
FireEye: North Korea's Stealing Cryptocurrency

FireEye revealed that groups that appear to be sponsored by North Korea have targeted South Korean cryptocurrency exchanges and service providers. At least three attacks on these orgs have been conducted since May, the security company said, and more could be planned for the future. Those fears pale in comparison to North Korea testing nuclear weapons, but cryptocurrency owners should probably still be concerned.

It's no surprise that someone has been trying to steal cryptocurrency. Bitcoin, Ethereum, and other "coins" have all surged in popularity in recent months, at least for short periods of time. That rise prompted many people to buy graphics cards so they can mine their own cryptocurrency, which has in turn created a shortage of GPUs that makes it next to impossible for gamers to find low-end or mid-tier cards at reasonable prices.

North Korea doesn't seem interested in mining, but that doesn't mean the country's leadership wants to ignore the money it can make by acquiring and selling cryptocurrency. According to FireEye, it would rather steal those funds, as evidenced by the company's timeline of attacks:

April 22 – Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different than those we have observed in following intrusion attempts and as of yet there are no clear indications of North Korean involvement).

April 26 – The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.

Early May – Spearphishing against South Korean Exchange #1 begins.

Late May – South Korean Exchange #2 compromised via spearphish.

Early June – More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.

Early July – South Korean Exchange #3 targeted via spear phishing to personal account.

FireEye didn't mince words in its report. The company said North Korea is a "pariah nation" that "operates in many ways like a criminal enterprise" and has been forced by various economic sanctions to find new ways to make money. The relative lack of regulation and lax security of some cryptocurrency service providers make them a prime target for a "Hermit Nation" looking to make a quick buck.

Cryptocurrency might also be easy for the attackers to launder into more established currencies. The whole purpose of these exchanges is to convert a cryptocurrency into something like U.S. dollars or South Korean won. Unless those companies are honest and diligent, it probably wouldn't be particularly hard for someone to sell off their ill-gotten cryptocurrency with no one being the wiser.