View Markets Data →

New report shows just how North Korea uses malware to steal cryptocurrencies

A new report issued by cybersecurity firm Recorded Future has illustrated how North Korea leverages malware to steal cryptocurrencies from online exchanges.

A new report issued by cybersecurity firm Recorded Future has illustrated how North Korea leverages malware to steal cryptocurrencies from online exchanges.

Studies this year have shown that North Korea has ramped up its hacking attempts on cryptocurrency exchanges and services by some 370% by December last year, and now a new report issued by cybersecurity company Recorded Future has revealed that the rogue nation leverages malware similar to the WannaCry virus to steal thousands of dollars in cryptocurrencies.

The report elucidates that a North Korean hacking coalition dubbed ‘Lazarus Group’ (known to US Agencies as ‘Hidden Cobra’) is behind the various attacks that have befallen numerous South Korean exchanges and custodial services.

Read: Hacker escapes justice with over $400K USD in BlackWallet theft

Specifically, Recorded Futures elaborates that “North Korean government actors, specifically Lazarus Group, continued to target South Korean cryptocurrency exchanges and users in late 2017, before Kim Jong Un’s New Year’s speech and subsequent North-South dialogue. The malware employed shared code with Destover malware, which was used against Sony Pictures Entertainment in 2014 and the first WannaCry victim in February 2017”.

Recorded Futures describes that the malware utilized in such attacks leverages a known Ghostscript exploit  and is “tailored to target only users of a Korean language word processor, Hancom’s Hangul Word Processor.”

Reports have illustrated that between January and September of 2017 alone, over 5,366 ransomware attacks targeting cryptocurrency-related entities have occurred. Between the months of July and August, the Korean Internet & Security Agency (KISA) uncovered malicious software housed within the desktop systems of many South Korean Bitcoin exchanges.

Recorded Futures further investigated a series of phishing operations that have targeted employees of South Korean financial institutions. The firm found that Lazarus Group specifically targeted employees of South Korean exchange Coinlink, as well as a group of South Korean students known as the ‘Friends of the Ministry of Foreign Affairs’, who meet to express their interest in foreign affairs.

The Bitcoin lifeline

North Korea’s operations first shifted to target financial institutions in 2016 in a bid to circumvent sanctions levied against the nation by international powers such as the United States and United Nations.

Under the Lazarus Group, the actors in question began to target cryptocurrencies by February 2017 – taking their first large haul (at an estimated $7 million USD) in cryptocurrency from South Korean exchange Bithumb.

Targeting cryptocurrency-related operations – specifically those involving Bitcoin – provides North Korea with a form of lifeline considering mounting tensions between itself, the United States, and China.

The full report can be read here.

Read: Cryptocurrency investor loses over $34,000 in theft through a second-hand hardware wallet

Have your say!

How could we – or should we – control the use of cryptocurrencies (and better secure platforms where they can be bought) against theft by rogue governments? Be sure to let us know your opinion in the comments below!

Follow Bryan Smith on Twitter: @bryansmithSA