Beyond Borders: How North Korean Hackers Are Using Russian Infrastructure to Fuel Global Cybercrime

Illustration depicting North Korean hackers engaged in cybercrime operations.

In a disturbing trend, North Korean cybercrime operations have expanded beyond their national network, leveraging Russian infrastructure to target cryptocurrency wallets and sensitive information worldwide. Recent findings reveal that five Russian IP ranges, primarily located in the border towns of Khasan and Khabarovsk, are being used to facilitate sophisticated attacks.

At the heart of these operations is a strategic location: Khasan, situated just one mile from the North Korea-Russia border and connected via the Korea-Russia Friendship Bridge. From this vantage point, cybercriminals have established a complex anonymization network, utilizing commercial VPN services, proxy servers, and numerous Virtual Private Servers (VPS) with Remote Desktop Protocol (RDP) access.

This infrastructure allows North Korean threat actors to conceal their origins while connecting to job recruitment platforms, cryptocurrency services, and communication applications like Skype, Telegram, Discord, and Slack. A threat actor known as Void Dokkaebi, also called Famous Chollima, has been conducting extensive social engineering campaigns through fictitious companies like BlockNovas.

BlockNovas: A Case Study in North Korean Social Engineering

BlockNovas presented itself as a blockchain technology firm with a sophisticated online presence, targeting IT professionals in Ukraine, the United States, and Germany with fraudulent job interviews. Victims were prompted to download and execute malware disguised as necessary software for the interview process.

The infrastructure supporting these operations traces back to specific Russian IP ranges assigned to two organizations in Khasan and Khabarovsk. These IP ranges include 80.237.84.0/24, 80.237.87.0/24, 188.43.136.0/24, and several others registered to network names like KPOST-NET and SKYFREIGHT-NET.
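One practical use of the published ranges is to sweep existing VPN and RDP authentication logs for sessions originating from them. The example below is added here and is not part of the article or any vendor tooling; the log lines are constructed, and only the three ranges the article names are included (its "several others" are not listed on the page).

```python
import ipaddress
import re

# The three Russian /24 ranges named in the article. The page mentions
# "several others" without listing them, so only these three are included.
REPORTED_RANGES = [ipaddress.ip_network(c) for c in (
    "80.237.84.0/24",
    "80.237.87.0/24",
    "188.43.136.0/24",
)]

# Constructed sample log lines (not real telemetry): VPN gateway and RDP
# authentication events carrying a src= field.
SAMPLE_LOGS = """\
2025-04-20T08:12:01Z vpn-gw01 session-open user=alice src=203.0.113.45
2025-04-20T08:15:44Z rdp-host07 logon-success user=svc_build src=80.237.84.133
2025-04-20T08:16:02Z vpn-gw01 session-open user=bob src=198.51.100.7
2025-04-20T09:01:19Z rdp-host07 logon-failure user=admin src=188.43.136.22
2025-04-20T09:03:55Z rdp-host07 logon-success user=admin src=not-an-ip
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def match_range(ip_text):
    """Return the matching reported range as a string, or None.
    Malformed addresses count as no match instead of raising."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in REPORTED_RANGES:
        if ip in net:
            return str(net)
    return None


def flag_lines(log_text):
    """Return (line_number, src_ip, range) for every event whose source
    address falls inside one of the reported ranges."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = SRC_RE.search(line)
        if not m:
            continue
        net = match_range(m.group(1))
        if net:
            hits.append((lineno, m.group(1), net))
    return hits


if __name__ == "__main__":
    for lineno, ip, net in flag_lines(SAMPLE_LOGS):
        print(f"line {lineno}: src {ip} is within reported range {net}")
```

A hit is a lead for triage, not attribution on its own: address blocks get reassigned and shared, so confirm with session context (account, timing, what was accessed) before acting.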

When candidates engaged with BlockNovas’ automated interview process, they received messages claiming their camera needed a software update, along with instructions to execute a command. That command downloaded and ran malware known as FrostyFerret on Mac systems or GolangGhost on Windows, which connected to command-and-control servers that support both of these variants as well as Beavertail malware.

Law Enforcement Takes Action

On April 23, 2025, the FBI seized the BlockNovas domain as part of a law enforcement action against North Korean cyber actors. Analysis of the group’s infrastructure revealed connections to Beavertail malware command-and-control servers and password-cracking tools like Hashtopolis, demonstrating the operation’s focus on cryptocurrency theft.

The investigation also uncovered instructional videos with non-native English text detailing Beavertail C&C server setup and cryptocurrency wallet password cracking, suggesting collaboration with foreign conspirators beyond the core North Korean team. These videos were created during RDP sessions from Russian IP addresses, providing further evidence of the Russian infrastructure’s central role in these operations.
