Red Hot Cyber
BlueNoroff: The Hacker Group Revolutionizing Cybercrime

23 January 2026 19:26

The BlueNoroff hacker group has long since transformed cybercrime into a high-tech business, with tens of millions of dollars, cryptocurrency assets, and entire financial ecosystems at stake.

A report by Picus Security details the group’s evolution. Starting with brazen attacks on banks, BlueNoroff has gradually evolved into one of the most dangerous threats to the cryptocurrency market, Web3 businesses, and developers worldwide.

BlueNoroff is considered the financial arm of the Lazarus Group and gained notoriety in 2016 when it participated in the attack on the Central Bank of Bangladesh. The attackers compromised the bank’s SWIFT messaging infrastructure, issued fraudulent transfer orders, and stole $81 million, making it one of the most high-profile cyber heists in history. The group then moved on to attack banks in Europe and, in 2017, shifted its focus and began targeting cryptocurrency companies as part of the SnatchCrypto campaign.

In 2018, hackers began creating fake IT companies and distributing “legitimate” software, which later received malicious updates. In recent years, their main targets have become macOS users and Web3 projects. In the GhostCall and GhostHire campaigns, attackers impersonated recruiters and investors, held fake interviews and meetings, and infected the devices of executives and developers. In 2025, the group went even further, launching supply chain attacks, publishing malicious packages in official Go repositories, and disguising malware as Microsoft Teams applications.

The group’s attacks are based on meticulous reconnaissance. The operators scour LinkedIn and other social media profiles, build plausible fake identities, and then contact victims via Telegram and other messaging apps or through fake video conferencing sites. Victims may be offered a verification task, an interview, or an investment meeting, which in reality ends with the installation of malware.

BlueNoroff’s technical arsenal is extensive. They employ modular malware written in Rust, Go, Python, and other languages, use AppleScript and shell scripts to execute code on macOS, impersonate browser extensions, establish persistence (autorun) mechanisms, and disguise malicious files as system processes and popular applications. To steal data, they use fake password prompts, spoofed system dialogs, and hidden credential harvesters that search for access keys to cloud services and crypto wallets.
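The macOS techniques listed above (persistence items disguised as system or popular-app processes, AppleScript run via osascript, payloads staged in hidden or user-writable paths) all leave traces in launchd plists. The following triage script is an added example and is not code from the Picus report or from BlueNoroff’s tooling; the heuristics, vendor-label list, and the two sample plists are the editor’s own constructions and are not real indicators of compromise.

```python
"""Triage macOS LaunchAgent/LaunchDaemon plists for signs of attacker persistence.

Added example, not code from the Picus report or from any BlueNoroff sample.
The heuristics turn the behaviours the article lists (vendor-lookalike labels,
osascript from a persistence item, hidden or user-writable staging paths) into
generic checks. The plists below are constructed samples, not real indicators.
"""
import plistlib
import re
from pathlib import PurePosixPath

# Staging locations a vendor-installed agent would not normally use (assumed list).
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Label prefixes an attacker might imitate; a genuine one points at a vendor install path.
IMITABLE_LABEL_PREFIXES = ("com.apple.", "com.microsoft.", "com.google.", "us.zoom.")
VENDOR_ROOTS = ("/System/", "/Applications/", "/Library/", "/usr/", "/bin/", "/sbin/")
# A vendor label that merely fronts a generic interpreter is a red flag.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "env", "curl"}
# Matches a hidden directory component such as /Users/Shared/.cache/ (but not ./ or ../).
HIDDEN_DIR = re.compile(r"(?:^|/)\.[^./\s'\"][^/\s'\"]*/")


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons this launchd item looks suspicious; an empty list means nothing odd."""
    item = plistlib.loads(plist_bytes)
    label = str(item.get("Label", ""))
    args = item.get("ProgramArguments")
    if not args and "Program" in item:
        args = [item["Program"]]
    args = [str(a) for a in (args or [])]
    if not args:
        return [f"{label or '<no label>'}: no Program/ProgramArguments"]
    program = args[0]
    joined = " ".join(args)  # shell -c payloads hide paths inside one argument
    reasons: list[str] = []

    for prefix in USER_WRITABLE_PREFIXES:
        if prefix in joined:
            reasons.append(f"references user-writable staging path under {prefix}")
            break
    if HIDDEN_DIR.search(joined):
        reasons.append("references a hidden dot-directory")
    if "osascript" in joined:
        reasons.append("invokes osascript (AppleScript) from a persistence item")
    if label.startswith(IMITABLE_LABEL_PREFIXES):
        if PurePosixPath(program).name in INTERPRETERS:
            reasons.append(f"label {label!r} imitates a vendor but runs generic interpreter {program!r}")
        elif not program.startswith(VENDOR_ROOTS):
            reasons.append(f"label {label!r} imitates a vendor but {program!r} is outside vendor install paths")
    # RunAtLoad + KeepAlive is normal for legitimate agents, so report it only as
    # supporting context once something else already looked wrong.
    if reasons and item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("auto-starts at login and is respawned if killed")
    return reasons


def triage_samples(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the triage over a mapping of plist path -> contents (e.g. from ~/Library/LaunchAgents)."""
    return {path: triage_launch_agent(data) for path, data in samples.items()}


# Constructed sample: a normal vendor updater agent.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: Apple-lookalike label, shell wrapper, AppleScript password
# prompt, payload in a hidden directory under /Users/Shared.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>osascript -e 'tell application "System Events" to display dialog "Enter your password" default answer "" with hidden answer'; /Users/Shared/.cache/teams-helper</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for path, findings in triage_samples(
        {"benign.plist": BENIGN_PLIST, "lookalike.plist": SUSPICIOUS_PLIST}
    ).items():
        print(path, "->", findings or "clean")
```

On a real host, feed `triage_samples` the contents of every plist under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the findings are triage hints, not verdicts, and the prefix and label lists should be tuned to the fleet’s installed software.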

The primary objective of all operations remains money. The group systematically steals cryptocurrencies, financial data, and digital assets, turning complex APT attacks into tools for large-scale financial fraud.

Experts emphasize that BlueNoroff is one of the most advanced cybercriminal groups in the world. Its history, from attacks on banking infrastructure to complex social engineering schemes, supply chain attacks, and fake job interviews, demonstrates how cybercrime is evolving into a full-fledged industry, where technology, psychology, and deception work hand in hand. And judging by the group’s activity in 2024 and 2025, it certainly shows no signs of slowing down.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.