North Korea Accused of Stealing Bitcoin to Bolster Finances

North Korea (DPRK) appears to be targeting bitcoin (both users and exchanges) as a means to counter the increasing effect of international sanctions. Earlier this month the UN Security Council unanimously imposed new sanctions targeting the country’s primary exports. Dwindling coal exports to China will be particularly severe, and DPRK’s export revenues will likely be slashed by $1 billion.

Recent cyber-attacks against South Korean bitcoin exchanges are now being blamed on North Korea. Radio Free Asia (RFA) — a non-profit East Asian News Agency — has reported that DPRK has already launched three cyber-attacks on bitcoin exchanges in South Korea, and one in Europe. Details, including timings, are sparse — so it is quite possible that the July hack of a Bithumb employee is included, and here attributed to North Korea.

This basic premise that North Korea is targeting bitcoins is reiterated in a report from the United Press International news agency. It says, “The CWIC Cyber Warfare Research Center in South Korea stated a domestic exchange for bitcoin, the worldwide cryptocurrency and digital payment system, has been the target of an attempted hacking… CWIC’s Simon Choi said it is ‘not only one or two exchanges where attack attempts have been made’.”

The precise status of the Cyber Warfare Research Center in South Korea is not explained. Nevertheless, Choi is credited with claiming that phishing emails have been targeting not just bitcoin exchanges, but that “Startups that use blockchain, financial technology sector companies as well as others, may have been the target.” The report adds, “According to CWIC, the malicious code attached to the emails was identical to viruses of North Korean origin.”

Despite the lack of detail, these two reports have been elaborated by bitcoin news publications. One leads with “State-sponsored North Korean hackers have been accused of targeting South Korean bitcoin exchanges with cyberattacks and hacking attempts by a South Korean official.” 

Frankly, it is not at all clear how much veracity can be attached to the reports — there is no detail, no proof, no timings, and no definition of the status of CWIC (which is variously described as the Cyber Warfare Research Center and the Cyber Warfare Intelligence Center). However, the idea is certainly supported by motive and means: North Korea has both. In stealing bitcoins, the beleaguered nation can simultaneously bolster its finances and obtain ‘foreign currency’ that cannot be blocked by western governments. Merely surmising that this is now at the least semi-official policy of the cyber army of North Korea may not be far from the truth.

If cyber-attackers are spear-phishing bitcoin users/holders, then it presupposes knowledge of the targets’ email addresses. Choi has apparently suggested that “North Korea has somehow gained details about all those individuals who regularly do trading with BTC exchanges.” However, this could easily be explained if it was indeed North Korea behind the July Bithumb breach. At this time, roughly 31,000 users – representing 3 percent of the company’s total number of customers – had their email and phone information stolen.

In a blog post, Ross Rustici, Cybereason’s senior director of intelligence services suggests that any such North Korean hacking policy will have good, bad, and ugly ramifications.

The good, he suggests, is “it means that the DPRK threat, in totality, will be degraded. By focusing on currency generation, groups that would otherwise be gearing up for network attacks or traditional espionage will be diverted to filling out the bottom line.”

The bad, he wrote, is that “Banking, financial institutions, and currency exchanges are likely to see a steady increase in malicious and sophisticated intrusion attempts. These attacks are likely to focus on institutions in South Korea, America and Japan to serve the dual purpose of political retaliation and revenue generation; but would likely also apply wherever network security is largely weak.”

The ugly, however, is particularly ugly. “Given current tensions and the potential desire to retaliate for perceived assaults on the regime,” comments Rustici, “the DPRK has the latent capacity to conduct a heist and destroy the network on the way out. The likelihood of this combination happening is low, but it is not zero.”

At this point, it would be worth considering WannaCry, largely attributed to North Korea. The very poor process of ransom collection built into the original WannaCry led some researchers to conclude its real purpose was destructive: ransomware without decryption is effectively a cyberweapon wiper. NotPetya was more clearly a disguised cyberweapon, although in this instance more likely an attack by Russia against the Ukraine.
