
YEREVAN (CoinChapter.com) — Microsoft Security Intelligence has uncovered a new attack on cryptocurrency investment companies. According to a recent press release, the hacker, dubbed DEV-0139, used the messaging app Telegram to find and target new victims.
As per the detailed report, the hacker joined several Telegram groups in October containing high-profile clients of crypto startups. They then identified a target among the group members and opened a direct line of communication with them by posing as an employee of a crypto exchange.

After gaining their trust, the hacker invited the victim to another group where they pretended to ask for their feedback on the fee structures of exchanges. The fact that the hacker was well-informed about the market helped them come across as genuine employees, thus making it easier to scam investors.
DEV-0139 then sent a malicious Excel file named OKX Binance & Huobi VIP fee comparision.xls (the misspelling is part of the original filename). The file allegedly contained several tables comparing the fee structures of cryptocurrency exchanges.
Once the user downloaded and opened the file, it triggered a chain of activity, including dropping more files on the system. Through a second Excel sheet that ran in the background, the attacker eventually gained remote access to the infected system.
The hacker then used the compromised system to establish backdoor communication with a command-and-control (C2) server.
Microsoft’s security division explained the details of the new hack through a detailed diagram.
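The chain described above (a lure spreadsheet whose macro drops files and launches a second, background Excel instance) leaves a recognisable trace in endpoint telemetry. The following is an added detection sketch, not code from Microsoft's report or from CoinChapter; it runs over constructed Sysmon-like process-creation and file-creation events. The event layout, field names, drop path and second-stage filenames are assumptions made for the example; only the lure filename comes from the article.

```python
"""Added detection sketch (not from Microsoft's report or CoinChapter): flags an
Office document whose macro drops files into a user-writable folder and then
launches a second, background Excel instance. Event shape and field names are
assumptions; adapt them to the EDR or SIEM in use."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Child processes a spreadsheet rarely needs but that macros commonly launch.
# A second excel.exe is on the list because the chain above used one.
SUSPICIOUS_CHILDREN = {
    "excel.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe",
}

# Directories a dropped payload usually lands in (assumed list).
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|public)\\", re.IGNORECASE)

# File types an Office app has no business writing into those directories.
PAYLOAD_EXT = (".xls", ".xlsm", ".xlam", ".dll", ".exe", ".vbs", ".js", ".ps1")


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, so matching ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Process-creation event: {'parent_image', 'image', 'command_line'}."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    alerts = []
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        alerts.append(Alert("office_spawns_suspicious_child",
                            f"{parent} -> {child}: {ev['command_line']}"))
    # A second Office instance opening a document from a drop location.
    if parent in OFFICE_APPS and child in OFFICE_APPS and USER_WRITABLE.search(ev["command_line"]):
        alerts.append(Alert("office_relaunch_from_drop_path", ev["command_line"]))
    return alerts


def check_file(ev: dict) -> list:
    """File-creation event: {'image', 'target'}."""
    proc, target = basename(ev["image"]), ev["target"]
    if proc in OFFICE_APPS and USER_WRITABLE.search(target) and target.lower().endswith(PAYLOAD_EXT):
        return [Alert("office_drops_payload", f"{proc} wrote {target}")]
    return []


def scan(events: list) -> list:
    """Run every event through the matching check and collect alerts in order."""
    alerts = []
    for ev in events:
        checker = check_process if ev["type"] == "process" else check_file
        alerts.extend(checker(ev))
    return alerts


# Constructed sample telemetry (not captured data). The lure filename is the one
# named in the article; the drop path and second-stage names are made up here.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": EXCEL,
     "command_line": r'"EXCEL.EXE" "C:\Users\alice\Downloads\OKX Binance & Huobi VIP fee comparision.xls"'},
    {"type": "file", "image": EXCEL, "target": r"C:\Users\alice\AppData\Local\Temp\stage2.xls"},
    {"type": "file", "image": EXCEL, "target": r"C:\Users\alice\AppData\Local\Temp\stage2.dll"},
    {"type": "process", "parent_image": EXCEL, "image": EXCEL,
     "command_line": r'"EXCEL.EXE" "C:\Users\alice\AppData\Local\Temp\stage2.xls"'},
    # Benign control: Excel printing via the 64-bit spooler helper should stay quiet.
    {"type": "process", "parent_image": EXCEL, "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The first event (a user opening a downloaded spreadsheet from Explorer) is deliberately not flagged, since that is ordinary behaviour; the signal is Excel itself writing executable content into a temp directory and then re-launching on that dropped file. On a real estate these rules need tuning for add-ins and printing helpers that legitimately run under Office.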

North Korean Lazarus Group behind the DEV-0139 hack?
According to cybersecurity firm Volexity, the style of the recent attacks confirms that North Korea’s state-sponsored Lazarus Group is behind them. On closer examination, the firm concluded that the techniques used in the two sets of activity are similar.
The United States Government has already sanctioned the group. Earlier this year, Lazarus conducted a cyber espionage campaign targeting U.S., Canadian, and Japanese energy providers.
The group is also suspected of being behind the 2014 attack on the Sony Network. Following the hack, the network shut down completely the next day, as the hackers had leaked confidential data from the studio.
“Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents,” the security firm announced.
Changpeng Zhao, the CEO of the cryptocurrency exchange Binance, also posted about the incident. He also urged people to be cautious and not download compromised files.

As CoinChapter earlier reported, the crypto industry is riddled with hacks. The Decentralized Finance (DeFi) industry has been the target of many cyber attacks.