Press Release

CISA, FBI, and Treasury Expose Latest Tool in North Korea’s Cryptocurrency Theft Scheme – AppleJeus


WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury (Treasury) issued a joint cybersecurity advisory about North Korean government malicious activity the U.S. government refers to as “AppleJeus.” The advisory highlights technical details on this specific threat activity, mitigations for networks compromised by it, and recommended proactive mitigations for defense against it.   

The joint advisory provides technical details on seven versions of the AppleJeus malware, which has been used by North Korea posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. 

Matt Hartman, Acting Executive Assistant Director of Cybersecurity, CISA, said:

“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors. The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cyber criminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.” 

Paul Neff, Director of Cyber Policy, Preparedness and Response in the Office of Cybersecurity and Critical Infrastructure Protection, Treasury, said:  

“This advisory will provide the financial sector and the cybersecurity community with a detailed picture of North Korean threat capability that will assist cyber defenders in multiple sectors in identifying and mitigating this active threat, further demonstrating the value of interagency partnerships in combating cybercrime and malicious nation-state actor activity.” 

Tonya Ugoretz, Acting Assistant Director of Cyber Division, FBI, said:  

“Today’s announcement highlights the strong partnership between the FBI, CISA, and Treasury to defend against cyber threats to our nation's security. The FBI is committed to using our authorities, capabilities, and partnerships to raise the costs on those like North Korea who mistakenly believe they can hold our networks at risk without incurring risk themselves.”  

Working closely with our interagency and international partners, the FBI, CISA and Treasury share timely cyber threat information with the intent to disrupt malicious cyber activity and help our partners protect their networks. Today’s advisory along with seven malware analysis reports adds to a still growing list of malicious cyber activity by North Korean state actors. Four of the seven versions of AppleJeus malware were identified in 2020 and reveal a determination by this group to evolve and continue this scheme. A complete list of their activity and important mitigation recommendations, can be found here.   

Organizations, specifically those in the financial services sector, should give this activity the highest priority for assessing their networks and implementing appropriate mitigation. You can read the joint cybersecurity advisory here and the seven malware analysis reports here.