FireEye: North Korea's Stealing Cryptocurrency

FireEye revealed that groups that appear to be sponsored by North Korea have targeted South Korean cryptocurrency exchanges and service providers. At least three attacks on these organizations have been conducted since May, the security company said, and more could be planned for the future. That threat pales next to North Korea's nuclear weapons tests, but cryptocurrency owners should probably still be concerned.

It's no surprise that someone has been trying to steal cryptocurrency. Bitcoin, Ethereum, and other "coins" have all surged in popularity in recent months, if only for short stretches at a time. That rise prompted many people to buy graphics cards to mine their own cryptocurrency, which in turn created a GPU shortage that makes it next to impossible for gamers to find low-end or mid-tier cards at reasonable prices.

North Korea doesn't seem interested in mining, but that doesn't mean the country's leadership wants to ignore the money it can make by acquiring and selling cryptocurrency. According to FireEye, it would rather steal those funds, as evidenced by the company's timeline of attacks:

  • April 22 – Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures that were reportedly employed during this compromise were different from those we have observed in subsequent intrusion attempts, and as of yet there are no clear indications of North Korean involvement).
  • April 26 – The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.
  • Early May – Spearphishing against South Korean Exchange #1 begins.
  • Late May – South Korean Exchange #2 compromised via spearphish.
  • Early June – More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.
  • Early July – South Korean Exchange #3 targeted via spearphishing to a personal account.

FireEye didn't mince words in its report. The company said North Korea is a "pariah nation" that "operates in many ways like a criminal enterprise" and has been forced by successive economic sanctions to find new ways to make money. The relative lack of regulation and the lax security of some cryptocurrency service providers make them a prime target for a "Hermit Nation" looking to make a quick buck.

Cryptocurrency might also be easy for the attackers to launder into more established currencies. The whole purpose of these exchanges is to convert a cryptocurrency into something like U.S. dollars or South Korean won. Unless those companies are honest and diligent about who they let cash out, it probably wouldn't be particularly hard for someone to sell off ill-gotten cryptocurrency without anyone noticing.

Comment from the forums
  • bloodroses
    I can just see the N. Korea's slogan now:
    "Cryptocurrency: funding all our nuclear needs"

    Hopefully this issue gets tackled soon.
  • bit_user
    DPRK has long been a source of high-quality counterfeit bills. I think this is just a sign of them trying not to be left behind, as the world transitions away from paper currency.

    Unfortunately, cryptocurrencies are resilient against counterfeiting, meaning they have to resort to tactics akin to those of a high-tech pickpocket or con artist. Since mining is highly energy-intensive and requires good connectivity, it would be a bad move for them.

    Even without ICBMs and H-bombs, the only way anyone can do anything about North Korea is to make it more painful and costly for China to keep coddling them. Their conventional weapons deterrent is already quite effective. For decades, they've had the capability to flatten Seoul, without using a single nuke. That's already a price no one wants to pay.

    So, besides sanctions (which only seem to make them mad), the only things you can do are to use cyberwarfare and go after China. Cyber is tricky, because by virtue of being so far behind the rest of the world, they have the tactical advantage of a very small attack surface. China is tricky because if you're not careful, they'll hurt you worse.
  • SockPuppet
    Yes, a military that puts 80% of its resources and personnel parading along the same spot twice per year to appease the child-like fascinations of their man-child leader would just be SO hard to take out.