Alleged North Korean hackers scouted crypto exchange employees before stealing currency, researchers say
Suspected North Korean hackers have breached cryptocurrency exchanges in Japan, Europe, the U.S. and Israel in an effort to steal millions of dollars from the platforms in the last three years, according to a new private sector report.
The analysis published Monday by the Israeli security firm ClearSky names Lazarus Group, which U.S. officials say works on behalf of the North Korean government, as the suspect in a hacking campaign that began with attackers scouting cryptocurrency exchange employees and ended with money leaving user accounts.
Cryptocurrency helps North Korea blunt the financial impact of international sanctions, as virtual payment techniques are popular on black markets, difficult to trace and exist largely outside the global financial system.
A United Nations panel in 2019 implicated North Korean hackers in the theft of $571 million from five cryptocurrency exchanges in Asia. Those hacks are “probably” done to fund North Korean “government priorities, such as its nuclear and missile programs,” U.S. intelligence agencies said in an April assessment.
The effort to infiltrate cryptocurrency exchanges has since grown more elaborate. Suspected North Korean hackers set up a fake company pretending to be a trading platform to convince victims to install malicious software, according to researchers.
The Japanese Computer Emergency Response Team, the Finnish firm F-Secure and other private sector researchers investigated a recent effort known by the various names CryptoCore, CryptoMimic, Dangerous Password and Leery Turtle. ClearSky in June 2020 reported on hacks of cryptocurrency wallets that caused $200 million in losses in two years.
The report did not identify victim organizations by name.
At the time, ClearSky said it suspected the perpetrators of being from Eastern Europe. But now, ClearSky says there is a “medium-high likelihood” that the culprit was Lazarus Group, based on a review of malicious software used in related breaches. F-Secure has also attributed some of the activity to Lazarus Group.
North Korea’s alleged attempts to siphon off money from digital currency exchanges are no secret. But the ClearSky report points to the continued ability of Pyongyang’s digital operatives to steal large sums from currency traders. And it suggests that Lazarus Group has expanded its pool of potential targets as Kim Jong Un’s regime searches for financing in the face of stifling international sanctions.
“Until recently, this group was not known to attack Israeli targets,” the ClearSky report noted.
By targeting Israeli organizations, the suspected North Korean hackers are inviting greater scrutiny of their activity. Israel is home to a bevy of security researchers who are skilled in tracking state-linked hacking groups.
The alleged North Korean hacking against Israeli organizations apparently goes beyond cryptocurrency exchanges. The Israeli Ministry of Defense in August accused North Korean hackers of trying to steal sensitive data from the Israeli defense sector.