Masked Actors

Lazarus: Is your best IT worker really a North Korean hacker?

Season 1 Episode 2

In December 2014, Sony Pictures announced they were cancelling the release of Seth Rogen's newest venture, The Interview, due to a large-scale cyberattack. And in February of this year, global cryptocurrency exchange Bybit suffered a massive attack resulting in the theft of $1.5 billion.

These masked actors are still active. But now, they’ve turned their attention to companies like yours...

Join Group-IB's Gary Ruddell and Nick Palmer as they speak with Geoff White, one of the world's leading journalists covering organized crime and tech and the author of The Lazarus Heist: From Hollywood to High Finance: Inside North Korea's Global Cyber War, as they explore the infamous Lazarus Group.

In this episode, they delve into the group's latest modus operandi: infiltration campaigns, in which North Korean hackers pose as remote IT employees to funnel information out through the back door and leave logic bombs in code that they can trigger months or years down the line. They look at how this shifts the responsibility model for cybersecurity, requiring vigilance from across the organisation for unusual behaviour.

By understanding who these actors are and how they operate, you can better anticipate threats and protect yourself in an increasingly hostile digital world.

Subscribe now to meet these Masked Actors — and stay one step ahead in the fight against cybercrime.

Episode links:
Group-IB's Top 10 Masked Actors
Lazarus Arisen: Architecture, Tools and Attribution
Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes
APT Lazarus: Eager Crypto Beavers, Video calls and Games


Gary Ruddell:

In December 2014, Sony Pictures announced that they were cancelling the release of Seth Rogen's newest movie, The Interview, due to a large-scale cyber attack. And in February of this year, global cryptocurrency exchange Bybit suffered a massive attack resulting in the theft of $1.5 billion. One group pulled off both of these attacks and many more. Today, they're also infiltrating IT roles in the private and public sectors. But what do these attacks have in common? We've got perhaps the biggest cryptocurrency theft ever, plans to put criminals on the inside of organizations around the world, and a film detailing a fictional plot to kill Kim Jong-un. That last part is the giveaway. The link is North Korea. And the criminals responsible for the attacks are the state-sponsored threat actor codenamed Lazarus Group. We're your hosts, Gary Ruddell and Nick Palmer. Nick, let's get into Lazarus.

Nick Palmer:

So it would be impossible to discuss Lazarus Group without sitting down with perhaps the best known expert on this topic, Geoff White. He's an investigative journalist who's written numerous books about the intersection of organized crime and technology, including Rinsed and, of course, The Lazarus Heist. Geoff, thanks a lot for joining us.

Geoff White:

Thanks. Thanks for having me.

Nick Palmer:

So, Geoff, let's dive right into it. When did you first become aware of Lazarus Group? And what can you tell us about their first moment in the spotlight, that Sony Pictures attack? It's pretty different from their modus operandi of targeting cryptocurrency companies, isn't it?

Geoff White:

Yes, absolutely. I mean, this goes back, as you said, to December 2014. We knew there was trouble at Sony Pictures Entertainment. We knew the company had been hacked because swathes of its internal emails were being leaked online, some extremely juicy and salacious information. Some movies were leaked online. And then the attribution came from the US government itself that this was the work of North Korea. At the time, I was working for Channel 4 News in the UK. And I'll be honest, like quite a lot of journalists, I was slightly sceptical as to whether this was the actions of North Korea. I mean, yes, at the heart of it was this film, The Interview, which detailed a plot line involving the assassination of Kim Jong-un. It was quite a grisly assassination, which would be, of course, hugely offensive to North Korea. So there was a reason why they might do it. But it just seemed very odd. I mean, you've got to realise this was the era of the Anonymous hacking group, you know, the guys in the Guy Fawkes masks breaking into companies, leaking data. It seemed more like something they would do. But as the evidence started to spill out, and that took several years, really, for the evidence to really kind of come to fruition, fingers started pointing at North Korea, and it linked back to previous attacks that North Korea had done. Now, in that case, the Sony break-in, it's attributed to North Korea. And the idea is that the North Koreans were so angry at this film, so outraged by what was being depicted as happening to Kim Jong-un, you know, a sitting world leader, that they decided to go and hack Sony. The subsequent activity, and we've had now five, ten years more activity after that, has been more focused on stealing money. You know, the North Koreans, that attack on Sony Pictures Entertainment seems to have been a slightly unusual attack. It was a reputational damage issue, certainly reputational damage for Sony.

