BlueNoroff (APT38)
A North Korea-linked, financially focused sub-group of the Lazarus umbrella that targets banks and crypto firms. Blamed for the 2016 Bangladesh Bank SWIFT heist and, more recently, macOS malware campaigns against crypto businesses (RustBucket, KandyKorn, 'Hidden Risk'). Sanctioned by the U.S. in 2019.
Also known as: BlueNoroff, APT38, Stardust Chollima, Sapphire Sleet, Hidden Risk, RustBucket
On attribution: BlueNoroff/APT38 is a North Korea-linked cluster within the Lazarus/RGB umbrella; attributions are those of the cited authorities and firms (U.S. Treasury, SentinelOne).
Overview
BlueNoroff — also tracked as APT38, Stardust Chollima, and Sapphire Sleet — is a financially motivated unit within North Korea's Reconnaissance General Bureau, created to generate revenue as sanctions tightened. The U.S. Treasury sanctioned it (alongside Lazarus Group and Andariel) in September 2019, citing heists against foreign financial institutions, including via the SWIFT interbank system. [1]
Activity
BlueNoroff/APT38 is most associated with bank-targeting operations such as the 2016 Bangladesh Bank heist (~$81 million taken) and attempted SWIFT thefts in numerous countries. More recently it has run a series of macOS-focused campaigns against cryptocurrency, DeFi, and fintech firms, including RustBucket, KandyKorn, and the 2024 "Hidden Risk" campaign documented by SentinelOne, which used fake crypto-news lures and a novel macOS persistence trick (abusing the Zsh startup file zshenv). [1][2]
Bracketed numbers refer to the numbered sources listed below.
Sources (2)
1. Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups — U.S. Department of the Treasury
2. BlueNoroff 'Hidden Risk': Threat Actor Targets Macs with Fake Crypto News — SentinelOne
See also
- Angel Drainer (Organizations & groups): A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
- Monkey Drainer (Organizations & groups): An early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was 'shutting down' and pointing affiliates to rival drainers.
- Ledger Connect Kit hack (Projects)
This page was last updated on Jun 8, 2026.