South Korea’s National Intelligence Service today released evidence of North Korea hacking Bitcoin. The hack earlier this year of Bithumb, a Korean crypto currency exchange, was carried out by a North Korean group. Bithumb is one of the top five crypto currency exchanges in the world, and the largest in Korea.
The hack took place in February 2017, but was not discovered until June. The cyber thieves stole electronic currency worth about $7 million at the time of the theft, which is worth over $80 million at current exchange rates.
Failure to Protect User Data
More troubling to the South Korean government was the failure of Bithumb to protect user data in a separate attack. The hackers stole the IDs and passwords of over 31,000 users, in addition to stealing the money from nearly 300 accounts. The South Korean government imposed fines and penalties on Bithumb this week equaling about 60 million won, or roughly 55,000 dollars, for failing to safeguard user data.
Authorities have traced the attacks to North Korean IP addresses. Although it is common for North Korean hackers to mask their origins by using proxy servers, the proxy servers failed this time. The resulting exposure of the original IP address pointed counter-threat researchers directly to Pyongyang.
In a similar incident, a London-based crypto currency exchange was targeted in a spear phishing attack designed to look like an employment opportunity. ZDNet reports that hackers probably affiliated with The Lazarus Group targeted a UK firm. The Lazarus Group is linked to North Korea, and has been affiliated with previous high-profile cyber thefts.
Hacking Bitcoin Instead of Defense Firms
Rafe Pilling, a security researcher at Secureworks, described the spear phishing attack to ZDNet. The attackers target financial executives at crypto currency firms, pretending to offer the recipient a CFO job at another, undisclosed firm. The email contains a Word document that directs the user to enable editing upon opening it. When editing is enabled, a custom-designed Trojan downloads in the background, granting the hackers access to the computer.
This approach is typical of the Lazarus Group, but until this year it was targeted at executives of defense companies. North Korea seems to have changed its focus to Bitcoin as it begins to struggle under the pressure of the international sanctions. Since Bitcoin is not inhibited by international borders and is nearly anonymous in its movements, it’s the perfect currency for sanctions evasion. “It’s a perfect mechanism for North Korean money,” says Joshua Chung, another security researcher at Secureworks.
Pilling said, “The interesting thing here is that the technique and the tactics being used since last summer mark a change in the nature of the lure and the nature of the targeting. Previously, Lazarus used defence-themed lures to target defense organizations, but now they’re using Bitcoin-themed lures to target financial companies. Our inference based on previous activity is that this is the goal of the attack, particularly in light of recent reporting from other sources that North Korea has an increased focus on Bitcoin and obtaining Bitcoin.”
Unregulated, Unprotected, Uninsured
This is especially dangerous for Bitcoin users and owners, because crypto currencies remain largely unregulated. That means that since they fall outside government authority, they also fall outside the umbrella of government protection. There is no federal deposit insurance, no requirement that exchanges reimburse users for stolen money.
Bithumb, the South Korean company, has promised users it will cover their losses up to about $85. That is cold comfort to the man who claims he lost over a million dollars. It remains unclear how far Bithumb is willing to go to restore customer confidence.
It is difficult to shout into the wind, warning buyers to beware of purchasing cyber currency when it appreciates in value so rapidly. A single unit of Bitcoin that was worth about $1,000 a year ago is worth about $17,000 today. Those who have seen a bubble before don’t want to be holding the asset when the bubble bursts, but newcomers can see only the increase. Perhaps the threat of hacking and cyber theft will be sobering, and let a little air out of the bubble.