North Korea’s Elite Hacking Team Targets Crypto Users

Author: Tim Alper

20 to 30 elite cyber warriors may be behind the hacks.

South Korea’s cryptocurrency mania is well-documented, but the country’s northern neighbor is every bit as keen on crypto – and appears to be prepared to steal whatever it cannot earn. Per South Korea’s government, North Korean hackers have already plundered “millions of dollars” from Seoul-based cryptocurrency exchanges, could be behind last month’s mammoth raid of Japan’s Coincheck platform – and show no signs of slowing down.

But just how are North Korean hackers getting away with so many successful smash-and-grab sorties – and how are they managing to outwit their famously tech-savvy neighbors below the 38th parallel (the border between North and South Korea prior to the Korean War)?

Per South Korean intelligence services, the North has already reaped a total of USD 9.2 billion from its hacking efforts, which also comprise numerous ransomware attacks. The United States, for example, has blamed Pyongyang for last year’s devastating WannaCry attacks.

South Korean military security expert Kim Min-seok says North Korea’s relentless nuclear development and missile tests have seen international sanctions intensify and trade with China slow – leaving it desperate for cash. Kim says, “That is why North Korea is now concentrating on attacking overseas banks and cryptocurrency exchanges in an effort to secure funds.”

Kim also claims that North Korean hackers are currently active in India, Malaysia, New Zealand, Nepal, Kenya, Mozambique and Indonesia – and that the North’s hacking team comprises some “20 to 30 elite cyber warriors.”

Innovative Means

Earlier this month, Kim Byung-kee, a spokesman for the South’s parliamentary intelligence committee, told reporters how emails sent from North Korea were being used to “hack into cryptocurrency exchanges and [access] their customers’ private information.”

Using virus-containing email attachments to steal passwords and login information from exchanges is the oldest trick in the crypto-hacking book. But per the committee, North Korean hackers are often particularly ingenious with their emailing strategies. They are, for instance, fond of targeting exchange staff, sending them emails that appear to come from major South Korean companies or recruiting agencies, with “attachments disguised as job application forms.”

Northern hackers are exceptionally attentive to detail in most cases, going to great lengths to make their emails appear to have originated from real domains. And above all, their emails are timely – sent out at the exact same time that large enterprises begin genuine, large-scale, nationwide recruitment drives.

Voice phishing is another ruse favored by the North. Scammers call unsuspecting victims, pretending they are calling on behalf of friends or relatives in urgent need of funds. The hackers’ goal is to get victims to deposit funds into cryptocurrency exchange accounts and purchase bitcoin or other currencies. Once the hackers get hold of these funds, they make use of legal loopholes and administrative blind spots, transferring their gains fast and moving them around until cyber-police can no longer keep up. In some cases, they appear to have transferred funds to accounts at Eastern European exchanges, possibly in an effort to throw investigators off the scent.

Hankook Ilbo quotes the head of the South’s Financial Supervisory Service (FSS) as saying, “It is difficult to track what is happening to funds in situations like these, and transactions of this sort do not usually get red-flagged by banks as potentially suspicious transactions. We are considering revising legislation in the near future, in order to force exchanges and banks to use anti-money laundering monitoring networks.”

Unparalleled Success

North Korean hacking attacks are nothing to sneeze at – in fact, last year they forced Youbit, formerly one of Seoul’s biggest cryptocurrency exchanges, out of business.

Striking in the early hours of the morning on December 19, a massive attack on Youbit’s wallets wiped out 17% of the company’s assets, forcing it to immediately file for bankruptcy. Signs, said sources reportedly close to the Seoul government, pointed to yet another attack from the North.

The hack was the second in eight months for the platform. Previously known as Yapizon, the exchange was forced to rebrand itself as Youbit after a previous hack in April 2017. In the April attack, thieves made off with around 4,000 BTC after a midnight raid on four of Youbit’s hot wallets. Korea’s Internet and Security Agency (KISA) again blamed North Korea for the attack.

KISA has also said North Korean cybercriminals were responsible for a June raid on South Korea’s Bithumb exchange, compromising some 36,000 user accounts, as well as a USD 2 million raid on the Coinis platform.

Furthermore, experts believe that they have uncovered malware that forces computers to mine the Monero cryptocurrency for servers based in North Korea. Internet security company AlienVault has alleged that the malicious code remotely mines Monero coins for a server at North Korea’s Kim Il Sung University.

Indeed, speaking with Newsweek, AlienVault’s Chris Doman said he believes that North Korean hackers have been targeting cryptocurrency-related companies since May last year. Doman said, “Clearly, North Korean hackers have a large interest in cryptocurrencies as an easy method for economic gain, as well as an opportunity to economically weaken their enemies.”
