North Korea Allegedly Hacked South Korean Bitcoin Exchange Youbit

Earlier this week, major South Korean Bitcoin exchange Youbit announced that it had suffered a large-scale security breach that led to the theft of one fifth of user funds.

Almost immediately after the hacking attack, Youbit’s parent company Yapian filed for bankruptcy. In an official statement, the Youbit team told its users that 75 percent of their holdings on the Youbit exchange would be accessible and ready for withdrawal. In order to claim the rest of the funds, however, the company stated that investors would have to wait until the final settlement of bankruptcy proceedings, which will take years to be resolved.

Upon the discovery of the hacking attack, the Youbit team told its clients that the company is working closely with South Korean law enforcement to investigate the security breach.

According to the Wall Street Journal, sources familiar with the ongoing investigation into the Youbit security breach have discovered telltale signs and historical evidence that North Korean state-funded hackers likely initiated and carried out the hacking attack.

In September 2017, security research firm FireEye revealed in a threat research paper that it had found evidence to link various cryptocurrency exchange hacking attacks to North Korea by analyzing the tools that were used to hack into South Korean platforms.

One of the methods used by the North Korean hacking group was spear phishing, which targets individual cryptocurrency users with highly sophisticated phishing attacks and malware. FireEye also revealed that there is some evidence to link previous South Korean cryptocurrency exchange security breaches to North Korea.

Specifically, the FireEye team wrote that the following activities were likely initiated by North Korean hackers:

  • April 22: Four wallets on South Korean Bitcoin exchange Yapizon compromised.
  • Early May: Spear Phishing against South Korean exchange one.
  • Late May: South Korean exchange two compromised via Spear Phish.
  • Early June: Cryptocurrency service providers targeted by hackers.
  • Early July: South Korean exchange three targeted via Spear Phishing to a personal account.

In their report, FireEye researchers wrote that, given the harsh international sanctions imposed on North Korea by the US government and the financial instability of the North Korean regime, North Korean hackers have had many incentives to target South Korean exchanges.

“While Bitcoin and cryptocurrency exchanges may seem like odd targets for nation-state actors interested in funding state coffers, some of the other illicit endeavors North Korea pursues further demonstrate an interest in conducting financial crime on the regime’s behalf. North Korea’s Office 39 is involved in activities such as gold smuggling, counterfeiting foreign currency, and even operating restaurants.”

In an interview with The Wall Street Journal, Troy Stangarone, a senior director at the Korea Economic Institute, shared a similar view to FireEye's and stated that North Korea is in an ideal position to target Bitcoin companies, as it has to find ways to earn back money lost to the recently imposed sanctions. Stangarone said:

“North Korea is an ideal country to use hacking and financial tools like Bitcoin. They’re experimenting with ways to earn back lost money from sanctions.”

South Korean law enforcement and cybersecurity agencies are expected to focus on finding solid evidence to link the hacking attack on Youbit to North Korean hackers.