Introduction

Research conducted by the Secureworks Counter Threat Unit (CTU) has uncovered the activities of Nickel Tapestry, a North Korean threat actor involved in fraudulent crowdfunding campaigns [3]. A significant instance of this was a 2016 scam on IndieGoGo, which raised approximately $20,000 under false pretenses [3]. This operation is part of a broader strategy by North Korean actors to engage in various illicit money-making schemes [2].

Description

Research from Secureworks Counter Threat Unit (CTU) has identified Nickel Tapestry as a North Korean threat actor involved in fraudulent crowdfunding campaigns [3], including a notable 2016 scam on IndieGoGo that raised approximately $20,000. This campaign promoted a Kratos portable wireless memory device [1] [2] [3] [4], but backers reported that they never received the product or any refunds, indicating that the operation was fraudulent.

Further investigation revealed that this crowdfunding effort was part of a broader strategy employed by North Korean actors to explore various money-making schemes, which included the use of fake IT workers [3]. The operation utilized a network of domain names [1], front companies [1] [3], and email addresses [1] [3], suggesting a low-effort scheme compared to more sophisticated cybercrime tactics typically associated with North Korean actors.

Connections were found between the IndieGoGo scam and two IT companies, Yanbian Silverstar Network Technology Co. and Volasys Silver Star [1], both of which were sanctioned by the US in 2018 for violating sanctions. Evidence linked these firms to the crowdfunding scheme [1], with the FBI tracing accounts used by Yanbian Silverstar freelancers to an IP address in Jilin, China, where the company is based [1]. The CEO of both companies, Jong Song Hwa, a North Korean national [1] [2] [3], was designated by the FBI [1].

In 2024, a domain associated with these companies was seized, revealing a registrant email address and a street address in Jilin that matched Yanbian Silverstar’s offices [1]. This same email and address were used to register multiple domains, including kratosmemory.com, which was linked to the IndieGoGo campaign [1]. The WHOIS registrant data for this domain was updated to reflect a persona named Dan Moulding, associated with the Kratos scam, although this persona has not been linked to any other domain registrations [1]. The investigation underscores the continued exploration of various fraudulent activities by the Nickel Tapestry group, highlighting their persistent and evolving tactics in the realm of cybercrime.

Conclusion

The activities of Nickel Tapestry underscore the persistent threat posed by North Korean cyber actors, who continue to adapt and evolve their tactics. The fraudulent crowdfunding campaigns not only highlight the need for increased vigilance and security measures on crowdfunding platforms but also emphasize the importance of international cooperation in tracking and mitigating such threats. As these actors continue to explore new avenues for illicit gains, it is crucial for both governmental and private entities to remain proactive in their cybersecurity efforts to prevent future incidents.

References

[1] https://www.archyde.com/secureworks-reveals-north-korean-fraudulent-crowdfunding-connections/
[2] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-january-15-2025
[3] https://www.infosecurity-magazine.com/news/north-korean-links-fraudulent/
[4] https://www.secureworks.com/blog/nickel-tapestry-infrastructure-associated-with-crowdfunding-scheme