How State-Sponsored Hackers Like DPRK Drain DeFi Protocols: Uneasy Money
- DPRK hackers use social engineering to facilitate supply chain attacks - Attackers pose as VCs on Zoom or Teams and talk a developer into running a command that hands them full control of the developer's machine. From that foothold they reach the code the developer maintains, including widely used dependencies such as Axios.
  “The second I saw the stuff, I made a lot of calls to get the full set of indicators for recent DPRK stuff to see if we could get more insight. I think especially relevant, and like the thing that's top of mind, is obviously the Axios hack happened yesterday.”
- Session token theft renders hardware MFA ineffective - Once a developer's device is compromised, attackers copy the already-authenticated session tokens and replay them from their own machines. Because the token was issued after a successful MFA login, the server sees an existing session rather than a new login: MFA is never re-prompted and no 'unauthorized login' event is recorded.
  “If your computer is completely compromised in the way that DPRK compromises computers, that token, they take that token and they reuse it. Now it doesn't matter that you have MFA. It doesn't matter at all.”
- Pinning dependencies is a key defense against malicious updates - To avoid silently pulling compromised code into a project, pin exact versions (and commit the lockfile) instead of accepting floating version ranges that auto-update, and hold off on adopting a new release until the community has had time to vet it.
  “The normal mechanism that they use to compromise people is they get one person on a Zoom call and they make that person run a command, and that command then does all this malicious stuff and gives them like full access to the computer.”
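The session-token point above is worth making concrete: a check that only asks "is this token valid?" passes for a stolen token, because the token really was minted after a hardware-MFA login. The following is an added example, not code from the page or from any project it mentions. It shows two server-side checks that still catch the replay pattern described in the quote: binding the session to the client fingerprint it was issued to, and requiring a fresh MFA for sensitive actions regardless of how the session started. The session record, request log, path list and ten-minute freshness window are all constructed for illustration.

```javascript
// Added example (not from the page or any project it mentions): two
// server-side checks that still bite after a developer's laptop is fully
// compromised and the session token is lifted. All data below is constructed.

// What the login flow recorded when it minted the token. The token passed a
// hardware-MFA login, so a plain "is this token valid?" check will keep
// saying yes no matter who presents it.
const SESSIONS = {
  tok_7f3a: {
    user: "dev.alice",
    mfaAt: "2024-05-01T08:59:30Z",
    ip: "203.0.113.10",
    ua: "Mozilla/5.0 (Macintosh) Chrome/124",
  },
};

// Constructed request log: the developer's own traffic, then the same token
// replayed from another machine, then a token the server never issued.
const EVENTS = [
  { ts: "2024-05-01T09:00:01Z", token: "tok_7f3a", ip: "203.0.113.10", ua: "Mozilla/5.0 (Macintosh) Chrome/124", path: "/api/repos" },
  { ts: "2024-05-01T09:05:12Z", token: "tok_7f3a", ip: "203.0.113.10", ua: "Mozilla/5.0 (Macintosh) Chrome/124", path: "/api/repos/wallet/pulls" },
  { ts: "2024-05-01T09:31:00Z", token: "tok_7f3a", ip: "203.0.113.10", ua: "Mozilla/5.0 (Macintosh) Chrome/124", path: "/api/repos/wallet/secrets" },
  { ts: "2024-05-01T11:42:07Z", token: "tok_7f3a", ip: "198.51.100.77", ua: "python-requests/2.31", path: "/api/repos/wallet/secrets" },
  { ts: "2024-05-01T11:42:09Z", token: "tok_7f3a", ip: "198.51.100.77", ua: "python-requests/2.31", path: "/api/repos/wallet/deploy-keys" },
  { ts: "2024-05-01T11:50:00Z", token: "tok_dead", ip: "198.51.100.77", ua: "python-requests/2.31", path: "/api/repos" },
];

// Paths whose handlers should demand a recent MFA, not just a valid session
// (hypothetical list for this example).
const SENSITIVE = /\/(secrets|deploy-keys|settings)(\/|$)/;
const MFA_FRESHNESS_MS = 10 * 60 * 1000;

// Check 1: bind the session to the client it was issued to.
function fingerprintDiff(session, ev) {
  const diffs = [];
  if (session.ip !== ev.ip) diffs.push(`ip ${session.ip} -> ${ev.ip}`);
  if (session.ua !== ev.ua) diffs.push(`ua "${session.ua}" -> "${ev.ua}"`);
  return diffs;
}

// Check 2: step-up authentication for sensitive actions.
function mfaIsFresh(session, ev) {
  return Date.parse(ev.ts) - Date.parse(session.mfaAt) <= MFA_FRESHNESS_MS;
}

// Decide one request: allow | unknown_token | reauth | step_up.
function evaluateRequest(sessions, ev) {
  const session = sessions[ev.token];
  if (!session) return { decision: "unknown_token" };
  const diffs = fingerprintDiff(session, ev);
  if (diffs.length > 0) {
    // A valid, MFA-backed token presented by a different client: treat it as
    // possibly stolen. Revoke it and force a fresh login rather than trusting
    // the MFA that happened on the original machine.
    return { decision: "reauth", user: session.user, reason: diffs.join("; ") };
  }
  if (SENSITIVE.test(ev.path) && !mfaIsFresh(session, ev)) {
    return { decision: "step_up", user: session.user, reason: "mfa older than 10 min" };
  }
  return { decision: "allow", user: session.user };
}

// Run every request through the checks and keep the verdicts.
function triage(sessions, events) {
  return events.map((ev) => ({ ts: ev.ts, path: ev.path, ...evaluateRequest(sessions, ev) }));
}

for (const r of triage(SESSIONS, EVENTS)) {
  console.log(`${r.ts} ${r.decision.padEnd(13)} ${r.path}${r.reason ? "  (" + r.reason + ")" : ""}`);
}
```

Two caveats. First, IP and user-agent changes also happen for legitimate reasons (VPNs, mobile networks, browser updates), so the first check is a trigger for re-authentication, not proof of theft; cryptographically device-bound sessions are the stronger version of the same idea. Second, in the scenario the speaker describes the attacker owns the developer's whole machine and can simply drive requests from the developer's own browser, which passes the fingerprint check; the step-up requirement still forces a fresh hardware-MFA touch for sensitive actions that a remote operator cannot supply on their own.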
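The dependency-pinning point above becomes actionable only if you can see where a project still floats. The following is an added example, not code from the page or from any project it mentions, and it goes a little beyond the summary: it audits a constructed npm package.json for specifiers that resolve to whatever is newest, checks a constructed package-lock.json (lockfileVersion 3 layout) for entries with no integrity hash, and turns "wait for the community to vet a release" into a minimum-release-age rule using publish dates in the shape `npm view <pkg> time --json` returns. The manifests, lockfile, publish dates, "today" and the seven-day threshold are all made up for illustration.

```javascript
// Added example, not from the page or any project it mentions: a small
// offline audit of constructed npm manifests. It flags (1) package.json
// specifiers that float to whatever is newest, (2) lockfile entries with no
// integrity hash, and (3) locked versions published too recently to have
// been vetted. All inputs below are made up for illustration.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "wallet-frontend",
  dependencies: {
    axios: "^1.6.0",            // caret: any 1.x.y >= 1.6.0
    ethers: "6.11.1",           // exact
    lodash: "~4.17.21",         // tilde: any 4.17.x >= .21
    "left-pad": "*",            // anything
    "some-lib": "latest",       // dist-tag, moves with every publish
    "internal-tool": "github:example/internal-tool#main", // branch, not a commit
    vendored: "file:../vendored", // local path, nothing fetched
  },
  devDependencies: { typescript: ">=5.0.0", eslint: "8.57.0" },
});

// npm lockfileVersion 3 "packages" map, reduced to the fields the check needs.
// One entry is missing its integrity hash on purpose.
const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-frontend" },
    "node_modules/axios": { version: "1.6.8", resolved: "https://registry.example/axios-1.6.8.tgz", integrity: "sha512-AAAA" },
    "node_modules/ethers": { version: "6.11.1", resolved: "https://registry.example/ethers-6.11.1.tgz", integrity: "sha512-BBBB" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.example/lodash-4.17.21.tgz" },
  },
});

// Constructed publish dates in the shape `npm view <pkg> time --json` returns.
const SAMPLE_PUBLISH_TIMES = {
  axios: { "1.6.7": "2024-01-25T00:00:00Z", "1.6.8": "2024-04-30T18:00:00Z" },
  ethers: { "6.11.1": "2024-02-15T00:00:00Z" },
  lodash: { "4.17.21": "2021-02-20T00:00:00Z" },
};

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify one specifier: "exact" resolves to a single version forever,
// "local" fetches nothing, everything else can change underneath you.
function classifySpec(spec) {
  if (EXACT.test(spec)) return "exact";
  if (/^(file|link):/.test(spec)) return "local";
  if (/^(git\+|github:|gitlab:|bitbucket:|git:|https?:)/.test(spec)) {
    return /#[0-9a-f]{40}$/.test(spec) ? "exact" : "moving-git-ref"; // only a full commit hash pins
  }
  if (spec === "" || spec === "*") return "any";
  if (/^[\^~<>=]/.test(spec)) return "range";
  if (/^[A-Za-z]/.test(spec)) return "dist-tag";  // latest, next, beta ...
  return "range";                                  // "1.2", "1.2.x", "1.0.0 - 2.0.0"
}

function auditManifest(jsonText) {
  const pkg = JSON.parse(jsonText);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "exact" && kind !== "local") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// package.json pins only direct deps; the lockfile pins the whole tree, and
// only entries with an integrity hash let `npm ci` refuse a swapped tarball.
function auditLockfile(jsonText) {
  const lock = JSON.parse(jsonText);
  const missing = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue;  // root project / workspace links
    if (!entry.integrity) missing.push({ path, version: entry.version });
  }
  return missing;
}

// "Wait for vetting" as a rule: flag locked versions published < minDays before `now`.
function auditReleaseAge(lockText, publishTimes, now, minDays) {
  const lock = JSON.parse(lockText);
  const tooNew = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const published = publishTimes[name] && publishTimes[name][entry.version];
    if (!published) continue;
    const ageDays = (Date.parse(now) - Date.parse(published)) / 86400000;
    if (ageDays < minDays) tooNew.push({ name, version: entry.version, ageDays: Math.floor(ageDays) });
  }
  return tooNew;
}

const NOW = "2024-05-02T12:00:00Z";  // constructed "today" for the age check
console.log("floating specs:", auditManifest(SAMPLE_PACKAGE_JSON));
console.log("no integrity:", auditLockfile(SAMPLE_LOCKFILE));
console.log("published < 7 days ago:", auditReleaseAge(SAMPLE_LOCKFILE, SAMPLE_PUBLISH_TIMES, NOW, 7));
```

The release-age check is the part that matches the speaker's advice most directly: a pin is only as good as the moment you chose it, so the rule is to pin, then refuse to move the pin to a version younger than your vetting window. Pinning also does nothing against code that is already installed, so pair it with `npm ci` against a committed lockfile rather than `npm install`, which is allowed to rewrite the lockfile.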
