North Korean Hackers Targeting Crypto-Currency Exchanges: FireEye

Over the past several months, threat actors believed to have ties with North Korea have been targeting crypto-currency exchanges to obtain hard currencies for the Pyongyang regime, FireEye says.

The attacks, which FireEye has observed since May 2017, are said to be part of a campaign that started in 2016, when banks and the global financial system were hit. Given the impressive spike in value Bitcoin has seen since the beginning of the year, it’s no surprise that threat actors are interested in the potential crypto-currencies have.

Traditionally, North Korean actors have engaged in activities typically associated with nation-state cyber espionage, but last year they began shifting their focus toward cybercrime. Given the country’s position as a pariah nation that has been cut off from much of the global economy, as well as its tight control of its military and intelligence capabilities, this doesn’t come as a surprise.

As such, the recently observed interest in crypto-currencies isn’t surprising either, and FireEye considers the recent attacks to be part of a larger campaign that started last year. Since May 2017, the security researchers have observed North Korean actors targeting at least three South Korean crypto-currency exchanges, supposedly in an attempt to steal funds.

The attacks, FireEye says, involved spear-phishing attacks that often targeted the personal email accounts of employees at digital currency exchanges. Tax-themed lures were frequently employed to trick users into installing malware such as PEACHPIT and similar variants, which have been previously linked to North Korean actors.

The spear-phishing attacks started in early May and targeted one crypto-currency exchange at a time. By early June, three South Korean exchanges had been hit, along with other, unidentified victims, which the security researchers suggest might be crypto-currency service providers in South Korea.

“Add to that the ties between North Korean operators and a watering hole compromise of a Bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious crypto-currency miner, and we begin to see a picture of North Korean interest in crypto-currencies, an asset class in which Bitcoin alone has increased over 400% since the beginning of this year,” FireEye notes.

Prior to these attacks, South Korean crypto-currency exchange Yapizon was compromised in April, but FireEye says that “at least some of the tactics, techniques, and procedures” reportedly employed during this incident were different, and there are no clear indications of North Korean involvement.

At the end of April, however, the United States announced a strategy of increased economic sanctions against North Korea, and the subsequent attacks on South Korean exchanges might be the result of this announcement. A July attack on Bithumb might also be the result of North Korea’s increased interest in Bitcoin, a report published last month revealed.

The targeting of Bitcoin and crypto-currency exchanges fits with the previously observed interest of North Korean actors in conducting financial crime on the regime’s behalf. By compromising a crypto-currency exchange, the actors can move crypto-currencies out of online wallets, swap them for more anonymous ones, and even “send them directly to other wallets on different exchanges to withdraw them in fiat currencies such as South Korean won, US dollars, or Chinese renminbi,” FireEye notes.

“As the regulatory environment around cryptocurrencies is still emerging, some exchanges in different jurisdictions may have lax anti-money laundering controls easing this process and make the exchanges an attractive tactic for anyone seeking hard currency,” the researchers continue.

Nation states are starting to take notice of the potential presented by Bitcoin and other crypto-currencies, given their recent increase in value. Thus, this emerging asset class is becoming a “target of interest by a regime that operates in many ways like a criminal enterprise,” FireEye notes, adding that other rising cyber powers might follow a similar path.

“Cyber criminals may no longer be the only nefarious actors in this space,” the researchers conclude.

Just last night, the UN Security Council voted unanimously to adopt new sanctions on North Korea, including restrictions on oil shipments, banning import and export of textiles, and barring countries from issuing new work permits to North Koreans working abroad.

Related: North Korea Accused of Stealing Bitcoin to Bolster Finances

Related: US Suspects North Korea in $81 Million Bangladesh Theft: Report

Written by Ionut Arghire, an international correspondent for SecurityWeek.