Breach bankrupts Seoul-based company after it reformed in wake of a previous heist.
When you’re developing intercontinental ballistic missiles and nuclear weapons while under some of the harshest economic sanctions the world has seen, every bit—and every bitcoin—apparently helps.
North Korea has been implicated in both the WannaCry cryptographic worm and its bitcoin ransom demands as well as stealing about $81 million in traditional money through fraudulent funds transfers from a Bangladeshi bank. And now it appears that North Korean hackers are responsible for bringing down the Youbit cryptocurrency exchange in South Korea.
The Wall Street Journal reports that South Korean officials suspect North Korean hackers in the digital theft from Youbit on December 19, making it the latest victim in a string of bitcoin repository hacks and frauds over the last six years. Attackers made off with 17 percent of the exchange’s cryptocurrency assets, including an undisclosed amount of bitcoin. In the wake of the attack, Youbit has declared bankruptcy and is allowing customers to withdraw only 75 percent of their accounts; the remainder will be paid out after the company is liquidated.
There have been three documented attacks attributed to North Korea against other South Korean cryptocurrency exchanges this year, including one against Youbit’s predecessor company, Yapizon, in April—in which even more cryptocurrency was stolen.
This is the second major bitcoin-related digital heist reported this month. On December 7, the Slovenia-based cryptocurrency-mining exchange service NiceHash was robbed of more than $60 million dollars’ worth of bitcoin in a security breach.
In a report released in September, FireEye noted that North Korea’s interest in obtaining—and stealing—cryptocurrency has risen as sanctions imposed by the United Nations Security Council have mounted. The thefts earlier this year were linked to North Korea through malware and tradecraft, though the earlier Yapizon theft—which specifically targeted four digital wallets at the service—varied in its approach from the others. It may not be linked to the most recent attack.
FireEye’s Luke McNamara wrote the following in September:
Since May 2017, we have observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds… The spear phishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016.
One of the three exchanges was compromised by the attackers.
The attraction of cryptocurrencies to North Korea is fairly obvious. The North Korean regime can access cryptocurrency funds with little fear of running into regulatory roadblocks. And the mounting value of bitcoin delivers high returns on the thefts and obfuscation efforts. Plus, cryptocurrencies are relatively easy to “launder,” either through the use of coin “tumbler” services (spreading out the contents of pilfered wallets across multiple smaller transactions to a large collection of other wallets makes tracking their provenance difficult) or by converting them into less easily traceable cryptocurrencies. In the case of the funds collected by the WannaCry worm’s associated wallets, the wallets were emptied and apparently exchanged for XMR, the “untraceable” private digital currency backed by Monero.
All this digital currency theft doesn’t add up to a lot relative to the entire bitcoin market. But for North Korea, which has a gross domestic product smaller than many American cities—roughly $16 billion, about the same as the metropolitan area of Fort Wayne, Indiana—a million here and a million there are vital to keeping the nation’s economy afloat.