The North Korean state-sponsored threat actor tracked as Nickel Tapestry has been linked to fake crowdfunding activity, showing that its revenue generation extends beyond the fraudulent IT worker operations (run both by individuals and through front companies) that help North Korea evade sanctions and fund its weapons program.
According to a recent joint advisory from the US, Japan, and the Republic of Korea, North Korean hackers stole around $660 million in cryptocurrency in 2024. DPRK’s hackers were behind at least five cryptocurrency heists last year, including the $308 million DMM Bitcoin theft, the $50 million Upbit heist, the theft of $16.13 million from Rain Management, $235 million from WazirX, and $50 million from Radiant Capital.
Secureworks’ investigation revealed that Nickel Tapestry orchestrated a scam on the IndieGoGo crowdfunding platform in 2016, promoting a portable wireless memory device called ‘Kratos.’ While the campaign garnered around $20,000 from backers, complaints from supporters indicate that they received neither the product nor any refund.
The scam marks an early example of North Korean actors experimenting with different methods of generating illicit revenue, including the use of fraudulent crowdfunding campaigns. This activity follows a pattern that has evolved over time, with North Korean threat actors increasingly engaging in cybercrime as a way to bypass international sanctions.
In 2018, two companies, China-based Yanbian Silverstar Network Technology Co and Russia-based Volasys Silver Star, were designated by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) for violating sanctions. These companies served as fronts that facilitated the employment of North Korean IT workers living abroad, whose earnings were funneled back to the North Korean regime. According to a 2023 affidavit filed by the FBI, accounts linked to freelancers from Yanbian Silverstar were accessed from an IP address geolocated in Jilin, China, further substantiating claims that North Korean operatives were working from overseas locations.
Further investigation by CTU researchers uncovered a domain name tied to these front companies, which had been used as a platform for North Korean IT workers to find freelance jobs. In 2024, this domain was seized, and the registrant email, linked to a persona named Jin Maolin, was publicly exposed in the WHOIS data.
Among the seized domains was kratosmemory.com, the same site connected to the fraudulent crowdfunding campaign. CTU’s research revealed that the domain had been updated with new registrant details in mid-2016 to reflect the persona Dan Moulding. This name matches the IndieGoGo profile for the Kratos scam. Notably, this persona was not seen in connection with any other domains, suggesting that the identity was likely fabricated for the sole purpose of executing this scheme.
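The attribution described above rests on an infrastructure pivot: domains are linked when their historical WHOIS records share a registrant identity, and a persona that appears on only one domain is a signal of a single-purpose fabricated identity. The following script is an added example (not Secureworks’ tooling and not from the original article) that performs that pivot over a constructed set of WHOIS history records; all domains, persona names and e-mail addresses in it are placeholders. It also shows why the history matters: pivoting on the current record alone misses a domain whose registrant was later swapped to a fresh persona, and privacy-proxy values must be excluded so that they do not join unrelated domains.

```python
"""Cluster domains by shared historical WHOIS registrant data (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    observed: str            # date the record was captured, YYYY-MM-DD
    registrant_name: str
    registrant_email: str


# Constructed sample history. Personas, addresses and domains are placeholders.
RECORDS = [
    WhoisRecord("freelance-jobs.example", "2015-03-01", "Persona A", "persona-a@mail.example"),
    WhoisRecord("freelance-jobs.example", "2024-01-15", "Persona A", "persona-a@mail.example"),
    # Same persona registered the campaign domain, which was re-registered to a new persona later.
    WhoisRecord("gadget-campaign.example", "2015-11-20", "Persona A", "persona-a@mail.example"),
    WhoisRecord("gadget-campaign.example", "2016-06-10", "Persona B", "persona-b@mail.example"),
    # Two unrelated domains behind the same privacy proxy must NOT be linked to each other.
    WhoisRecord("unrelated-shop.example", "2016-02-02", "REDACTED FOR PRIVACY", "privacy@proxy.example"),
    WhoisRecord("another-shop.example", "2017-02-02", "REDACTED FOR PRIVACY", "privacy@proxy.example"),
]


def is_pivotable(value: str) -> bool:
    """Reject empty and privacy-proxy values; they are shared by thousands of unrelated domains."""
    v = value.strip().lower()
    return bool(v) and "privacy" not in v and "redacted" not in v


def latest_records(records):
    """Keep only the most recent record per domain (what a plain current-WHOIS lookup returns)."""
    latest = {}
    for r in records:
        if r.domain not in latest or r.observed > latest[r.domain].observed:
            latest[r.domain] = r
    return list(latest.values())


def _find(parent, x):
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]   # path halving
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[ra] = rb


def cluster_domains(records, current_only=False):
    """Group domains that share any pivotable registrant name or e-mail.

    With current_only=True only the latest record per domain is used, which is how a
    later persona swap hides the link between two domains.
    """
    records = latest_records(records) if current_only else records
    parent = {}
    by_value = defaultdict(set)          # pivot value -> domains it was seen on
    for r in records:
        _find(parent, r.domain)          # register the domain even if it has no pivotable value
        for value in (r.registrant_name, r.registrant_email):
            if is_pivotable(value):
                by_value[value.strip().lower()].add(r.domain)
    for domains in by_value.values():
        first = next(iter(domains))
        for d in domains:
            _union(parent, first, d)
    clusters = defaultdict(set)
    for d in list(parent):
        clusters[_find(parent, d)].add(d)
    return sorted(sorted(c) for c in clusters.values())


def single_use_personas(records):
    """Registrant names seen on exactly one domain across the whole history."""
    seen = defaultdict(set)
    for r in records:
        if is_pivotable(r.registrant_name):
            seen[r.registrant_name].add(r.domain)
    return sorted(name for name, domains in seen.items() if len(domains) == 1)


if __name__ == "__main__":
    print("full history:", cluster_domains(RECORDS))
    print("current only:", cluster_domains(RECORDS, current_only=True))
    print("single-use personas:", single_use_personas(RECORDS))
```

Over the full history the freelance domain and the campaign domain land in one cluster through Persona A, while the current-only view leaves every domain isolated; Persona B is flagged as a single-use identity. On real data the same pattern would be fed by passive WHOIS history rather than an inline list, and the exclusion list for proxy values would be longer.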
“This 2016 campaign was a low-effort, small monetary-return endeavor compared to the more elaborate North Korean IT worker schemes active as of this publication,” the researchers noted. “However, it showcases an earlier example of North Korean threat actors experimenting with various money-making schemes. The network infrastructure overlap between the crowdfunding and IT worker campaigns indicates an association between the IndieGoGo scam operators and the NICKEL TAPESTRY threat group.”