But the subsequent attacks, certainly the ones I've covered, have mostly been about stealing money, and vast quantities of it.

Nick Palmer:

Yeah, it's a super interesting change from their normal modus operandi and definitely one that made the headlines worldwide. So thanks a lot for the breakdown. Let's talk a little bit more about the operations and the timelines around escalating different attacks for Lazarus Group.

Geoff White:

Yeah, the activity for Lazarus Group, and by the way, the Lazarus Group is the name given to them by security researchers. The North Korean government hackers themselves almost certainly don't call themselves Lazarus Group. From what we know, this is a military unit within the North Korean government. They will be run as a military institution. They will have military ranks and unit numbers and so on. So the Lazarus Group is a convenient sort of shorthand. First activity starts about 2013. They start by attacking South Korea, is the accusation, taking down TV stations, banking. It's disrupting North Korea's old enemy, South Korea. But over the years, we start to see North Korea doubling down on hacks to target financial institutions, banks and also cryptocurrency companies. Now, the backdrop to that is North Korea keeps testing nuclear weapons and keeps launching missiles. Obviously, that's quite a hostile act, certainly in that region of the world. And so the United Nations and others have sanctioned North Korea, turned off the international money taps, the trade taps. So North Korea is pretty much isolated. Can't bank, can't trade, can't buy, can't sell. How do you survive as a country if that's going on? And of course, that's the idea of sanctions: North Korea will eventually come back and say, oh, these sanctions are hurting us, let's negotiate. The accusation is that North Korea has responded to those sanctions by putting its hackers on the send for money. They go out, they find financial institutions, they break into them and bring that money back to the North Korean government. The US government believes that North Korea pays for about half of its missile program through computer hacks. We are talking about multiple billions. I've seen figures up as far as six to seven billion dollars' worth of currency stolen, allegedly by North Korea's hackers, and taken back for the regime.

Nick Palmer:

Yeah, very organized operation. And when you're shut off from the international money supply, you have to find unique ways of funding what it is that you want to do as a nation. So, you know, talking about cryptocurrency, why is that such a heavy point of interest for them? You know, we've seen them focus on banks in the past, but, you know, in more recent years, they focused in on cryptocurrency. Why is that in your opinion?

Geoff White:

Yeah, this has been an interesting evolution. So one of the early banking attacks attributed to the North Koreans is the hack on Bangladesh Bank, the famous billion dollar hack, where they went to try and steal a billion dollars from the national bank of Bangladesh. Didn't get away with the billion, which is a whole story in itself, but they were targeting that bank. Then they start to target other banks, dozens of banks they were targeting around this time, stealing in the sort of hundreds of millions of dollars. They started going after banks' ATM systems. So they actually managed to work out that once you're inside a bank, you can effectively hijack the ATM system and make ATMs around the world spew out notes, banknotes, which of course means you've got to have somebody on the other side to collect those banknotes. And you've got to have people in loads of different countries where the ATMs are. So that led the North Koreans into its alleged various interactions and alliances with some quite murky characters and quite bizarre characters who are on the other side of these sort of cash-out operations. The problem with all of that is it takes place within the traditional banking system. So Bangladesh Bank, for example, when it was robbed, it could see exactly where the money went. It could follow the flow all the way through to the Philippines and to casinos, which is where the cash eventually ended up. If you use traditional banking to do hacking, there's going to be a paper trail, these days a digital trail, but it's a trail that investigators can follow. With cryptocurrency, this was the big switch. North Korea starts experimenting with cryptocurrency about 2016, but then there's the big ransomware attack, WannaCry, 2017. Now, the WannaCry ransomware attack, I mean, ransomware has been in the news, certainly in the UK recently. The hackers scramble your files and then charge you a ransom to unscramble them.
WannaCry was North Korea's ransomware attack, and it was vast. It went around the world, you know, automatically spreading from computer to computer. It was the single most virulent ransomware attack ever launched, but was also, for a lot of people, a complete dud, because the ransoms that came in as a result were only in the low millions, 10 million-ish, maybe 100 million, depending on how you value the Bitcoin cryptocurrency that the ransoms were paid in. And so people said, well, what was the point of this ransomware attack? It didn't make so much money. But what it taught the North Koreans, I believe, was crypto money laundering. Laundering the money from that attack, i.e. taking the cryptocurrency ransoms that were paid and vanishing them, took about 48 hours. And we still have no idea, apparently, where that money went. It's just gone. Compare that to that Bangladesh bank attack. It took them a month, a solid month, to get the money into the casinos, to gamble it through, to try and wash the money. They lost 30 million of it to some intermediary who's just never been seen again. So hacking crypto suddenly starts to look like a really good idea because you can move the money instantly. You can launder it so much more quickly. And crucially, cryptocurrency companies are not bound by the kind of laws and regulations that banks are. So as a hacker, you're hacking an easy target, low hanging fruit. And the North Koreans have made billions upon billions is the accusation out of targeting these crypto companies.

