Threat Intelligence Tarot
Vol. II · 127
North Korea (Lazarus financial sub-cluster)
G0098
risk 5/5
The Sapphire Heist
BlueNoroff
Sapphire Sleet · Stardust Chollima · APT38-adjacent · TA444
Targets: Cryptocurrency exchanges · DeFi platforms · Venture capital firms · Banks
Active since ~2014 · Financial theft, Sanctions evasion, Cryptocurrency acquisition
The Sapphire Heist does not crack vaults. It interviews them — over LinkedIn, over coffee, over a job offer too generous to ignore. The vault hands over its keys with a smile.
Tactics & Techniques
  • T1566.002 Spearphishing Link (Initial Access)
  • T1078 Valid Accounts (Persistence)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1071.001 Web Protocols (Command and Control)
  • T1657 Financial Theft (Impact)
  • T1567.002 Exfiltration to Cloud Storage (Exfiltration)
Notable Operations
  • AppleJeus cryptocurrency trading app trojanization
  • LinkedIn recruiter persona lures against crypto employees
  • RustBucket and ObjCShellz macOS backdoors
  • Ronin bridge $625M theft (March 2022; attributed by the FBI to Lazarus Group/APT38)
Defenses
  • Hardware-key MFA for cryptocurrency treasury and signing operations
    NIST SP 800-63B
  • Social engineering training specifically covering recruiter-persona lures
    NIST CSF: PR.AT
  • macOS endpoint detection with behavioral analysis for unsigned and ad-hoc-signed Mach-O binaries (Apple silicon will not run wholly unsigned code, so a dropped payload is often ad-hoc signed; key on the missing Developer ID signature and on the parent process, not on the absence of any signature alone)
    MITRE D3FEND
  • DeFi smart contract audits and multi-signature treasury controls
    CIS Control 6
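A triage check for the "unsigned Mach-O" detection above, as an added example that is not code from the original card or from any vendor product. It reads only the Mach-O header and load-command table, handles thin images (32- and 64-bit, either byte order) and fat/universal files, and reports a file as "unsigned" when any image lacks an LC_CODE_SIGNATURE load command. The sample binaries are constructed in the script (headers and load commands only, no machine code) so it runs offline; the function names and the hypothetical `SAMPLES` table are this example's own.

```python
"""Flag Mach-O files that carry no LC_CODE_SIGNATURE load command.

Added example: not part of the original profile. Presence of the command is
only a precondition for a valid signature; validating it, and telling ad-hoc
from Developer ID, is left to codesign(1) or the Security framework.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE            # 32-bit thin image
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit thin image
FAT_MAGIC = 0xCAFEBABE           # universal binary, big-endian header
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
LC_MAIN = 0x80000028


def _thin_load_commands(data):
    """Yield (cmd, cmdsize) for one thin Mach-O image, bounds-checking each command."""
    magic_le, = struct.unpack_from("<I", data, 0)
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        end, magic = "<", magic_le
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        end, magic = ">", magic_be
    else:
        raise ValueError("not a thin Mach-O image")
    header_size = 32 if magic == MH_MAGIC_64 else 28
    # ncmds and sizeofcmds sit at offsets 16 and 20 in both header widths.
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 16)
    off, limit = header_size, min(len(data), header_size + sizeofcmds)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > limit:
            raise ValueError("malformed load command")  # truncated file or lying header
        yield cmd, cmdsize
        off += cmdsize


def _images(data):
    """Yield each thin image: the file itself, or every slice of a fat binary."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        # Java class files share this magic; an absurd slice count is treated as malformed.
        nfat, = struct.unpack_from(">I", data, 4)
        if nfat == 0 or nfat > 64:
            raise ValueError("implausible fat_arch count")
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            if offset + size > len(data):
                raise ValueError("fat slice outside file")
            yield data[offset:offset + size]
    else:
        yield data


def code_signature_status(data):
    """Return 'signed', 'unsigned' or 'not-macho' for raw file bytes."""
    try:
        present = [any(cmd == LC_CODE_SIGNATURE for cmd, _ in _thin_load_commands(img))
                   for img in _images(data)]
    except (ValueError, struct.error):
        return "not-macho"
    return "signed" if all(present) else "unsigned"


# ---- constructed samples: header and load commands only, no executable code ----
def _thin(cmds, magic=MH_MAGIC_64):
    body = b"".join(cmds)
    hdr = struct.pack("<IiiIIII", magic, 0x0100000C, 0, 2, len(cmds), len(body), 0)  # arm64, MH_EXECUTE
    if magic == MH_MAGIC_64:
        hdr += struct.pack("<I", 0)          # reserved field of mach_header_64
    return hdr + body


def _fat(slices):
    hdr = struct.pack(">II", FAT_MAGIC, len(slices))
    table, blobs, offset = b"", b"", 8 + 20 * len(slices)
    for img in slices:                       # real linkers page-align slices; only offsets matter here
        table += struct.pack(">5I", 0x0100000C, 0, offset, len(img), 0)
        blobs += img
        offset += len(img)
    return hdr + table + blobs


UUID_CMD = struct.pack("<II", LC_UUID, 24) + bytes(16)
MAIN_CMD = struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)
CODESIG_CMD = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)

SAMPLES = {
    "signed_arm64": _thin([UUID_CMD, MAIN_CMD, CODESIG_CMD]),
    "unsigned_arm64": _thin([UUID_CMD, MAIN_CMD]),
    "fat_one_slice_unsigned": _fat([_thin([UUID_CMD, MAIN_CMD, CODESIG_CMD]),
                                    _thin([UUID_CMD, MAIN_CMD])]),
    "shell_script": b"#!/bin/sh\necho hi\n",
}

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(code_signature_status(fh.read()), path)
    else:
        for name, blob in SAMPLES.items():
            print(f"{code_signature_status(blob):10} {name}")
```

Run it with no arguments to see the constructed samples classified, or pass file paths to scan real binaries. In a detection pipeline this check is the cheap first filter: an "unsigned" result on a Mach-O written by a browser, a chat client or an archive tool, and then executed, is the event worth alerting on, and the "signed" result still needs the signature verified and the signing identity inspected.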
Reversed: Their Weakness
Cryptocurrency employee training that treats recruiter outreach as a phishing vector, plus hardware key requirements for treasury operations, blunts this operator's edge.


Data sourced from MITRE ATT&CK. For educational purposes.