
North Korean Hackers Exploit Chromium Zero-Day to Target Cryptocurrency Users Worldwide

Microsoft has confirmed that a North Korean threat actor tracked as Citrine Sleet is actively exploiting a zero-day vulnerability in the Chromium browser engine to compromise cryptocurrency users and steal digital assets. The disclosure, published on August 30, 2024, reveals a sophisticated operation specifically designed to infiltrate the crypto ecosystem through browser-based attacks.

The Threat Landscape

The vulnerability, designated CVE-2024-7971, is a type confusion bug in the V8 JavaScript and WebAssembly engine that powers Chromium-based browsers. Exploiting this flaw allows attackers to achieve remote code execution within the sandboxed renderer process. Google patched the vulnerability on August 21, 2024, in Chromium version 128.0.6613.84, but Microsoft identified active exploitation beginning August 19.

Citrine Sleet operates as a financially motivated threat actor based in North Korea, primarily targeting financial institutions and individuals managing cryptocurrency holdings. The group conducts extensive reconnaissance of the cryptocurrency industry, creating elaborate fake websites that mimic legitimate trading platforms. These fraudulent sites distribute weaponized job applications and trojanized cryptocurrency wallets designed to compromise targets.

Core Principles

The attack chain follows a well-established pattern for North Korean cyber operations against the crypto sector. Citrine Sleet deploys a custom trojan called AppleJeus, which collects system information and credential data necessary to seize control of cryptocurrency wallets and exchange accounts. In this campaign, the group also deployed the FudModule rootkit, a sophisticated kernel-level tool that disables security monitoring on compromised Windows systems.

The exploitation of a browser engine vulnerability represents an evolution in targeting methodology. Rather than relying solely on social engineering to deliver malware, Citrine Sleet leverages a genuine browser flaw to compromise targets who simply visit a malicious webpage. This dramatically lowers the barrier for successful attacks against cryptocurrency holders who use browser-based wallets and trading platforms.

Tooling and Setup

Citrine Sleet maintains a robust toolkit for cryptocurrency theft. The AppleJeus trojan has been in continuous development, with variants targeting Windows, macOS, and Linux systems. The group creates convincing replicas of legitimate cryptocurrency platforms, complete with professional branding, functional user interfaces, and fake customer reviews. Some operations involve distributing modified versions of genuine cryptocurrency applications that contain hidden backdoors.

The FudModule rootkit deployed in this campaign operates at the kernel level, utilizing legitimate but vulnerable drivers to bypass Windows security mechanisms including Driver Signature Enforcement. Once installed, it disables antivirus and endpoint detection solutions, ensuring persistent access to compromised systems. Microsoft has noted shared infrastructure between Citrine Sleet and another North Korean group tracked as Diamond Sleet, suggesting coordinated resource allocation.

Ongoing Vigilance

This campaign underscores the persistent threat that nation-state actors pose to the cryptocurrency ecosystem. The United States Cybersecurity and Infrastructure Security Agency has assessed that North Korean actors will likely continue targeting vulnerabilities in cryptocurrency technology firms, exchanges, and individual holders to generate revenue for the regime. The combination of a browser zero-day with advanced rootkit capabilities represents a significant escalation in the sophistication of these attacks.

Cryptocurrency users should ensure their browsers are updated to the latest Chromium version. Hardware wallets remain the most secure option for storing significant crypto holdings, as they keep private keys isolated from internet-connected devices. Users should verify the authenticity of any cryptocurrency platform before connecting wallets or entering credentials, and should be particularly cautious about unsolicited job offers from crypto companies, which remain a primary lure for Citrine Sleet operations.
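One way a defender can act on the "update to the patched build" advice across a fleet, as an added example that is not part of the article: compare each installed Chromium-style version numerically against the fix release the article names, 128.0.6613.84, and list the hosts still exposed. The hostnames and version strings in the inventory are constructed sample data.

```python
# Added example (not from the article): flag Chromium-based browsers that predate
# the CVE-2024-7971 fix. Hostnames and versions below are constructed sample data.
from typing import Dict, List, Tuple

# Version the article states Google shipped the fix in (August 21, 2024).
FIXED_VERSION = "128.0.6613.84"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple so comparison is numeric.

    Comparing raw strings is a classic mistake: "99.0.4844.51" > "128.0.6613.84"
    lexically, so an ancient build would look newer than the fix.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium-style version: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return major, minor, build, patch


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build already carries the fix."""
    return parse_version(installed) >= parse_version(fixed)


def unpatched_hosts(inventory: Dict[str, str], fixed: str = FIXED_VERSION) -> List[str]:
    """Return (sorted) hostnames whose browser is still exposed.

    Entries with an unparsable version are reported too: an unknown build
    must be treated as unpatched until someone checks it by hand.
    """
    exposed = []
    for host, version in inventory.items():
        try:
            if not is_patched(version, fixed):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return sorted(exposed)


# Constructed sample inventory, e.g. an export from an endpoint-management tool.
SAMPLE_INVENTORY = {
    "trader-01": "128.0.6613.84",   # exactly the fix release: patched
    "trader-02": "127.0.6533.120",  # previous major: exposed
    "trader-03": "128.0.6613.120",  # later patch release: patched
    "trader-04": "99.0.4844.51",    # a string compare would wrongly pass this one
    "trader-05": "unknown",         # inventory gap: treat as exposed
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Chromium to {FIXED_VERSION} or later (CVE-2024-7971)")
```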

Final Takeaway

The Citrine Sleet campaign exploiting CVE-2024-7971 represents a convergence of nation-state capabilities with financially motivated targeting of the cryptocurrency sector. With Bitcoin trading near $59,100 and the total crypto market cap exceeding $2 trillion, the financial incentives for these attacks will only grow. The crypto community must adopt the same security rigor expected in traditional finance, including prompt patching, hardware wallet usage, and verification of all platform authenticity before engaging with new services.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for specific threat mitigation strategies.


10 thoughts on “North Korean Hackers Exploit Chromium Zero-Day to Target Cryptocurrency Users Worldwide”

  1. North Korea running fake trading platforms to target crypto users via browser exploits is next level. Citrine Sleet has been at this for years and keeps evolving

    1. they also use social engineering on LinkedIn to get jobs at crypto companies. It's not just technical exploits, full spectrum operations

      1. the LinkedIn infiltration gets less attention but it's arguably worse. Once inside a company the browser exploit is just the finisher

      2. the LinkedIn social engineering is the real threat. Getting hired at a crypto company and then triggering the browser exploit from inside the network. Game over

  2. CVE-2024-7971 is a V8 type confusion bug. Chromium patches Aug 21 but Microsoft sees active exploitation starting Aug 19. That 2 day gap is the entire attack window

    1. V8 type confusion to escape the renderer sandbox. That's not script kiddie stuff, that's nation state exploit development

  3. Citrine Sleet has been running these campaigns since 2021 at least. The fake exchanges are getting harder to spot, one had fake CoinGecko volume

    1. thermal_issue

      fake CoinGecko volume is wild. They basically built an entire fake exchange ecosystem including fake liquidity and fake trading pairs. State level resources go hard

      1. krill_survivor

        state level resources building fake exchanges with fake CoinGecko volume. You can't out-paranoid a government that has a whole department for this
