Under Review ACTIVE

APT38

Also known as: Bluenoroff, Stardust Chollima, BeagleBoyz, NICKEL GLADSTONE
Affiliation North Korea (Reconnaissance General Bureau)
Motivation Financial
Status active
Country North Korea
First Seen 2014
Last Seen 2025
Target Sectors Financial Services, Cryptocurrency, Banking, Fintech
Target Geographies Global, Southeast Asia, Latin America, Africa, Europe

Executive Summary

APT38, also known as Bluenoroff and Stardust Chollima, is a North Korean financially motivated intrusion cluster attributed to the Reconnaissance General Bureau (RGB) and commonly treated as part of the broader Lazarus ecosystem. Active since at least 2014, APT38 specializes in revenue-generating operations against banks, payment systems, and cryptocurrency services rather than the wider espionage mission usually associated with Lazarus umbrella reporting.

APT38 is estimated to have attempted to steal over $1.1 billion from financial institutions worldwide and has successfully stolen hundreds of millions of dollars. The group targets banks, cryptocurrency exchanges, and financial technology companies across more than 30 countries. APT38’s operations are characterized by extensive pre-operation reconnaissance, long dwell times within victim networks, and the use of destructive malware to cover tracks after theft operations.

Notable Campaigns

2016 — Bangladesh Bank Heist

APT38 compromised Bangladesh Bank’s SWIFT infrastructure and attempted to transfer $951 million from its account at the Federal Reserve Bank of New York. While most transfers were blocked, $81 million was successfully stolen through accounts in the Philippines. The operation revealed the group’s deep understanding of SWIFT messaging and interbank transfer protocols.

2018 — Banco de Chile Attack

The group compromised Banco de Chile, deploying destructive malware (HERMES variant) across approximately 9,000 workstations and 500 servers as a diversionary tactic while conducting unauthorized SWIFT transfers totaling $10 million.

2017-2022 — Cryptocurrency Exchange Targeting

APT38-adjacent financial intrusion activity expanded into cryptocurrency theft as the broader Lazarus ecosystem shifted toward exchanges, wallet services, and cross-chain infrastructure. Public reporting frequently discusses these thefts alongside APT38 because of the shared financial mission, but the largest cases are often attributed to the wider Lazarus/Bluenoroff ecosystem rather than to APT38 alone.

Technical Capabilities

APT38 conducts extensive reconnaissance within target financial networks, spending months understanding internal transaction systems, SWIFT configurations, and operational procedures. The group develops custom tools tailored to each financial institution’s specific infrastructure.

FASTCash enables fraudulent ATM cash withdrawals by intercepting and modifying transaction authorization messages at the application server level. DYEPACK modifies SWIFT Alliance Lite2 software to delete transaction records and alter printed confirmations, hiding fraudulent transfers.

The group’s operational model follows a distinctive pattern: initial compromise via spearphishing, extended reconnaissance and lateral movement (average 155 days), execution of financial theft, and deployment of disk-wiping malware to destroy forensic evidence.

Attribution

The U.S. DOJ charged Park Jin Hyok, a North Korean national, in September 2018 for his role in APT38 operations including the Bangladesh Bank heist. CISA advisory AA20-239A (BeagleBoyz) detailed North Korean financial institution targeting with technical indicators. The U.S. Treasury Department has sanctioned multiple entities associated with APT38 operations, and the UN Panel of Experts on North Korea has documented the group’s role in sanctions evasion.

MITRE ATT&CK Profile

Initial Access: Spearphishing attachments (T1566.001) targeting bank employees, watering hole attacks (T1189) on financial industry sites, and supply chain compromise of financial software.

Persistence: The group maintains long-term access through scheduled tasks (T1053), registry modifications (T1547.001), and backdoors placed on critical financial infrastructure servers.

Impact: Financial theft (T1657) through SWIFT manipulation, cryptocurrency theft, and ATM cash-out schemes. Post-operation evidence destruction through data destruction (T1485) and disk wiping (T1561).

Defense Evasion: Custom malware designed to evade financial sector security tools, timestomping (T1070.006), and indicator removal (T1070) are standard practices.

Sources & References

Known Tools

DYEPACKHERMESFASTCashNESTEGGKEYLIMEMAPMAKERQUICKCAFE
nation-statenorth-koreafinancialapt38bankingcryptocurrency