Gary Ruddell:

When you talk about Lazarus Group being a state-sponsored group, elaborate on that. What does that really mean in practical terms?

Geoff White:

What that means is that the government is actually hiring these people. So in the UK, we have government hackers. They work for GCHQ and MOD Caution and all these places. The US has them. Most countries worth their salt have government hackers, and they are paid a nine-to-five sort of salary. What you've also got, though, in most countries is a sort of, well, a non-government hacker scene. You've got organised criminals who do hacking. You've also got sort of hacktivists, sometimes teenagers, who just acquire these skills and sit in their bedrooms and carry this out. And you've got this interesting interaction, you know, the Russian Federation, for example. We've got stories of the Russian government working with some of those sort of have-a-go cyber criminal hackers. So there's this interesting crossover. In North Korea, the situation's quite different. In North Korea, if you have a computer and an internet connection, it's because the government has given it to you. You can't go out and buy a laptop and get a SIM card or broadband connection and a Wi-Fi router and off you go. Not in North Korea. And if you're given that, you are very, very closely surveilled. So the vast majority of online computer use in North Korea is government controlled, very certainly government monitored. So what that means is if you're doing hacking from inside North Korea, you're a North Korean hacker, you are government sanctioned. You're probably government employed and paid. So when we see malicious cyber activity from North Korea, there's no ability for North Korea to turn around and say, oh, well, that must be some teenager in their bedroom that we don't know about, because we know North Korea knows about all of them. They are all state sponsored. And what this means is you've got all of the resources of the state, all of the time, the money, the organization that goes behind this, and that can be applied to this cyber army.
I've heard figures of around 6,000 cyber warriors in North Korea. I suspect the true figure is much higher because there are people who are coders, there are people who are computer hackers, but there are also people who do IT work for the North Korean government, but also for other people, and they interface with the hackers. So it sort of depends how you define a North Korean government hacker as to how many might be in the pool.

Gary Ruddell:

You mentioned earlier the casinos and trying to get the money out and the challenges around that. In the cryptocurrency space, can you talk us through how it's done in crypto land, why they can't just trace the money if it's crypto?

Geoff White:

Well, it's interesting, this, because when people talk about cryptocurrency, as anybody who knows anything about Bitcoin and blockchain will know, all cryptocurrency transactions are sort of logged and tracked. It's a digital currency. But in a way, that's the same with traditional finance. If you spend on your credit card, there's sort of a record of it. The thing with cryptocurrency is the log, the ledger, the register of transactions is public, certainly in the case of Bitcoin. And so you can use this blockchain to track Bitcoin transactions. And so a lot of people think, well, cryptocurrency must be fantastic for investigators because they can see all the transactions. You can see it move in real time. And that's exactly what happened with that WannaCry ransomware attack I talked about back in 2017. When the money starts to get laundered, you can watch it in real time. The problem is that it went into an Eastern European cryptocurrency exchange. And from there, we have no idea what happened to it because it drops into this black box. The money just goes in and it's inside this organization, inside this company. It must have got spewed out somewhere, we presume, but we can't track it beyond that. So when people talk about cryptocurrency being traceable, yes, it's traceable, but sometimes only to a certain point. And even then, yes, the crypto is traceable, but even if you can trace it, can you stop it, freeze it and get it back? If somebody breaks into my house and steals my TV and runs off down the street, it's all very well me being able to watch them as they run down the street with my TV. What I want is my TV back. So traceability of crypto is only one part of the challenge. Freezing it and recovering it is the issue. And again, for crypto money launderers, that's been the boon, as they realize that you can get away with it. You can actually vanish the money if you do it correctly.

