Beset by international sanctions, the North Korean government has begun hacking into cryptocurrency exchanges to steal bitcoins, researchers say. At least three South Korean bitcoin exchanges have been targeted by North Korean military hackers in 2017, according to a report from the cybersecurity firm FireEye.
Major cryptocurrencies have surged in value in 2017, with the value of a single bitcoin rising from $963 at the beginning of the year to $4,222, and Ethereum jumping from $8 to $299. That makes them a ripe target for theft, said Luke McNamara, a FireEye senior analyst.
“I see there being two macro drivers of this threat activity,” McNamara told BuzzFeed News. The first is the tightening sanctions on North Korea’s economy, he said. “But you also have cryptocurrencies appreciating significantly since the beginning of the year. So you see cryptocurrency exchanges, particularly in South Korea, becoming a logical target,” he added.
One exchange believed to be targeted by North Korea is Bithumb, South Korea’s largest cryptocurrency company. Bithumb was hacked in February, though it didn’t notice the breach until June, and it was only made public in July. A number of users reported bitcoin and ethereum stolen from their accounts, with one customer claiming more than a million dollars’ worth of digital currency was stolen, according to local news report.
“This is very consistent with what I would expect North Korea to be doing,” said Claire Finkelstein, a national security expert and faculty director at the University of Pennsylvania’s Center for Ethics and the Rule of Law. The fact that cryptocurrencies are decentralized, an appealing feature to enthusiasts who tout that bitcoin and similar technologies aren’t regulated by any outside agency, also makes them appealing to criminals, she said.
“Bitcoin is a high risk currency because it’s so easily manipulated,” Finkelstein said. “And when you combine the fact that the North Korean government operates substantially like a criminal enterprise, it’s not at all surprising to learn that they’re very interested in cryptocurrencies.”
North Korea was first observed stealing money, instead of merely conducting more traditional espionage on financial institutions, in 2016, when, according to many researchers, including the US National Security Agency, it hacked into the Bangladesh Bank, that country’s central bank, and wired away $81 million.
That same hacker group, McNamara said, is behind not only other attacks on Asian banks, which have gone unreported and which he declined to name because they are FireEye clients, but also the more recent attacks on South Korean bitcoin exchanges.
All those attacks saw the same pattern of hackers targeting employees with spearphishing emails to their personal accounts, reusing passwords to gain access to company networks, then using some variant of a type of custom malware that FireEye has dubbed “PEACHPIT” to create a backdoor into a victim’s networks.
Spearphishing emails to employees of cryptocurrency exchanges, McNamara said, focused on bitcoin financial regulations and new tax rules, reflecting the difficulties those companies face in keeping up with frequently changing laws and regulations.
“Given a lot of the regulatory concerns in most countries regarding cryptocurrencies, that would be something especially interesting or of interest to someone who works at those exchanges,” McNamara said. “I think they were very clever in the lures they used for these operations.”
If international sanctions helped spur North Korean hacking and theft, that’s unlikely to end soon. On Monday, the United Nations agreed to yet more sanctions against the country.
Kevin Collier is the Cybersecurity correspondent for BuzzFeed News and is based in New York.
Contact Kevin Collier at firstname.lastname@example.org.