Threat Actor Profile
Bluenoroff (Gleaming Pisces)
Bluenoroff (also known as Gleaming Pisces) is a high-profile threat actor operating under the North Korean-affiliated Lazarus Group, first identified in 2014. This financially motivated group specializes in targeting cryptocurrencies and the financial sector using advanced social engineering, malware-based attacks, and emerging technologies. Their sophisticated operations reflect high levels of organization and state sponsorship.
Bluenoroff’s TTPs
Understanding Bluenoroff's tactics, techniques, and procedures can shed light on their highly targeted and methodical activities.
Tactics
Their primary objective is financial gain, which they pursue mainly by exploiting weaknesses in cryptocurrency platforms and financial institutions.
Techniques
Bluenoroff employs spear phishing campaigns, deepfake technology, and exploitation of vulnerabilities in digital wallets and trading platforms. Social engineering methods are frequently used to infiltrate organizations.
Procedures
The group utilizes malware such as custom backdoors, ransomware, and cryptocurrency-stealing trojans. Notably, they have been linked to exploiting blockchain bridge vulnerabilities and have engaged in extensive reconnaissance on their targets.
Notable Cyberattacks
One significant Bluenoroff operation was the 2022 deepfake "Zoom scam," in which the group used highly convincing fake video calls to impersonate legitimate employees and executives. This resulted in significant cryptocurrency theft. Another major highlight is the group's exploitation of blockchain bridges, which led to multi-million-dollar losses in crypto transactions.
Law Enforcement & Arrests
Despite Bluenoroff’s high-profile attacks, there have been no recorded arrests or dismantling of this group. This is largely due to the group operating within North Korea, a country that does not cooperate with international law enforcement efforts. Several cybersecurity agencies and organizations continue to monitor and report on their operations.
How to Defend Against Bluenoroff
Prioritize security awareness training so employees can recognize and respond effectively to phishing attempts, making them the first line of defense.
Deploy advanced endpoint detection and response (EDR) platforms to identify and counteract malware threats.