Gary Ruddell:

I guess as well, if you're North Korea and you have their sort of resources and, you know, the money that they have, potentially they could have agents in different countries around the world that just create a company that is a crypto company. They could put the money through it and then shut that company down to sort of mask some of this stuff. Is that something that happens?

Geoff White:

It's a good question. And actually, I've heard tell of North Korea sort of flirting around that, for example, setting up crypto companies, crypto enterprises and so on. The problem we've got there is sort of liquidity. It's volume. This is the mad thing about North Korea and some of these financial attacks that they're accused of doing: they're actually sort of at the cutting edge of finance and they have to deal with very, very heavy financial issues, which for a country that's the world's oldest communist country, I mean, North Korea predates China as a communist country, the idea that they're involved in this sort of massive financial machinations, I find very ironic. If you're going to set up a crypto exchange or crypto company, as you've described, Gary, what you really need is liquidity. You need a big pool of money so that you can stick your stolen money in and mix it. If you or I, or indeed North Korea, just sort of sets one up, you don't really have enough money sloshing around. So what they prefer to do is to use large organizations, large institutions, and try and trick those institutions into accepting the stolen money. So North Korea might take the crypto, run it through a few Bitcoin wallets, maybe hundreds of Bitcoin wallets, and then try and stick it into a big exchange, you know, your Coinbase or Binance or Kraken, all these big exchanges, and try and trick them into saying, hey, this money is actually fine. You can accept it. It's not stolen money. So that's been the game. They tend to prefer to use these big organizations. The other thing they use is crypto mixers, which, as the name suggests, take incoming crypto, mix it with other people's currency, and then spit it out to a fresh wallet address. Which, by the way, if you want privacy in crypto, which is quite a challenge, using a crypto mixer makes a lot of sense.
If you want to donate to a particular political cause through crypto without being spotted or identified, crypto mixer helps you. It also helps with money laundering. And so we know cybercrime groups in general, but the North Koreans particularly have been using these crypto mixers to wash, you know, millions and millions, probably in the billions of dollars worth of cryptocurrency.

Nick Palmer:

Yeah, they've certainly become experts at learning how to wash digital currencies around the world. And like you said, Geoff, being ousted from the global financial community, they've certainly still been involved in it to profit. We've talked a lot about large organizations, Bank of Bangladesh and cryptocurrency organizations, but what about small companies? Do they have to be concerned about North Korean hackers, or is it just large organizations?

Geoff White:

Before, I would have said, well, frankly, if you're a large organization, the North Koreans are interested in you. If you're a big government organization, of course. All big government organisations, they can't see hacking each other, so they have to be worried about lots of threats, including North Korea. Big financial institution, a big organisation like Sony. Yes, you should be worried about the North Korean threat. But what's been interesting is this recent switch that North Korea's done in terms of moving from hacking to almost an infiltration campaign, if you like. The backdrop to this is that North Korea's citizens used to be allowed to work abroad. North Korea could actually get its citizens to work overseas. They would do things like logging in Vladivostok, or there was a North Korean restaurant, I think, in Sweden, in Stockholm, where you could actually go and have North Korean food served by a North Korean. So they were allowed to work abroad. The problem was that people figured out these employees were just sending money back to North Korea. And so effectively they were sort of funding the regime, and as the regime tested more missiles and nukes, that became an issue. So the sanction went out from the United Nations: you are not allowed to hire a North Korean, allow a North Korean to work in your country. So North Korea's employees got sent back inside the borders or struggled to go outside the borders. Then COVID happened, and again the country got sort of locked down. So increasingly North Korea's ability to sort of reach out into the world, to get its people overseas and working overseas, those routes started to get shut off. Not entirely, they can still use diplomatic passports and so on to get people out and about in the world. But a lot of the time it's quite difficult. So then the challenge became, well, okay, we want to try and hack into these companies.

