North Korea Accused of Stealing Bitcoin to Bolster Finances

North Korea (DPRK) appears to be targeting bitcoin (both users and exchanges) as a means to counter the increasing effect of international sanctions. Earlier this month the UN Security Council unanimously imposed new sanctions targeting the country's primary exports. Dwindling coal exports to China will be particularly severe, and DPRK's export revenues will likely be slashed by $1 billion.

Recent cyber-attacks against South Korean bitcoin exchanges are now being blamed on North Korea. Radio Free Asia (RFA) -- a non-profit East Asian News Agency -- has reported that DPRK has already launched three cyber-attacks on bitcoin exchanges in South Korea, and one in Europe. Details, including timings, are sparse -- so it is quite possible that the July hack of a Bithumb employee is included, and here attributed to North Korea.

This basic premise that North Korea is targeting bitcoins is reiterated in a report from the United Press International news agency. It says, "The CWIC Cyber Warfare Research Center in South Korea stated a domestic exchange for bitcoin, the worldwide cryptocurrency and digital payment system, has been the target of an attempted hacking... CWIC's Simon Choi said it is 'not only one or two exchanges where attack attempts have been made'."

The precise status of the Cyber Warfare Research Center in South Korea is not explained. Nevertheless, Choi is credited with claiming that phishing emails have been targeting not just bitcoin exchanges, but that "Startups that use blockchain, financial technology sector companies as well as others, may have been the target." The report adds, "According to CWIC, the malicious code attached to the emails was identical to viruses of North Korean origin."

Despite the lack of detail, these two reports have been elaborated on by bitcoin news publications. One leads with "State-sponsored North Korean hackers have been accused of targeting South Korean bitcoin exchanges with cyberattacks and hacking attempts by a South Korean official."

Frankly, it is not at all clear how much veracity can be attached to the reports -- there is no detail, no proof, no timings, and no definition of the status of CWIC (which is variously described as the Cyber Warfare Research Center and the Cyber Warfare Intelligence Center). However, the idea is certainly supported by motive and means: North Korea has both. In stealing bitcoins, the beleaguered nation can simultaneously bolster its finances and obtain 'foreign currency' that cannot be blocked by western governments. Merely surmising that this is now at the least semi-official policy of the cyber army of North Korea may not be far from the truth.

If cyber-attackers are spear-phishing bitcoin users/holders, then it presupposes knowledge of the targets' email addresses. Choi has apparently suggested that "North Korea has somehow gained details about all those individuals who regularly do trading with BTC exchanges." However, this could easily be explained if it was indeed North Korea behind the July Bithumb breach. At that time, roughly 31,000 users – representing 3 percent of the company's total number of customers – had their email and phone information stolen.

In a blog post, Ross Rustici, Cybereason's senior director of intelligence services suggests that any such North Korean hacking policy will have good, bad, and ugly ramifications.

The good, he suggests, is "it means that the DPRK threat, in totality, will be degraded. By focusing on currency generation, groups that would otherwise be gearing up for network attacks or traditional espionage will be diverted to filling out the bottom line."

The bad, he wrote, is that "Banking, financial institutions, and currency exchanges are likely to see a steady increase in malicious and sophisticated intrusion attempts." These attacks are likely to focus on institutions in South Korea, America and Japan to serve the dual purpose of political retaliation and revenue generation, but would likely also apply wherever network security is largely weak.

The ugly, however, is particularly ugly. "Given current tensions and the potential desire to retaliate for perceived assaults on the regime," comments Rustici, "the DPRK has the latent capacity to conduct a heist and destroy the network on the way out. The likelihood of this combination happening is low, but it is not zero."

At this point, it is worth considering WannaCry, which has been largely attributed to North Korea. The very poor ransom-collection process built into the original WannaCry led some researchers to conclude that its real purpose was destructive: ransomware without working decryption is effectively a cyberweapon wiper. NotPetya was more clearly a disguised cyberweapon, although in that instance more likely an attack by Russia against Ukraine.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.