Watch out. North Korean hackers are coming for your bitcoin


As sanctions on its nuclear programme leave Pyongyang strapped for cash, North Korean cyber thieves are turning their attention to individual investors

John Power

North Korean hackers have taken to stealing cryptocurrency from individual investors as part of a new strategy by Pyongyang to blunt the impact of international sanctions.

The targeting of individuals holding virtual currencies such as bitcoin marks a departure from its previous methods, which have targeted exchanges and financial institutions. Analysts say the shift shows Pyongyang is seeking a new source of income as it buckles under sanctions targeting its illicit nuclear weapons programme.

“Previously, hackers directly attacked exchanges,” Simon Choi, the founder of the cyber warfare research group IssueMakersLab, said. “They targeted staff at the exchanges, but now they are attacking cryptocurrency users directly.”

“With the US, the UN and others imposing sanctions on the North Korean economy, North Korea is in a difficult position economically, and cryptography has come to be seen as a good opportunity.”

The Korea Internet and Security Agency in Seoul, South Korea, monitors cyberattacks originating in the North. Photo: AP


Kwon Seok-chul, CEO of South Korean cybersecurity firm Cuvepia, said his company had detected more than 30 cases since April in which suspected North Korean hackers had preyed on people holding cryptocurrency.


“They are just simple wallet users investing in cryptocurrency,” said Kwon, adding that some cases had probably gone undetected and that the true number may be well over 100.

“In fact, when cryptocurrencies are hacked, there is nowhere one can make complaints, so hackers are increasingly hacking into cryptocurrencies.”

The hackers typically send victims an email with a text file which, when opened, infects the computer with malicious code that gives them control of the machine.

Choi said the shift towards attacking individuals might be a response to exchanges and financial institutions strengthening security against cyberattacks.


“They’ve already had successes and are continuing to progress, but during that time, the exchanges have become used to the attacks and boosted their security somewhat,” he said. “Direct attacks on exchanges have become harder, so hackers are thinking about alternatively going after individual users with weak security.”

Although antivirus software entrepreneur John McAfee famously claimed to have created an “unhackable” wallet for bitcoin, it and other cryptocurrencies have become a lucrative commodity for cyber thieves across the globe. An investigation carried out by Reuters last year found that more than US$6 billion worth of bitcoin had been stolen from exchanges since 2011.

Choi said most of the recent victims of North Korean hackers had been relatively wealthy South Koreans such as company CEOs.

“They believe that if they target CEOs of wealthy firms and heads of organisations, more so than ordinary people, they can take advantage of billions of won in virtual currencies,” he said.

North Korea tests a Hwasong-12 intermediate range missile. Analysts say Pyongyang is seeking new sources of income to thwart sanctions on its nuclear programme. Photo: AP


North Korea is widely thought to have cultivated one of the most formidable hacking armies in the world under its shadowy spy agency, the Reconnaissance General Bureau.

Last month, Russian cybersecurity company Group IB released a report accusing North Korean hackers of stealing US$571 million from five cryptocurrency exchanges, including South Korea’s YouBit and Japan’s Coincheck, since 2017. Group IB traced the attacks to the Lazarus Group, the popular code name for an elite hacking unit widely believed to have carried out the 2014 hacking of Sony Pictures.

Luke McNamara, an analyst at California-based cybersecurity firm FireEye, said the hackers behind these attacks could have gleaned information that allowed them to target individual cryptocurrency users.

“It’s possible from previous intrusions they’ve been able to collect information related to the email addresses, usernames of the people using these exchanges,” he said.

McNamara said North Korea had shown an aptitude for getting to know its targets, one of the most effective weapons in a hacker’s arsenal.

“When they understand and know the targets, when they are able to craft lures specific to those organisations or entities that they are going after – to me, that says they are effective at what they are doing.”