We want to try and get into these companies, but we're not allowed to physically go and be in these places. Our hacking attacks are working, but hacking is difficult. You have to go in through the back door. If you get caught, you're going to get kicked out. Why don't we go in through the front door? Why don't we just apply for a job at these companies? Now, obviously, that would normally involve you turning up to an interview and sitting there in your Kim Jong-un badge and your military uniform. Obviously, you wouldn't get the job. But obviously, post-COVID, there's been this huge boom in remote IT working. So as a software developer, a web developer, an IT person, you can apply for a remote working job, and a lot of companies don't really care so much anymore where you are in the world. They just want employees. The North Koreans have hopped on board this with gusto. They've managed to get jobs at companies around the world, and we're talking, you know, Fortune 500 companies in the US, in Europe, in the UK, applying for these jobs. Now, the employer obviously doesn't want to hire a North Korean, so what the North Koreans have done is used intermediaries, effectively proxies and accomplices, in these different countries to impersonate a local individual. It might be an identity they've stolen, or it might be a willing individual who's handed over their ID, you know, their bank account, to be used by these North Koreans. So the North Koreans get a job at the company, the organization. And as far as the organization is concerned, they're hiring John Smith in New York, but actually John Smith in New York turns out to be, you know, Park Jin-hyuk based in Pyongyang, who's dialing in remotely. Now, the company will send a laptop out to John Smith in New York, and the person who's pretending to be John Smith will plug it in, connect to the internet, install remote access software, and Park Jin-hyuk from North Korea can dial in and start work. It's absolutely incredible.
And there are hundreds and hundreds of cases of this. We suspect thousands of North Korean IT workers on the other side of it. Some of whom, by the way, are just doing the IT work job. They're just getting on with it. And actually, some of them are quite effective employees. In fact, we got told in the podcast that I made for the BBC, one of the employers we spoke to who almost, almost hired a North Korean had this great story about another company that they spoke to who actually did hire a North Korean, got a call from the FBI saying, we've been tracing this and you hired a North Korean. The company apparently came... You've got to sack this person. It's in North Korea. You can't keep hiring this person. And the company went back to the FBI and said, well, he's actually one of our best programmers, so we'd rather not let him go.

Gary Ruddell:

I feel like I need to ask all of us just to sort of pull on our skin to prove that we're not... Wearing masks or deep fakes or anything, yeah. You mentioned the laptop case. I think, was that Kraken, if I'm recalling correctly, Geoff?

Geoff White:

Correct, yes. Kraken is one of the companies that's been targeted in this way, went out, went public. Also KnowBe4, a company that a lot of your listeners might know, it's an IT security and security culture awareness company. KnowBe4 actually, for a period of, I think it was a couple of hours, did hire a North Korean, sent the laptop to them, and have done a whole bunch. So if you Google Kraken and KnowBe4, KnowBe4 particularly has been putting out advice to people on how they spotted this person, how you can make sure you don't inadvertently hire a North Korean. But those are just the ones that have got the big headlines. Multiple, multiple companies. I mean, I can't name them yet because I haven't given them the right of reply. But I mean, I've been told recently about three of the world's biggest companies who didn't just almost, actually hired a North Korean and sent a laptop out to a representative. So it's big. It's big. It's very big.

Nick Palmer:

Incredible. Incredible. You know, speaking about the hiring process, I imagine, you know, you're living in North Korea, having such a position within, you know, the organized crime group, conducting hacking, et cetera, is probably a pretty prestigious position. Do you have any insights on, like, if I was living there, how would I go about getting that job? Or how do the local people do that?

