North Korean Hackers Target Crypto Exchange UPbit’s South Korean Users

shutterstock_148621247
31 May 2019

North Korean hackers have allegedly attacked users of South Korean exchange UpBit with a clever phishing exploit.

According to data released by the security company East Security, the hacker attempted a cyberattack by sending a phishing e-mail on May 28. The subject of the mail suggested that UPbit needed more information regarding a fictional sweepstakes payout for tax purposes. The mail did not come from the exchange but from another server outside of South Korea.

The email contained a file claiming to contain documentation for the payout. According to East Security, running this file displayed what looked like a normal document but would activate malicious code. It would then send data about the user’s machine as well as exchange logins to the hackers and then connect the machine to a command-and-control system for later remote access.


East Security believes that this cyber attack came from a North Korean hacking group.

“In analyzing attack tools and malicious codes used by hacker groups, there are unique characteristics we saw,” said Mun Chong Hyun, head of the ESRC Center at East Security. He noted that these are similar to another attack called Operation Fake Striker that attacked Korean government agencies earlier this month.

The hackers also used the same techniques in January to target reporters, though this seems the first attack by the suspected group on a crypto firm.

“As bitcoin prices rise, more and more people are using exchanges. What this means to the hackers is that the number of targets have increased, and so have the chances of stealing cryptocurrencies stored in the exchanges,” said Mun Chong Hyun.

In a clever move, the hackers password-protected the malicious file with the word “UPBIT.” This means that traditional anti-virus tools would not be able to detect the malicious code.

“We have not heard of any reported damage,” noted Mun Chong Hyun. “In order to avoid cyber attacks, you should not install or click suspicious files or documents.”

Research by Park Geunmo at CoinDesk Korea.
Image via Shutterstock