based social engineering to establish initial access to payment switch environments. LinkedIn and email impersonation targeting individuals with specific technical access is a consistent documented pattern. The targeting of individual engineers — rather than generic employees — reflects the group's operational intelligence about who has access to the specific systems it needs to reach. |
| T1190 | Exploit Public-Facing Application — Apache Struts2 | FireEye documented APT38's consistent exploitation of insecure Apache Struts2 installations for initial access to financial institution networks. Apache Struts2 vulnerabilities have provided remote code execution capability on web servers, which serve as initial access points from which the group pivots deeper into target networks. This reflects APT38's preference for direct server exploitation as an alternative to phishing — particularly useful when the target organization has email security controls that reduce phishing success rates. |
| T1005 | Data from Local System — SWIFT Transaction Mapping | After reaching SWIFT-connected systems, APT38 conducts systematic collection of SWIFT transaction data — studying how the target organization's specific SWIFT deployment processes, approves, and logs transactions. This intelligence is essential for designing fraudulent SWIFT messages that will pass the target's specific internal validation checks and for ensuring the DYEPACK evidence-erasure malware targets the correct database tables and fields. The average 155-day dwell time is largely attributable to this intelligence collection phase — the group does not rush to execute theft until it has comprehensive understanding of the target's transaction workflow. |
| T1485 | Data Destruction — Post-Theft Evidence Destruction | APT38's signature post-theft behavior: deploying destructive malware after a successful financial operation to destroy forensic evidence and complicate attribution. Documented examples include Hermes ransomware on Far Eastern International Bank's network, KillDisk on Banco de Chile's network, and BOOTWRECK (an MBR wiper) documented in FireEye's technical report. The post-theft wiper serves dual purposes: destroying evidence of how the intrusion was conducted (preventing defenders from closing the specific vulnerabilities exploited) and, in the Banco de Chile case, actively distracting incident responders by creating a simultaneous crisis that demands immediate attention. |
| T1036 | Masquerading — False Flag Malware Deployment | APT38 has used false flag techniques to misdirect attribution. Documented examples include incorrectly configured Hermes ransomware (associated with a different threat actor), NachoCheese malware with "poorly translated Russian-language strings" added, and the DarkComet backdoor phoning home to a legitimate African bank's server. These techniques reflect the group's operational security awareness and its effort to attribute attacks to criminal actors or other nation-state groups rather than allowing direct attribution to North Korea — buying time before sanctions or defensive countermeasures are implemented. |
| T1565.001 | Data Manipulation — Stored Data Manipulation (DYEPACK SWIFT Database Tampering) | DYEPACK is APT38's signature SWIFT-specific erasure tool. It monitors the SWIFT Alliance Access database, the local database recording every message the victim institution sends and receives, and issues SQL DELETE statements for the rows belonging to the fraudulent orders submitted by APT38 operators. The institution's own transaction monitoring therefore sees only legitimate traffic and holds no local record of the fraudulent transfer instructions. DYEPACK.FOX adds manipulation of the PDF representations of SWIFT confirmations, so printed or PDF-based reports also show nothing. |
| (no ATT&CK mapping) | Cryptocurrency Laundering — Mixing, Chain-Hopping, Privacy Protocols | Laundering is financial tradecraft that sits outside the ATT&CK intrusion model and carries no technique ID. Stolen cryptocurrency is moved through a multi-stage process using privacy protocols, cross-chain bridges, and mixing services. The FBI documented APT38's use of RAILGUN (a zero-knowledge-proof privacy protocol) to launder $60 million in Ethereum from the Harmony heist. Tornado Cash was used for Ronin Network proceeds before being sanctioned by the US Treasury; after those sanctions APT38 diversified to Sinbad and other mixers. Chain-hopping (converting ETH to BTC, mixing, then converting to other assets) is a standard part of the chain, designed to break the trail that analytics firms such as Chainalysis and TRM Labs use to track stolen funds. |
DOJ Indictments
Three North Korean nationals have been indicted in US federal courts for APT38 / Lazarus Group activities. None are in US custody; North Korea has no extradition arrangement with the United States.
- Park Jin Hyok (indicted September 2018): The first North Korean hacker individually charged by US federal prosecutors. Charged in the Central District of California with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Specifically implicated in the Bangladesh Bank heist, the Sony Pictures attack (2014), and the WannaCry ransomware (2017). Park worked for Chosun Expo Joint Venture, a Dalian-based North Korean front company that the FBI's criminal complaint identified as a cover for RGB cyber operators posted abroad.
- Jon Chang Hyok (indicted February 2021): Charged alongside Kim Il in an expanded superseding indictment covering the full range of Lazarus Group / APT38 operations. Jon Chang Hyok is described as a member of an RGB unit and implicated in multiple bank heist operations, the FASTCash scheme, WannaCry, and the development and distribution of malicious cryptocurrency applications designed to steal private keys and credentials from users of legitimate-seeming crypto wallets.
- Kim Il (indicted February 2021): The third named defendant, also an RGB unit member charged alongside Jon Chang Hyok. Kim Il is specifically implicated in the development of malicious cryptocurrency applications including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale — fake trading applications designed to backdoor users' systems while appearing to provide legitimate cryptocurrency trading functionality. This application-based approach to crypto theft became a documented APT38 / TraderTraitor capability pattern.
Tools & Malware
- DYEPACK / DYEPACK.FOX: APT38's most operationally distinctive malware — a SWIFT Alliance database manipulation tool that monitors the local SQL database and deletes rows corresponding to fraudulent transactions, preventing the victim institution from detecting the theft through its own monitoring systems. DYEPACK.FOX extends this capability to PDF manipulation, altering printed SWIFT statement representations. Used specifically in the Bangladesh Bank operation and in other documented SWIFT heist campaigns.
- BOOTWRECK: An MBR wiper used for post-theft evidence destruction. Overwrites the master boot record of compromised systems, preventing boot and destroying forensic evidence on affected machines. Part of APT38's standard post-heist evidence destruction toolkit.
- HERMES: A ransomware toolkit deployed at Far Eastern International Bank following the 2017 theft as both an evidence destroyer and a false-flag to misdirect attribution. Hermes had previously been associated with different threat actors, making its deployment an attribution complication technique.
- HOPLIGHT: A proxy application documented in the CISA FASTCash 2.0 advisory, used to mask the true source of network traffic in APT38 operations — supporting operational security during both intrusion and theft execution phases.
- ELECTRICFISH: A tunneling tool that creates an encrypted tunnel between two IP addresses, providing a covert communication channel for APT38 operators within compromised financial institution networks.
- FASTCash Malware (AIX / Windows variants): Custom malware targeting interbank payment switch servers. The AIX variant targets Unix-based ATM payment switches; the Windows FASTCash variant (documented in the CISA FASTCash 2.0 advisory) targets Windows-based payment switch infrastructure. Both variants intercept ATM authorization requests and approve fraudulent withdrawals without recording them in legitimate transaction logs.
- TraderTraitor Malicious Crypto Applications: A family of fake cryptocurrency trading applications and developer tools designed to backdoor users' systems while providing apparently functional trading interfaces. The 2021 DOJ indictment documented nine specific applications: Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale. More recent TraderTraitor operations have targeted DeFi developers through fake job offers involving malicious npm packages or repository compromises.
- CROWDEDFLOUNDER, VIVACIOUSGIFT, ECCENTRICBANDWAGON: Malware families documented in the CISA FASTCash 2.0 advisory (August 2020) with associated malware analysis reports (MARs) from US-CERT. VIVACIOUSGIFT is a proxy tool; CROWDEDFLOUNDER and ECCENTRICBANDWAGON provide C2 and backdoor functionality for APT38's banking intrusion operations.
Indicators of Compromise
IOCs from CISA FASTCash 2.0 advisory (AA20-239A, August 2020), US-CERT Malware Analysis Reports for CROWDEDFLOUNDER / ECCENTRICBANDWAGON / ELECTRICFISH / FASTCash / HOPLIGHT / VIVACIOUSGIFT, and FBI cryptocurrency tracking notices. Full malware sample hashes and network IOCs are in each CISA MAR linked in the sources section.
APT38 deliberately deploys false-flag malware and adds misleading attribution indicators (non-native language strings, misattributed ransomware, DarkComet backdoors phoning home to unrelated servers) to complicate attribution. Investigators who identify Hermes ransomware or NachoCheese malware with Russian-language strings should not conclude the operation is a criminal or Russian state actor — these are documented APT38 deliberate misdirection techniques. Correlate TTPs, targeting patterns, and SWIFT transaction anomalies rather than relying solely on malware family identification for attribution.
Mitigation & Defense
APT38 remains highly active and continues to evolve — from SWIFT heists to FASTCash ATM operations to DeFi bridge exploitation to supply chain compromise of financial infrastructure providers. The financial sector faces an adversary with the patience to spend months or years inside a network before executing, the technical depth to understand specific SWIFT configurations and blockchain architectures, and the institutional backing to maintain operations continuously regardless of individual campaign failures.
- Out-of-Band SWIFT Transaction Verification — Critical: DYEPACK's core capability is defeating local detection by editing the local SWIFT message database. The one control it cannot defeat is independent reconciliation of local records against what the SWIFT network itself saw. Implement automated daily reconciliation that compares the locally stored message log with records obtained out of band from SWIFT (its Daily Validation Reports were introduced for exactly this purpose after the Bangladesh heist) and with correspondent bank statements; any message present on the network side but absent locally is a security incident, not a logging discrepancy. The Bangladesh Bank fraud was caught because the Federal Reserve Bank of New York questioned anomalies in the instructions it received, not because Bangladesh Bank detected the DYEPACK manipulation.
- Mandatory Callback Verification for Large Transfers: Implement mandatory voice callback verification — using known, pre-established phone numbers rather than contact information provided in the transfer request — for any high-value SWIFT transfer, particularly to new beneficiaries or unusual correspondent banks. This simple procedural control provides an out-of-band verification step that DYEPACK cannot defeat regardless of how completely it controls the digital transaction environment.
- SWIFT Security Framework Compliance: SWIFT issued the Customer Security Programme (CSP) following the Bangladesh Bank heist — mandatory security controls for all SWIFT member institutions. Financial institutions should review compliance with all mandatory CSP controls, including segregation of SWIFT infrastructure from general corporate networks, multi-factor authentication for all SWIFT operator accounts, and implementation of SWIFT's anomaly detection tools. The SWIFT Alliance Portal provides network-side transaction monitoring that is independent of local infrastructure and cannot be manipulated by DYEPACK.
- ATM Payment Switch Security: CISA's FASTCash advisory documents that APT38 targets interbank payment switch servers — specifically smaller regional payment processors with less mature security than global networks. Payment switch operators should segment switch infrastructure from general corporate networks, deploy integrity monitoring on switch software to detect the modifications that FASTCash requires, and tune anomaly detection specifically to catch simultaneous high-volume approvals from accounts with insufficient funds across multiple ATMs.
- Cryptocurrency Exchange and DeFi Security: APT38's crypto heists have consistently exploited private key management weaknesses — through social engineering of key custodians, supply chain compromise of wallet infrastructure, and smart contract vulnerabilities. Implement hardware security modules (HSMs) for all hot wallet private keys, require multi-party computation (MPC) or hardware key signing for all large transactions, conduct regular security audits of smart contract code for bridge and DeFi protocols, and maintain strict operational security for personnel with access to high-value signing keys. The fake job offer that enabled the Ronin Network hack succeeded because the target engineer opened a malicious PDF from what appeared to be a legitimate recruiter — user security awareness training for engineers with cryptographic key access is specifically relevant.
- Long Dwell Time Detection — Threat Hunting: APT38's average 155-day network dwell time means that standard incident detection approaches — waiting for an obvious attack signature — will systematically miss the pre-theft phase. Proactive threat hunting specifically looking for the reconnaissance patterns described in CISA's FASTCash advisory (network enumeration, SWIFT-adjacent credential access, timestomping of malware files to match legitimate timestamps) can detect APT38 activity before the theft execution phase. Engagement with FS-ISAC and SWIFT's ISAC for threat intelligence sharing on current APT38 indicators is a documented best practice in the CISA advisory.
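One way to implement the daily out-of-band reconciliation from the first item above, as an added example that is not part of the original profile: it parses constructed local and network-side exports (a simplified `ref,amount,currency,beneficiary` layout assumed here, not SWIFT's own message format) and reports exactly the discrepancies DYEPACK-style tampering produces, records missing from the local database or present locally with altered fields.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample exports (not real SWIFT data). Assumed layout:
# ref,amount,currency,beneficiary. NETWORK is what the SWIFT portal reports;
# LOCAL is the institution's own database, the thing DYEPACK-style malware edits.
NETWORK_RECORDS = """\
TXN-001,20000.00,USD,ACCT-A
TXN-002,81000000.00,USD,ACCT-B
TXN-003,6000000.00,USD,ACCT-C
"""
LOCAL_RECORDS = """\
TXN-001,20000.00,USD,ACCT-A
TXN-002,8100.00,USD,ACCT-B
"""


@dataclass(frozen=True)
class Txn:
    ref: str
    amount: Decimal
    currency: str
    beneficiary: str


def parse_records(text):
    """Parse one export into a dict keyed by transaction reference."""
    records = {}
    for line in text.strip().splitlines():
        ref, amount, currency, bene = (p.strip() for p in line.split(","))
        records[ref] = Txn(ref, Decimal(amount), currency, bene)
    return records


def reconcile(local, network):
    """Compare local records with the network's; every finding is an incident.
    MISSING_LOCALLY: the network executed it but the local DB has no trace
    (a suppressed or deleted confirmation). MODIFIED: same reference, but a
    field differs (amount or beneficiary rewritten locally).
    MISSING_ON_NETWORK: local-only entry, also worth investigating."""
    findings = [("MISSING_LOCALLY", r) for r in network.keys() - local.keys()]
    findings += [("MISSING_ON_NETWORK", r) for r in local.keys() - network.keys()]
    findings += [("MODIFIED", r) for r in local.keys() & network.keys()
                 if local[r] != network[r]]
    return sorted(findings)


def daily_reconciliation():
    """Run the check on the constructed exports; a non-empty result is an incident."""
    return reconcile(parse_records(LOCAL_RECORDS), parse_records(NETWORK_RECORDS))


if __name__ == "__main__":
    for kind, ref in daily_reconciliation():
        print(f"INCIDENT {kind}: {ref}")
```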
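The anomaly rule from the ATM payment switch item above, as an added example not taken from the CISA advisory: it runs over constructed switch log lines (an assumed key=value layout; response codes follow the ISO 8583 convention, 00 approved, 51 insufficient funds) and alerts when approvals exceeding the account's known balance hit several distinct ATMs within a short window.

```python
from datetime import datetime

# Constructed switch log (not real switch output). Assumed key=value layout;
# resp uses ISO 8583 response codes: 00 = approved, 51 = insufficient funds.
SAMPLE_LOG = """\
2020-08-26T02:00:01Z atm=ATM-0412 acct=A001 amount=500.00 balance=12.50 resp=00
2020-08-26T02:00:03Z atm=ATM-0977 acct=A001 amount=500.00 balance=12.50 resp=00
2020-08-26T02:00:04Z atm=ATM-0088 acct=A002 amount=400.00 balance=0.00 resp=00
2020-08-26T02:00:05Z atm=ATM-0412 acct=A003 amount=100.00 balance=950.00 resp=00
2020-08-26T02:00:07Z atm=ATM-1202 acct=A002 amount=400.00 balance=0.00 resp=51
"""


def parse_line(line):
    """Turn one log line into a dict with typed fields."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "atm": rec["atm"], "acct": rec["acct"],
        "amount": float(rec["amount"]), "balance": float(rec["balance"]),
        "resp": rec["resp"],
    }


def find_fastcash_anomalies(log_text, window_seconds=60, min_atms=2):
    """An approval whose amount exceeds the account's known balance is the
    primary signal (a legitimate core system would have declined with 51).
    One such event may be a data glitch; several across distinct ATMs inside
    the window is the coordinated cash-out pattern, so that raises the alert."""
    over_balance = [
        r for r in map(parse_line, log_text.strip().splitlines())
        if r["resp"] == "00" and r["amount"] > r["balance"]
    ]
    over_balance.sort(key=lambda r: r["ts"])
    max_atms = 0
    for i, start in enumerate(over_balance):  # sliding window over suspicious approvals
        atms = {r["atm"] for r in over_balance[i:]
                if (r["ts"] - start["ts"]).total_seconds() <= window_seconds}
        max_atms = max(max_atms, len(atms))
    return {
        "approvals": [(r["ts"].isoformat(), r["atm"], r["acct"]) for r in over_balance],
        "max_atms_in_window": max_atms,
        "alert": max_atms >= min_atms,
    }


if __name__ == "__main__":
    print(find_fastcash_anomalies(SAMPLE_LOG))
```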
APT38's financial trajectory from 2014 to 2025 describes the construction of what analysts at 38 North have called a "shadow national treasury." The accumulated stolen cryptocurrency — estimated by TRM Labs at over $5 billion since 2017 — represents sovereign wealth that sits outside the dollar-denominated international financial system, is difficult to freeze, and can be moved at the speed of transactions. If you convert documented North Korean cryptocurrency theft into notional holdings, some analysts suggest Pyongyang could rank among the largest state-level holders of Bitcoin globally, behind only the US and China. This is not a hacking group motivated by financial gain in the conventional sense — it is a state weapons program's finance function. APT38 exists to solve a specific problem: the 2013 sanctions removed North Korea's access to hard currency for weapons development. APT38 is the solution. As long as that problem exists — as long as North Korea pursues nuclear weapons and the international community maintains sanctions — this operation will continue, will continue to escalate, and will continue to evolve to wherever financial value is most accessible. The February 2025 Bybit hack at $1.5 billion — the largest single cryptocurrency theft in history — was not an outlier. It was a data point on a trend line.
Sources & Further Reading
Primary government documents, vendor research, and indictments used to build this profile.
- CISA/Treasury/FBI/USCYBERCOM — FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks, AA20-239A (August 2020) — primary technical reference for FASTCash operations and BeagleBoyz methodology
- MITRE ATT&CK — Group G0082: APT38
- FireEye / Mandiant — APT38: Un-usual Suspects (October 2018) — foundational report documenting SWIFT heist methodology and 155-day average dwell time
- FBI / IC3 — North Korea Responsible for $1.5 Billion Bybit Hack, PSA250226 (February 26, 2025) — formal FBI TraderTraitor attribution of Bybit theft
- Chainalysis — Collaboration in the Wake of Record-Breaking Bybit Theft (February 2025) — blockchain analytics on laundering chain and DPRK attribution evidence
- DOJ — North Korean Regime-Backed Programmer Charged: Park Jin Hyok Indictment (September 6, 2018)
- FBI — Lazarus Group / APT38 Responsible for Harmony Horizon Bridge Theft (January 2023)
- FBI — DPRK TraderTraitor (APT38) Cryptocurrency Theft Identification (August 2023)
- TRM Labs — The Bybit Hack: North Korea's Largest Exploit ($1.5B, February 2025)
- 38 North — From Digital Kleptocracy to Rogue Crypto-Superpower (January 2026)
- Wikipedia — Bangladesh Bank Robbery (comprehensive timeline and aftermath)