Geoff White:

It's very interesting. I'm not a North Korean expert. There are loads of people who are. My co-host for the podcast, The Lazarus Heist, Jean Lee, is a fountain of information about North Korea. But I've read a lot about it and I've obviously spoken to people who've got expertise in this. North Korean society is almost impossible for us outside it to understand. I mean, from birth, your lot in life is controlled for you. And interestingly, a lot of that's about how close your family or your ancestors were to Kim Il-sung, the founder of North Korea, or his offspring, including Kim Jong-un, the current leader of North Korea. So from birth, almost, your path is sort of set for you. This is where you're going to be. This is where you fit in the strata. This is how wealthy you're going to be or not. And there are effectively groups in each territory that control all of this. Everything's very tightly managed. Within the apartment block that you live in, there will be a structure and a hierarchy. There will be somebody who effectively runs that apartment block, who makes sure that you don't get above your station, who makes sure that you don't start trying to research news that you shouldn't be hearing or get an illicit radio. There's all this control that goes on to it. And one of the things about that is your career really is largely structured for you. What North Korea does from quite early on is it tries to spot who's good at different things and effectively channels and streams those people very, very specifically. If, for example, you're good at mathematics and you show prowess, it's likely that you'll be streamed into, you know, mathematics classes at school, university, you'll study it. And what they'll be looking out for is those people who have computer ability on top of that.

If you have that, you'll be put in special programs, special universities, and you'll be streamed, if you're good, if you're the best of the best, into the computer hacking teams, the Lazarus Group and the military units behind that, or the nuclear program, which obviously is also a computer-heavy kind of career. So those are your sort of trajectories if you're into computers and you're quite good at them. And what this means for a North Korean is you can potentially escape the sort of fate that's set for you and escalate your career chances. One of the defectors we interviewed talked about a thing called songbun, which in North Korean society is effectively your place in society. It's kind of logged. It's actually recorded quite carefully as to who you are, what you will do. If you want to escape your songbun, if you want to improve you and your family's chances, one of the ways is to show prowess in a particular skill. Sports, for example, is one of them. If you're a particularly talented sports person or a musician, you can actually sort of raise your stock, your standing in society. Computer hacking, again, computer skills, is another way of doing that. So there's a real incentive for the North Koreans to do this. What this translates to in real life would be perhaps a larger apartment in Pyongyang, perhaps a refrigerator, maybe even a car. There are perks available for this. It's also worth pointing out that for the North Koreans, they don't often have an option. The government tells you to do something. Now, you might think, well, why don't you just refuse? If you refuse, the consequences for you and your direct family can be extremely severe. If you do something really wrong, the consequences could be fatal for your family members. When we talk about these hackers, it's worth noting on the other side that at their level, the lower levels, they don't have a huge amount of options as to what to do. It's just run for them.

Nick Palmer:

Fascinating. It takes the requirement to excel to the next level if you want to get out of your current caste or situation. Very interesting. Thank you.

Gary Ruddell:

When companies and people try to protect themselves from these types of threats, what types of things do you see working?

Geoff White:

Well, at the high level, obviously, you've got all of the sort of usual stuff of trying to, you know, segment your network so you don't get in, get all the crown jewels, obviously, multi-factor authentication and so on. I mean, a lot of the hacks I've looked into with North Korea, social engineering is at the heart of this. I mean, the Bybit hack that you mentioned, this is a cryptocurrency exchange called Bybit, the target of an alleged North Korean hack in which $1.5 billion worth of cryptocurrency was stolen. An absolutely astonishing amount of money. I have been on record, and I'll go on record again, saying it's the biggest single theft ever in terms of one theft, one hit, and one victim in one go, valued at the time of the theft. It's the biggest we've ever had. At one point, there's just no competitor for that. Now, the way they broke into Bybit was really interesting. They looked at the company. They worked out how Bybit's cryptocurrency transactions worked. They worked out what software they were using to enable those transactions within Bybit, its internal systems. They then went after Bitcoin. the software provider. So it's not quite true to say they hacked Bybit. In the end, they hacked Bybit. What they started doing was hacking a company that made software called Safe, ironically enough, that authorised the transactions. That's where the North Koreans went. And again, it was social engineering. They found one of the software developers who worked for that company that made that Safe software. They managed to trick that employee into downloading a sort of share trading, commodity trading type app onto their phone. And that gave them access to the phone. So again, it's not, you know, the tactics aren't massively sort of advanced. And fundamentally at the heart of that is a social engineering attack. You know, can I convince this person to do something they shouldn't do? Download a dodgy app onto their, I think their work phone in this case. 
So it's all that usual sort of stuff you do about, you know, segmenting your network, looking after your business processes, looking at your business the way an attacker would and thinking, we're by a bit, we're sitting on a billion and a half. If I want to steal that, what would I have to actually do? Well, I'd have to do this, this and this. That's the process you go through. And what's great about that is for business, for an organisation, there's no technology involved in that. You don't have to understand anything about technology. You just have to look at your business and go, what do we do? Where's the money? If I was going to do damage, how would I do that? What's our processes? And how would I get into our processes and screw them up? mess them up so that I could do some damage. You could do that with a paper and pen. You don't need a computer to do it. So that's a good place to start. In terms of the North Koreans applying for these jobs, these sort of blagging, if you like, exercises, the infiltration exercises, again, you've got to look at the processes by which you're hiring people, particularly if you're hiring people remotely and you're never going to see these people and you send out a laptop. You've got to do an extra job of diligence around these employees because it's effectively like letting somebody into your network, into your office building at night. So I'm not going to see them, but I'll just give them a key. I'm sure they're fine. No, you would want to know who that person was. It's the same with remote IT workers. If you're hiring anybody who works remotely, who's not going to come into the office, you need to really double down on the diligence. 
Warning signs are things like: they want the laptop sent out, but not to the address that's on the bank account, or not to the address they used on their application form. You know, they have references, but the references' addresses are Gmail addresses or Outlook addresses. So their reference is somebody at, I don't know, the Bank of England, but you're not emailing them at a bankofengland.com address, you're emailing the reference at a Gmail address. So yes, it's, you know, Jane Smith, who works at the Bank of England, but it's janesmith at gmail.com. It's like, well, hang on. Why aren't I emailing this person at their Bank of England address? Loads of little signs like that. You just have to have your radar up, particularly if you're hiring somebody remotely, for any signs that their story doesn't quite add up, and just double down on that diligence. And I know that's a faff, but the consequences are, if you hire this person, A, you've just hired a North Korean, you're sanctions dodging. It's a very serious offence. And B, they've just walked into your network. They've got access to everything. It's potentially a huge problem for you.

Gary Ruddell:

What do you think the future holds for North Korea, Lazarus Group, from a hacking perspective? Given the trajectory they've been on, the 1.5 billion you talked about earlier, what might we see in the future? I don't know, you don't have a crystal ball, but in your experience.

Geoff White:

Yes. I mean, look, what I hope for, for North Korea, is what I think all people hope for and should hope for, which is peace, some way of this country not being... as militarily focused as it is. That's obviously a political matter, it's a diplomatic matter. And the issue with these sanctions, and we need to think about this in terms of the Russian Federation as well, is if you pull every sanctions lever, if you tighten the screws, the country just learns to survive despite the sanctions. So there's kind of no more screws we can turn on North Korea. What else could we do? You know, do we let this country back into the fold? Do we offer it? Well, OK, we'll lift those sanctions if you do X. What's the diplomatic path? There's all of that sort of stuff going on. In terms of North Korea's cyber activity, this whole infiltration campaign thing is a whole new front. One of the things I do worry about is if North Korean hackers have blagged their way into jobs at companies and they've blagged their way into IT jobs at companies, have they left logic bombs, effectively, in the code, security vulnerabilities in code that they found access to, that they could then trigger months, years down the line and use to either get back into that organization or steal money from it if it's a crypto organization or a bank, for example. So we may see this sort of second wave happen. These infiltration campaigns, they might get spotted, but they might have left some sort of vulnerabilities in there. Cryptocurrency has been a really interesting journey. As I say, the North Koreans, despite being a communist country, are now involved in financial engineering at the absolute cutting edge of that industry. Some of the stuff they deal in, we're talking DeFi, Web3, smart contracts. This is out there stuff. I mean, I just about understand it, but, you know, it takes me a while.
They are absolutely at the cutting edge of finance, as are a lot of cyber criminals, because the cutting edge of finance is where the regulation is limited and weakest and non-existent in some cases. So of course, as a criminal, that's where you're going to sort of go to. So as we see cryptocurrency become more embedded in society and we've already seen, you know, big organizations getting into crypto, we've seen the thing called the Bitcoin ETF, the exchange traded funds, you know, you can now invest in Bitcoin in the same way you would invest in normal shares in normal companies in the US, for example. Cryptocurrency is going to become more and more embedded into society. There's going to be more and more innovation on top of that. And I suspect the North Koreans are not going to shy away from targeting that innovation. Every new wave, every new thing that comes through, every new innovation that's quite cool and groovy and will help us potentially in the future have a new financial world. North Koreans and other cyber criminals are going to hop on board with it, hop on top of it and see if they can exploit it first.

Gary Ruddell:

Like you say, Geoff, this probably isn't going to end anytime soon. And yes, those concerns around... if we did embrace North Korea as a nation again, and embedding things like logic bombs in systems they get access to, that is a real concern, isn't it? Nick, from a vendor perspective, from our side of the game, what do good security practices look like for us?

Nick Palmer:

Well, as Geoff was speaking, I was thinking to myself how thankful I am about the seriousness that Group-IB takes about our hiring process. So, Geoff, you might not know about this, but we have a fairly in-depth security practice within Group-IB to screen employees and perform different security checks to ensure that who we are hiring is very important. So I think you're exactly right. You know, looking at how are they doing it today, how might they do it in the future, is an important question to ask as well. And then make sure that you have the necessary both security checks in place, device checks in place, for access to certain data or modifications to certain programs for certain levels of employees. That will be absolutely essential. I love what Geoff was saying about trying to anticipate where this will go in the future from a pure ingenuity perspective. When you tighten the screws, like Geoff was saying, as hard as they are against North Korea today, they have to be creative in the way that they target organizations, and we as defenders need to think about what that might look like and make sure we have the practices in place.

Gary Ruddell:

I'm sure if anything does happen, we'll hear about it from Geoff because we're now buddies with the guy who keeps his eye on Lazarus Group for us. So yeah, I mean, if you haven't heard the Lazarus Heist podcast, I do recommend that you go check it out. It's a fantastic podcast. There's another podcast about the, is it the Pongsu? It's about a shipping vessel. That was a fantastic podcast as well. So there's a few North Korea podcasts that just give you great insight that you would otherwise not get.

Geoff White:

Really good, the Pongsu podcast. I really enjoyed it. We were trying to work out, could we somehow integrate that into or cover that in the Lazarus Heist podcast? But it was two sort of separate, but it is really worth listening to. It's really well put together as well. So yes, thumbs up for that.

Gary Ruddell:

Thanks very much for your time today, Geoff. Been fantastic talking with you. And I look forward to seeing what you get up to in the very near future. I'm sure there's going to be some super interesting things on our airwaves, sadly, because it's a whole different, you know, malicious-based stuff. It's never good news. It's always bad news. But thank you very much.

Thanks for having me. I appreciate it.

Your data is valuable and it's under attack. Cyberespionage groups, financially motivated threat actors, ransomware attackers, and other criminal enterprises are on the rise. Working in secrecy to dismantle security perimeters, they spread like a virus through the web, stoking geopolitical tensions, holding businesses to ransom, and flooding criminal marketplaces with sensitive information. These groups thrive in secrecy now more than ever. Knowing who your adversaries are is critical. So join us as we ask who's behind the world's most prolific cybercriminal groups. What are their tactics, their motivations, and their impact? Who are the world's masked actors? Masked Actors is an independent podcast from Group-IB, a leading voice in the fight against cybercrime. The threat landscape evolves quickly, but all information was correct at the time of recording and based on Group-IB's High-Tech Crime Trends report 2025. Join in the conversation online using the hashtag maskedactors. And don't forget to subscribe so you don't miss an episode. Thanks for listening. See you next time as we uncover more of the world's top masked actors.